On 28.09.2017 21:41, Robert Heller wrote:
> Will these spit out useful error messages? If I just get "TLS Negotiation
> failure" it is not going to be helpful.
>
You can make it a little bit more verbose with the option "-d -1".
It is only a suggestion, but can you test the parameter
TLS_REQCERT allow
in your /etc/openldap/ldap.conf?
This is not a good option for production systems, but it seems you have run
into trouble with your certificates.
You have to set your
TLS_CACERT
xor
TLS_CACERTDIR
correctly in your /etc/openldap/slapd.conf to work stress-free with your
SSL/TLS.
best regards
Michael
> At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:
>
>>
>> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
>> <heller@deepsoft.com> wrote:
>>
>>
>>> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
>>> it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
>>> something is wrong with slapd's TLS configuration -- it is failing to do
>>> TLS Negotiation, either it is just not doing it or it is doing it wrong
>>> (somehow). Unless SSSD is not configured properly.
>>
>> You need to start with the following:
>>
>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>>
>> to test startTLS
>>
>> and
>>
>> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
>>
>> to test without startTLS
>>
>> If you can get those to work, then you can move on to SSSD.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Product Architect
>> Symas Corporation
>> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>> <http://www.symas.com>
>>
>>
>
--
Michael Wandel
Braakstraße 43
33647 Bielefeld
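An added example (not from the thread, and not OpenLDAP's own tooling) that turns the two points above into a quick check of a client-side ldap.conf: it flags a TLS_REQCERT that has been relaxed to "allow", "never" or "try", and checks that exactly one of TLS_CACERT / TLS_CACERTDIR is set and that the path exists. The file path and the directive parsing (last occurrence wins, comments skipped) are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint an OpenLDAP client ldap.conf for the TLS settings
# discussed in the thread. Not part of the original mail.

# Print the value of a directive (last occurrence wins, like libldap),
# or nothing if it is absent. $1 = config file, $2 = directive name.
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        NF >= 2 && toupper($1) == toupper(key) { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 when the TLS settings look production-safe, 1 otherwise.
# Findings are printed to stdout.
check_ldap_tls_conf() {
    f="$1"; rc=0
    reqcert=$(ldap_conf_get "$f" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_get "$f" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$f" TLS_CACERTDIR)

    # "demand" (the default) or "hard" verify the server certificate.
    case "$reqcert" in
        allow|never)
            echo "WARN: TLS_REQCERT $reqcert accepts any server certificate; use it only for debugging"
            rc=1 ;;
        try)
            echo "WARN: TLS_REQCERT try accepts a server that presents no certificate"
            rc=1 ;;
    esac

    # The thread's advice: set TLS_CACERT xor TLS_CACERTDIR.
    if [ -n "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "WARN: both TLS_CACERT and TLS_CACERTDIR are set; set exactly one"
        rc=1
    elif [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "WARN: neither TLS_CACERT nor TLS_CACERTDIR is set; the server certificate cannot be verified"
        rc=1
    else
        p="${cacert:-$cacertdir}"
        [ -e "$p" ] || { echo "WARN: CA path $p does not exist"; rc=1; }
    fi
    return $rc
}

# Usage: sh check_ldap_tls.sh /etc/openldap/ldap.conf
if [ $# -gt 0 ]; then check_ldap_tls_conf "$1"; fi
```

Once the file passes, the two ldapwhoami calls Quanah gave (with -ZZ for StartTLS on 389, plain ldaps:// on 636) are the next step, with -d -1 for verbose TLS output.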