Late ti the thread, so forgive the stupid question, but why arent you using SASL and forgoing all the OpenSSL vs MozNSS kerfuffle? If you have OpenLDAP and SSSD going on, surely Kerberos is something you are able to setup.

On Sep 29, 2017 2:20 AM, "Michael Wandel" <m.wandel@t-online.de> wrote:
On 28.09.2017 21:41, Robert Heller wrote:
> Will these spit out useful error messages?  If I just get "TLS Negotiation
> failure" it is not going to be helpful.
>

You can make it a little bit more verbose with the option "-d -1"

It is only a suggestion, but can you test the parameter

TLS_REQCERT allow

in your /etc/openldap/ldap.conf

This ist not a good option for production systems, but it seems you come
in trouble with your certificates.

You have to set your

TLS_CACERT
xor
TLS_CACERTDIR

correctly in your /etc/openldap/slapd.conf to work stressless with your
ssl/tls.

best regards
Michael

> At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:
>
>>
>> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
>> <heller@deepsoft.com> wrote:
>>
>>
>>> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
>>> it.   For both port 389 (ldap:///) and 636 (ldaps:///).  So I guess
>>> something is  wrong with slapd's TLS configuration -- it is failing to do
>>> TLS Negotiation,  either it is just not doing it or it is doing it wrong
>>> (somehow).  Unless SSSD  is not configured properly.
>>
>> You need to start with the following:
>>
>>>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>>
>> to test startTLS
>>
>> and
>>
>> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
>>
>> to test without startTLS
>>
>> If you can get those to work, then you can move on to SSSD.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Product Architect
>> Symas Corporation
>> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>> <http://www.symas.com>
>>
>>
>


--
Michael Wandel
Braakstraße 43
33647 Bielefeld