--On Thursday, September 28, 2017 2:08 PM -0400 Robert Heller heller@deepsoft.com wrote:
OK, I have narrowed things down to slapd and sssd not playing nice with each other. slapd is able to listen on ldaps (port 636) and accept SSL connections (e.g. from openssl s_client and other applications using straight SSL). slapd will also listen on ldap (port 389), but refuses to negotiate a TLS connection on port 389. It also refuses to negotiate a TLS connection on port 636. sssd seems to *insist* on negotiating a TLS connection on port 636 or port 389 and won't just connect using SSL to port 636. (At least that is what I *think* is going on.)
So, I either need to get slapd to do TLS negotiation on port 389 OR port 636, or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
You're using a bit of a confusing word soup.
ldaps == Deprecated, non-standard way of securing connections to LDAP. Usually on port 636.
startTLS == RFC standard way of securing connections to LDAP. Usually on port 389.
If you are using ldaps, then you want startTLS to be disabled. If you are using startTLS, then you want it enabled.
Your SSSD config has:
ldap_id_use_start_tls = false
so this would be correct for use with ldaps:///
You don't provide any error messages or other useful information, so one can only speculate what issues you may be having.
I would note that most versions of openssl s_client do not support startTLS with LDAP (Thus you cannot use it to test port 389). That feature was only recently added to OpenSSL.
If you want to test startTLS on port 389, your best bet is to use an ldap client utility such as ldapwhoami, like:
ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
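As an added example (not code from the thread or from the OpenLDAP or SSSD projects): a small Python audit that reads an sssd.conf and flags the mismatch described above, StartTLS requested on an ldaps:// URI, as well as the opposite weakness, a cleartext ldap:// URI with StartTLS switched off. The sssd.conf text, domain names and hostnames are constructed for the example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample sssd.conf (hypothetical domains and hosts, not from the thread).
# corp: ldaps with StartTLS off (consistent)   lab: ldap with StartTLS on (consistent)
# broken: ldaps with StartTLS on (the mismatch)  plain: ldap with StartTLS off (cleartext)
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp, lab, broken, plain
[domain/corp]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com:636
ldap_id_use_start_tls = false
[domain/lab]
id_provider = ldap
ldap_uri = ldap://ldap.example.com:389
ldap_id_use_start_tls = true
[domain/broken]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_id_use_start_tls = true
[domain/plain]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = false
"""


def check_domain(section):
    """Return a list of findings for one [domain/...] section with id_provider = ldap."""
    # ldap_uri may hold several URIs separated by commas and/or whitespace
    uris = section.get("ldap_uri", "").replace(",", " ").split()
    # sssd defaults ldap_id_use_start_tls to false when the key is absent
    start_tls = section.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    findings = []
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldaps" and start_tls:
            findings.append(f"{uri}: StartTLS requested on an ldaps:// URI; "
                            "set ldap_id_use_start_tls = false")
        elif scheme == "ldap" and not start_tls:
            findings.append(f"{uri}: cleartext ldap:// with StartTLS disabled; "
                            "binds and directory data cross the wire unencrypted")
        # ldapi:// (Unix socket) needs neither, so it is not flagged
    return findings


def audit(conf_text):
    """Map each LDAP-backed [domain/...] section to its findings (empty list = consistent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {name: check_domain(cp[name]) for name in cp.sections()
            if name.startswith("domain/") and cp[name].get("id_provider") == "ldap"}
```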