Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation

28 Sep 2017


      OK, I have narrowed things down to slapd and sssd not playing nice with each 
other.  slapd is able to listen on ldaps (port 636) and accept SSL connections 
(eg from openssl s_client and other applications using straight SSL).  slapd 
will also listen on ldap (port 389), but refuses to negotiate a TLS connection 
on port 389.  It also refuses to negotiate TLS connection on port 636.  sssd 
seems to *insist* on negotiating a TLS connection on port 636 or port 389 and 
won't just connect using ssl to port 636.  (At least that is what I *think* is 
going on.)
So, I either need to get slapd to do TLS negotiation on port 389 OR port 636, 
or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
How the hell do I get that to happen?
here are my config files:
[root@c764guest heller]# cat /etc/openldap/slapd.d/cn=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 ba294eab
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
structuralObjectClass: olcGlobal
entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0
creatorsName: cn=config
createTimestamp: 20170918163057Z
olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem
entryCSN: 20170927144348.897441Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170927144348Z
[root@c764guest heller]# cat /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=deepsoft,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://192.168.250.98/
ldap_id_use_start_tls = false
ldap_tls_cacert = /etc/openldap/certs/ca-cert.pem
ldap_default_bind_dn = uid=sssd,ou=People,dc=deepsoft,dc=com
ldap_default_authtok = sssd
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
debug_level = 0x7770
ldap_id_use_start_tls = false
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[root@c764guest heller]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=deepsoft,dc=com
URI ldaps://192.168.250.98/
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
TLS_REQCERT allow
-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation