Hi,


If you use sssd you don't need nslcd. Because  openldap runs on localhost you can use the following configuration option for sssd to disable TLS ( sssd doesn't work without TLS but there is this undocumented option you can use ):

ldap_auth_disable_tls_never_use_in_production = true

 

Regards,


Andrei

On 2013-04-24 00:38, Rodney Simioni wrote:

Hi, I’m getting a weird behavior in LDAP with TLS.

 

Using:

openldap

Linux Red Hat

Sssd

Nslcd

 

When I issue a ‘ ldapsearch –x ZZ’, it works flawlessly but when issue a `getent passwd`, I get back the system users in /etc/passwd file but I don’t see the ldap users.

 

The openldap.log indicates the following when I issue the ‘getent passwd’ command

connection_read(14): TLS accept failure error=-1 id=1037

 

But it does not  give any errors when doing the ldapsearch –x ZZ.

 

So, if I have TLS not correctly configured, shouldn’t it not work completely?

 

Here’s my sssd.conf:

[domain/local]

debug_level = 9

ldap_id_use_start_tls = True

cache_credentials = True

ldap_search_base = dc=wh,dc=local

id_provider = ldap

auth_provider = ldap

chpass_provider = ldap

ldap_uri = ldap://127.0.0.1/

ldap_tls_cacert = /certs/cacert.pem

 

[sssd]

services = nss, pam

config_file_version = 2

domains = local

 

[nss]

 

[pam]

 

[sudo]

 

[autofs]

 

[ssh]

 

Here’s my nslcd.conf:

 

uri ldap://127.0.0.1/

base dc=wh,dc=local

ssl start_tls

tls_cacertfile  /certs/cacert.pem

tls_reqcert hard

 

Here’s my /etc/openldap/ldap.conf:

TLS_CACERT /certs/cacert.pem

TLS_REQCERT hard

URI ldap://127.0.0.1/

BASE dc=wh,dc=local

 

 


This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.

-- 
Andrei BĂNARU Internal Support CCNA Security, CCIP StreamWIDE Romania