SSSD should be configured to bind TLS with ldap:389 not ldaps:636. Increase SSSD log verbosity to get more information. I have also found that slapd logging can help determine bind issues.
How does one establish their own CA that's trusted by other Root CA's? Perhaps try disabling verification of the chain then see if bind happens.
On Sep 28, 2017 9:14 PM, "Robert Heller" heller@deepsoft.com wrote:
At Thu, 28 Sep 2017 16:08:42 -0700 Quanah Gibson-Mount quanah@symas.com wrote:
--On Thursday, September 28, 2017 7:28 PM -0400 Robert Heller heller@deepsoft.com wrote:
At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount quanah@symas.com wrote:
--On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller heller@deepsoft.com wrote:
Slapd is reporting TLS Negotiation failure when SSSD tries to connect to it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess something is wrong with slapd's TLS configuration -- it is failing to do TLS Negotiation, either it is just not doing it or it is doing it wrong (somehow). Unless SSSD is not configured properly.
You need to start with the following:
ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
to test startTLS
and
ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
to test without startTLS
If you can get those to work, then you can move on to SSSD.
[heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D cn=Manager,dc=deepsoft,dc=com -W
ldap_start_tls: Connect error (-11)
	additional info: TLS error -8157:Certificate extension not found.
This may be of help: <https://serverfault.com/questions/640910/my-certificate-doesnt-work-on-all-machines>
[heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D cn=Manager,dc=deepsoft,dc=com -W
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
This may mean slapd isn't listening on port 636 (With no -d -1 info, hard to know for sure). It may also simply be a different manifestation of the error above.
I added a -d option (picked 10), and discovered that it wanted the full name as specified in the certificate. That fixed ldapwhoami and I put that in ldap.conf, smb.conf, and in sssd.conf, but sssd is still not behaving (samba is though, mostly -- it might also be having issues since sssd is not working)...
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services
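A diagnostic added here (not code from the thread, from OpenLDAP or from SSSD): it fetches the server certificate from the ldaps port, lists the names the certificate is valid for, and checks them against the hostname you bind with, which is the mismatch the thread ends up finding (short name used, full name in the certificate). Chain trust is still verified, so a CA problem is reported rather than hidden; the host, port and CA file are command-line arguments, and the function names are my own.

```python
import socket
import ssl


def cert_hostnames(cert: dict) -> list:
    """DNS names from subjectAltName; fall back to the subject CN if there is no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificate without a SAN: the CN is all a client can check
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(names, host: str) -> bool:
    """RFC 6125-style check: case-insensitive, '*' only as the whole leftmost label."""
    host = host.rstrip(".").lower()
    for name in names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        first, dot, rest = host.partition(".")
        if name.startswith("*.") and first and dot and rest == name[2:]:
            return True
    return False


def probe_ldaps(host: str, port: int = 636, cafile=None) -> dict:
    """Handshake with host:port; report the certificate's names and whether they
    cover `host`. Chain verification stays on so a CA problem is reported, not masked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name check is done below so the mismatch is explained
    report = {"host": host, "names": [], "name_ok": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:  # port closed, chain not trusted, ...
        report["error"] = str(exc)
        return report
    report["names"] = cert_hostnames(cert)
    report["name_ok"] = hostname_matches(report["names"], host)
    return report


if __name__ == "__main__":  # usage: probe.py <host-you-bind-with> [port] [ca.pem]
    import sys
    print(probe_ldaps(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 636,
                      sys.argv[3] if len(sys.argv) > 3 else None))
```

If the report shows `name_ok` false, bind with one of the listed names (the full name from the certificate) in ldapwhoami, ldap.conf and sssd.conf rather than the short host name; StartTLS on 389 is checked separately with `ldapwhoami -x -ZZ -d 1`, as the thread does.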