SSSD should be configured to bind TLS with ldap:389 not ldaps:636.  Increase SSSD log verbosity to get more information.  I have also found that slapd logging can help determine bind issues.

How does one establish their own CA that's trusted by other Root CAs?  Perhaps try disabling verification of the chain then see if bind happens.

On Sep 28, 2017 9:14 PM, "Robert Heller" <heller@deepsoft.com> wrote:
At Thu, 28 Sep 2017 16:08:42 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:

>
> --On Thursday, September 28, 2017 7:28 PM -0400 Robert Heller
> <heller@deepsoft.com> wrote:
>
> > At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah@symas.com>
> > wrote:
> >
> >>
> >> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
> >> <heller@deepsoft.com> wrote:
> >>
> >>
> >> > Slapd is reporting TLS Negotiation failure when SSSD tries to connect
> >> > to it.   For both port 389 (ldap:///) and 636 (ldaps:///).  So I guess
> >> > something is  wrong with slapd's TLS configuration -- it is failing to
> >> > do TLS Negotiation,  either it is just not doing it or it is doing it
> >> > wrong (somehow).  Unless SSSD  is not configured properly.
> >>
> >> You need to start with the following:
> >>
> >> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
> >>
> >> to test startTLS
> >>
> >> and
> >>
> >> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
> >>
> >> to test without startTLS
> >>
> >> If you can get those to work, then you can move on to SSSD.
> >
> > [heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D cn=Manager,dc=deepsoft,dc=com -W
> > ldap_start_tls: Connect error (-11)
> >        additional info: TLS error -8157:Certificate extension not found.
>
> This may be of help:
> <https://serverfault.com/questions/640910/my-certificate-doesnt-work-on-all-machines>
>
> > [heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D cn=Manager,dc=deepsoft,dc=com -W
> > Enter LDAP Password:
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> This may mean slapd isn't listening on port 636 (With no -d -1 info, hard
> to know for sure).  It may also simply be a different manifestation of the
> error above.

I added a -d option (picked 10), and discovered that it wanted the full name
as specified in the certificate. That fixed ldapwhoami and I put that in
ldap.conf, smb.conf, and in sssd.conf, but sssd is still not behaving (samba
is though, mostly -- it might also be having issues since sssd is not
working)...

>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>

--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services
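The fix Robert found (connect with the full name as written in the certificate) is the general rule: a TLS client only accepts the server certificate if the host in the LDAP URI matches one of the certificate's DNS names, and modern clients (SSSD's NSS/OpenSSL back ends included) look at the subjectAltName extension rather than the subject CN. The following is an added example, not code from anyone in this thread, that implements that hostname check in pure Python so an administrator can see, before touching sssd.conf, which `ldap_uri` values a given certificate will accept. The certificate names (`CERT_SANS`, `CERT_SUBJECT_CN`) are constructed sample values, not the real deepsoft.com certificate; in practice you would feed it the DNS entries printed by `openssl x509 -noout -ext subjectAltName`.

```python
"""Check whether the host in an LDAP URI matches the names in a server certificate.

Mirrors the client-side rule that made `ldap://c764guest:389` fail while the
fully qualified name worked: the URI host must equal (or wildcard-match) a DNS
name the certificate actually carries.
"""
from urllib.parse import urlsplit

# Constructed sample certificate names (hypothetical, not from the thread).
CERT_SUBJECT_CN = "c764guest.deepsoft.com"
CERT_SANS = ["c764guest.deepsoft.com", "ldap.deepsoft.com"]


def ldap_host(uri):
    """Return (hostname, port, scheme) for an ldap:// or ldaps:// URI.

    The default port follows the scheme: 389 for ldap (StartTLS runs on it),
    636 for ldaps (TLS from the first byte).
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URI: %r" % uri)
    if parts.hostname is None:
        raise ValueError("LDAP URI has no host: %r" % uri)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.hostname.lower(), port, parts.scheme


def name_matches(pattern, hostname):
    """Compare one certificate DNS name against the URI host.

    Matching is case-insensitive, ignores a trailing dot, and allows a
    wildcard only as the entire left-most label (RFC 6125 style): '*.x.y'
    matches 'a.x.y' but not 'a.b.x.y', and '*.com' is rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard must be a bare left-most label under a real domain
    if len(p_labels) != len(h_labels):
        return False  # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def check_cert_hostname(uri, sans, subject_cn=None):
    """Decide whether a client connecting to `uri` would accept the certificate.

    Returns (ok, explanation). subjectAltName DNS entries are authoritative;
    the subject CN is only consulted when the certificate has no SAN at all,
    which is exactly the case current clients have stopped accepting.
    """
    host, port, scheme = ldap_host(uri)
    if sans:
        names, source = list(sans), "subjectAltName"
    elif subject_cn:
        names, source = [subject_cn], "subject CN (no SAN extension; modern clients reject this)"
    else:
        return False, "certificate carries no DNS names at all"
    for name in names:
        if name_matches(name, host):
            return True, "%s://%s:%d matches %s entry %s" % (scheme, host, port, source, name)
    return False, "%s is not among %s %s; connect using a name the certificate lists" % (
        host, source, names)


if __name__ == "__main__":
    # Constructed candidate ldap_uri values for sssd.conf.
    for candidate in ("ldap://c764guest:389",
                      "ldaps://c764guest.deepsoft.com:636",
                      "ldap://ldap.deepsoft.com"):
        ok, why = check_cert_hostname(candidate, CERT_SANS, CERT_SUBJECT_CN)
        print("%-40s %s  %s" % (candidate, "OK  " if ok else "FAIL", why))
```

The short-name URI fails for the same reason `ldapwhoami` did in the thread, while both fully qualified names pass; the same function with an empty SAN list shows the CN-only fallback that older certificates rely on and that SSSD will not honour.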