Robert Heller heller@deepsoft.com writes:
R> At Thu, 28 Sep 2017 10:19:43 -0700 Quanah Gibson-Mount quanah@symas.com wrote:
--On Thursday, September 28, 2017 2:08 PM -0400 Robert Heller heller@deepsoft.com wrote:
OK, I have narrowed things down to slapd and sssd not playing nice with each other. slapd is able to listen on ldaps (port 636) and accept SSL connections (eg from openssl s_client and other applications using straight SSL). slapd will also listen on ldap (port 389), but refuses to negotiate a TLS connection on port 389. It also refuses to negotiate TLS connection on port 636. sssd seems to *insist* on negotiating a TLS connection on port 636 or port 389 and won't just connect using ssl to port 636. (At least that is what I *think* is going on.)
So, I either need to get slapd to do TLS negotiation on port 389 OR port 636, or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
You're using a bit of a confusing word soup.
Well, yes...
ldaps == Deprecated, non-standard way of securing connection to LDAP. Usually on port 636 startTLS == RFC standard way of securing connections to LDAP. Usually on port 389
If you are using ldaps, then you want startTLS to be disabled if you are using startTLS, then you want it enabled.
Your SSD config has:
ldap_id_use_start_tls = false
so this would be correct with use with ldaps:///
But SSSD does not work with ldaps:///... It *wants* startTLS over ldap:///, which does not *seem* to work.
You don't provide any error messages or other useful information, so one can only specualte what issues you may be having.
Slapd is reporting TLS Negotiation failure when SSSD tries to connect to it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess something is wrong with slapd's TLS configuration -- it is failing to do TLS Negotiation, either it is just not doing it or it is doing it wrong (somehow). Unless SSSD is not configured properly.
I would note that most versions of openssl s_client do not support startTLS with LDAP (Thus you cannot use it to test port 389). That feature was only recently added to OpenSSL.
OK, back to basics, 1. check whether sssd is compiled with openssl's libcrypto: ldd sssd which should present something like libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 2. check whether slapd has been build with openssl ldd slapd, which should present: libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 3. verify your certificates: openssl verify -CAfile <file> <hostcert> 4. run slapd -h ldaps:///; than test connection: openssl s_client -connect host:636 -CAfile <file>
-Dieter
If you want to test startTLS on port 389, your best bet is to use an ldap client utility such as ldapwhoami, like:
ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
[...]