On 28.09.2017 21:41, Robert Heller wrote:
Will these spit out useful error messages? If I just get "TLS Negotiation failure" it is not going to be helpful.
You can make it a little bit more verbose with the option "-d -1"
It is only a suggestion, but can you test the parameter
TLS_REQCERT allow
in your /etc/openldap/ldap.conf
This ist not a good option for production systems, but it seems you come in trouble with your certificates.
You have to set your
TLS_CACERT xor TLS_CACERTDIR
correctly in your /etc/openldap/slapd.conf to work stressless with your ssl/tls.
best regards Michael
At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount quanah@symas.com wrote:
--On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller heller@deepsoft.com wrote:
Slapd is reporting TLS Negotiation failure when SSSD tries to connect to it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess something is wrong with slapd's TLS configuration -- it is failing to do TLS Negotiation, either it is just not doing it or it is doing it wrong (somehow). Unless SSSD is not configured properly.
You need to start with the following:
ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
to test startTLS
and
ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
to test without startTLS
If you can get those to work, then you can move on to SSSD.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com