On Jan 10, 2023, at 1:25 AM, Jarett jarett@bioteam.net wrote:
I have actually read this post before, and it describes the problem I’m having exactly, but the purported fix does not work for me. My SSSD configuration file contains “ldap_tls_reqcert = never,” “ldap_tls_cacert = (certificate path for ca)” and “ldap_tls_cert = (certificate path for server).”
Ulrich: I actually don’t even remember what SANs or CNs are in the certificate, but it shouldn’t matter as we have reqcert set to never. Too, if I turn verification off in SSSD entirely with “certificate_verification = no_verification,” I have the exact same problem. (We really could not care less about TLS security on this particular network, but SSSD simply will not work without at least nominally connecting over TLS/SSL.)
SSSD uses the openldap client config on a particular machine. So, you can sidestep (SSSD) by issuing command line operations from the same machine, to troubleshoot. Ldapsearch, ldapwhoami, ...
It’s almost always something wrong with the CA cert, e.g. can’t find it, doesn’t match the server, etc. Meaning, TLS params in the ldap.conf file.
— Shawn
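To make Shawn's suggestion concrete, here is an added check script (not from the thread, not part of SSSD or OpenLDAP) that reads the same ldap.conf the openldap client tools and SSSD consult and reports whether the TLS CA settings actually point at a readable PEM bundle before you try ldapwhoami/ldapsearch. The config paths, the sample server name and the sample certificate in the usage note are assumptions; Red Hat-style systems use /etc/openldap/ldap.conf and Debian-style systems /etc/ldap/ldap.conf.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the OpenLDAP client TLS
# settings that both SSSD and ldapsearch/ldapwhoami pick up from ldap.conf.
# Assumed default path; override with LDAP_CONF=/etc/ldap/ldap.conf on Debian.

# Print the value of a keyword (case-insensitive, first match) from ldap.conf.
ldap_conf_get() {
    _conf="$1"; _key="$2"
    awk -v k="$_key" 'tolower($1) == tolower(k) { print $2; exit }' "$_conf"
}

# check_ldap_conf CONF
# Returns 0 when TLS_CACERT points at a readable PEM file or TLS_CACERTDIR at a
# directory, 1 when the CA material is missing or unusable. Findings go to stdout.
check_ldap_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    uri=$(ldap_conf_get "$conf" URI)
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$conf" TLS_CACERTDIR)

    echo "URI:           ${uri:-<unset>}"
    echo "TLS_REQCERT:   ${reqcert:-<unset, so the client default demand applies>}"

    if [ -n "$cacert" ]; then
        if [ ! -r "$cacert" ]; then
            echo "TLS_CACERT:    $cacert (NOT READABLE: wrong path or permissions)"
            return 1
        fi
        # A CA bundle must be PEM; a DER file or a key file here breaks the handshake.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert"; then
            echo "TLS_CACERT:    $cacert (no PEM certificate found in file)"
            return 1
        fi
        echo "TLS_CACERT:    $cacert (readable PEM)"
        return 0
    fi
    if [ -n "$cacertdir" ]; then
        if [ ! -d "$cacertdir" ]; then
            echo "TLS_CACERTDIR: $cacertdir (NOT A DIRECTORY)"
            return 1
        fi
        echo "TLS_CACERTDIR: $cacertdir (exists; hashed links must be present)"
        return 0
    fi
    echo "no TLS_CACERT or TLS_CACERTDIR set: the server certificate cannot be verified"
    return 1
}

# suggest_probe CONF
# Print the SSSD-free probes Shawn describes. They need a live server, so they
# are only printed here, not executed. The second line forces the CA check off
# with the client's LDAPTLS_REQCERT variable: if it succeeds while the first
# fails, the problem is the certificate chain, not the network or the server.
suggest_probe() {
    uri=$(ldap_conf_get "$1" URI)
    echo "ldapwhoami -x -ZZ -H '${uri:-ldap://<server>}' -d 1"
    echo "LDAPTLS_REQCERT=never ldapwhoami -x -ZZ -H '${uri:-ldap://<server>}'"
}

# Run the check on the system file only when LDAP_CONF is set, so the functions
# can also be sourced from another script without side effects.
if [ -n "${LDAP_CONF:-}" ]; then
    check_ldap_conf "$LDAP_CONF" && suggest_probe "$LDAP_CONF"
fi
```

Run it as `LDAP_CONF=/etc/openldap/ldap.conf sh check_ldap_tls.sh`. A failing check here reproduces exactly what Shawn describes: SSSD and the command-line tools read the same file, so fixing the path or replacing the bundle with a PEM copy of the issuing CA fixes both. Note that `ldap_tls_reqcert` in sssd.conf does not rewrite ldap.conf, which is why checking the file directly is worthwhile.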