Hi, I'm using OpenLDAP 2.6.3 and finding that newer LDAP client libraries (like the one that comes with Ubuntu 22.04.1 LTS) can't complete a connection to the LDAP server's TLS port. A machine I have running Rocky 8.6, however, with OpenSSL 1.1.1k, connects just fine. This is using self-generated certificates, but the correct CA cert and server cert have been provided to SSSD to use for login. The two machines are using identical certificates and SSSD configuration files.
How do we begin to troubleshoot this? The trouble is seen in the SSSD log:
(2023-01-09 21:08:26): [be[default]] [fo_resolve_service_send] (0x0100): [RID#13] Trying to resolve service 'LDAP'
(2023-01-09 21:08:26): [be[default]] [get_server_status] (0x1000): [RID#13] Status of server '10.8.8.60' is 'name not resolved'
(2023-01-09 21:08:26): [be[default]] [get_port_status] (0x1000): [RID#13] Port status of port 636 for server '10.8.8.60' is 'neutral'
(2023-01-09 21:08:26): [be[default]] [fo_resolve_service_activate_timeout] (0x2000): [RID#13] Resolve timeout [dns_resolver_timeout] set to 6 seconds
(2023-01-09 21:08:26): [be[default]] [get_server_status] (0x1000): [RID#13] Status of server '10.8.8.60' is 'name not resolved'
(2023-01-09 21:08:26): [be[default]] [set_server_common_status] (0x0100): [RID#13] Marking server '10.8.8.60' as 'resolving name'
(2023-01-09 21:08:26): [be[default]] [check_if_online_delayed] (0x2000): [RID#12] Check online req created.
(2023-01-09 21:08:26): [be[default]] [set_server_common_status] (0x0100): [RID#13] Marking server '10.8.8.60' as 'name resolved'
(2023-01-09 21:08:26): [be[default]] [be_resolve_server_process] (0x1000): [RID#13] Saving the first resolved server
(2023-01-09 21:08:26): [be[default]] [be_resolve_server_process] (0x0200): [RID#13] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200
(2023-01-09 21:08:26): [be[default]] [sdap_uri_callback] (0x0400): [RID#13] Constructed uri 'ldaps://10.8.8.60:636'
(2023-01-09 21:08:26): [be[default]] [sssd_async_socket_init_send] (0x4000): [RID#13] Using file descriptor [23] for the connection.
(2023-01-09 21:08:26): [be[default]] [sssd_async_socket_init_send] (0x0400): [RID#13] Setting 60 seconds timeout [ldap_network_timeout] for connecting
(2023-01-09 21:08:26): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#13] ldap_install_tls failed: [Connect error] [unknown error]
(2023-01-09 21:08:26): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#13] calling ldap_unbind_ext for ldap:[0x55c44d26c1b0] sd:[23]
(2023-01-09 21:08:26): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#13] closing socket [23]
(2023-01-09 21:08:26): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#13] sdap_async_connect_call request failed: [5]: Input/output error.
(2023-01-09 21:08:26): [be[default]] [sdap_handle_release] (0x2000): [RID#13] Trace: sh[0x55c44d24a740], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
(2023-01-09 21:08:26): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#13] Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633
(2023-01-09 21:08:26): [be[default]] [fo_set_port_status] (0x0100): [RID#13] Marking port 636 of server '10.8.8.60' as 'not working'
(2023-01-09 21:08:26): [be[default]] [fo_set_port_status] (0x0400): [RID#13] Marking port 636 of duplicate server '10.8.8.60' as 'not working'
Thanks, Jarett