At Fri, 29 Sep 2017 07:52:34 -0400 brendan kearney <bpk678@gmail.com> wrote:
>
>
> Late ti the thread, so forgive the stupid question, but why arent you using
> SASL and forgoing all the OpenSSL vs MozNSS kerfuffle? If you have OpenLDAP
> and SSSD going on, surely Kerberos is something you are able to setup.
Does SASL replace TLS/SSL? I thought SASL had to do with password hashing and
not anything to do with the connection protocol. I know basicly nothing about
Kerberos.
>
> On Sep 29, 2017 2:20 AM, "Michael Wandel" <m.wandel@t-online.de> wrote:
>
> > On 28.09.2017 21:41, Robert Heller wrote:
> > > Will these spit out useful error messages? If I just get "TLS
> > Negotiation
> > > failure" it is not going to be helpful.
> > >
> >
> > You can make it a little bit more verbose with the option "-d -1"
> >
> > It is only a suggestion, but can you test the parameter
> >
> > TLS_REQCERT allow
> >
> > in your /etc/openldap/ldap.conf
> >
> > This ist not a good option for production systems, but it seems you come
> > in trouble with your certificates.
> >
> > You have to set your
> >
> > TLS_CACERT
> > xor
> > TLS_CACERTDIR
> >
> > correctly in your /etc/openldap/slapd.conf to work stressless with your
> > ssl/tls.
> >
> > best regards
> > Michael
> >
> > > At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah@symas.com>
> > wrote:
> > >
> > >>
> > >> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
> > >> <heller@deepsoft.com> wrote:
> > >>
> > >>
> > >>> Slapd is reporting TLS Negotiation failure when SSSD tries to connect
> > to
> > >>> it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
> > >>> something is wrong with slapd's TLS configuration -- it is failing to
> > do
> > >>> TLS Negotiation, either it is just not doing it or it is doing it
> > wrong
> > >>> (somehow). Unless SSSD is not configured properly.
> > >>
> > >> You need to start with the following:
> > >>
> > >>>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
> > >>
> > >> to test startTLS
> > >>
> > >> and
> > >>
> > >> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
> > >>
> > >> to test without startTLS
> > >>
> > >> If you can get those to work, then you can move on to SSSD.
> > >>
> > >> --Quanah
> > >>
> > >> --
> > >>
> > >> Quanah Gibson-Mount
> > >> Product Architect
> > >> Symas Corporation
> > >> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> > >> <http://www.symas.com>
> > >>
> > >>
> > >
> >
> >
> > --
> > Michael Wandel
> > Braakstraße 43
> > 33647 Bielefeld
> >
> >
>
>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services