At Thu, 28 Sep 2017 10:19:43 -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
> --On Thursday, September 28, 2017 2:08 PM -0400 Robert Heller
> > OK, I have narrowed things down to slapd and sssd not playing nice with
> > each other. slapd is able to listen on ldaps (port 636) and accept SSL
> > connections (eg from openssl s_client and other applications using
> > straight SSL). slapd will also listen on ldap (port 389), but refuses
> > to negotiate a TLS connection on port 389. It also refuses to negotiate
> > TLS connection on port 636. sssd seems to *insist* on negotiating a TLS
> > connection on port 636 or port 389 and won't just connect using ssl to
> > port 636. (At least that is what I *think* is going on.)
> > So, I either need to get slapd to do TLS negotiation on port 389 OR port
> > 636, or get sssd to NOT do TLS negotiation on port 636 and just connect
> > with SSL.
> You're using a bit of a confusing word soup.
> ldaps == Deprecated, non-standard way of securing connection to LDAP.
> Usually on port 636
> startTLS == RFC standard way of securing connections to LDAP. Usually on
> If you are using ldaps, then you want startTLS to be disabled.
> If you are using startTLS, then you want it enabled.
> Your SSSD config has:
> ldap_id_use_start_tls = false
> so this would be correct for use with ldaps:///
But SSSD does not work with ldaps:///... It *wants* startTLS over ldap:///,
which does not *seem* to work.
> You don't provide any error messages or other useful information, so one
> can only speculate what issues you may be having.
Slapd is reporting TLS Negotiation failure when SSSD tries to connect to it.
For both port 389 (ldap:///) and 636 (ldaps:///). So I guess something is
wrong with slapd's TLS configuration -- it is failing to do TLS Negotiation,
either it is just not doing it or it is doing it wrong (somehow). Unless SSSD
is not configured properly.
> I would note that most versions of openssl s_client do not support startTLS
> with LDAP (thus you cannot use it to test port 389). That feature was only
> recently added to OpenSSL.
> If you want to test startTLS on port 389, your best bet is to use an ldap
> client utility such as ldapwhoami, like:
> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
-- Linux Administration Services
heller(a)deepsoft.com -- Webhosting Services
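Added here as an example, not code from the thread or from sssd/OpenLDAP: a small sssd.conf check that applies the ldaps/startTLS pairing rule from the reply above and prints the ldapwhoami probe matching the configured mode. The host names and the sample config are constructed.

```sh
#!/bin/sh
# Lint an sssd.conf LDAP domain section against the rule stated in the thread
# and print the ldap client command that exercises the same handshake slapd sees.
#   ldaps://host:636 -> ldap_id_use_start_tls must be false (TLS from the first byte)
#   ldap://host:389  -> ldap_id_use_start_tls must be true  (StartTLS upgrade)

# Constructed sample (hypothetical host): ldap:// with StartTLS disabled,
# which makes sssd bind to port 389 in the clear.
SAMPLE_CONF='[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.test:389
ldap_id_use_start_tls = false
ldap_tls_reqcert = demand'

# conf_get CONF KEY -> value of the first "KEY = value" line, trailing blanks stripped.
conf_get() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# tls_mode CONF -> ldaps | starttls | cleartext | ldaps_plus_starttls | unknown
tls_mode() {
    uri=$(conf_get "$1" ldap_uri)
    # sssd treats a missing ldap_id_use_start_tls as false.
    starttls=$(conf_get "$1" ldap_id_use_start_tls | tr '[:upper:]' '[:lower:]')
    starttls=${starttls:-false}
    case "$uri" in
        ldaps://*) [ "$starttls" = true ] && echo ldaps_plus_starttls || echo ldaps ;;
        ldap://*)  [ "$starttls" = true ] && echo starttls || echo cleartext ;;
        *)         echo unknown ;;
    esac
}

# probe_cmd CONF -> ldapwhoami invocation for the configured mode
# (-ZZ demands a successful StartTLS; ldaps:// negotiates TLS without it).
probe_cmd() {
    uri=$(conf_get "$1" ldap_uri)
    mode=$(tls_mode "$1")
    case "$mode" in
        starttls) echo "ldapwhoami -x -ZZ -H $uri" ;;
        ldaps)    echo "ldapwhoami -x -H $uri" ;;
        *)        echo "fix sssd.conf first: $mode" ;;
    esac
}

printf 'mode: %s\nprobe: %s\n' "$(tls_mode "$SAMPLE_CONF")" "$(probe_cmd "$SAMPLE_CONF")"
```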