On Thu, Sep 28, 2017 at 01:08:17PM -0400, Robert Heller wrote:
OK, I have narrowed things down to slapd and sssd not playing nice with each
other. slapd is able to listen on ldaps (port 636) and accept SSL connections
(eg from openssl s_client and other applications using straight SSL). slapd
will also listen on ldap (port 389), but refuses to negotiate a TLS connection
on port 389. It also refuses to negotiate a TLS connection on port 636. sssd
seems to *insist* on negotiating a TLS connection on port 636 or port 389 and
won't just connect using SSL to port 636. (At least that is what I *think* is
going on.)
So, I either need to get slapd to do TLS negotiation on port 389 OR port 636,
or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
How the hell do I get that to happen?
Up until 6 months ago I used to work in a large RHEL based environment
using sssd->ldap for authentication. I can suggest a few things based
on my memory.
1. IIRC, sssd doesn't look at ldap.conf, so making changes to
ldap.conf might not have any effect on sssd. Everything has to be
configured in sssd.conf.
2. TLS negotiation failures typically indicate a problem with your
certificates. One way to confirm is to alternate setting the
'ldap_tls_reqcert' option to 'never' and then 'hard', testing each
one ('never' skips verification of the server certificate, so it is
only useful as a diagnostic step).
If it works with 'never' but fails with 'hard', then your cert is
likely the issue.
If both fail, there might still be a problem with your cert, though,
IIRC.
3. Turn up the verbosity of the log output. Set the debug options in sssd
and slapd to produce verbose log/error messages. This should yield
detailed information on why the TLS negotiation fails.
Here are my config files:
[root@c764guest heller]# cat /etc/openldap/slapd.d/cn\=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 ba294eab
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
structuralObjectClass: olcGlobal
entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0
creatorsName: cn=config
createTimestamp: 20170918163057Z
olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem
entryCSN: 20170927144348.897441Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170927144348Z
[root@c764guest heller]# cat /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=deepsoft,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://192.168.250.98/
ldap_id_use_start_tls = false
ldap_tls_cacert = /etc/openldap/certs/ca-cert.pem
ldap_default_bind_dn = uid=sssd,ou=People,dc=deepsoft,dc=com
ldap_default_authtok = sssd
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
debug_level = 0x7770
ldap_id_use_start_tls = false
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[root@c764guest heller]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=deepsoft,dc=com
URI ldaps://192.168.250.98/
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
TLS_REQCERT allow
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller(a)deepsoft.com -- Webhosting Services