Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
OK, I have narrowed things down to slapd and sssd not playing nice with each other. slapd is able to listen on ldaps (port 636) and accept SSL connections (eg from openssl s_client and other applications using straight SSL). slapd will also listen on ldap (port 389), but refuses to negotiate a TLS connection on port 389. It also refuses to negotiate TLS connection on port 636. sssd seems to *insist* on negotiating a TLS connection on port 636 or port 389 and won't just connect using ssl to port 636. (At least that is what I *think* is going on.)
So, I either need to get slapd to do TLS negotiation on port 389 OR port 636, or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
How the hell do I get that to happen?
here are my config files:
[root@c764guest heller]# cat /etc/openldap/slapd.d/cn=config.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 ba294eab dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap/slapd.args olcPidFile: /var/run/openldap/slapd.pid olcTLSCACertificatePath: /etc/openldap/certs structuralObjectClass: olcGlobal entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0 creatorsName: cn=config createTimestamp: 20170918163057Z olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem entryCSN: 20170927144348.897441Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20170927144348Z
[root@c764guest heller]# cat /etc/sssd/sssd.conf [domain/default]
autofs_provider = ldap cache_credentials = True ldap_search_base = dc=deepsoft,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://192.168.250.98/ ldap_id_use_start_tls = false ldap_tls_cacert = /etc/openldap/certs/ca-cert.pem ldap_default_bind_dn = uid=sssd,ou=People,dc=deepsoft,dc=com ldap_default_authtok = sssd [sssd] services = nss, pam, autofs
domains = default [nss] homedir_substring = /home
[pam] debug_level = 0x7770 ldap_id_use_start_tls = false
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[root@c764guest heller]# cat /etc/openldap/ldap.conf # # LDAP Defaults #
# See ldap.conf(5) for details # This file should be world readable but not world writable.
BASE dc=deepsoft,dc=com URI ldaps://192.168.250.98/ TLS_CACERT /etc/openldap/certs/ca-cert.pem TLS_CACERTDIR /etc/openldap/certs TLS_REQCERT demand
#SIZELIMIT 12 #TIMELIMIT 15 #DEREF never
# Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on TLS_REQCERT allow
Robert Heller heller@deepsoft.com writes:
OK, I have narrowed things down to slapd and sssd not playing nice with each other. slapd is able to listen on ldaps (port 636) and accept SSL connections (eg from openssl s_client and other applications using straight SSL). slapd will also listen on ldap (port 389), but refuses to negotiate a TLS connection on port 389. It also refuses to negotiate TLS connection on port 636. sssd seems to *insist* on negotiating a TLS connection on port 636 or port 389 and won't just connect using ssl to port 636. (At least that is what I *think* is going on.)
So, I either need to get slapd to do TLS negotiation on port 389 OR port 636, or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
How the hell do I get that to happen?
[...]
These are two differnt ports and methods to connect. On port 389 a client initiates a secured session by calling startTLS extended operation. While on port 636 the server requests a secured session. Check your init script, or systemctl service script, whether ldap:/// or ldaps:// is initiated, or both.
-Dieter
On Thu, Sep 28, 2017 at 01:08:17PM -0400, Robert Heller wrote:
OK, I have narrowed things down to slapd and sssd not playing nice with each other. slapd is able to listen on ldaps (port 636) and accept SSL connections (eg from openssl s_client and other applications using straight SSL). slapd will also listen on ldap (port 389), but refuses to negotiate a TLS connection on port 389. It also refuses to negotiate TLS connection on port 636. sssd seems to *insist* on negotiating a TLS connection on port 636 or port 389 and won't just connect using ssl to port 636. (At least that is what I *think* is going on.)
So, I either need to get slapd to do TLS negotiation on port 389 OR port 636, or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
How the hell do I get that to happen?
Up until 6 months ago I used to work in a large RHEL based environment using sssd->ldap for authentication. I can suggest a few things based on my memory.
1. IIRC, sssd doesn't look at ldap.conf, so making changes to ldap.conf might not have any effect on sssd. Everything has to be config'd in sssd.conf.
2. TLS negotiation failures typically indicate a problem w/ your certificates. One way to confirm is to alternate setting the 'ldap_tls_reqcert' opt to 'never' and then 'hard', testing each one. If it works with 'never' but fails with 'hard', then your cert is likely the issue.
If both fail, there might still be a problem w/ your cert, though (if IIRC).
3. Turn up verbosity of log output. Set the debug opts in sssd and slapd to produce verbose log/error messages. This should yield detailed info on why TLS negotiation fails.
here are my config files:
[root@c764guest heller]# cat /etc/openldap/slapd.d/cn=config.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 ba294eab dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap/slapd.args olcPidFile: /var/run/openldap/slapd.pid olcTLSCACertificatePath: /etc/openldap/certs structuralObjectClass: olcGlobal entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0 creatorsName: cn=config createTimestamp: 20170918163057Z olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem entryCSN: 20170927144348.897441Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20170927144348Z
[root@c764guest heller]# cat /etc/sssd/sssd.conf [domain/default]
autofs_provider = ldap cache_credentials = True ldap_search_base = dc=deepsoft,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://192.168.250.98/ ldap_id_use_start_tls = false ldap_tls_cacert = /etc/openldap/certs/ca-cert.pem ldap_default_bind_dn = uid=sssd,ou=People,dc=deepsoft,dc=com ldap_default_authtok = sssd [sssd] services = nss, pam, autofs
domains = default [nss] homedir_substring = /home
[pam] debug_level = 0x7770 ldap_id_use_start_tls = false
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[root@c764guest heller]# cat /etc/openldap/ldap.conf # # LDAP Defaults #
# See ldap.conf(5) for details # This file should be world readable but not world writable.
BASE dc=deepsoft,dc=com URI ldaps://192.168.250.98/ TLS_CACERT /etc/openldap/certs/ca-cert.pem TLS_CACERTDIR /etc/openldap/certs TLS_REQCERT demand
#SIZELIMIT 12 #TIMELIMIT 15 #DEREF never
# Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on TLS_REQCERT allow
-- Robert Heller -- 978-544-6933 Deepwoods Software -- Custom Software Services http://www.deepsoft.com/ -- Linux Administration Services heller@deepsoft.com -- Webhosting Services
openldap-technical@openldap.org
-
Dieter Kluenter -
Paulm -
Robert Heller