Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
12:29 p.m.
--On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
<heller(a)deepsoft.com> wrote:
Slapd is reporting TLS Negotiation failure when SSSD tries to connect
to
it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
something is wrong with slapd's TLS configuration -- it is failing to do
TLS Negotiation, either it is just not doing it or it is doing it wrong
(somehow). Unless SSSD is not configured properly.
You need to start with the following:
> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
to test startTLS
and
ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
to test without startTLS
If you can get those to work, then you can move on to SSSD.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
12:41 p.m.
New subject: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
Will these spit out useful error messages? If I just get "TLS Negotiation
failure" it is not going to be helpful.
At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
--On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
<heller(a)deepsoft.com> wrote:
> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
> it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
> something is wrong with slapd's TLS configuration -- it is failing to do
> TLS Negotiation, either it is just not doing it or it is doing it wrong
> (somehow). Unless SSSD is not configured properly.
You need to start with the following:
>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
to test startTLS
and
ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
to test without startTLS
If you can get those to work, then you can move on to SSSD.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller(a)deepsoft.com -- Webhosting Services
11:18 p.m.
New subject: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
On 28.09.2017 21:41, Robert Heller wrote:
Will these spit out useful error messages? If I just get "TLS
Negotiation
failure" it is not going to be helpful.
You can make it a little bit more verbose with the option "-d -1"
It is only a suggestion, but can you test the parameter
TLS_REQCERT allow
in your /etc/openldap/ldap.conf
This ist not a good option for production systems, but it seems you come
in trouble with your certificates.
You have to set your
TLS_CACERT
xor
TLS_CACERTDIR
correctly in your /etc/openldap/slapd.conf to work stressless with your
ssl/tls.
best regards
Michael
At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount
<quanah(a)symas.com> wrote:
>
> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
> <heller(a)deepsoft.com> wrote:
>
>
>> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
>> it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
>> something is wrong with slapd's TLS configuration -- it is failing to do
>> TLS Negotiation, either it is just not doing it or it is doing it wrong
>> (somehow). Unless SSSD is not configured properly.
>
> You need to start with the following:
>
>>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>
> to test startTLS
>
> and
>
> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
>
> to test without startTLS
>
> If you can get those to work, then you can move on to SSSD.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
--
Michael Wandel
Braakstraße 43
33647 Bielefeld
4:52 a.m.
New subject: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
Late ti the thread, so forgive the stupid question, but why arent you using
SASL and forgoing all the OpenSSL vs MozNSS kerfuffle? If you have OpenLDAP
and SSSD going on, surely Kerberos is something you are able to setup.
On Sep 29, 2017 2:20 AM, "Michael Wandel" <m.wandel(a)t-online.de> wrote:
On 28.09.2017 21:41, Robert Heller wrote:
> Will these spit out useful error messages? If I just get "TLS
Negotiation
> failure" it is not going to be helpful.
>
You can make it a little bit more verbose with the option "-d -1"
It is only a suggestion, but can you test the parameter
TLS_REQCERT allow
in your /etc/openldap/ldap.conf
This ist not a good option for production systems, but it seems you come
in trouble with your certificates.
You have to set your
TLS_CACERT
xor
TLS_CACERTDIR
correctly in your /etc/openldap/slapd.conf to work stressless with your
ssl/tls.
best regards
Michael
> At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>>
>> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
>> <heller(a)deepsoft.com> wrote:
>>
>>
>>> Slapd is reporting TLS Negotiation failure when SSSD tries to connect
to
>>> it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
>>> something is wrong with slapd's TLS configuration -- it is failing to
do
>>> TLS Negotiation, either it is just not doing it or it is doing it
wrong
>>> (somehow). Unless SSSD is not configured properly.
>>
>> You need to start with the following:
>>
>>>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>>
>> to test startTLS
>>
>> and
>>
>> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
>>
>> to test without startTLS
>>
>> If you can get those to work, then you can move on to SSSD.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Product Architect
>> Symas Corporation
>> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>> <http://www.symas.com>
>>
>>
>
--
Michael Wandel
Braakstraße 43
33647 Bielefeld
3:28 p.m.
New subject: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
--On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
<heller(a)deepsoft.com> wrote:
> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
> it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
> something is wrong with slapd's TLS configuration -- it is failing to do
> TLS Negotiation, either it is just not doing it or it is doing it wrong
> (somehow). Unless SSSD is not configured properly.
You need to start with the following:
>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
to test startTLS
and
ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
to test without startTLS
If you can get those to work, then you can move on to SSSD.
[heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D
cn=Manager,dc=deepsoft,dc=com -W
ldap_start_tls: Connect error (-11)
additional info: TLS error -8157:Certificate extension not found.
[heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D
cn=Manager,dc=deepsoft,dc=com -W
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The certificate is from my own CA and I *think* I have things set up properly,
but it is a openssl cert and I know that slapd (and sssd) are built with
MozNSS.
ldap.conf contains:
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
and /etc/openldap/slapd.d/ contains:
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller(a)deepsoft.com -- Webhosting Services
1482
days inactive
1483
days old
openldap-technical@openldap.org
4 comments
4 participants
participants (4)
-
brendan kearney -
Michael Wandel -
Quanah Gibson-Mount -
Robert Heller