At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
--On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller <heller(a)deepsoft.com> wrote:
> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
> it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
> something is wrong with slapd's TLS configuration -- it is failing to do
> TLS Negotiation, either it is just not doing it or it is doing it wrong
> (somehow). Unless SSSD is not configured properly.
You need to start with the following:
ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
to test startTLS
and
ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
to test without startTLS
If you can get those to work, then you can move on to SSSD.
[heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D cn=Manager,dc=deepsoft,dc=com -W
ldap_start_tls: Connect error (-11)
additional info: TLS error -8157:Certificate extension not found.
[heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D cn=Manager,dc=deepsoft,dc=com -W
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The certificate is from my own CA and I *think* I have things set up properly,
but it is an openssl cert and I know that slapd (and sssd) are built with
MozNSS.
ldap.conf contains:
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
and /etc/openldap/slapd.d/ contains:
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller(a)deepsoft.com -- Webhosting Services
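Added example (not part of the thread above, and not Symas or OpenLDAP code): before going back to slapd it is worth checking the certificate material itself with OpenSSL tooling, because three things have to line up for both the ldaps:// test and the StartTLS (-ZZ) test to pass: the key file must belong to the certificate file, the certificate must chain to the CA file handed to clients as TLS_CACERT (TLS_REQCERT demand makes that mandatory), and the host name used in -H ldap://host must be covered by the certificate. The script builds a constructed, throwaway CA and server certificate purely as test input (the name ldap.example.test, the file names and the config sections are assumptions), then runs those checks against it; the two probe functions at the end exercise a live server the way ldapwhoami does but need network access and are not run here. Everything is plain OpenSSL, so it says nothing about how a MozNSS-built slapd loads PEM files.

```shell
#!/bin/sh
# Added example, not from the thread. Names, paths and the test PKI are assumptions.

# Build a throwaway CA plus a server certificate in $1 (constructed test input).
# Inline config files are used so the run does not depend on the system openssl.cnf.
mk_test_pki() {
  dir=$1
  cat >"$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat >"$dir/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = ldap.example.test
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -new -config "$dir/server.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/server.cnf" -extensions v3_server \
    -out "$dir/server.crt" >/dev/null 2>&1
}

# Does the private key (olcTLSCertificateKeyFile) belong to the certificate
# (olcTLSCertificateFile)? Compares the SubjectPublicKeyInfo of both; works for RSA and EC.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Does the server certificate chain to the CA file clients get as TLS_CACERT?
cert_chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Is a named X509v3 extension present, e.g. "Subject Alternative Name",
# "Extended Key Usage", "Basic Constraints"?
cert_has_ext() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "X509v3 $2"
}

# Does the SAN carry the DNS name that will be used in -H ldap://host ?
cert_san_has() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 "Subject Alternative Name" | grep -qw "DNS:$2"
}

# Offline run of all checks against the constructed PKI; 0 means every check passed.
run_checks() {
  pki=$(mktemp -d) || return 1
  mk_test_pki "$pki" || { rm -rf "$pki"; return 1; }
  cert_key_match "$pki/server.crt" "$pki/server.key" &&
    cert_chain_ok "$pki/ca.crt" "$pki/server.crt" &&
    cert_has_ext "$pki/server.crt" "Subject Alternative Name" &&
    cert_has_ext "$pki/server.crt" "Extended Key Usage" &&
    cert_san_has "$pki/server.crt" "ldap.example.test"
  rc=$?
  rm -rf "$pki"
  return $rc
}

# Live probes (network, not run by the checks above). ldaps:// is TLS from the
# first byte; ldap:// + StartTLS starts in clear and upgrades, which is what
# ldapwhoami -ZZ exercises. -starttls ldap needs OpenSSL 1.1.0 or newer.
probe_ldaps() {     # host port ca-file
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    -verify_return_error </dev/null
}
probe_starttls() {  # host port ca-file
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    -starttls ldap -verify_return_error </dev/null
}

if run_checks; then echo "offline certificate checks: OK"; else echo "offline certificate checks: FAILED"; fi
```

Run the three file checks against the real ca-cert.pem, c764guest.cert and c764guestkey.pem first; only once they pass do the ldapwhoami -ZZ and ldaps:// tests from the thread tell you anything about slapd's own TLS handling rather than about the files it was given.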