hi - using OpenLDAP 2.6.3 and finding that newer LDAP client libraries (like the one that comes with Ubuntu 22.04.1 LTS) can't complete a connection to the LDAP server's TLS port. A machine I have running Rocky 8.6, however, with OpenSSL 1.1.1k, connects just fine. This is using self-generated certificates, but the correct CA cert and server cert have been provided to SSSD to use for login. The two machines are using identical certificates and SSSD configuration files.
How do we begin to troubleshoot this? The trouble is seen in the SSSD log:
(2023-01-09 21:08:26): [be[default]] [fo_resolve_service_send] (0x0100): [RID#13] Trying to resolve service 'LDAP'
(2023-01-09 21:08:26): [be[default]] [get_server_status] (0x1000): [RID#13] Status of server '10.8.8.60' is 'name not resolved'
(2023-01-09 21:08:26): [be[default]] [get_port_status] (0x1000): [RID#13] Port status of port 636 for server '10.8.8.60' is 'neutral'
(2023-01-09 21:08:26): [be[default]] [fo_resolve_service_activate_timeout] (0x2000): [RID#13] Resolve timeout [dns_resolver_timeout] set to 6 seconds
(2023-01-09 21:08:26): [be[default]] [get_server_status] (0x1000): [RID#13] Status of server '10.8.8.60' is 'name not resolved'
(2023-01-09 21:08:26): [be[default]] [set_server_common_status] (0x0100): [RID#13] Marking server '10.8.8.60' as 'resolving name'
(2023-01-09 21:08:26): [be[default]] [check_if_online_delayed] (0x2000): [RID#12] Check online req created.
(2023-01-09 21:08:26): [be[default]] [set_server_common_status] (0x0100): [RID#13] Marking server '10.8.8.60' as 'name resolved'
(2023-01-09 21:08:26): [be[default]] [be_resolve_server_process] (0x1000): [RID#13] Saving the first resolved server
(2023-01-09 21:08:26): [be[default]] [be_resolve_server_process] (0x0200): [RID#13] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200
(2023-01-09 21:08:26): [be[default]] [sdap_uri_callback] (0x0400): [RID#13] Constructed uri 'ldaps://10.8.8.60:636'
(2023-01-09 21:08:26): [be[default]] [sssd_async_socket_init_send] (0x4000): [RID#13] Using file descriptor [23] for the connection.
(2023-01-09 21:08:26): [be[default]] [sssd_async_socket_init_send] (0x0400): [RID#13] Setting 60 seconds timeout [ldap_network_timeout] for connecting
(2023-01-09 21:08:26): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#13] ldap_install_tls failed: [Connect error] [unknown error]
(2023-01-09 21:08:26): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#13] calling ldap_unbind_ext for ldap:[0x55c44d26c1b0] sd:[23]
(2023-01-09 21:08:26): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#13] closing socket [23]
(2023-01-09 21:08:26): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#13] sdap_async_connect_call request failed: [5]: Input/output error.
(2023-01-09 21:08:26): [be[default]] [sdap_handle_release] (0x2000): [RID#13] Trace: sh[0x55c44d24a740], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
(2023-01-09 21:08:26): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#13] Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633
(2023-01-09 21:08:26): [be[default]] [fo_set_port_status] (0x0100): [RID#13] Marking port 636 of server '10.8.8.60' as 'not working'
(2023-01-09 21:08:26): [be[default]] [fo_set_port_status] (0x0400): [RID#13] Marking port 636 of duplicate server '10.8.8.60' as 'not working'
Thanks, Jarett
On 09.01.23 22:10, Jarett DeAngelis wrote:
hi - using OpenLDAP 2.6.3 and finding that newer LDAP client libraries (like the one that comes with Ubuntu 22.04.1 LTS) can't complete a connection to the LDAP server's TLS port. A machine I have running Rocky 8.6, however, with OpenSSL 1.1.1k, connects just fine. This is using self-generated certificates, but the correct CA cert and server cert have been provided to SSSD to use for login. The two machines are using identical certificates and SSSD configuration files.
Ubuntu's libldap is linked against gnutls, not openssl.
Maybe you will find the solution in https://github.com/SSSD/sssd/issues/5444
Best regards, Ulf
On Jan 10, 2023, at 1:25 AM, Jarett jarett@bioteam.net wrote:
I have actually read this post before, and it describes the problem I’m having exactly, but the purported fix does not work for me. My SSSD configuration file contains “ldap_tls_reqcert = never,” “ldap_tls_cacert = (certificate path for ca)” and “ldap_tls_cert = (certificate path for server).”
Ulrich: I actually don’t even remember what SANs or CNs are in the certificate, but it shouldn’t matter as we have reqcert set to never. Too, if I turn verification off in SSSD entirely with “certificate_verification = no_verification,” I have the exact same problem. (We really could not care less about TLS security on this particular network, but SSSD simply will not work without at least nominally connecting over TLS/SSL.)
SSSD uses the openldap client config on a particular machine. So, you can sidestep SSSD by issuing command line operations from the same machine, to troubleshoot: ldapsearch, ldapwhoami, ...
It’s almost always something wrong with the CA cert, e.g. can’t find it, doesn’t match the server, etc. Meaning, the TLS parameters in the ldap.conf file.
— Shawn
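An added example, not code from anyone in this thread: the troubleshooting Shawn describes, done from the Ubuntu client with SSSD out of the path, plus a check for Ulrich's IP-address SAN question. It runs the TLS handshake once through OpenSSL and once through GnuTLS (Ulf points out Ubuntu's libldap uses GnuTLS), so a library-level handshake failure can be told apart from an SSSD configuration problem, then repeats the connection through libldap with ldapwhoami -d 1 to get the real TLS error that SSSD flattens to "ldap_install_tls failed: [Connect error]". The host and port (10.8.8.60:636) are taken from the log in the thread; the CA file path is an assumption; LDAP_HOST is empty by default so nothing connects until you set it.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Probes an ldaps:// server from the
# client host without SSSD in the path. Host/port default to the values seen
# in the SSSD log (10.8.8.60:636); CA_FILE is an assumed path.
set -u

LDAP_HOST="${LDAP_HOST:-}"                        # empty: define functions only
LDAP_PORT="${LDAP_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ldap-ca.pem}"  # assumption, adjust

# 1. Raw TLS handshake with both stacks. Ubuntu's libldap uses GnuTLS, so a
#    server that handshakes with openssl s_client but not with gnutls-cli is a
#    TLS-library difference (protocol version, cipher, key size), not an SSSD
#    problem. Add --insecure to gnutls-cli to tell a handshake failure apart
#    from a certificate-verification failure.
probe_tls() {
  host=$1; port=$2; ca=$3
  printf '== openssl s_client ==\n'
  openssl s_client -connect "$host:$port" -CAfile "$ca" </dev/null 2>&1 \
    | grep -E 'Protocol|Cipher is|Verify return code|error'
  if command -v gnutls-cli >/dev/null 2>&1; then
    printf '== gnutls-cli ==\n'
    gnutls-cli --x509cafile "$ca" --port "$port" "$host" </dev/null 2>&1 \
      | grep -Ei 'handshake|description|error|status'
  fi
}

# 2. The same connection through libldap itself, as Shawn suggests. -d 1 makes
#    libldap print the TLS error it actually hit. LDAPTLS_REQCERT=never mirrors
#    the ldap_tls_reqcert = never setting in the thread's sssd.conf.
probe_ldap() {
  host=$1; port=$2; ca=$3
  LDAPTLS_CACERT="$ca" LDAPTLS_REQCERT=never \
    ldapwhoami -x -H "ldaps://$host:$port" -d 1 2>&1 | tail -n 30
}

# 3. Ulrich's question: SSSD connects by IP, so a verifying client needs that
#    IP in an iPAddress SAN (RFC 5280 4.2.1.6); an IP in the CN is generally
#    not matched. Fetch the SAN extension of the certificate the server serves.
show_san() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName
}

# Text check over show_san output (or over `openssl x509 -in server.pem -noout
# -ext subjectAltName`): is $2 listed as an "IP Address:" entry? A DNS:10.8.8.60
# entry deliberately does not count; verifiers do not treat it as an IP.
san_has_ip() {
  san_text=$1; ip=$2
  names=",$(printf '%s\n' "$san_text" | tr -d ' ' | tr '\n' ','),"
  case $names in
    *",IPAddress:$ip,"*) return 0 ;;
  esac
  return 1
}

if [ -n "$LDAP_HOST" ]; then
  probe_tls "$LDAP_HOST" "$LDAP_PORT" "$CA_FILE"
  probe_ldap "$LDAP_HOST" "$LDAP_PORT" "$CA_FILE"
  san=$(show_san "$LDAP_HOST" "$LDAP_PORT")
  printf '== subjectAltName ==\n%s\n' "$san"
  if san_has_ip "$san" "$LDAP_HOST"; then
    echo "SAN lists $LDAP_HOST as an IP address"
  else
    echo "SAN does NOT list $LDAP_HOST; a client with reqcert=demand would reject it"
  fi
fi
```

Run it as `LDAP_HOST=10.8.8.60 CA_FILE=/path/to/ca.pem bash probe-ldaps.sh`. If openssl s_client negotiates but gnutls-cli or ldapwhoami -d 1 does not, the error text GnuTLS prints is what to search for. Note the caveat Jarett already raises: with ldap_tls_reqcert = never the client skips certificate verification, so a missing IP SAN cannot be what breaks the handshake; it only means a client that does verify would refuse the server. That same setting also lets any host answering on 10.8.8.60:636 impersonate the directory to SSSD, which matters as soon as the network is not fully trusted.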
Hi!
As you use IP addresses to connect, do your certificates specify those IP addresses as alternate subjects, too?
Regards, Ulrich
Jarett DeAngelis jarett@bioteam.net wrote on 09.01.2023 at 22:10 in message 768DFC4E-53A9-4F05-AD61-61C00ED52BC8@bioteam.net:
hi - using OpenLDAP 2.6.3 and finding that newer LDAP client libraries (like the one that comes with Ubuntu 22.04.1 LTS) can't complete a connection to the LDAP server's TLS port. A machine I have running Rocky 8.6, however, with OpenSSL 1.1.1k, connects just fine. This is using self-generated certificates, but the correct CA cert and server cert have been provided to SSSD to use for login. The two machines are using identical certificates and SSSD configuration files.
openldap-technical@openldap.org