--On Thursday, September 28, 2017 7:28 PM -0400 Robert Heller heller@deepsoft.com wrote:
At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount quanah@symas.com wrote:
--On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller heller@deepsoft.com wrote:
Slapd is reporting TLS Negotiation failure when SSSD tries to connect to it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess something is wrong with slapd's TLS configuration -- it is failing to do TLS Negotiation, either it is just not doing it or it is doing it wrong (somehow). Unless SSSD is not configured properly.
You need to start with the following:
ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
to test startTLS
and
ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
to test without startTLS
If you can get those to work, then you can move on to SSSD.
[heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D cn=Manager,dc=deepsoft,dc=com -W
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8157:Certificate extension not found.
This may be of help: https://serverfault.com/questions/640910/my-certificate-doesnt-work-on-all-machines
[heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D cn=Manager,dc=deepsoft,dc=com -W
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
This may mean slapd isn't listening on port 636 (with no -d -1 info, hard to know for sure). It may also simply be a different manifestation of the error above.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
At Thu, 28 Sep 2017 16:08:42 -0700 Quanah Gibson-Mount quanah@symas.com wrote:
I added a -d option (picked 10), and discovered that it wanted the full name as specified in the certificate. That fixed ldapwhoami and I put that in ldap.conf, smb.conf, and in sssd.conf, but sssd is still not behaving (samba is though, mostly -- it might also be having issues since sssd is not working)...
openldap-technical@openldap.org
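The fix reported in this thread (the client only accepts the server once the URI uses the host name exactly as it appears in the certificate) is the standard TLS host-name check that every LDAP client runs before trusting a server, whether on ldap:// with StartTLS (ldapwhoami -ZZ) or on ldaps://. The following script is an added example and is not code from the thread or from OpenLDAP: it models that check offline against a constructed certificate (the FQDN c764guest.example.com and the subject/SAN names are assumptions) and reports, for a given LDAP URI, whether the name check would pass or why it fails. It implements the general RFC 6125 matching rules (SAN dNSName entries take precedence over the subject CN, wildcards only as the whole left-most label), so it covers more than the single short-name case the thread hit.

```python
"""Host-name-vs-certificate check for LDAP StartTLS / ldaps clients.

Added example, not part of the mailing-list thread. It models the identity
check a TLS client performs on the server certificate; the certificate below
is constructed (no key material) and its names are hypothetical.
"""
import re

# Constructed server certificate: one subject CN and one SAN dNSName.
# The FQDN is an assumption; the thread never states the real certificate name.
EXAMPLE_CERT = {
    "subject_cn": "c764guest.example.com",
    "san_dns": ["c764guest.example.com"],
}


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one presented identifier against a host name (RFC 6125 style).

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    only honoured as the entire left-most label (``*.example.com``), never
    inside a label and never for a bare second-level name (``*.com``).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_identities(cert: dict) -> list:
    """Names a client will accept for this certificate.

    If the subjectAltName extension carries dNSName entries they are the
    authoritative list; only when it is absent does a client fall back to
    the subject CN.
    """
    if cert.get("san_dns"):
        return list(cert["san_dns"])
    return [cert["subject_cn"]] if cert.get("subject_cn") else []


def hostname_matches_certificate(hostname: str, cert: dict) -> bool:
    """True when the host name in the URI is one of the certificate's names."""
    return any(_dns_name_matches(name, hostname)
               for name in certificate_identities(cert))


def diagnose_ldap_uri(uri: str, cert: dict) -> str:
    """Explain whether the host name in an ldap:// or ldaps:// URI passes the check."""
    m = re.match(r"^(ldaps?)://([^/:]+)(?::(\d+))?/?$", uri)
    if not m:
        return f"unparseable LDAP URI: {uri!r}"
    scheme, host = m.group(1), m.group(2)
    port = m.group(3) or ("636" if scheme == "ldaps" else "389")
    mode = ("ldaps (TLS on connect)" if scheme == "ldaps"
            else "StartTLS on the plaintext port (ldapwhoami -ZZ)")
    names = certificate_identities(cert)
    if hostname_matches_certificate(host, cert):
        return f"OK: {host}:{port} via {mode}; host name matches {names}"
    return (f"FAIL: {host}:{port} via {mode}; '{host}' is not one of the "
            f"certificate's names {names} -> use the full name from the "
            f"certificate in the URI (ldap.conf, sssd.conf, smb.conf)")


if __name__ == "__main__":
    # Short host name (as in the thread) versus the full name from the certificate.
    for uri in ("ldap://c764guest:389",
                "ldaps://c764guest:636",
                "ldap://c764guest.example.com:389"):
        print(diagnose_ldap_uri(uri, EXAMPLE_CERT))
```

Running it prints a FAIL line for both short-name URIs and an OK line for the FQDN, which is the behaviour the thread observed once -d output showed the name the certificate actually carries. To look at a real server's names, `openssl s_client -connect host:636 | openssl x509 -noout -subject -ext subjectAltName` shows the CN and SAN entries the client will compare against.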