That's very strange. The code in SSSD here for this TLS setup is as follows:
    int ret;
    int optret;
    char *tlserr = NULL;

    /* Hand the already-open connection to libldap to negotiate STARTTLS */
    ret = ldap_install_tls(state->sh->ldap);
    if (ret != LDAP_SUCCESS) {
        /* Ask libldap for the diagnostic string it recorded on this handle */
        optret = ldap_get_option(state->sh->ldap,
                                 SDAP_DIAGNOSTIC_MESSAGE,
                                 (void*)&tlserr);
        if (optret == LDAP_SUCCESS) {
            DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
                      ldap_err2string(ret),
                      tlserr));
            ldap_memfree(tlserr);
        }
        else {
            DEBUG(3, ("ldap_install_tls failed: [%s]\n",
                      ldap_err2string(ret)));
        }
        /* error handling continues below in the original function */
    }
So we're relying entirely on the openldap libraries to perform this
connection for us. What's very strange is that we're getting back ret !=
LDAP_SUCCESS, but asking the openldap library for the error message is
reporting "Start TLS request accepted.Server willing to negotiate SSL."
This sounds like a bug in openldap-libs to me.
However, I would like to ask you to try one more experiment. Instead of
'ldapsearch -x -Z', please try 'ldapsearch -x -ZZ'. A single Z means
only "try to use TLS, and then fall back to unencrypted if it doesn't
work", whereas two Z's means "Use TLS, and if it fails, exit". I suspect
you'll find that your TLS setup is broken for ldapsearch as well.
If it's not, please check that the ldap_tls_cacert or ldap_tls_cacertdir
options in your /etc/sssd/sssd.conf are pointing at the correct CA
certificate.
--
Stephen Gallagher
RHCE 804006346421761
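A script for the check suggested above, added here as an example and not part of Stephen's mail or of SSSD: it reads ldap_tls_cacert / ldap_tls_cacertdir from the same sssd.conf section SSSD uses and runs ldapsearch -x -ZZ with exactly that trust, so a CA misconfiguration fails hard instead of silently falling back to plaintext. It assumes the OpenLDAP client tools are installed; the sample config, URI and certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Verify STARTTLS with ldapsearch -ZZ using the CA settings from sssd.conf,
# so a bad ldap_tls_cacert shows up as a hard failure rather than a fallback.

# Print the value of KEY in [SECTION] of an sssd.conf-style INI file.
# Usage: sssd_conf_get FILE SECTION KEY
sssd_conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insect = ($0 == sect); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Run ldapsearch -ZZ against URI with client trust taken from SECTION of CONF,
# passed through the OpenLDAP LDAPTLS_CACERT / LDAPTLS_CACERTDIR overrides
# (see ldap.conf(5)). Exit status: 2 if the configured CA file is unreadable,
# otherwise the ldapsearch status, which is 0 only if STARTTLS really worked.
check_starttls() {
    conf="$1"; section="$2"; uri="$3"
    cacert=$(sssd_conf_get "$conf" "$section" ldap_tls_cacert)
    cacertdir=$(sssd_conf_get "$conf" "$section" ldap_tls_cacertdir)
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "ldap_tls_cacert '$cacert' is not readable" >&2
        return 2
    fi
    (
        [ -n "$cacert" ] && export LDAPTLS_CACERT="$cacert"
        [ -n "$cacertdir" ] && export LDAPTLS_CACERTDIR="$cacertdir"
        # -ZZ: require TLS; -b '' -s base reads the root DSE, needs no auth
        exec ldapsearch -x -ZZ -H "$uri" -b '' -s base >/dev/null
    )
}

# Constructed sample config (placeholder values, not a real deployment).
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.com
[domain/example.com]
ldap_uri = ldap://ldap.example.com
ldap_tls_cacert = /etc/openldap/cacerts/example-ca.pem
EOF

# Usage: only attempted when the OpenLDAP client tools are installed.
if command -v ldapsearch >/dev/null 2>&1; then
    uri=$(sssd_conf_get "$SAMPLE_CONF" domain/example.com ldap_uri)
    check_starttls "$SAMPLE_CONF" domain/example.com "$uri" && echo "STARTTLS OK"
fi
```

A non-zero status from check_starttls with the same CA that sssd.conf names is the ldapsearch-side reproduction of the ldap_install_tls failure; a status of 2 means the path in ldap_tls_cacert is simply wrong.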