-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That's very strange. The code in SSSD here for this TLS setup is as follows:

    /* Hand the already-open connection to libldap for StartTLS. */
    ret = ldap_install_tls(state->sh->ldap);
    if (ret != LDAP_SUCCESS) {

        /* On failure, ask libldap for its diagnostic string; this
         * call can succeed even though ret is an error code. */
        optret = ldap_get_option(state->sh->ldap,
                                 SDAP_DIAGNOSTIC_MESSAGE,
                                 (void*)&tlserr);
        if (optret == LDAP_SUCCESS) {
            DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
                      ldap_err2string(ret),
                      tlserr));
            ldap_memfree(tlserr);   /* diagnostic string is libldap-allocated */
        }
        else {
            DEBUG(3, ("ldap_install_tls failed: [%s]\n",
                      ldap_err2string(ret)));
        }
    }

So we're relying entirely on the openldap libraries to perform this
connection for us. What's very strange is that we're getting back ret !=
LDAP_SUCCESS, but asking the openldap library for the error message is
reporting "Start TLS request accepted. Server willing to negotiate SSL."

This sounds like a bug in openldap-libs to me.

However, I would like to ask you to try one more experiment. Instead of
'ldapsearch -x -Z', please try 'ldapsearch -x -ZZ'. A single Z means
only "try to use TLS, and then fall back to unencrypted if it doesn't
work", whereas two Z's means "use TLS, and if it fails, exit". I suspect
you'll find that your TLS setup is broken for ldapsearch as well.


If it's not, please check that the ldap_tls_cacert or ldap_tls_cacertdir
options in your /etc/sssd/sssd.conf are pointing at the correct CA
certificate.

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0LTPMACgkQeiVVYja6o6OgLACeI40p4GTtGqVvOdce1mxjfN3Q
31MAn0zLTuLFljH6uCRJwhrD3S0KFFd/
=FeZX
-----END PGP SIGNATURE-----
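The two checks the reply above asks for (a hard-failing 'ldapsearch -x -ZZ' probe, and confirming that ldap_tls_cacert / ldap_tls_cacertdir in sssd.conf point at a usable CA) can be scripted together. The script below is an added example and is not code from SSSD, from OpenLDAP or from the mail; it assumes the OpenLDAP ldapsearch client is on PATH, that libldap honours the LDAPTLS_CACERT and LDAPTLS_CACERTDIR environment variables (the environment form of the ldap.conf TLS_CACERT / TLS_CACERTDIR options), and that a base-scope search of the root DSE requesting only the '1.1' pseudo-attribute is an acceptable probe against the server. The sssd.conf it parses is a constructed sample; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not SSSD, OpenLDAP or the mail author's code): read the
# ldap_uri / ldap_tls_cacert / ldap_tls_cacertdir settings of each
# [domain/...] section of an sssd.conf, sanity-check the CA material locally,
# then run "ldapsearch -x -ZZ" so a broken StartTLS exits non-zero instead of
# quietly continuing in the clear as a single -Z would.
# Assumes: ldapsearch on PATH; libldap honours LDAPTLS_CACERT/LDAPTLS_CACERTDIR.

# sssd_tls_settings CONF
#   prints one line per [domain/...] section: section|ldap_uri|cacert|cacertdir
sssd_tls_settings() {
    awk '
        /^[[:space:]]*\[/ {
            if (sect != "") print sect "|" uri "|" cacert "|" cadir
            sect = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sect)
            uri = ""; cacert = ""; cadir = ""
            next
        }
        /^[[:space:]]*(#|;|$)/ { next }          # comments and blank lines
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "ldap_uri")                uri = val
            else if (key == "ldap_tls_cacert")    cacert = val
            else if (key == "ldap_tls_cacertdir") cadir = val
        }
        END { if (sect != "") print sect "|" uri "|" cacert "|" cadir }
    ' "$1" | grep '^domain/'
}

# check_cacert FILE
#   0 if FILE is readable and looks PEM-encoded: the cheap local test for a
#   wrong ldap_tls_cacert path, done before any network round trip
check_cacert() {
    [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# starttls_probe URI CACERT CACERTDIR
#   -ZZ makes ldapsearch fail hard when StartTLS cannot be negotiated; the
#   subshell keeps the exported TLS variables from leaking between domains
starttls_probe() {
    (
        [ -n "$2" ] && export LDAPTLS_CACERT="$2"
        [ -n "$3" ] && export LDAPTLS_CACERTDIR="$3"
        # sssd separates multiple URIs with commas, ldapsearch -H wants spaces
        exec ldapsearch -x -ZZ -H "$(printf '%s' "$1" | tr ',' ' ')" \
             -s base -b '' 1.1
    )
}

# sssd_starttls_check CONF
#   local CA checks first, then the -ZZ probe, for every LDAP domain
sssd_starttls_check() {
    sssd_tls_settings "$1" | while IFS='|' read -r sect uri cacert cadir; do
        if [ -n "$cacert" ] && ! check_cacert "$cacert"; then
            echo "$sect: ldap_tls_cacert=$cacert is not a readable PEM file"
            continue
        fi
        if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
            echo "$sect: ldap_tls_cacertdir=$cadir is not a directory"
            continue
        fi
        rc=0
        starttls_probe "$uri" "$cacert" "$cadir" >/dev/null 2>&1 || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$sect: StartTLS to $uri OK"
        else
            echo "$sect: StartTLS to $uri FAILED (ldapsearch -ZZ exit $rc)"
        fi
    done
}

# usage: sh sssd_starttls_check.sh /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then
    sssd_starttls_check "$1"
fi
```

A non-zero exit from the -ZZ probe with a CA file that passes the local check usually means the CA does not actually sign the server certificate or the hostname in ldap_uri does not match it; a failure only on the local check means the path in sssd.conf is wrong, which is the second thing the reply asks you to verify.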
