Are you able to connect without a Start TLS?

ldapsearch -x -h -b dc=example,dc=com -w

If that works, then you have no ldap issues, and should be able to go
straight to getting sssd running with a keytab. If you want to test the
keytab, you can export it to a system, and run ..

kinit -kt /path/to/keytab

Then take a look to see if you have a ticket ...


If you have a ticket, then you should be able to auth to the ldap server
using SASL

ldapsearch -Y GSSAPI -h blah blah blah.

I have IPA set up with Ubuntu 12 clients, so I'm happy to lend a hand if you
need more information along the way.


On Tue, Dec 3, 2013 at 2:28 PM, Andrew Precht <> wrote:

> Hi IPA users,
> I'm having trouble getting the FreeIPA client to work in Ubuntu 12.04. I'm
> working my way through the Red Hat sssd troubleshooting guide:
> When I try a:* ldapsearch -x -ZZ -h
> <> -b dc=example,dc=com*
> I get: *ldap_start_tls: Connect error (-11) additional info: (unknown
> error code)*
> I have copied the /etc/ipa/ca.crt from the ipa server to the ubuntu client
> and the sssd.conf has: *ldap_tls_cacert = /etc/ipa/ca.crt*
> My syslog file has no mention of a non-trusted certificate.
> Any ideas on where to look next?
> Thanks Andrew Precht
> _______________________________________________
> Freeipa-users mailing list

Terry Soucy - Systems Engineer
Salesforce MarketingCloud -
(o) 506.631.7445 (c) 506.609.3247 | (e)
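
Added example, not part of the original thread: the quoted message sets ldap_tls_cacert in sssd.conf, but ldapsearch takes its CA file from the OpenLDAP client configuration (TLS_CACERT in ldap.conf, or the LDAPTLS_CACERT environment variable), not from sssd.conf. The shell functions below compare the two; the function names and the paths in the usage comment are assumptions, and per-user ldaprc files and TLS_CACERTDIR are not examined.

```shell
#!/bin/sh
# Added example (not from the thread): does ldapsearch trust the same CA
# file that sssd has been told to trust?
# Usage (paths are assumptions for an Ubuntu client):
#   sh check_ca.sh /etc/sssd/sssd.conf /etc/ldap/ldap.conf

# Print the ldap_tls_cacert value from an sssd.conf-style file.
# If the key is repeated, the last occurrence is reported.
sssd_cacert() {
    sed -n 's/^[[:space:]]*ldap_tls_cacert[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print the TLS_CACERT value from an ldap.conf-style file.
# The keyword is matched case-insensitively; paths containing spaces
# are not handled.
ldapconf_cacert() {
    awk 'toupper($1) == "TLS_CACERT" { v = $2 } END { if (v != "") print v }' "$1"
}

# CA file ldapsearch will use: LDAPTLS_CACERT in the environment
# overrides the value in ldap.conf.
ldapsearch_cacert() {
    if [ -n "${LDAPTLS_CACERT:-}" ]; then
        printf '%s\n' "$LDAPTLS_CACERT"
    else
        ldapconf_cacert "$1"
    fi
}

# check_ca SSSD_CONF LDAP_CONF
# Prints one verdict line. Returns 0 on match, 1 on mismatch,
# 2 when ldapsearch has no CA file configured at all.
check_ca() {
    _want=$(sssd_cacert "$1")
    _have=$(ldapsearch_cacert "$2")
    if [ -z "$_have" ]; then
        echo "ldapsearch has no TLS_CACERT; sssd trusts ${_want:-<unset>}"
        return 2
    elif [ "$_want" != "$_have" ]; then
        echo "mismatch: sssd=$_want ldapsearch=$_have"
        return 1
    fi
    echo "match: $_have"
}

# Run the check only when both file paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_ca "$1" "$2"
fi
```

A return code of 1 or 2 means sssd and ldapsearch are not validating the server certificate against the same CA file, so a StartTLS test with ldapsearch does not exercise the sssd setting.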