Check the permissions on your certificates.  I've had this happen a couple of 
times and it was due to the ldap user not being able to read the certificate on 
startup.  If they are wrong, correct them and restart slapd.

Matt
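The check Matt describes, as a shell script added here (not from the thread): it reads the TLS file directives from slapd.conf and reports whether the slapd service account can read each one, judged from the file's mode, owner and group alone, so it needs no user switching. The account name ldap, the conf path and GNU stat/awk are assumptions; note that the slapd.conf quoted below names no TLS files at all, so against that file as posted it would have nothing to check.

```shell
#!/bin/sh
# Added example (not from the thread). Answers "can the ldap user read the
# certificate?" from each file's mode/owner/group via GNU stat(1), so it needs
# no user switching. Account name "ldap" and the slapd.conf path are assumed.

# can_read FILE USER [GROUP...]: 0 if USER (member of GROUPs) may read FILE
# (directories also need the search bit), 1 if not, 2 if FILE is missing.
can_read() {
    file=$1; user=$2; shift 2
    [ -e "$file" ] || return 2
    [ "$user" = root ] && return 0          # root bypasses the mode bits
    perm=$(stat -c '%a' "$file")            # e.g. 640 or 4755
    perm=000$perm; perm=${perm#"${perm%???}"}   # keep the last three octal digits
    owner=$(stat -c '%U' "$file"); group=$(stat -c '%G' "$file")
    if [ "$user" = "$owner" ]; then
        bits=${perm%??}                     # owner digit applies, nothing else
    else
        bits=${perm#??}                     # "other" digit ...
        for g in "$@"; do                   # ... unless one of the groups matches
            [ "$g" = "$group" ] && { bits=${perm#?}; bits=${bits%?}; break; }
        done
    fi
    if [ -d "$file" ]; then [ $(( bits & 5 )) -eq 5 ]; else [ $(( bits & 4 )) -ne 0 ]; fi
}

# check_slapd_tls [CONF] [USER]: one line per TLS file directive found in CONF;
# exit 1 if any named file is missing or unreadable by USER.
check_slapd_tls() {
    conf=${1:-/etc/openldap/slapd.conf}; user=${2:-ldap}
    groups=$(id -Gn "$user" 2>/dev/null)   # empty when the account does not exist
    rc=0
    for key in TLSCACertificateFile TLSCACertificatePath \
               TLSCertificateFile TLSCertificateKeyFile; do
        path=$(awk -v k="$key" '$1 == k { print $2; exit }' "$conf" 2>/dev/null)
        [ -n "$path" ] || continue
        if can_read "$path" "$user" $groups; then
            echo "ok       $key $path"
        else
            echo "PROBLEM  $key $path (missing or not readable as $user)"; rc=1
        fi
    done
    return $rc
}

case "${1:-}" in --run) check_slapd_tls "${2:-}" "${3:-}" ;; esac
```

Run it as `sh check_tls.sh --run /etc/openldap/slapd.conf ldap`; a PROBLEM line points at the file whose mode or ownership to fix before restarting slapd.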

________________________________
From: [email protected] 
[mailto:[email protected]] On Behalf Of Chris
Sent: Thursday, 26 July 2012 8:56 PM
To: [email protected]
Subject: Openldap Problem

Hi.

I am using rhel 6.3, with sssd-1.8.0 and openldap-servers-2.4.23-26, the kernel 
is 2.6.32-279.2.1.el6.x86_64.
The problem I'm having is I get this error message in the messages file.

"sssd[be[default]]: Could not start TLS encryption. TLS error -5938:Encountered 
end of file"

I started sssd with debugging set to 9. Errors I saw in sssd_default.log are:

[dp_get_options] (0x0400): Option ldap_sasl_minssf has value -1
[get_port_status] (0x1000): Port status of port 389 for server 
'ibm-01.flamengro.co.za' is 'not working'

When I add new users I cannot log in with the new names; an ldapsearch shows them 
but getent passwd shows nothing.
Not all the users show up on my other machines either.

Any help will be appreciated.


My slapd.conf file looks like this.

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        bdb
suffix          "dc=flamengro,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=flamengro,dc=com"

rootpw  secret

directory       /var/lib/ldap/flamengro

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

database        monitor

access to *
        by dn.exact="cn=Manager,dc=flamengro,dc=com" read
        by * none
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none

My sssd.conf file looks like this

[sssd]
config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30
services = nss, pam

domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
auth_provider = ldap
cache_credentials = True
ldap_id_use_start_tls = True
debug_level = 9
ldap_search_base = dc=flamengro,dc=com
# krb5_realm = EXAMPLE.COM
chpass_provider = ldap
id_provider = ldap
ldap_uri = ldap://ibm-01.flamengro.co.za
# krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
enumerate = True
ldap_sasl_canonicalize = true
# krb5_server = kerberos.example.com
