Hi,
If you use sssd you don't need nslcd. Because openldap runs on localhost you can use the following configuration option for sssd to disable TLS (sssd doesn't work without TLS, but there is this undocumented option you can use):

ldap_auth_disable_tls_never_use_in_production = true

Regards,
Andrei

On 2013-04-24 00:38, Rodney Simioni wrote:
> Hi, I'm getting a weird behavior in LDAP with TLS.
>
> Using:
>
> openldap
> Linux Red Hat
> Sssd
> Nslcd
>
> When I issue a 'ldapsearch -x ZZ', it works flawlessly, but when I issue a `getent passwd`, I get back the system users in the /etc/passwd file but I don't see the ldap users.
>
> The openldap.log indicates the following when I issue the 'getent passwd' command:
>
> connection_read(14): TLS accept failure error=-1 id=1037
>
> But it does not give any errors when doing the ldapsearch -x ZZ.
>
> So, if I have TLS not correctly configured, shouldn't it not work completely?
>
> Here's my sssd.conf:
>
> [domain/local]
> debug_level = 9
> ldap_id_use_start_tls = True
> cache_credentials = True
> ldap_search_base = dc=wh,dc=local
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://127.0.0.1/
> ldap_tls_cacert = /certs/cacert.pem
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = local
>
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> Here's my nslcd.conf:
>
> uri ldap://127.0.0.1/
> base dc=wh,dc=local
> ssl start_tls
> tls_cacertfile /certs/cacert.pem
> tls_reqcert hard
>
> Here's my /etc/openldap/ldap.conf:
>
> TLS_CACERT /certs/cacert.pem
> TLS_REQCERT hard
> URI ldap://127.0.0.1/
> BASE dc=wh,dc=local

--
Andrei BĂNARU
Internal Support
CCNA Security, CCIP
StreamWIDE Romania
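The option suggested in the reply turns off TLS for the authentication bind, so the user's password travels to the LDAP server in the clear; on a loopback-only server that is a smaller exposure than over the wire, but it is exactly the kind of setting that gets left in place after troubleshooting. Below is an added audit script (my own code, not part of this thread or of the sssd project) that parses an sssd.conf and flags LDAP domains whose transport settings are weak. The sample configuration is constructed from the one quoted in the thread with the reply's option added; the assumed defaults (ldap_tls_reqcert defaulting to "hard", ldap_id_use_start_tls defaulting to false) follow the sssd-ldap manual page, and the truthiness rule for values is my own simplification.

```python
import configparser
import sys

# Constructed sample: the thread's sssd.conf with the TLS-disabling option
# from the reply added, so the audit has something to flag.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = local

[domain/local]
debug_level = 9
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=wh,dc=local
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://127.0.0.1/
ldap_tls_cacert = /certs/cacert.pem
ldap_auth_disable_tls_never_use_in_production = true
"""


def _truthy(value):
    """Simplified boolean parsing for sssd.conf values (assumption)."""
    return value.strip().lower() in ("true", "yes", "1", "on")


def audit_sssd_conf(text):
    """Return a list of (section, finding) tuples for [domain/*] sections
    using the ldap provider whose transport security looks weak."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        sec = parser[section]
        providers = {sec.get(k, "") for k in ("id_provider", "auth_provider", "chpass_provider")}
        if "ldap" not in providers:
            continue
        uris = sec.get("ldap_uri", "").replace(",", " ").split()
        plain = [u for u in uris if u.lower().startswith("ldap://")]
        ldaps = [u for u in uris if u.lower().startswith("ldaps://")]
        # Assumed default: STARTTLS is off unless ldap_id_use_start_tls is set.
        start_tls = _truthy(sec.get("ldap_id_use_start_tls", "false"))
        if plain and not start_tls:
            findings.append((section, "ldap:// URI without ldap_id_use_start_tls"))
        # The undocumented option from the reply: binds no longer require TLS.
        if _truthy(sec.get("ldap_auth_disable_tls_never_use_in_production", "false")):
            findings.append((section,
                             "ldap_auth_disable_tls_never_use_in_production is enabled: "
                             "authentication binds send passwords without TLS"))
        # Assumed default: ldap_tls_reqcert is "hard" when not set.
        reqcert = sec.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert not in ("demand", "hard"):
            findings.append((section, "ldap_tls_reqcert = %s does not require a valid server certificate" % reqcert))
        if (start_tls or ldaps) and not (sec.get("ldap_tls_cacert") or sec.get("ldap_tls_cacertdir")):
            findings.append((section, "TLS enabled but no ldap_tls_cacert or ldap_tls_cacertdir configured"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_sssd.py [/etc/sssd/sssd.conf]; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            conf = fh.read()
    else:
        conf = SAMPLE_SSSD_CONF
    for sect, msg in audit_sssd_conf(conf):
        print("%s: %s" % (sect, msg))
```

Run against the sample it reports only the disabled-TLS-for-auth finding; remove that line and the thread's original configuration passes, because it already uses STARTTLS with a pinned CA file and the default strict certificate check.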
