Robert Heller <[email protected]> writes:

> OK, I have narrowed things down to slapd and sssd not playing nice with each
> other. slapd is able to listen on ldaps (port 636) and accept SSL connections
> (e.g. from openssl s_client and other applications using straight SSL). slapd
> will also listen on ldap (port 389), but refuses to negotiate a TLS connection
> on port 389. It also refuses to negotiate a TLS connection on port 636. sssd
> seems to *insist* on negotiating a TLS connection on port 636 or port 389 and
> won't just connect using SSL to port 636. (At least that is what I *think* is
> going on.)
>
> So, I either need to get slapd to do TLS negotiation on port 389 OR port 636,
> or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
>
> How the hell do I get that to happen?

[...]
These are two different ports and methods to connect. On port 389 a client
initiates a secured session by calling the startTLS extended operation, while
on port 636 the server requests a secured session.

Check your init script, or systemctl service script, whether ldap:/// or
ldaps:// is initiated, or both.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
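The distinction Dieter draws is easiest to see at the wire level, so here is an added example (my own code, not part of this thread or of OpenLDAP or sssd) that implements both client-side paths with nothing but the standard library: on 636 the TLS handshake happens before any LDAP PDU is exchanged, whereas on 389 the client first sends an LDAP ExtendedRequest carrying the StartTLS OID 1.3.6.1.4.1.1466.20037 (RFC 4511 section 4.14) and only wraps the socket after the server answers with resultCode 0. The BER encoder and decoder are hand-rolled and minimal; the sample server replies are constructed for offline testing, not captured from a real slapd, and any host name you pass to the connect functions is your own.

```python
import socket
import ssl

# StartTLS extended operation OID, RFC 4511 section 4.14
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_length(n):
    """BER definite length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_integer(n):
    """Minimal two's-complement INTEGER contents octets (non-negative n)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request_name = tlv(0x80, STARTTLS_OID)            # [0] context-specific, primitive
    ext_req = tlv(0x77, request_name)                 # 0x40 | 0x20 | 23 = 0x77
    return tlv(0x30, tlv(0x02, ber_integer(message_id)) + ext_req)


def parse_tlv(buf, pos=0, expect=None):
    """Return (tag, contents, next_pos) for the TLV at pos; optionally check the tag."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if expect is not None and tag != expect:
        raise ValueError(f"expected tag 0x{expect:02x}, got 0x{tag:02x}")
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(buf):
    """Decode ExtendedResponse [APPLICATION 24]; return (messageID, resultCode, diagnosticMessage)."""
    _, body, _ = parse_tlv(buf, expect=0x30)                 # LDAPMessage SEQUENCE
    _, mid, pos = parse_tlv(body, expect=0x02)               # messageID INTEGER
    _, resp, _ = parse_tlv(body, pos, expect=0x78)           # 0x40 | 0x20 | 24 = 0x78
    _, rc, pos = parse_tlv(resp, expect=0x0A)                # resultCode ENUMERATED
    _, _matched_dn, pos = parse_tlv(resp, pos, expect=0x04)  # matchedDN OCTET STRING
    _, diag, _ = parse_tlv(resp, pos, expect=0x04)           # diagnosticMessage OCTET STRING
    return (int.from_bytes(mid, "big"), int.from_bytes(rc, "big"),
            diag.decode("utf-8", "replace"))


def build_sample_response(message_id, result_code, diag=""):
    """Constructed server reply for offline testing; not captured from a real slapd."""
    resp = tlv(0x0A, ber_integer(result_code)) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, ber_integer(message_id)) + tlv(0x78, resp))


# Constructed success reply (messageID 1, resultCode 0 = success, empty strings).
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data


def _recv_message(sock):
    """Read one complete BER TLV (header first, then exactly the announced length)."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def connect_ldaps(host, port=636, ctx=None):
    """LDAPS (port 636): TLS is negotiated before a single LDAP PDU is sent."""
    ctx = ctx or ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


def connect_starttls(host, port=389, ctx=None):
    """StartTLS (port 389): plain LDAP first; the client asks the server to upgrade."""
    ctx = ctx or ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    raw.sendall(build_starttls_request(1))
    _, rc, diag = parse_starttls_response(_recv_message(raw))
    if rc != 0:
        raw.close()
        raise RuntimeError(f"server refused StartTLS: resultCode={rc} {diag!r}")
    return ctx.wrap_socket(raw, server_hostname=host)
```

Which of the two paths a client takes is a configuration choice on both ends: slapd only answers on the listeners it was started with (`slapd -h "ldap:/// ldaps:///"`, or the equivalent URL list in the distribution's service file), and sssd uses the LDAPS path for an `ldap_uri` of the form `ldaps://host` and the StartTLS path for `ldap://host` together with `ldap_id_use_start_tls = true`. The same two checks from the command line are `ldapsearch -H ldaps://host` and `ldapsearch -H ldap://host -ZZ`; a server that refuses the extended operation returns a non-zero resultCode, which is exactly what `connect_starttls` surfaces.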
