At Thu, 28 Sep 2017 16:08:42 -0700 Quanah Gibson-Mount <[email protected]> wrote:
> --On Thursday, September 28, 2017 7:28 PM -0400 Robert Heller
> <[email protected]> wrote:
>
> > At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <[email protected]>
> > wrote:
> >
> >>
> >> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
> >> <[email protected]> wrote:
> >>
> >>
> >> > Slapd is reporting TLS Negotiation failure when SSSD tries to connect
> >> > to it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
> >> > something is wrong with slapd's TLS configuration -- it is failing to
> >> > do TLS Negotiation, either it is just not doing it or it is doing it
> >> > wrong (somehow). Unless SSSD is not configured properly.
> >>
> >> You need to start with the following:
> >>
> >> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
> >>
> >> to test startTLS
> >>
> >> and
> >>
> >> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
> >>
> >> to test without startTLS
> >>
> >> If you can get those to work, then you can move on to SSSD.
> >
> > [heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D cn=Manager,dc=deepsoft,dc=com -W
> > ldap_start_tls: Connect error (-11)
> >         additional info: TLS error -8157:Certificate extension not found.
>
> This may be of help:
> <https://serverfault.com/questions/640910/my-certificate-doesnt-work-on-all-machines>
>
> > [heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D cn=Manager,dc=deepsoft,dc=com -W
> > Enter LDAP Password:
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> This may mean slapd isn't listening on port 636 (With no -d -1 info, hard
> to know for sure). It may also simply be a different manifestation of the
> error above.

I added a -d option (picked 10), and discovered that it wanted the full name as specified in the certificate. That fixed ldapwhoami and I put that in ldap.conf, smb.conf, and in sssd.conf, but sssd is still not behaving (samba is though, mostly -- it might also be having issues since sssd is not working)...

> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>

--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
[email protected]       -- Webhosting Services
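The failure Robert works through above is a name check: the client connected to the short host name `c764guest`, but the TLS client only accepts a name that the server certificate actually carries, so `ldapwhoami` worked once the full name from the certificate was used. The thread does not say what that full name is, so the certificate contents below are constructed. This is an added Python example, not code from the thread, from OpenLDAP or from SSSD; it applies the usual TLS client rule (DNS subjectAltNames first, commonName only when no DNS SAN exists) to a dict shaped like `ssl.SSLSocket.getpeercert()`, and `fetch_peer_cert` can pull the live certificate from an `ldaps` port so the same check can be run against a real server before touching `ldap.conf` or `sssd.conf`.

```python
"""Check whether the host name a client uses for an LDAP server is covered by
the server certificate, the test a TLS client performs before the bind.

Added example, not code from the mailing-list thread. Host names and
certificate contents below are constructed for illustration.
"""
import socket
import ssl


def cert_names(cert):
    """Return (dns_san_names, common_names) from a getpeercert()-style dict."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return san, cns


def _name_match(pattern, hostname):
    """Match one certificate name against a host name, case-insensitively.
    A '*' is accepted only as the entire leftmost label and never for a
    bare two-label name, which is the conservative RFC 6125 reading."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate. When any DNS SAN is
    present only SANs count; the CN is consulted only as a fallback."""
    san, cns = cert_names(cert)
    candidates = san if san else cns
    return any(_name_match(name, hostname) for name in candidates)


def explain(cert, hostname):
    """One-line diagnosis suitable for a troubleshooting script."""
    san, cns = cert_names(cert)
    names = san if san else cns
    if hostname_matches(cert, hostname):
        return f"'{hostname}' matches certificate names {names}"
    return (f"'{hostname}' is not among certificate names {names}; "
            f"use one of those names in the -H URI and in ldap.conf/sssd.conf")


def fetch_peer_cert(host, port=636, cafile=None, timeout=5.0):
    """Fetch the server certificate as a getpeercert() dict over a direct TLS
    connection (ldaps). Chain validation stays on; only the host-name check
    is switched off so a mismatch can be reported rather than raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate description in the shape getpeercert() returns.
# The short host name from the thread is reused; the domain is made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "c764guest.example.test"),),),
    "subjectAltName": (("DNS", "c764guest.example.test"),),
}

if __name__ == "__main__":
    for name in ("c764guest", "c764guest.example.test"):
        print(explain(SAMPLE_CERT, name))
```

Running the block with the constructed certificate reports the short name as not covered and the full name as a match, which mirrors the two `ldapwhoami` outcomes above; against a real server, `explain(fetch_peer_cert("host"), "host")` gives the same answer for whichever name is configured in `ldap.conf` or `sssd.conf`.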
