SSSD should be configured to bind TLS with ldap:389 not ldaps:636. Increase SSSD log verbosity to get more information. I have also found that slapd logging can help determine bind issues.
How does one establish their own CA that's trusted by other Root CAs? Perhaps try disabling verification of the chain, then see if bind happens.

On Sep 28, 2017 9:14 PM, "Robert Heller" <[email protected]> wrote:

> At Thu, 28 Sep 2017 16:08:42 -0700 Quanah Gibson-Mount <[email protected]> wrote:
>
> > --On Thursday, September 28, 2017 7:28 PM -0400 Robert Heller
> > <[email protected]> wrote:
> >
> > > At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <[email protected]>
> > > wrote:
> > >
> > >> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
> > >> <[email protected]> wrote:
> > >>
> > >> > Slapd is reporting TLS Negotiation failure when SSSD tries to connect
> > >> > to it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
> > >> > something is wrong with slapd's TLS configuration -- it is failing to
> > >> > do TLS Negotiation, either it is just not doing it or it is doing it
> > >> > wrong (somehow). Unless SSSD is not configured properly.
> > >>
> > >> You need to start with the following:
> > >>
> > >> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
> > >>
> > >> to test startTLS
> > >>
> > >> and
> > >>
> > >> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
> > >>
> > >> to test without startTLS
> > >>
> > >> If you can get those to work, then you can move on to SSSD.
> > >
> > > [heller@c764guest ~]$ ldapwhoami -x -ZZ -H ldap://c764guest:389 -D
> > > cn=Manager,dc=deepsoft,dc=com -W
> > > ldap_start_tls: Connect error (-11)
> > > additional info: TLS error -8157:Certificate extension not found.
> >
> > This may be of help:
> > <https://serverfault.com/questions/640910/my-certificate-doesnt-work-on-all-machines>
> >
> > > [heller@c764guest ~]$ ldapwhoami -x -H ldaps://c764guest:636 -D
> > > cn=Manager,dc=deepsoft,dc=com -W
> > > Enter LDAP Password:
> > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > This may mean slapd isn't listening on port 636 (With no -d -1 info, hard
> > to know for sure). It may also simply be a different manifestation of the
> > error above.
>
> I added a -d option (picked 10), and discovered that it wanted the full name
> as specified in the certificate. That fixed ldapwhoami and I put that in
> ldap.conf, smb.conf, and in sssd.conf, but sssd is still not behaving (samba
> is though, mostly -- it might also be having issues since sssd is not
> working)...
>
> > --Quanah
> >
> > --
> >
> > Quanah Gibson-Mount
> > Product Architect
> > Symas Corporation
> > Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> > <http://www.symas.com>
>
> --
> Robert Heller -- 978-544-6933
> Deepwoods Software -- Custom Software Services
> http://www.deepsoft.com/ -- Linux Administration Services
> [email protected] -- Webhosting Services
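The thread turns on one check the LDAP client performs before it will bind over TLS: the host named in the `-H` / `ldap_uri` value must match a name in the server certificate, and `ldap://c764guest:389` failed until the full name from the certificate was used. The following is an added example (not code from OpenLDAP, SSSD, or anyone in the thread) that models that hostname check the way TLS clients apply it: dNSName subjectAltName entries are consulted first, the subject CN only when the certificate has no dNSName SAN at all, and a wildcard is accepted only as the whole leftmost label. The certificate contents and the FQDN `c764guest.deepsoft.com` are constructed for the example; the thread never states the actual name in the certificate.

```python
"""Hostname verification as an LDAP client applies it to a server certificate.

Added illustration, not code from OpenLDAP, SSSD or the mailing-list thread.
The certificate names and URI hosts below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """The identity fields a TLS client inspects (constructed, not parsed from PEM)."""
    subject_cn: Optional[str]
    dns_sans: List[str] = field(default_factory=list)


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the host taken from the ldap:// URI.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only when it is the entire leftmost label of a name with at least
    two further labels, and it matches exactly one label: "*.deepsoft.com"
    covers "ldap.deepsoft.com" but not "a.b.deepsoft.com", and "*.com" or a
    bare "*" cover nothing.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_verified(cert: ServerCert, uri_host: str) -> bool:
    """True when the URI host is covered by the certificate.

    If the certificate carries any dNSName SAN, only the SANs count; the CN
    is a legacy fallback used solely when no dNSName SAN is present.
    """
    if cert.dns_sans:
        return any(name_matches(n, uri_host) for n in cert.dns_sans)
    return cert.subject_cn is not None and name_matches(cert.subject_cn, uri_host)


def diagnose(cert: ServerCert, uri_host: str) -> str:
    """One-line verdict of the kind an admin wants before touching sssd.conf."""
    if hostname_verified(cert, uri_host):
        return f"OK: {uri_host} is covered by the certificate"
    names = cert.dns_sans or ([cert.subject_cn] if cert.subject_cn else [])
    return (f"MISMATCH: {uri_host} is not named in the certificate; use one of "
            f"{names} in -H / ldap_uri, or reissue the certificate with a SAN for it")


# Constructed to mirror the thread: the certificate names the full host, the
# first attempt used the short name.  The FQDN is an assumption, not a fact
# taken from the thread.
SERVER_CERT = ServerCert(subject_cn="c764guest.deepsoft.com",
                         dns_sans=["c764guest.deepsoft.com"])

if __name__ == "__main__":
    for host in ("c764guest", "c764guest.deepsoft.com"):
        print(diagnose(SERVER_CERT, host))
```

To see what the real certificate carries, `openssl s_client -connect host:636 -showcerts` (or `-starttls ldap` against 389 with a recent OpenSSL) followed by `openssl x509 -noout -subject -ext subjectAltName` on the returned PEM shows the exact names, and whatever appears there is what belongs in `ldap_uri` in sssd.conf and in `-H` on the command line. Disabling chain verification (`TLS_REQCERT never` in ldap.conf, `ldap_tls_reqcert = never` in sssd.conf), as suggested at the top of this reply, is useful only to confirm that the failure is certificate validation and not the listener; it removes the protection against a spoofed directory server, so set `TLS_REQCERT demand` with the CA in `TLS_CACERT` / `ldap_tls_cacert` again once the name or the certificate has been corrected.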
