On 28.09.2017 21:41, Robert Heller wrote:
> Will these spit out useful error messages? If I just get "TLS Negotiation
> failure" it is not going to be helpful.
>

You can make it a little bit more verbose with the option "-d -1"

It is only a suggestion, but can you test the parameter

TLS_REQCERT allow

in your /etc/openldap/ldap.conf

This is not a good option for production systems, but it seems you come in
trouble with your certificates.

You have to set your TLS_CACERT xor TLS_CACERTDIR correctly in your
/etc/openldap/slapd.conf to work stressless with your ssl/tls.

best regards

Michael

> At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <[email protected]>
> wrote:
>
>>
>> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
>> <[email protected]> wrote:
>>
>>
>>> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
>>> it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
>>> something is wrong with slapd's TLS configuration -- it is failing to do
>>> TLS Negotiation, either it is just not doing it or it is doing it wrong
>>> (somehow). Unless SSSD is not configured properly.
>>
>> You need to start with the following:
>>
>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>>
>> to test startTLS
>>
>> and
>>
>> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
>>
>> to test without startTLS
>>
>> If you can get those to work, then you can move on to SSSD.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Product Architect
>> Symas Corporation
>> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>> <http://www.symas.com>
>>
>>
>

--
Michael Wandel
Braakstraße 43
33647 Bielefeld
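The reply above suggests temporarily setting "TLS_REQCERT allow" to get past certificate trouble and warns that it is not a production setting. A small lint over the client-side ldap.conf makes sure such a debugging value, or a missing trust anchor, is caught before it is forgotten. This is an added example written for this page, not code from the thread or from the OpenLDAP project; the file paths and the two sample ldap.conf contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): lint the TLS directives of an OpenLDAP
# client ldap.conf so that a debugging value such as "TLS_REQCERT allow" or a
# missing CA setting does not survive into production.  All paths and sample
# file contents below are constructed for this demonstration.

# Print the value of a directive (name matched case-insensitively).  As in
# ldap.conf, a later occurrence overrides an earlier one; comment and blank
# lines are skipped.  $1 = directive name, $2 = file.
ldap_conf_get() {
    awk -v key="$(printf '%s' "$1" | tr 'a-z' 'A-Z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && toupper($1) == key { val = $2 }
        END { if (val != "") print val }
    ' "$2"
}

# Return 0 when the TLS client settings in $1 are production-safe, 1 otherwise.
# Each finding is printed on its own line, prefixed with "WARN:".
lint_ldap_tls() {
    file="$1"
    rc=0
    reqcert=$(ldap_conf_get TLS_REQCERT "$file")
    cacert=$(ldap_conf_get TLS_CACERT "$file")
    cacertdir=$(ldap_conf_get TLS_CACERTDIR "$file")

    # TLS_REQCERT: "demand" (the default when unset) and "hard" verify the
    # server certificate; "never", "allow" and "try" let a bad or missing
    # certificate through, which is why "allow" is only a debugging aid.
    case "$(printf '%s' "${reqcert:-demand}" | tr 'A-Z' 'a-z')" in
        demand|hard) ;;
        *) echo "WARN: TLS_REQCERT $reqcert does not enforce server certificate verification"
           rc=1 ;;
    esac

    # One trust-anchor source (file or directory) should be configured, as
    # the reply above recommends; with none, verification has nothing to
    # check against, and with both the configuration is ambiguous.
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "WARN: neither TLS_CACERT nor TLS_CACERTDIR is set"
        rc=1
    elif [ -n "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "WARN: both TLS_CACERT and TLS_CACERTDIR are set; use exactly one"
        rc=1
    fi

    # A named CA file must exist and be readable by the client.
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "WARN: TLS_CACERT $cacert is not readable"
        rc=1
    fi
    return $rc
}

# Demonstration on two constructed ldap.conf files in a scratch directory.
tmp=$(mktemp -d)
: > "$tmp/ca.crt"                               # stand-in for the CA bundle
printf '# left over from debugging\nTLS_REQCERT allow\n' > "$tmp/weak.conf"
printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$tmp/ca.crt" > "$tmp/ok.conf"

echo "== weak.conf"
lint_ldap_tls "$tmp/weak.conf" || echo "result: NOT production-safe"
echo "== ok.conf"
lint_ldap_tls "$tmp/ok.conf" && echo "result: OK"
rm -rf "$tmp"
```

Run it against the real file with `lint_ldap_tls /etc/openldap/ldap.conf` once the ldapwhoami tests from the quoted message succeed; the debugging value should be gone by then and the lint confirms it.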
