Hi! As you use IP addresses to connect, do your certificates specify those IP addresses as alternate subjects, too?
Regards, Ulrich

>>> Jarett DeAngelis <[email protected]> wrote on 09.01.2023 at 22:10 in message <[email protected]>:
> Hi - using OpenLDAP 2.6.3 and finding that newer LDAP client libraries (like
> the one that comes with Ubuntu 22.04.1 LTS) can't complete a connection to
> the LDAP server's TLS port. A machine I have running Rocky 8.6, however, with
> OpenSSL 1.1.1k, connects just fine. This is using self-generated
> certificates, but the correct CA cert and server cert have been provided to
> SSSD to use for login. The two machines are using identical certificates and
> SSSD configuration files.
>
> How do we begin to troubleshoot this? The trouble is seen in the SSSD log:
>
> (2023-01-09 21:08:26): [be[default]] [fo_resolve_service_send] (0x0100): [RID#13] Trying to resolve service 'LDAP'
> (2023-01-09 21:08:26): [be[default]] [get_server_status] (0x1000): [RID#13] Status of server '10.8.8.60' is 'name not resolved'
> (2023-01-09 21:08:26): [be[default]] [get_port_status] (0x1000): [RID#13] Port status of port 636 for server '10.8.8.60' is 'neutral'
> (2023-01-09 21:08:26): [be[default]] [fo_resolve_service_activate_timeout] (0x2000): [RID#13] Resolve timeout [dns_resolver_timeout] set to 6 seconds
> (2023-01-09 21:08:26): [be[default]] [get_server_status] (0x1000): [RID#13] Status of server '10.8.8.60' is 'name not resolved'
> (2023-01-09 21:08:26): [be[default]] [set_server_common_status] (0x0100): [RID#13] Marking server '10.8.8.60' as 'resolving name'
> (2023-01-09 21:08:26): [be[default]] [check_if_online_delayed] (0x2000): [RID#12] Check online req created.
> (2023-01-09 21:08:26): [be[default]] [set_server_common_status] (0x0100): [RID#13] Marking server '10.8.8.60' as 'name resolved'
> (2023-01-09 21:08:26): [be[default]] [be_resolve_server_process] (0x1000): [RID#13] Saving the first resolved server
> (2023-01-09 21:08:26): [be[default]] [be_resolve_server_process] (0x0200): [RID#13] Found address for server 10.8.8.60: [10.8.8.60] TTL 7200
> (2023-01-09 21:08:26): [be[default]] [sdap_uri_callback] (0x0400): [RID#13] Constructed uri 'ldaps://10.8.8.60:636'
> (2023-01-09 21:08:26): [be[default]] [sssd_async_socket_init_send] (0x4000): [RID#13] Using file descriptor [23] for the connection.
> (2023-01-09 21:08:26): [be[default]] [sssd_async_socket_init_send] (0x0400): [RID#13] Setting 60 seconds timeout [ldap_network_timeout] for connecting
> (2023-01-09 21:08:26): [be[default]] [sss_ldap_init_sys_connect_done] (0x0020): [RID#13] ldap_install_tls failed: [Connect error] [unknown error]
> (2023-01-09 21:08:26): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#13] calling ldap_unbind_ext for ldap:[0x55c44d26c1b0] sd:[23]
> (2023-01-09 21:08:26): [be[default]] [sss_ldap_init_state_destructor] (0x0400): [RID#13] closing socket [23]
> (2023-01-09 21:08:26): [be[default]] [sdap_sys_connect_done] (0x0020): [RID#13] sdap_async_connect_call request failed: [5]: Input/output error.
> (2023-01-09 21:08:26): [be[default]] [sdap_handle_release] (0x2000): [RID#13] Trace: sh[0x55c44d24a740], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
> (2023-01-09 21:08:26): [be[default]] [_be_fo_set_port_status] (0x8000): [RID#13] Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1633
> (2023-01-09 21:08:26): [be[default]] [fo_set_port_status] (0x0100): [RID#13] Marking port 636 of server '10.8.8.60' as 'not working'
> (2023-01-09 21:08:26): [be[default]] [fo_set_port_status] (0x0400): [RID#13] Marking port 636 of duplicate server '10.8.8.60' as 'not working'
>
> Thanks,
> Jarett
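The question above is about identity checking: SSSD builds the URI from the IP literal (ldaps://10.8.8.60:636), so a client that verifies the peer identity will only accept the server certificate if it carries that address as an iPAddress subject alternative name; a commonName or a dNSName that happens to spell the same digits does not count. The script below is an added example, not code from the thread, SSSD or OpenLDAP. It implements that matching rule over the dict shape that Python's ssl.SSLSocket.getpeercert() returns, with two constructed sample certificates (the names ldap.example.internal and *.ldap-pool.example.internal are invented; only 10.8.8.60 comes from the log), and includes a helper that fetches a live server's certificate after validating the chain against your own CA file but before any name check, so the SAN list of a misbehaving server can be inspected.

```python
import ipaddress
import socket
import ssl

# Constructed sample certificates in getpeercert() dict form; neither is real.
CERT_NO_IP_SAN = {
    "subject": ((("commonName", "ldap.example.internal"),),),
    "subjectAltName": (("DNS", "ldap.example.internal"),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ldap.example.internal"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.internal"),
        ("DNS", "*.ldap-pool.example.internal"),
        ("IP Address", "10.8.8.60"),
    ),
}


def _dns_name_matches(pattern, hostname):
    """dNSName comparison: case-insensitive, trailing dot ignored, and a
    wildcard is honoured only as the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _common_name(peercert):
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def peer_identity_matches(peercert, target, allow_cn_fallback=False):
    """Decide whether a certificate is valid for the identity the client
    connected to (an IP literal or a DNS name). Returns (matched, reason)."""
    sans = peercert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # IP literal: only iPAddress SAN entries are consulted, never CN or dNSName.
        ip_sans = [v for k, v in sans if k == "IP Address"]
        for value in ip_sans:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True, "iPAddress SAN %s matches" % value
            except ValueError:
                continue
        return False, "no iPAddress SAN for %s (present: %s)" % (wanted_ip, ip_sans or "none")

    dns_sans = [v for k, v in sans if k == "DNS"]
    for pattern in dns_sans:
        if _dns_name_matches(pattern, target):
            return True, "dNSName SAN %s matches" % pattern
    if dns_sans:
        return False, "no dNSName SAN matches %s" % target
    # Legacy behaviour: CN is consulted only when no dNSName SAN exists at all,
    # and only if the caller explicitly allows it.
    cn = _common_name(peercert)
    if allow_cn_fallback and cn is not None and _dns_name_matches(cn, target):
        return True, "matched via subject CN fallback (no SAN present)"
    return False, "no SAN present and CN fallback not used"


def fetch_validated_peer_cert(host, port=636, cafile=None, timeout=10.0):
    """Validate the chain against cafile but skip the identity check, and
    return the peer certificate dict so its SAN can be inspected. Network
    helper; not called at import time."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # we want the cert even if the name is wrong
    ctx.verify_mode = ssl.CERT_REQUIRED  # getpeercert() is empty without verification
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:   # usage: script.py 10.8.8.60 [ca.pem]
        host = sys.argv[1]
        cert = fetch_validated_peer_cert(host, cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    else:                    # offline: use the constructed sample
        host, cert = "10.8.8.60", CERT_NO_IP_SAN
    print("SAN:", cert.get("subjectAltName"))
    print(peer_identity_matches(cert, host))
```

Run offline it reports that CERT_NO_IP_SAN does not match 10.8.8.60 even though the same cert is fine for ldap.example.internal; run against a real server with your CA file it prints the actual SAN list, which is the quickest way to confirm or rule out the hypothesis in the reply above. If the fix is to add the address to the certificate, it belongs in subjectAltName as an IP entry, not in the CN.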
