Hi Chris,

You do not seem to be setting any TLS settings in your slapd. Are you also starting it with "-h ldaps:///"? Also, if so, can you do an ldapsearch with the -ZZ option, which will ensure TLS starts?

eg. in slapd.conf

    # ssl
    TLSCipherSuite HIGH
    TLSCertificateFile /etc/openldap/certs/slapd-cert.pem
    TLSCertificateKeyFile /etc/openldap/certs/slapd-key.pem
    TLSVerifyClient never
    TLSCACertificateFile /etc/openldap/certs/ca-cert.pem

Thanks,
derek

On 7/26/12 5:18 AM, Chris wrote:
> Hi.
>
> I am using RHEL 6.3 with sssd-1.8.0 and openldap-servers-2.4.23-26; the
> kernel is 2.6.32-279.2.1.el6.x86_64.
> The problem I'm having is that I get this error message in the messages file:
>
> "sssd[be[default]]: Could not start TLS encryption. TLS error
> -5938:Encountered end of file"
>
> Errors I saw in sssd_default.log
>
> When I add new users I cannot log in with the new names; an ldapsearch
> shows them but getent passwd shows nothing.
> Not all the users show up on my other machines, only some.
>
> Any help will be appreciated.
>
> My slapd.conf file looks like this.
>
> include /etc/openldap/schema/corba.schema
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/duaconf.schema
> include /etc/openldap/schema/dyngroup.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/java.schema
> include /etc/openldap/schema/misc.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/openldap.schema
> include /etc/openldap/schema/ppolicy.schema
> include /etc/openldap/schema/collective.schema
>
> allow bind_v2
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> database bdb
> suffix "dc=flamengro,dc=com"
> checkpoint 1024 15
> rootdn "cn=Manager,dc=flamengro,dc=com"
>
> rootpw secret
>
> directory /var/lib/ldap/flamengro
>
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
>
> database monitor
> access to *
>         by dn.exact="cn=Manager,dc=flamengro,dc=com" read
>         by * none
> access to attrs=userPassword,shadowLastChange
>         by anonymous auth
>         by self write
>         by * none
>
> My sssd.conf file looks like this
>
> [sssd]
> config_file_version = 2
>
> reconnection_retries = 3
>
> sbus_timeout = 30
> services = nss, pam
>
> domains = default
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
>
> [domain/default]
> auth_provider = ldap
> cache_credentials = True
> ldap_id_use_start_tls = True
> debug_level = 9
> ldap_search_base = dc=flamengro,dc=com
> # krb5_realm = EXAMPLE.COM
> chpass_provider = ldap
> id_provider = ldap
> ldap_uri = ldap://ibm-01.flamengro.co.za
> # krb5_kdcip = kerberos.example.com
> ldap_tls_cacertdir = /etc/openldap/cacerts
> enumerate = True
> ldap_sasl_canonicalize = true
> # krb5_server = kerberos.example.com
>
> _______________________________________________
> rhelv6-list mailing list
> rhelv6-list@redhat.com
> https://www.redhat.com/mailman/listinfo/rhelv6-list

--
--- Derek T. Yarnell
University of Maryland Institute for Advanced Computer Studies
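The mismatch the two posted configs show, as an added pre-flight check that is not part of either message: sssd.conf says ldap_id_use_start_tls = True, so sssd sends a StartTLS extended operation on the plain ldap:// URI, while slapd.conf carries no TLS* directives at all, so slapd has no certificate to answer with and drops the connection (which is what "Encountered end of file" during the TLS start looks like from the client). The script below greps a slapd.conf for the directives Derek suggests and reports which are missing whenever the paired sssd.conf asks for StartTLS. The sample files it writes are constructed for the demo, and the certificate paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): does slapd.conf provide what
# sssd's ldap_id_use_start_tls = True needs? Paths below are assumptions.

# Print the TLS directives slapd.conf lacks (space-separated); exit 0 when none are missing.
slapd_tls_missing() {
    _conf="$1"
    _missing=""
    for _d in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        # A directive counts only if it is uncommented and carries a value.
        grep -Eq "^[[:space:]]*${_d}[[:space:]]+[^[:space:]]" "$_conf" || \
            _missing="${_missing}${_d} "
    done
    printf '%s' "$_missing"
    [ -z "$_missing" ]
}

# Exit 0 if sssd.conf asks for StartTLS on the identity channel.
sssd_wants_starttls() {
    grep -Eiq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Verdict for a (sssd.conf, slapd.conf) pair: "ok", or a mismatch line and exit 1.
check_pair() {
    _sssd="$1"; _slapd="$2"
    if sssd_wants_starttls "$_sssd"; then
        _m=$(slapd_tls_missing "$_slapd") || true
        if [ -n "$_m" ]; then
            printf 'mismatch: sssd requires StartTLS but slapd.conf lacks %s\n' "$_m"
            return 1
        fi
    fi
    echo ok
}

# Constructed sample inputs, written to a temp dir so this runs offline.
TMPD=$(mktemp -d)
cat > "$TMPD/sssd.conf" <<'EOF'
[domain/default]
id_provider = ldap
ldap_uri = ldap://ibm-01.flamengro.co.za
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
EOF

# As posted: a database section and no TLS directives.
cat > "$TMPD/slapd-before.conf" <<'EOF'
database bdb
suffix "dc=flamengro,dc=com"
EOF

# With the directives from the reply (placeholder paths).
cat > "$TMPD/slapd-after.conf" <<'EOF'
TLSCipherSuite HIGH
TLSCertificateFile /etc/openldap/certs/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/certs/slapd-key.pem
TLSVerifyClient never
TLSCACertificateFile /etc/openldap/certs/ca-cert.pem
EOF

check_pair "$TMPD/sssd.conf" "$TMPD/slapd-before.conf" || true
check_pair "$TMPD/sssd.conf" "$TMPD/slapd-after.conf"
```

Once the directives are in place and slapd has been restarted, the client-side confirmation is the one the reply asks for: `ldapsearch -x -ZZ -H ldap://ibm-01.flamengro.co.za -b dc=flamengro,dc=com` fails outright if StartTLS cannot be negotiated instead of silently falling back to cleartext. For sssd to then trust the server, the CA that signed slapd-cert.pem must be present in ldap_tls_cacertdir in OpenSSL hashed-link form (c_rehash, or cacertdir_rehash on RHEL), or be pointed at directly with ldap_tls_cacert; a directory without hash links produces a verification failure rather than the EOF error seen here.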