Are you able to connect without a Start TLS?

    ldapsearch -x -h test.example.com -b dc=example,dc=com -w supersecretpassphrase

If that works, then you have no LDAP issues, and should be able to go straight to getting sssd running with a keytab. If you want to test the keytab, you can export it to a system, and run:

    kinit -kt /path/to/keytab

Then take a look to see if you have a ticket:

    klist

If you have a ticket, then you should be able to auth to the LDAP server using SASL:

    ldapsearch -Y GSSAPI -h test.example.com blah blah blah

I have IPA set up with Ubuntu 12 clients, so I'm happy to lend a hand if you need more information along the way.

Terry

On Tue, Dec 3, 2013 at 2:28 PM, Andrew Precht <andrewprech...@gmail.com> wrote:

> Hi IPA users,
>
> I'm having trouble getting the FreeIPA client to work in Ubuntu 12.04. I'm
> working my way through the Red Hat sssd troubleshooting guide:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
>
> When I try a: *ldapsearch -x -ZZ -h test.example.com -b dc=example,dc=com*
>
> I get: *ldap_start_tls: Connect error (-11) additional info: (unknown
> error code)*
>
> I have copied the /etc/ipa/ca.crt from the ipa server to the ubuntu client
> and the sssd.conf has: *ldap_tls_cacert = /etc/ipa/ca.crt*
>
> My syslog file has no mention of a non-trusted certificate.
>
> Any ideas on where to look next?
>
> Thanks
> Andrew Precht
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Terry Soucy - Systems Engineer
Salesforce MarketingCloud - http://www.salesforce.com
(o) 506.631.7445 (c) 506.609.3247 | (e) tso...@salesforce.com