Hi, LDAP is working fine without sssd. When sssd is enabled, getent works fine and gets all the user info. When I try to make an ssh connection to the sssd-enabled server, I see the debug entries below in the LDAP server's log file. The certs were created on Gentoo machines, but I use the certs on CentOS also. I have one Gentoo ldap-provider server and 2 Gentoo ldap-consumer servers. This CentOS machine is the 3rd LDAP consumer server. When I point sssd.conf at the Gentoo LDAP servers, sssd works fine. But when I point sssd.conf at the CentOS LDAP server, I get an error when I try to make an ssh connection to that server.
TLS: loaded CA certificate file /etc/openldap/ssl/cacert.pem.
TLS: certificate [[email protected],CN=ldap01.jazzy.com,O=Jazzy Hizmetler A.S,L=Istanbul,ST=Sisli,C=TR] is not valid - error -8181:Unknown code ___f 11.
TLS: certificate [[email protected],CN=jazzy.com,O=Jazzy Hizmetler A.S.,ST=Sisli,C=TR] is not correct because it is a CA cert and the BasicConstraint CA flag is set to FALSE - allowing for now, but please fix your certs if possible
TLS: error: unable to find and verify server's cert and key for certificate PEM Token #0:servercrt.pem - 0
TLS: error: could not initialize moznss security context - error -8156:Unknown code ___f 36
TLS: can't create ssl handle.
connection_read(19): TLS accept failure error=-1 id=1001, closing
connection_closing: readying conn=1001 sd=19 for close

sssd conf:

[domain/azldap.jazzy.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://172.16.10.48
ldap_search_base = dc=jazzy,dc=com
ldap_tls_reqcert = allow
cache_credentials = true
enumerate = true
entry_cache_timeout = 5400
ldap_user_gecos = uid

Thanks,
AS

On Thu, Feb 9, 2012 at 3:12 PM, Jakub Hrozek <[email protected]> wrote:
> On Thu, Feb 09, 2012 at 01:44:35PM +0200, Aziz Sasmaz wrote:
> > Hi,
> > sssd gives the error below when it tries to connect to my LDAP server. My
> > LDAP server is CentOS release 6.2 (Final) and the servers using sssd are
> > the same.
> > In one of my datacenters I use Gentoo LDAP servers and RedHat(5) sssd
> > servers and I get no errors with the same configuration parameters.
> > It says "something bad happened" below. What is that something? Could you
> > please help me regarding this error?
> >
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [set_server_common_status] (4): Marking server '172.16.10.48' as 'working'
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [simple_bind_send] (4): Executing simple bind as: uid=aziz,ou=People,dc=bilyoner,dc=com
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [sdap_process_result] (4): ldap_result gave -1, something bad happend!
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [be_pam_handler_callback] (4): Sending result [4][azldap.bilyoner.com]
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [be_pam_handler_callback] (4): Sent result [4][azldap.bilyoner.com]
> >
> > Thanks,
> > AS
>
> Unfortunately the LDAP library does not pass any extra information
> except the "something bad happened" sentence to the client side.
>
> Do you have access to the server logs? Can you check if there is any
> useful information there?
>
> My guess would be to check for any certificate issues.
> _______________________________________________
> sssd-devel mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/sssd-devel
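The server-side NSS log above points at two certificate defects: a CA certificate that carries basicConstraints CA:FALSE, and a server certificate NSS rejects (error -8181 is SEC_ERROR_EXPIRED_CERTIFICATE and -8156 is SEC_ERROR_CA_CERT_INVALID in NSS's error table). The script below is an added example, not code from the thread, from sssd or from OpenLDAP; it checks those same properties with openssl(1) instead of NSS, assumes openssl is on PATH, and builds its own throwaway CA and server certificates so it runs offline.

```shell
#!/bin/sh
# Added example: check the properties the OpenLDAP TLS log complained about
# using openssl(1) rather than NSS. All certificates are constructed here.

# Return 0 only if CA cert $1 and server cert $2 would pass a TLS client's checks.
check_ldap_certs() {
    ca="$1"; srv="$2"; rc=0
    # "BasicConstraint CA flag is set to FALSE": the issuer must assert CA:TRUE
    if ! openssl x509 -in "$ca" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "FAIL: $ca does not carry basicConstraints CA:TRUE"; rc=1
    fi
    # NSS -8181 (SEC_ERROR_EXPIRED_CERTIFICATE): the server cert must still be valid
    if ! openssl x509 -in "$srv" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $srv has expired"; rc=1
    fi
    # The chain must verify, which is what moznss could not do for servercrt.pem
    if ! openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1; then
        echo "FAIL: $srv does not chain to $ca"; rc=1
    fi
    return $rc
}

# Build a throwaway CA (basicConstraints CA:$2) and a server cert it signs, under $1.
make_test_pki() {
    dir="$1"; caflag="$2"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:%s\n' "$caflag" > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "/CN=Constructed Test CA" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/srv.key" \
        -out "$dir/srv.csr" -subj "/CN=ldap01.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/srv.pem" 2>/dev/null
}

# Demo: a CA:FALSE issuer (the defect in the log) fails, a CA:TRUE issuer passes.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
for flag in FALSE TRUE; do
    make_test_pki "$workdir/$flag" "$flag"
    if check_ldap_certs "$workdir/$flag/ca.pem" "$workdir/$flag/srv.pem"; then
        echo "CA:$flag -> PASS"
    else
        echo "CA:$flag -> would fail TLS verification"
    fi
done
```

Run check_ldap_certs against the real /etc/openldap/ssl/cacert.pem and servercrt.pem on the CentOS server to see which of the three checks the deployed files fail.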
