In my experience, TLS failures are almost always due to a small
handful of problems.

Two that come to mind immediately are:

1. Common name matching.
   Check the common name for the cert and make sure your requests are
   going to that name.

2. Not including certs.
   Make sure you are including all certs needed to validate your server's
   SSL endpoint.
   Make sure you are pointing to the correct directory that includes these
   certs, i.e. ldap_tls_cacertdir.
Dan
On Mon, 2017-10-02 at 11:01 -0700, Jeff White wrote:
> I'm attempting to enable LDAP server TLS certificate validation with
> "ldap_tls_reqcert = demand".  However, when I set that value to anything
> other than "never", sssd does not work.  By that I mean sssd will start
> as normal but no ID lookups are successful and I see "Input/output
> error" in the log.  This occurs regardless of what CA certificate chain
> I give it (via ldap_tls_cacert).  I have even tried using a known
> working chain that I use to access yum repos which uses TLS certificates
> from the same CA as our Active Directory.
> 
> Any ideas?
> 
> libsss_sudo-1.14.0-43.el7_3.11.x86_64
> libsss_autofs-1.14.0-43.el7_3.11.x86_64
> sssd-proxy-1.14.0-43.el7_3.11.x86_64
> sssd-ad-1.14.0-43.el7_3.11.x86_64
> sssd-1.14.0-43.el7_3.11.x86_64
> libsss_nss_idmap-1.14.0-43.el7_3.11.x86_64
> sssd-krb5-common-1.14.0-43.el7_3.11.x86_64
> sssd-ldap-1.14.0-43.el7_3.11.x86_64
> libsss_idmap-1.14.0-43.el7_3.11.x86_64
> python-sssdconfig-1.14.0-43.el7_3.11.noarch
> sssd-client-1.14.0-43.el7_3.11.x86_64
> sssd-common-pac-1.14.0-43.el7_3.11.x86_64
> sssd-krb5-1.14.0-43.el7_3.11.x86_64
> sssd-ipa-1.14.0-43.el7_3.11.x86_64
> sssd-common-1.14.0-43.el7_3.11.x86_64
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]