Hi Lukas,

thanks for the explanation. After some more testing I found that sssd version 1.16 works with SSL even if the version of openldap is not compiled with SSL support. SSSD suddenly requires ldap_tls_cacert to find the CA, even when you use SSL (ldaps in the uri). Does it make any sense?

- I expected sssd to use SSL or not depending on the openldap version and not sssd itself.
- Also, if I specify ldaps, why is any TLS parameter relevant?

We can upgrade sssd in SL7, only few RH6/SL6 will special upgrade processes...

Thanks,
Arnau

On Fri, 27 Mar 2020 at 16:32, Lukas Slebodnik <[email protected]> wrote:

> On (27/03/20 16:12), Arnau Bria wrote:
> >Hi all,
> >
> >something I've found is that the openldap behaviour I've described really
> >depends on the openldap version. With versions older than 2.4.44-15 (in SL)
> >openldap only knows about Mozilla DB whereas in newer versions it falls back
> >to OpenSSL and openldap then reads the certificates from the PKI store.
> >IOW, with newer openldap there's no need to create the Mozilla DB.
> >
>
> Yes, it depends which crypto was used in openldap.
>
> centos7 and old versions of fedora were compiled with NSS
> later versions moved to openssl but some distributions have some compatibility
> with NSS (convert NSS on the fly to format which works with openssl)
> That compatibility was removed in fedora29 and thus newer versions
> support just openssl.
>
> LS
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>

--
Arnau Bria
