Hi,
If you use sssd you don't need nslcd. Because openldap runs on localhost you can use the following configuration option for sssd to disable TLS ( sssd doesn't work without TLS but there is this undocumented option you can use ):
ldap_auth_disable_tls_never_use_in_production = true
Regards,
Andrei
On 2013-04-24 00:38, Rodney Simioni wrote:
Hi, I’m getting a weird behavior in LDAP with TLS.
Using:
openldap
Linux Red Hat
Sssd
Nslcd
When I issue a ‘ ldapsearch –x ZZ’, it works flawlessly but when issue a `getent passwd`, I get back the system users in /etc/passwd file but I don’t see the ldap users.
The openldap.log indicates the following when I issue the ‘getent passwd’ command
connection_read(14): TLS accept failure error=-1 id=1037
But it does not give any errors when doing the ldapsearch –x ZZ.
So, if I have TLS not correctly configured, shouldn’t it not work completely?
Here’s my sssd.conf:
[domain/local]
debug_level = 9
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=wh,dc=local
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://127.0.0.1/
ldap_tls_cacert = /certs/cacert.pem
[sssd]
services = nss, pam
config_file_version = 2
domains = local
[nss]
[pam]
[sudo]
[autofs]
[ssh]
Here’s my nslcd.conf:
uri ldap://127.0.0.1/
base dc=wh,dc=local
ssl start_tls
tls_cacertfile /certs/cacert.pem
tls_reqcert hard
Here’s my /etc/openldap/ldap.conf:
TLS_CACERT /certs/cacert.pem
TLS_REQCERT hard
URI ldap://127.0.0.1/
BASE dc=wh,dc=local
This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.
--
Andrei BÄNARU Internal Support CCNA Security, CCIP StreamWIDE Romania