Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
Robert Heller <heller@deepsoft.com> writes:
> OK, I have narrowed things down to slapd and sssd not playing nice with each
> other. slapd is able to listen on ldaps (port 636) and accept SSL connections
> (eg from openssl s_client and other applications using straight SSL). slapd
> will also listen on ldap (port 389), but refuses to negotiate a TLS connection
> on port 389. It also refuses to negotiate TLS connection on port 636. sssd
> seems to *insist* on negotiating a TLS connection on port 636 or port 389 and
> won't just connect using ssl to port 636. (At least that is what I *think* is
> going on.)
>
> So, I either need to get slapd to do TLS negotiation on port 389 OR port 636,
> or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
>
> How the hell do I get that to happen?
[...]
These are two different ports and methods to connect. On port 389 a
client initiates a secured session by calling startTLS extended
operation. While on port 636 the server requests a secured session.
Check your init script, or systemctl service script, whether ldap:/// or
ldaps:// is initiated, or both.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
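An added example, not part of Dieter's reply or of either project's own tooling, that makes the check he suggests mechanical: it reads which listeners slapd was started with (the SLAPD_URLS line used by /etc/sysconfig/slapd on Red Hat-style systems; Debian's /etc/default/slapd uses SLAPD_SERVICES with the same shape) and which method sssd will try (ldap_uri plus the ldap_id_use_start_tls switch from sssd-ldap(5)), then reports whether the client's expectation is something the server actually offers. The two config fragments inside the script are constructed samples that reproduce the mismatch described in the thread; the probe_cmd helper only prints the ldapsearch invocation for each mode (-ZZ forces StartTLS on ldap://, ldaps:// is TLS from the first byte), it does not contact a server.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Compares the secured
# connection method an sssd client will attempt with the listeners slapd
# was started with. Config fragments below are constructed samples.

# Constructed stand-in for the SLAPD_URLS line in /etc/sysconfig/slapd:
# slapd listens on the local socket and on ldaps:// (636) only.
SAMPLE_SLAPD_ENV='SLAPD_URLS="ldapi:/// ldaps:///"'

# Constructed stand-in for the [domain/...] section of sssd.conf: the client
# connects to ldap:// (389) and then asks for the StartTLS extended operation.
SAMPLE_SSSD_CONF='[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = true'

# Same client pointed at ldaps:// instead, which the sample slapd does offer.
FIXED_SSSD_CONF='[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com'

# secure_mode URI STARTTLS_FLAG -> ssl | starttls | none | local | unknown
#   ldaps://  TLS negotiated on connect (port 636 by default)
#   ldap://   cleartext unless the client issues StartTLS on port 389
secure_mode() {
  uri=$1; starttls=$2
  case $uri in
    ldaps://*) echo ssl ;;
    ldap://*)  if [ "$starttls" = true ]; then echo starttls; else echo none; fi ;;
    ldapi://*) echo local ;;
    *)         echo unknown ;;
  esac
}

# slapd_offers URLS_LINE -> space-separated methods slapd can serve.
# Note: StartTLS on ldap:// additionally requires slapd's TLS* directives
# (certificate and key) to be configured; only the listeners are checked here.
slapd_offers() {
  urls=${1#*=}; urls=${urls#\"}; urls=${urls%\"}
  out=""
  for u in $urls; do
    case $u in
      ldaps://*) out="$out ssl" ;;
      ldap://*)  out="$out starttls" ;;
      ldapi://*) out="$out local" ;;
    esac
  done
  echo "${out# }"
}

# sssd_value CONF_TEXT KEY -> value of KEY (last occurrence wins, as in sssd)
sssd_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# diagnose SLAPD_ENV_LINE SSSD_CONF_TEXT -> ok | mismatch:<wanted>:<offered>
diagnose() {
  offered=$(slapd_offers "$1")
  uri=$(sssd_value "$2" ldap_uri)
  flag=$(sssd_value "$2" ldap_id_use_start_tls | tr '[:upper:]' '[:lower:]')
  wanted=$(secure_mode "$uri" "${flag:-false}")
  case " $offered " in
    *" $wanted "*) echo ok ;;
    *)             echo "mismatch:$wanted:$offered" ;;
  esac
}

# probe_cmd MODE HOST -> the ldapsearch call that exercises exactly that mode
probe_cmd() {
  case $1 in
    starttls) echo "ldapsearch -x -ZZ -H ldap://$2 -b '' -s base" ;;
    ssl)      echo "ldapsearch -x -H ldaps://$2 -b '' -s base" ;;
    *)        echo "ldapsearch -x -H ldap://$2 -b '' -s base" ;;
  esac
}

# Run the two scenarios when executed directly.
echo "as posted : $(diagnose "$SAMPLE_SLAPD_ENV" "$SAMPLE_SSSD_CONF")"
echo "ldaps uri : $(diagnose "$SAMPLE_SLAPD_ENV" "$FIXED_SSSD_CONF")"
echo "probe     : $(probe_cmd starttls ldap.example.com)"
```

The first scenario reports `mismatch:starttls:local ssl`, which is the situation in the thread: the client wants StartTLS on 389 while the server only answers TLS-on-connect on 636. Either adding `ldap:///` to the listeners (with slapd's TLS certificate directives in place) or pointing ldap_uri at ldaps:// resolves it; the second scenario shows the latter producing `ok`.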