[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
- To: Quanah Gibson-Mount <quanah@symas.com>
- Subject: Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
- From: Robert Heller <heller@deepsoft.com>
- Date: Thu, 28 Sep 2017 15:41:48 -0400 (EDT)
- Cc: Robert Heller <heller@deepsoft.com>, Openldap Technical <openldap-technical@openldap.org>
- Dkim-filter: OpenDKIM Filter v2.11.0 sharky3.deepsoft.com 9B6D973231B
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=deepsoft.com; s=deepsoft.com; t=1506627708; bh=g/o/XzTbxzuFGKM+DfvEffBJAXE5DP51xPa8jTOE10s=; h=From:Subject:In-Reply-To:References:To:Cc:Date:From; b=aX1JHJVUrh0JU96MRTCiv+ZcDEVFCjQkLsD7wx/lOEaYHVLsrEnE/LWFHCDQwBgCS cOUt4lhJvCwVRGDnYjX9IToJZbObFJQ3di/X9SXlPD2bV/8B552a1AhQ4QDGB+UAMQ 4jSUc2yKwEKH5rcthNaEbSZEJUpq7CrY+3bdhtKc=
- In-reply-to: <5A6DACC51CF6F5156270C77F@[192.168.1.30]>
- Organization: Deepwoods Software
- References: <20170928170817.DE268732A40@sharky3.deepsoft.com> <WM!3841d97ef9fe61874abde790669c89cda7491f751a8d1d42d6fedcad23ad03723369227f2cf988e1296a97f7d1455a45!@mailstronghold-2.zmailcloud.com> <3631C46B10C6A6D96C92A6CA@[192.168.1.30]> <20170928183434.C52377323F2@sharky3.deepsoft.com> <WM!d02d61414b21d1174b6888ab449c4269fa38d934004f76ade936b18cd00ea29eb903d4c22a82e75a76373bb72667b68d!@mailstronghold-3.zmailcloud.com> <5A6DACC51CF6F5156270C77F@[192.168.1.30]>
Will these spit out useful error messages? If I just get "TLS Negotiation
failure" it is not going to be helpful.
At Thu, 28 Sep 2017 12:29:19 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:
>
> --On Thursday, September 28, 2017 3:34 PM -0400 Robert Heller
> <heller@deepsoft.com> wrote:
>
>
> > Slapd is reporting TLS Negotiation failure when SSSD tries to connect to
> > it. For both port 389 (ldap:///) and 636 (ldaps:///). So I guess
> > something is wrong with slapd's TLS configuration -- it is failing to do
> > TLS Negotiation, either it is just not doing it or it is doing it wrong
> > (somehow). Unless SSSD is not configured properly.
>
> You need to start with the following:
>
> >> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
>
> to test startTLS
>
> and
>
> ldapwhoami -x -H ldaps://myhost:636 -D binddn -w
>
> to test without startTLS
>
> If you can get those to work, then you can move on to SSSD.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services