Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
Robert Heller <heller@deepsoft.com> writes:
R> At Thu, 28 Sep 2017 10:19:43 -0700 Quanah Gibson-Mount <quanah@symas.com> wrote:
>
>>
>> --On Thursday, September 28, 2017 2:08 PM -0400 Robert Heller
>> <heller@deepsoft.com> wrote:
>>
>> > OK, I have narrowed things down to slapd and sssd not playing nice with
>> > each other. slapd is able to listen on ldaps (port 636) and accept SSL
>> > connections (eg from openssl s_client and other applications using
>> > straight SSL). slapd will also listen on ldap (port 389), but refuses
>> > to negotiate a TLS connection on port 389. It also refuses to negotiate
>> > TLS connection on port 636. sssd seems to *insist* on negotiating a TLS
>> > connection on port 636 or port 389 and won't just connect using ssl to
>> > port 636. (At least that is what I *think* is going on.)
>> >
>> > So, I either need to get slapd to do TLS negotiation on port 389 OR port
>> > 636, or get sssd to NOT do TLS negotiation on port 636 and just connect
>> > with SSL.
>>
>> You're using a bit of a confusing word soup.
>
> Well, yes...
>
>>
>> ldaps == Deprecated, non-standard way of securing connection to LDAP.
>> Usually on port 636
>> startTLS == RFC standard way of securing connections to LDAP. Usually on
>> port 389
>
>>
>> If you are using ldaps, then you want startTLS to be disabled
>> if you are using startTLS, then you want it enabled.
>>
>> Your SSSD config has:
>>
>> ldap_id_use_start_tls = false
>>
>> so this would be correct for use with ldaps:///
>
> But SSSD does not work with ldaps:///... It *wants* startTLS over ldap:///,
> which does not *seem* to work.
>
>>
>> You don't provide any error messages or other useful information, so one
>> can only speculate what issues you may be having.
>
> Slapd is reporting TLS Negotiation failure when SSSD tries to connect to it.
> For both port 389 (ldap:///) and 636 (ldaps:///). So I guess something is
> wrong with slapd's TLS configuration -- it is failing to do TLS Negotiation,
> either it is just not doing it or it is doing it wrong (somehow). Unless SSSD
> is not configured properly.
>>
>> I would note that most versions of openssl s_client do not support startTLS
>> with LDAP (Thus you cannot use it to test port 389). That feature was only
>> recently added to OpenSSL.
OK, back to basics:
1. check whether sssd is compiled with openssl's libcrypto:
ldd sssd
which should present something like
libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0
2. check whether slapd has been built with openssl
ldd slapd, which should present:
libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0
libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0
3. verify your certificates:
openssl verify -CAfile <file> <hostcert>
4. run slapd -h ldaps:///;
then test the connection:
openssl s_client -connect <host:636> -CAfile <file>
-Dieter
>> If you want to test startTLS on port 389, your best bet is to use an ldap
>> client utility such as ldapwhoami, like:
>>
>> ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w
[...]
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
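To make the ldaps-versus-StartTLS distinction from the thread concrete (and to show what a "TLS negotiation" failure on port 389 looks like at the protocol level), here is an added example that is not part of the list discussion: it builds the StartTLS ExtendedRequest a client sends in the clear on 389 (OID 1.3.6.1.4.1.1466.20037, RFC 4511), parses slapd's ExtendedResponse, and tells a plaintext LDAP PDU apart from an ldaps TLS record by its first byte. The two response PDUs are constructed samples, not captures from a real slapd; `starttls_connect` needs a live server and is only illustrative.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 s4.14

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def starttls_request(message_id=1):
    """LDAPMessage{messageID, ExtendedRequest [APPLICATION 23]{requestName [0] OID}}.
    message_id is kept below 128 so it fits a one-octet INTEGER."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext = b"\x77" + ber_len(len(name)) + name
    body = b"\x02\x01" + bytes([message_id]) + ext
    return b"\x30" + ber_len(len(body)) + body

def parse_extended_response(pdu):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse PDU.
    Assumes short-form lengths, which is all this small reply ever needs."""
    assert pdu[0] == 0x30 and pdu[2:4] == b"\x02\x01", "not an LDAPMessage"
    assert pdu[5] == 0x78, "not an ExtendedResponse [APPLICATION 24]"
    i = 7                                   # past tag 0x78 and its length octet
    assert pdu[i] == 0x0A and pdu[i + 1] == 1, "resultCode ENUMERATED expected"
    code = pdu[i + 2]
    i += 3
    i += 2 + pdu[i + 1]                     # skip matchedDN (OCTET STRING)
    diag = pdu[i + 2:i + 2 + pdu[i + 1]].decode("utf-8", "replace")
    return code, diag

def first_byte_meaning(data):
    """What the first client byte in a capture says about the transport."""
    if data[:1] == b"\x30":
        return "plaintext LDAP PDU: ldap:// (StartTLS, if any, comes later)"
    if data[:2] == b"\x16\x03":
        return "TLS handshake record: ldaps:// (TLS before any LDAP)"
    return "neither LDAP nor TLS"

# Constructed sample replies: success, and a refusal with a diagnostic string.
OK_RESPONSE = bytes.fromhex("300c02010178070a010004000400")
REFUSED_RESPONSE = bytes.fromhex("3012020101780d0a01010400" "04066e6f20544c53")

def starttls_connect(host, port=389, cafile=None):
    """Plain TCP, StartTLS extended op, then TLS; raises if slapd refuses."""
    sock = socket.create_connection((host, port))
    sock.sendall(starttls_request())
    code, diag = parse_extended_response(sock.recv(4096))
    if code != 0:
        raise RuntimeError("StartTLS refused: resultCode=%d %r" % (code, diag))
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(sock, server_hostname=host)
```

A non-zero resultCode here is slapd declining the extended operation before any handshake; a TLS alert after a resultCode 0 points at the certificate and CA setup that the openssl verify step above checks.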