On 08/16/2013 06:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
I know this forum is about sssd, but I am working with a customer that cannot run sssd due to a configuration issue on their ldap servers. I didn't know where else to ask this question other than to raise a formal elevation, which I can do if so requested or if this is found to be a bug.

This customer has opted to use nslcd over encrypted links. In testing this configuration I noticed two oddities. These two lines are required in nslcd.conf to get the encryption started:

ssl start_tls
ssl on

I was always under the impression that if you use ssl, you shouldn't use or start TLS, and vice versa: if TLS has been started, then don't start ssl. Am I misinterpreting what is being enabled with these two options?

What is even stranger is that they are position dependent. The start_tls line must come before the ssl on line, otherwise the encryption will not start correctly and the connections will fail.

To my knowledge this seems to be the only position dependent option I have run into so far.

Was this intended?
Al Licause
HP L2 UNIX Network Services
HP Customer Support Center
Hours 7am-3pm Pacific time USA
Manager: tom.cernilli(a)hp.com
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
My guess is that the position dependence you mention means that when you specify more than one setting for ssl in nslcd.conf (see http://linux.die.net/man/5/nslcd.conf or 'man nslcd.conf' on your local system), only the first one is used and subsequent ones are ignored (contrary to other configs, where only the last reference is the one used).

The syntax of the nslcd.conf file allows for one of three settings to ssl: on, off, or start_tls, so the two lines you're using are actually two different settings. Your customer is using tls (as they should, since it supersedes ssl), so the correct setting in nslcd.conf is 'ssl start_tls'. The second line, 'ssl on', shouldn't be needed, and the fact that the configuration breaks when that's the first setting suggests that it's being ignored once start_tls is triggered.

Have you tried removing the 'ssl on' line from nslcd.conf? The customer configuration /should/ work correctly without that; if it doesn't, then I'm thinking that's a bug.
/Harry
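The reply above boils down to a configuration check: nslcd.conf should carry exactly one 'ssl' directive, and a repeated one is suspect because (on Harry's guess, not documented behaviour) only the first match may take effect. The script below is an added example, not code from this thread or from the nslcd project; it parses a constructed nslcd.conf that mirrors the customer's two-line setup, reports duplicate, missing or 'off' ssl settings, and shows which value would be effective under the first-match-wins assumption. The sample host names and the first-match rule are assumptions.

```python
"""Lint an nslcd.conf for conflicting or missing 'ssl' directives.

Added example, not part of the thread and not nslcd's own code. It
assumes the syntax the thread describes: one 'ssl' keyword taking
'on', 'off' or 'start_tls', '#' comments, and (as the reply guesses,
not as documented fact) first-match-wins when the keyword repeats.
"""
from typing import List, Optional, Tuple

VALID_SSL_VALUES = {"on", "off", "start_tls"}

# Constructed sample mirroring the customer's two-line setup from the thread.
SAMPLE_CONF = """\
# /etc/nslcd.conf (constructed sample, hostnames are placeholders)
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
ssl on
tls_reqcert demand
"""


def parse_nslcd_conf(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, keyword, value) for every directive line.

    Blank lines and '#' comments are skipped; keywords are lower-cased
    because nslcd.conf keywords are written in lower case.
    """
    directives = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        directives.append((lineno, keyword.lower(), value.strip()))
    return directives


def effective_ssl(text: str) -> Optional[str]:
    """Value of the first 'ssl' directive (assumed first-match-wins)."""
    for _, keyword, value in parse_nslcd_conf(text):
        if keyword == "ssl":
            return value
    return None


def lint_ssl(text: str) -> List[str]:
    """Return human-readable findings about the 'ssl' directive(s)."""
    findings = []
    ssl_lines = [(n, v) for n, k, v in parse_nslcd_conf(text) if k == "ssl"]
    if not ssl_lines:
        findings.append("no 'ssl' directive: LDAP traffic will be unencrypted")
        return findings
    for n, v in ssl_lines:
        if v not in VALID_SSL_VALUES:
            findings.append(f"line {n}: unknown ssl value {v!r}")
        elif v == "off":
            findings.append(f"line {n}: 'ssl off' disables encryption")
    if len(ssl_lines) > 1:
        first_n, first_v = ssl_lines[0]
        others = ", ".join(f"line {n}: {v}" for n, v in ssl_lines[1:])
        findings.append(
            f"'ssl' given {len(ssl_lines)} times; if first match wins, "
            f"'ssl {first_v}' (line {first_n}) is effective and the rest "
            f"({others}) are ignored; keep a single 'ssl start_tls'"
        )
    return findings


if __name__ == "__main__":
    print("effective ssl setting:", effective_ssl(SAMPLE_CONF))
    for finding in lint_ssl(SAMPLE_CONF):
        print("finding:", finding)
```

Run against the sample it reports the duplicate and names 'start_tls' as the effective value; swapping the two lines makes 'on' the effective value, which is the ordering the original post found broken. Pointing it at a real file is a matter of reading the file into lint_ssl.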