On 08/21/2013 01:58 PM, John Uhlig wrote:
> Oops! Please excuse previous reply re: SHA1. John.
>
>> It would be very helpful if you could include your sssd.conf. I
>> strongly suspect that you have a typo in your configuration
>
> I have included the sssd.conf file. I have tried to keep it as simple
> as possible but have tried several iterations on it as well.
>
> debug_level = 9
> ldap_id_use_start_tls = True
> ldap_search_base = ou=internal,dc=parc,dc=com
> krb5_realm = EXAMPLE.COM
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://pldap.parc.com/
> cache_credentials = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_tls_reqcert = demand
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> enumerate = True
> domains =
I have to ask the obvious question: does it work if you set
'ldap_tls_reqcert = allow'? This could suggest that your
/etc/openldap/cacerts directory isn't properly set up. You may have
forgotten to run 'cacertdir_rehash /etc/openldap/cacerts' or to put
the CA cert in that directory at all.
I'd like to see more of the SSSD logs than just
(Wed Aug 21 08:27:45 2013) [sssd[be[default]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
because that's not a useful piece of the log (it doesn't tell me what
it tried to do before it failed). Including the preceding 50-100 lines
would be better.
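The two things the reply above asks John to check (is every domain listed in `[sssd] domains` backed by a `[domain/...]` section, and does `ldap_tls_cacertdir` actually contain the hashed CA links that `cacertdir_rehash` creates) can be scripted as a pre-flight lint of sssd.conf. The script below is an added example, not code from the thread or from the SSSD project; the function names are mine, the sample config is constructed from the settings John posted (with an assumed `[domain/default]` header, matching the `be[default]` backend in the log line), and the CA directory is a temporary one, so the run is entirely offline.

```python
"""Pre-flight lint for the LDAP/TLS settings in an sssd.conf (added example).

Assumptions, not taken from the thread: helper names are mine, the sample
config below is constructed, and the CA directory is a temp dir.
"""
import configparser
import os
import re
import tempfile

# cacertdir_rehash names each link <subject-hash>.<n>, e.g. "a1b2c3d4.0".
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")
VALID_REQCERT = {"never", "allow", "try", "demand", "hard"}

# Constructed sample based on the settings posted in the thread.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://pldap.parc.com/
ldap_search_base = ou=internal,dc=parc,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = {cacertdir}
ldap_tls_reqcert = demand
cache_credentials = True
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text. SSSD option names are case-sensitive, so keep case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_domains(conf):
    """Every name in [sssd] domains needs a matching [domain/<name>] section."""
    findings = []
    raw = conf.get("sssd", "domains", fallback="")
    listed = [d.strip() for d in raw.split(",") if d.strip()]
    if not listed:
        findings.append("[sssd] domains is empty; SSSD will not start any backend")
    for name in listed:
        if not conf.has_section(f"domain/{name}"):
            findings.append(f"domains lists '{name}' but there is no [domain/{name}] section")
    return findings


def check_tls_settings(conf, domain_section):
    """Return a list of findings about TLS for one domain; empty means nothing obvious."""
    if not conf.has_section(domain_section):
        return [f"missing section [{domain_section}]"]
    dom = conf[domain_section]
    findings = []

    start_tls = dom.get("ldap_id_use_start_tls", fallback="False").lower() == "true"
    if not start_tls and not dom.get("ldap_uri", fallback="").startswith("ldaps://"):
        findings.append("TLS not enabled: neither ldap_id_use_start_tls nor an ldaps:// URI")

    # SSSD's default for ldap_tls_reqcert is "hard".
    reqcert = dom.get("ldap_tls_reqcert", fallback="hard").lower()
    if reqcert not in VALID_REQCERT:
        findings.append(f"ldap_tls_reqcert has unknown value '{reqcert}'")
    elif reqcert in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert={reqcert} skips server cert verification; "
                        "use it only to diagnose, then restore demand/hard")

    # With demand/hard/try the CA directory must exist and be rehashed.
    cacertdir = dom.get("ldap_tls_cacertdir", fallback=None)
    if cacertdir and reqcert in ("try", "demand", "hard"):
        if not os.path.isdir(cacertdir):
            findings.append(f"ldap_tls_cacertdir {cacertdir} does not exist")
        elif not any(HASH_LINK.match(n) for n in os.listdir(cacertdir)):
            findings.append(f"{cacertdir} has no hashed CA links; run cacertdir_rehash on it")
    return findings


def run_demo():
    """Lint the sample config against an empty, then a 'rehashed', CA directory."""
    with tempfile.TemporaryDirectory() as cacertdir:
        conf = parse_sssd_conf(SAMPLE_CONF.format(cacertdir=cacertdir))
        before = check_domains(conf) + check_tls_settings(conf, "domain/default")
        # Simulate the link cacertdir_rehash would create; the hash is constructed.
        open(os.path.join(cacertdir, "0123abcd.0"), "w").close()
        after = check_domains(conf) + check_tls_settings(conf, "domain/default")
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, found in run_demo().items():
        print(phase, found or "OK")
```

The empty-directory case reproduces the situation the reply suspects: the config parses cleanly and `ldap_tls_reqcert = demand` is valid, yet the lint reports that `/etc/openldap/cacerts` has nothing for the LDAP client to verify against, which is exactly the symptom that flipping to `allow` would mask rather than fix.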