I did try modifying the above two parameters with longer timeouts (15 secs),
and these didn't make any difference; still seeing sssd[be[LDAP]]: Could not
start TLS encryption. unknown error.
I think there is an issue with the way sssd calls the ldap lib which may be
contributing to this problem. Could someone who uses centos > 5.8 confirm
sssd is actually working with pam auth?
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [sdap_get_generic_step] (7): Requesting attrs: [highestCommittedUSN]
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (5): No known USN scheme is supported by this server!
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: (null)
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [simple_bind_done] (5): Server returned no controls.
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null)
http://www.openldap.org/its/index.cgi/Incoming?id=6789
Based on the previous URL, does the (null) return mean there was an issue but
sssd didn't get the appropriate msg back from LDAP?
Also, I see slap_global_control: unrecognized control:
1.3.6.1.4.1.42.2.27.8.5.1 in the ldap.log on the ldap server, which seems to
indicate that sssd is trying to use password policy? But I don't see this
behaviour on the sssd running on centos6 as well as on <= centos5.6. Has
there been a change in the way sssd connects to LDAP?
On Wed, Aug 20, 2014 at 12:44 AM, Lukas Slebodnik <lslebodn(a)redhat.com>
wrote:
On (19/08/14 16:37), Daniel Jung wrote:
>Still seeing sssd[be[LDAP]]: Could not start TLS encryption. unknown error
>
>(Wed Aug 20 01:27:53:174091 2014) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
>(Wed Aug 20 01:27:53:174891 2014) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
>(Wed Aug 20 01:27:53:174930 2014) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [unknown error]
>
>As a recap, the openldap user-land tools work using -ZZ. Upgraded sssd to
>1.9.6, upgraded the openldap lib to 2.4.39. Any other ideas?
>
>By the way, what was the main decision for compiling against openldap 2.4
>when other critical packages still compile against the 2.3 ldap lib? Making
>the upgrade path to openldap 2.4 very difficult.
>
The patch from the previous mail just fixed a crash.
SSSD can try to reconnect after a few seconds (value of "offline_timeout").
It is not clear from the previous log file; it can be a problem with long
synchronous calls. You can try to modify some timeout options:

ldap_network_timeout (integer)
    Specifies the timeout (in seconds) after which the poll(2)/select(2)
    following a connect(2) returns in case of no activity.
    Default: 6

ldap_opt_timeout (integer)
    Specifies a timeout (in seconds) after which calls to synchronous LDAP
    APIs will abort if no response is received. Also controls the timeout
    when communicating with the KDC in case of SASL bind.
    Default: 6

Other options are in man sssd-ldap.
LS
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
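An added example (not from the thread or from the SSSD project) for deciding whether the timeout options discussed above can matter at all: it parses sssd debug log records in the format quoted in the thread and measures how long the START TLS attempt ran before ldap_install_tls failed. The sample log is constructed from the lines quoted above; if the failure lands far below ldap_network_timeout (default 6 s per the man page excerpt), it is not a network timeout and the libldap TLS setup (ldap_tls_* options in sssd-ldap(5), server certificate) is the place to look.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the debug output quoted in the thread
# ("Wed Aug 20 01:27:53:174091 2014" is the debug_microseconds timestamp form).
SAMPLE_LOG = """\
(Wed Aug 20 01:27:53:174091 2014) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Wed Aug 20 01:27:53:174891 2014) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Wed Aug 20 01:27:53:174930 2014) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [unknown error]
"""

# One debug record: (timestamp) [component] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<src>.+?)\] \[(?P<func>[^\]]+)\] \((?P<lvl>[^)]+)\): (?P<msg>.*)$"
)


def parse_line(line):
    """Split one sssd debug line into its fields; None if it is not a debug record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    raw = " ".join(m["ts"].split())  # collapse doubled spaces in the date
    # Timestamps come with or without microseconds depending on debug_microseconds.
    for fmt in ("%a %b %d %H:%M:%S:%f %Y", "%a %b %d %H:%M:%S %Y"):
        try:
            ts = datetime.strptime(raw, fmt)
            break
        except ValueError:
            continue
    else:
        return None
    return {"ts": ts, "src": m["src"], "func": m["func"], "level": m["lvl"], "msg": m["msg"]}


def starttls_failure(log_text, network_timeout_s=6.0):
    """Time from 'Executing START TLS' to the first ldap_install_tls failure.
    Returns None when no failure is logged; timeout_suspected is True only when
    the attempt ran at least as long as ldap_network_timeout."""
    started = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg"].startswith("Executing START TLS"):
            started = rec["ts"]
        elif started is not None and "ldap_install_tls failed" in rec["msg"]:
            elapsed = (rec["ts"] - started).total_seconds()
            return {
                "elapsed_ms": round(elapsed * 1000, 3),
                "error": rec["msg"].split("ldap_install_tls failed: ", 1)[1],
                "timeout_suspected": elapsed >= network_timeout_s,
            }
    return None


if __name__ == "__main__":
    print(starttls_failure(SAMPLE_LOG))
```

For the quoted log the failure arrives well under a millisecond after START TLS was issued, so raising ldap_network_timeout or ldap_opt_timeout cannot change the outcome.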