I'm trying to set up openldap + pam + sssd and everything seems to be working except sssd is not able to use TLS to communicate with my ldap server. When I use ldap_auth_disable_tls_never_use_in_production=True, everything works.
Here are the relevant log messages:
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [TLS error -8157:Certificate extension not found.]
There's not much to be found on Google, except this promising RHKB entry that requires a subscription to see the solution: https://access.redhat.com/solutions/185883
Can someone tell me what this error is supposed to be telling me about what's wrong with my certificate?
Chris
On Mon, Jun 22, 2015 at 11:43:59AM -0600, Chris Lajoie wrote:
I'm trying to set up openldap + pam + sssd and everything seems to be working except sssd is not able to use TLS to communicate with my ldap server. When I use ldap_auth_disable_tls_never_use_in_production=True, everything works.
Here are the relevant log messages:
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [TLS error -8157:Certificate extension not found.]
There's not much to be found on Google, except this promising RHKB entry that requires a subscription to see the solution: https://access.redhat.com/solutions/185883
Can someone tell me what this error is supposed to be telling me about what's wrong with my certificate?
There might be various reasons, e.g. if your certificate has the Subject Alternative Name attributes set, it has to match the fully qualified domain name of your LDAP server. The issue in the KB article was about missing the Basic Constraint Extension in self-signed certificates, but it says that this is fixed in recent OpenLDAP versions.
bye, Sumit
Chris
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On 06/23/2015 01:29 AM, Sumit Bose wrote:
There might be various reasons, e.g. if your certificate has the Subject Alternative Name attributes set, it has to match the fully qualified domain name of your LDAP server. The issue in the KB article was about missing the Basic Constraint Extension in self-signed certificates, but it says that this is fixed in recent OpenLDAP versions.
Thanks! You mentioned the Subject Alternative Name but I am not using that in my cert. In my case I had to set the Common Name (CN) to the FQDN of the server. After I generated a new cert with the correct CN it started working. I'm not sure where the error message itself comes from (openssl?), but it was not in any way indicative of what the problem was.
Chris
On Tue, Jun 23, 2015 at 03:23:35PM -0600, Chris Lajoie wrote:
On 06/23/2015 01:29 AM, Sumit Bose wrote:
There might be various reasons, e.g. if your certificate has the Subject Alternative Name attributes set, it has to match the fully qualified domain name of your LDAP server. The issue in the KB article was about missing the Basic Constraint Extension in self-signed certificates, but it says that this is fixed in recent OpenLDAP versions.
Thanks! You mentioned the Subject Alternative Name but I am not using that in my cert. In my case I had to set the Common Name (CN) to the FQDN of the server. After I generated a new cert with the correct CN it started working. I'm not sure where the error message itself comes from (openssl?), but it was not in any way indicative of what the problem was.
Thank you for the feedback. Btw the error message came from NSS in this case, but other LDAP client libraries might use OpenSSL as well.
bye, Sumit
Chris
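The CN/SAN matching rule Sumit and Chris describe above, as an added example that is not part of the thread or of sssd/NSS: a stdlib-only Python re-implementation of the RFC 6125 hostname check a TLS client applies to the server certificate (dNSName entries in subjectAltName are authoritative when present; the subject CN is consulted only when the certificate has no dNSName SAN), run over constructed certificates in the dict shape Python's ssl getpeercert() returns. The LDAP server name ldap.example.com and the sample certificates are assumptions.

```python
"""Hostname matching for an LDAP server certificate (added example, not sssd/NSS code).

Rule: dNSName subjectAltName entries win when present; the subject CN is only a
fallback for certificates without any dNSName SAN. Certificates below are
constructed samples in the dict shape of ssl.SSLSocket.getpeercert().
"""


def _dns_match(pattern, hostname):
    """Case-insensitive compare; a leading '*.' may replace only the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".", 1)
    return len(labels) == 2 and labels[1] == pattern[2:]


def match_hostname(cert, hostname):
    """Return (ok, reason) for the name the client (e.g. sssd's ldap_uri) connected to."""
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # SAN present: the CN is ignored even if it happens to match (Sumit's case).
        if any(_dns_match(n, hostname) for n in dns_names):
            return True, "matched subjectAltName dNSName"
        return False, "subjectAltName present but no dNSName matches %r" % hostname
    # No dNSName SAN: fall back to the Common Name(s) in the subject (Chris's case).
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    if any(_dns_match(cn, hostname) for cn in cns):
        return True, "no SAN; matched commonName"
    if cns:
        return False, "no SAN; commonName %r != %r" % (cns, hostname)
    return False, "certificate has neither a dNSName SAN nor a commonName"


# Constructed sample certificates; assumed server FQDN is ldap.example.com.
CERT_SHORT_CN = {"subject": ((("commonName", "ldap"),),)}             # CN not the FQDN
CERT_FQDN_CN = {"subject": ((("commonName", "ldap.example.com"),),)}  # CN set to the FQDN
CERT_SAN_WRONG = {"subject": ((("commonName", "ldap.example.com"),),),
                  "subjectAltName": (("DNS", "ldap.internal"),)}       # SAN overrides CN

if __name__ == "__main__":
    for label, cert in [("short CN", CERT_SHORT_CN), ("FQDN CN", CERT_FQDN_CN),
                        ("SAN mismatch", CERT_SAN_WRONG)]:
        print(label, match_hostname(cert, "ldap.example.com"))
```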