Hello,
I am trying to configure sssd authentication on Debian 10.2, sssd 1.16.3, against 389-ds with self-signed certificate.
In /etc/sssd/sssd.conf I have the line "ldap_tls_reqcert = never" line, but when I start sssd manually on the command line, it says " [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [Key usage violation in certificate has been detected.]"
Can someone give me a hint how to teach sssd to ignore the certificate?
Regards,
On Tue, Nov 19, 2019 at 09:38:55AM +0200, Todor Petkov wrote:
Hello,
I am trying to configure sssd authentication on Debian 10.2, sssd 1.16.3, against 389-ds with self-signed certificate.
In /etc/sssd/sssd.conf I have the line "ldap_tls_reqcert = never" line, but when I start sssd manually on the command line, it says " [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [Key usage violation in certificate has been detected.]"
Can someone give me a hint how to teach sssd to ignore the certificate?
IIRC the reqcert option only allows you to suppress the CA chain verification, so the cert doesn't then have to be signed by a trusted CA. But it still has to have the key usage bits set to allow for TLS server usage.
On Thu, Nov 21, 2019 at 10:56 AM Jakub Hrozek jhrozek@redhat.com wrote:
IIRC the reqcert option only allows you to suppress the CA chain verification, so the cert doesn't then have to be signed by a trusted CA. But it still has to have the key usage bits set to allow for TLS server usage.
Hello, even with reqcert set to never, I still get errors. Same sssd.conf works on CentOS. I will look into it further.
Regards,
On (27/11/19 13:31), Todor Petkov wrote:
On Thu, Nov 21, 2019 at 10:56 AM Jakub Hrozek jhrozek@redhat.com wrote:
IIRC the reqcert option only allows you to suppress the CA chain verification, so the cert doesn't then have to be signed by a trusted CA. But it still has to have the key usage bits set to allow for TLS server usage.
Hello, even with reqcert set to never, I still get errors. Same sssd.conf works on CentOS. I will look into it further.
Does "curl --cacert ./path/to/ca/crt ldaps://ldap.$yourhostname" works on debian ? Because it might be related to different system defaults on debian-10 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788#14
LS
On Wed, Nov 27, 2019 at 2:00 PM Lukas Slebodnik lslebodn@redhat.com wrote:
Does "curl --cacert ./path/to/ca/crt ldaps://ldap.$yourhostname" works on debian ? Because it might be related to different system defaults on debian-10 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788#14
LS
It gives me a validation error, I will create internal CA and sign servers cert with it.
Regards,
sssd-users@lists.fedorahosted.org
-
Jakub Hrozek -
Lukas Slebodnik -
Todor Petkov