I have been testing different configurations of sssd and RHEL V6.3 and V6.4.
The sssd version on RHEL V6.3 is sssd-1.8.0-32.el6.x86_64
The sssd version on RHEL V6.4 is sssd-1.9.2-82.el6.x86_64
Recently, in reviewing my configuration and comparing same to a customer's sssd.conf, I noticed that I was not able to authenticate ldap users on the RHEL V6.3 system without some reference to a TLS security certificate. More to the point, you must point specifically at the certificate itself and not just the directory in which the certificate can be found:
# This doesn't seem to work in RHEL V6.3
#ldap_tls_cacertdir = /etc/openldap/osncerts
# This line seems to be required for RHEL v6.3
ldap_tls_cacert = /etc/openldap/osncerts/server.pem
If this line is commented or is not in the sssd.conf, authentication fails and I see this error in the /var/log/messages file:
Could not start TLS encryption. TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
I also see that no reference whatsoever to the TLS certificate is required in RHEL V6.4 running the later version of sssd.
Can anyone explain this?
Are there any plans to require a security certificate in sssd when using ldap for authentication?
Are there any plans to force encrypted communications in sssd when using ldap for authentication?
Al Licause
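The two questions at the end of the post (is a CA certificate required, and is encryption forced) are things an administrator can check in sssd.conf before the client ever talks to the directory. The following linter is an added example written for this thread; it is not part of sssd and not the poster's configuration. It parses the [domain/...] section with Python's configparser, flags identity lookups that stay in plaintext (ldap:// without ldap_id_use_start_tls = true), flags ldap_tls_reqcert values that switch off server certificate verification, and checks that whatever ldap_tls_cacert / ldap_tls_cacertdir point at is something the LDAP library can actually load. The directory test assumes that a bare directory of PEM files is not enough: it looks for an NSS database (cert8.db, which is my assumption about what RHEL 6's NSS-linked OpenLDAP expects) or OpenSSL-style hashed names. The PEM file and both configurations in demo() are constructed sample data, modelled on the two sssd.conf lines quoted above.

```python
"""Lint the LDAP TLS settings of an sssd.conf domain section.

Hypothetical helper written for this thread; not part of sssd.
"""
import configparser
import os
import re
import tempfile

# OpenSSL-style hashed certificate names, e.g. 1a2b3c4d.0
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def load_domain(conf_text, domain):
    """Return the [domain/<name>] section of an sssd.conf string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp[f"domain/{domain}"]


def cacertdir_usable(path):
    """A CA directory only helps if the library can find something in it:
    an NSS database (cert8.db; assumption about RHEL 6's NSS-linked
    OpenLDAP) or OpenSSL-style hash symlinks. A directory holding only
    server.pem satisfies neither."""
    if not os.path.isdir(path):
        return False
    names = os.listdir(path)
    return "cert8.db" in names or any(HASHED_NAME.match(n) for n in names)


def cacert_usable(path):
    """ldap_tls_cacert must name a readable PEM file with at least one cert."""
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        return b"-----BEGIN CERTIFICATE-----" in f.read()


def lint(section):
    """Return a list of findings; an empty list means the section passes."""
    findings = []
    uri = section.get("ldap_uri", "")
    start_tls = section.getboolean("ldap_id_use_start_tls", fallback=False)
    reqcert = section.get("ldap_tls_reqcert", "hard").lower()  # sssd default is hard
    cacert = section.get("ldap_tls_cacert")
    cacertdir = section.get("ldap_tls_cacertdir")

    if not (uri.startswith("ldaps://") or start_tls):
        findings.append("identity lookups are plaintext: ldap_uri is not ldaps:// "
                        "and ldap_id_use_start_tls is not true")
    if reqcert in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert = {reqcert} disables server "
                        "certificate verification")
    if cacert and not cacert_usable(cacert):
        findings.append(f"ldap_tls_cacert = {cacert} is not a readable PEM file")
    if not cacert:
        if not cacertdir:
            findings.append("no CA trust configured: set ldap_tls_cacert "
                            "(or a usable ldap_tls_cacertdir)")
        elif not cacertdir_usable(cacertdir):
            findings.append(f"ldap_tls_cacertdir = {cacertdir} holds no NSS db "
                            "or hashed certs; point ldap_tls_cacert at the PEM "
                            "file instead")
    return findings


def demo():
    """Build a constructed cert directory and lint a 'before' and 'after' config."""
    tmp = tempfile.mkdtemp()
    certdir = os.path.join(tmp, "osncerts")
    os.mkdir(certdir)
    pem = os.path.join(certdir, "server.pem")
    with open(pem, "w") as f:
        # Constructed placeholder; not a real certificate.
        f.write("-----BEGIN CERTIFICATE-----\nMIIB...CONSTRUCTED...\n"
                "-----END CERTIFICATE-----\n")
    base = ("[domain/example]\n"
            "id_provider = ldap\n"
            "auth_provider = ldap\n"
            "ldap_uri = ldap://ldap.example.com\n")
    # Directory-only trust, plain ldap://: the shape that failed in the post.
    before = base + f"ldap_tls_cacertdir = {certdir}\n"
    # Explicit CA file plus STARTTLS on the identity channel.
    after = base + f"ldap_id_use_start_tls = true\nldap_tls_cacert = {pem}\n"
    return lint(load_domain(before, "example")), lint(load_domain(after, "example"))


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(label, findings or ["ok"])
```

Run it against a real file by passing open("/etc/sssd/sssd.conf").read() and the domain name to load_domain(); the findings list is empty only when the directory connection is encrypted and the CA trust is resolvable.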