The common name is correct and the exact same CA chain works with
yum on a server signed by the same CA our Active Directory servers
are signed with. So we know the CA chain file includes everything
it needs.
--
Jeff White
HPC Systems Engineer
Information Technology Services - WSU
In my experience, TLS failures are almost always due to a small handful of problems.
Two that come to mind immediately are:
1. Common name matching. Check the common name for the cert and make sure your requests are going to that name.
2. Not including certs. Make sure you are including all certs needed to validate your server's SSL endpoint. Make sure you are pointing to the correct directory that includes these certs, i.e. ldap_tls_cacertdir.
Dan
On Mon, 2017-10-02 at 11:01 -0700, Jeff White wrote:
> I'm attempting to enable LDAP server TLS certificate validation with "ldap_tls_reqcert = demand". However, when I set that value to anything other than "never", sssd does not work. By that I mean sssd will start as normal but no ID lookups are successful and I see "Input/output error" in the log. This occurs regardless of what CA certificate chain I give it (via ldap_tls_cacert). I have even tried using a known working chain that I use to access yum repos which uses TLS certificates from the same CA as our Active Directory. Any ideas?
>
> libsss_sudo-1.14.0-43.el7_3.11.x86_64
> libsss_autofs-1.14.0-43.el7_3.11.x86_64
> sssd-proxy-1.14.0-43.el7_3.11.x86_64
> sssd-ad-1.14.0-43.el7_3.11.x86_64
> sssd-1.14.0-43.el7_3.11.x86_64
> libsss_nss_idmap-1.14.0-43.el7_3.11.x86_64
> sssd-krb5-common-1.14.0-43.el7_3.11.x86_64
> sssd-ldap-1.14.0-43.el7_3.11.x86_64
> libsss_idmap-1.14.0-43.el7_3.11.x86_64
> python-sssdconfig-1.14.0-43.el7_3.11.noarch
> sssd-client-1.14.0-43.el7_3.11.x86_64
> sssd-common-pac-1.14.0-43.el7_3.11.x86_64
> sssd-krb5-1.14.0-43.el7_3.11.x86_64
> sssd-ipa-1.14.0-43.el7_3.11.x86_64
> sssd-common-1.14.0-43.el7_3.11.x86_64

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
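The two checks Dan lists (does the host you connect to appear in the server certificate's CN/SAN, and is a CA bundle configured at all) can be sanity-checked against sssd.conf before touching the network. The script below is an added example, not part of this thread or of sssd: it parses a constructed sssd.conf, extracts the hosts from ldap_uri (libldap validates the certificate against the host named there), and compares them with a constructed list of names taken from the DC certificate. The file paths, hostnames and certificate names are all assumptions for the example; on a real system you would read the names with `openssl x509 -noout -subject -ext subjectAltName` from the DC certificate.

```python
"""Sanity-check an sssd.conf against the two usual causes of LDAP TLS
failures: the host in ldap_uri not matching a name in the server's
certificate, and no CA bundle being configured for chain validation.

This is an added example, not sssd code. The config text and the
certificate names below are constructed for the example.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sssd.conf: ldap_uri points at a DNS alias for the domain,
# but the DC certificate (below) was issued for the host's own name.
SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ad.example.com, ldaps://dc1.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca-chain.pem
"""

# Names the DC certificate is valid for (subject CN plus SAN dNSNames),
# as you would read them with
#   openssl x509 -in dc.pem -noout -subject -ext subjectAltName
# Constructed for this example.
CERT_NAMES = ["dc1.example.com", "*.ad.example.com"]


def name_matches(pattern, host):
    """RFC 6125 style hostname matching: exact match, or a wildcard that
    is the whole leftmost label and covers exactly one label of the host.
    '*.ad.example.com' matches 'dc1.ad.example.com' but not
    'ad.example.com' itself and not 'a.b.ad.example.com'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def ldap_hosts(section):
    """Hostnames from a domain section's comma-separated ldap_uri list."""
    hosts = []
    for uri in section.get("ldap_uri", "").split(","):
        uri = uri.strip()
        if uri:
            hosts.append(urlsplit(uri).hostname)
    return hosts


def check_tls_config(conf_text, cert_names):
    """Return a list of problems; an empty list means every domain
    section passes the CN/SAN and CA-bundle checks."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        # sssd's default for ldap_tls_reqcert is "hard" (same as "demand")
        reqcert = sec.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert == "never":
            problems.append(f"{name}: ldap_tls_reqcert=never disables "
                            "certificate validation entirely")
            continue
        if not (sec.get("ldap_tls_cacert") or sec.get("ldap_tls_cacertdir")):
            problems.append(f"{name}: neither ldap_tls_cacert nor "
                            "ldap_tls_cacertdir is set, so the server "
                            "chain cannot be validated")
        for host in ldap_hosts(sec):
            if not any(name_matches(n, host) for n in cert_names):
                problems.append(f"{name}: ldap_uri host {host} matches none "
                                f"of the certificate names {cert_names}")
    return problems


if __name__ == "__main__":
    for p in check_tls_config(SSSD_CONF, CERT_NAMES):
        print("PROBLEM:", p)
```

With the constructed input the script reports exactly one problem: `ad.example.com` is not covered by the certificate (the wildcard `*.ad.example.com` does not cover the bare name), while `dc1.example.com` matches. That is the shape of failure Dan's first point describes; fixing it means either connecting to a name the certificate carries or reissuing the certificate with the alias in its SAN.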