Also, I tried other versions, 1.8.6, 1.5.7 etc., but am still having an issue with
TLS. Any ideas, guys?
On Wed, Aug 20, 2014 at 1:57 PM, Daniel Jung <mimianddaniel(a)gmail.com>
wrote:
I did try modifying the above two parameters with longer timeouts (15 secs),
and these didn't make any difference; still seeing sssd[be[LDAP]]: Could not
start TLS encryption. unknown error.
I think there is an issue with the way sssd calls the ldap lib which may be
contributing to this problem. Could someone who uses CentOS > 5.8 confirm
sssd is actually working with pam auth?
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [sdap_get_generic_step] (7): Requesting attrs: [highestCommittedUSN]
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (5): No known USN scheme is supported by this server!
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: (null)
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [simple_bind_done] (5): Server returned no controls.
(Fri Aug 15 01:25:04 2014) [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null)
http://www.openldap.org/its/index.cgi/Incoming?id=6789
Based on the previous URL, does a (null) return mean there was an issue but
sssd didn't get the appropriate msg back from LDAP?
Also, I see slap_global_control: unrecognized control:
1.3.6.1.4.1.42.2.27.8.5.1 in the ldap.log on the LDAP server, which seems to
indicate that sssd is trying to use password policy? But I don't see this
behaviour on the sssd running on CentOS 6 as well as on <= CentOS 5.6. Has
there been a change in the way sssd connects to LDAP?
On Wed, Aug 20, 2014 at 12:44 AM, Lukas Slebodnik <lslebodn(a)redhat.com>
wrote:
> On (19/08/14 16:37), Daniel Jung wrote:
> >Still seeing sssd[be[LDAP]]: Could not start TLS encryption. unknown error
> >
> >(Wed Aug 20 01:27:53:174091 2014) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
> >(Wed Aug 20 01:27:53:174891 2014) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
> >(Wed Aug 20 01:27:53:174930 2014) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [unknown error]
> >
> >As a recap, openldap user land tools work using -ZZ. Upgraded sssd to
> >1.9.6, upgraded openldap lib to 2.4.39. Any other ideas?
> >
> >By the way, what was the main decision for compiling against openldap 2.4
> >when other critical packages still compile against the 2.3 ldap lib? Making the
> >upgrade path to openldap 2.4 very difficult.
> >
> The patch from the previous mail just fixed a crash.
> SSSD can try to reconnect after a few seconds (value of "offline_timeout").
>
> It is not clear from the previous log file; it can be a problem with long
> synchronous calls. You can try to modify some timeout options:
>
>     ldap_network_timeout (integer)
>         Specifies the timeout (in seconds) after which the
>         poll(2)/select(2) following a connect(2) returns in case of no
>         activity.
>
>         Default: 6
>
>     ldap_opt_timeout (integer)
>         Specifies a timeout (in seconds) after which calls to synchronous
>         LDAP APIs will abort if no response is received. Also controls the
>         timeout when communicating with the KDC in case of SASL bind.
>
>         Default: 6
>
> Other options are in man sssd-ldap.
>
> LS
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
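As an added example (not from the thread and not sssd's own documentation), this is how the two timeout options Lukas quotes from man sssd-ldap sit in an sssd.conf LDAP domain section, next to the START TLS settings involved in the failure Daniel is chasing. The domain name, server URI and CA bundle path are placeholders; the option names are the real sssd-ldap and sssd.conf keys.

```ini
# /etc/sssd/sssd.conf -- added example, not from the thread.
# "example.com", the ldap_uri host and the CA bundle path are placeholders.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com

# Use START TLS on the identity (lookup) connection as well, so lookups and
# authentication both go over the same kind of encrypted channel.
ldap_id_use_start_tls = true
# CA bundle used to verify the server certificate (placeholder path).
ldap_tls_cacert = /etc/openldap/cacerts/ca.pem
# Refuse the connection if the server certificate cannot be verified.
ldap_tls_reqcert = demand

# The two options quoted from "man sssd-ldap" above; both default to 6 seconds.
# Raising them only helps if the failure is a slow server, not a TLS error.
ldap_network_timeout = 15
ldap_opt_timeout = 15

# Seconds the back end waits before retrying a server it marked offline
# (the "offline_timeout" Lukas refers to).
offline_timeout = 60

# Verbose back-end logging while diagnosing; the (7)/(6)/(5) numbers in the
# pasted log lines are this level. Output goes to
# /var/log/sssd/sssd_example.com.log
debug_level = 7
```

After changing the file, sssd has to be restarted for the domain section to be re-read. The two timeouts address one of the two possibilities Lukas names (slow synchronous calls); the other, ldap_install_tls failing on the handshake itself, shows up regardless of how long the timeouts are, and the CA bundle and ldap_tls_reqcert lines are the settings that govern that step.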