On Mon, Jun 22, 2015 at 11:43:59AM -0600, Chris Lajoie wrote:
I'm trying to set up openldap + pam + sssd and everything seems to be working
except sssd is not able to use TLS to communicate with my ldap server.
When I use ldap_auth_disable_tls_never_use_in_production=True, everything works.
Here are the relevant log messages:
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Mon Jun 22 10:50:04 2015) [sssd[be[default]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [TLS error -8157:Certificate extension not found.]
There's not much to be found on google, except this promising RHKB entry
that requires a subscription to see the solution.
https://access.redhat.com/solutions/185883
Can someone tell me what this error is supposed to be telling me about
what's wrong with my certificate?
There might be various reasons, e.g. if your certificate has the Subject
Alternative Name attributes set, it has to match the fully qualified
domain name of your LDAP server. The issue in the KB article was about
missing the Basic Constraint Extension in self-signed certificates, but
it says that this is fixed in recent OpenLDAP versions.
bye,
Sumit
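As an added example (not part of the thread), a small POSIX shell script that checks an LDAP server certificate for the two conditions Sumit names: a Subject Alternative Name entry matching the server FQDN, and the presence of a Basic Constraints extension. It assumes only the openssl command-line tool; the certificate, hostname and file names it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight checks for an LDAP server certificate, covering the two causes
# Sumit mentions: the Subject Alternative Name must contain the server's
# FQDN, and a self-signed cert should carry a Basic Constraints extension.
# Assumes only the openssl command-line tool.

# Exit 0 if the PEM certificate in $1 carries a Basic Constraints extension.
has_basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Basic Constraints'
}

# Exit 0 if the SAN extension of the certificate in $1 lists exactly DNS:$2.
# Entries are compared whole, so ldap.example.com does not match
# ldap.example.com.evil or a wildcard entry.
san_matches_fqdn() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qx "DNS:$2"
}

# Run both checks against cert $1 for FQDN $2; exit 0 only if both pass.
check_ldap_cert() {
    rc=0
    if has_basic_constraints "$1"; then echo "ok: Basic Constraints present"
    else echo "FAIL: no Basic Constraints extension"; rc=1; fi
    if san_matches_fqdn "$1" "$2"; then echo "ok: SAN contains DNS:$2"
    else echo "FAIL: SAN does not contain DNS:$2"; rc=1; fi
    return $rc
}

# Constructed test fixture: a self-signed cert (written to $1, key to $1.key)
# for hostname $2 with SAN and Basic Constraints set from an inline config,
# so the result does not depend on the system openssl.cnf.
make_test_cert() {
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = ext' '[dn]' "CN = $2" '[ext]' \
        "subjectAltName = DNS:$2" 'basicConstraints = critical,CA:TRUE' \
        > "$1.cnf"
    openssl req -x509 -config "$1.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh check_ldap_cert.sh /path/to/server.pem ldap.example.com
if [ $# -eq 2 ]; then check_ldap_cert "$1" "$2"; fi
```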
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users