Hi Lukas,
thanks for the explanation.

After some more testing I found that sssd version 1.16 works with SSL even if the version of openldap is not compiled with SSL support. SSSD suddenly requires ldap_tls_cacert to find the CA, even when you use SSL (ldaps in the URI). Does it make any sense?

We can upgrade sssd in SL7; only a few RH6/SL6 will need special upgrade processes...

Thanks,
Arnau

On Fri, 27 Mar 2020 at 16:32, Lukas Slebodnik <lslebodn@redhat.com> wrote:
On (27/03/20 16:12), Arnau Bria wrote:
>Hi all,
>
>something I've found is that the openldap behaviour I've described really
>depends on the openldap version. With versions older than 2.4.44-15 (in SL)
>openldap only knows about Mozilla DB, whereas in newer versions it falls back
>to OpenSSL and openldap then reads the certificates from the PKI store.
>IOW, with newer openldap there's no need to create the Mozilla DB.
>

Yes, it depends which crypto was used in openldap.

CentOS 7 and old versions of Fedora were compiled with NSS.
Later versions moved to OpenSSL, but some distributions have some compatibility
with NSS (converting the NSS db on the fly to a format which works with OpenSSL).
That compatibility was removed in Fedora 29, and thus newer versions
support just OpenSSL.

LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


--
Arnau Bria
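Added example, not code from the thread or from SSSD itself: a small shell lint for the combination Arnau describes, an ldaps:// URI (or StartTLS) in sssd.conf with no ldap_tls_cacert or ldap_tls_cacertdir for SSSD to find the CA, plus a check that the configured CA file is a readable PEM bundle rather than an NSS database directory. The hostnames, paths, the placeholder certificate and the one-domain-per-file assumption are mine; the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the sssd-users thread or the SSSD project).
# Lints an sssd.conf for TLS to LDAP without a configured CA source.
# Assumption: one [domain/...] section per file; hostnames/paths are invented.

# check_sssd_tls FILE: prints findings; returns 0 when every TLS/LDAPS
# connection has a CA source (and ldap_tls_cacert looks like PEM), 1 otherwise.
check_sssd_tls() {
    cfg="$1"
    uses_tls=0
    has_ca=0
    status=0
    # normalise: drop comments, leading blanks, and blanks around the first '='
    while IFS= read -r line; do
        case "$line" in
            ldap_uri=*ldaps://*)            uses_tls=1 ;;
            ldap_id_use_start_tls=[Tt]rue)  uses_tls=1 ;;
            ldap_tls_cacertdir=*)           has_ca=1 ;;
            ldap_tls_cacert=*)
                has_ca=1
                ca="${line#ldap_tls_cacert=}"
                if [ ! -r "$ca" ]; then
                    echo "$cfg: ldap_tls_cacert=$ca is not readable"
                    status=1
                elif ! grep -q 'BEGIN CERTIFICATE' "$ca"; then
                    # OpenSSL-backed openldap wants a PEM bundle here, not an NSS db
                    echo "$cfg: ldap_tls_cacert=$ca does not look like a PEM certificate"
                    status=1
                fi
                ;;
        esac
    done <<EOF
$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/' -e '/^$/d' "$cfg")
EOF
    if [ "$uses_tls" -eq 1 ] && [ "$has_ca" -eq 0 ]; then
        echo "$cfg: ldaps:// or StartTLS in use but no ldap_tls_cacert/ldap_tls_cacertdir set"
        status=1
    fi
    return "$status"
}

# make_demo_configs DIR: writes two constructed sssd.conf fragments and a
# placeholder PEM file (not a real CA) into DIR for the demonstration.
make_demo_configs() {
    dir="$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
                  'MIIB-constructed-placeholder-not-a-real-certificate' \
                  '-----END CERTIFICATE-----' > "$dir/ca.pem"
    cat > "$dir/bad.conf" <<EOF
[domain/example.org]
id_provider = ldap
ldap_uri = ldaps://ldap.example.org
EOF
    cat > "$dir/good.conf" <<EOF
[domain/example.org]
id_provider = ldap
ldap_uri = ldaps://ldap.example.org
ldap_tls_cacert = $dir/ca.pem
EOF
}

# Demonstration on the constructed configs
demo_dir=$(mktemp -d)
make_demo_configs "$demo_dir"
for f in "$demo_dir/good.conf" "$demo_dir/bad.conf"; do
    if check_sssd_tls "$f"; then echo "$f: OK"; fi
done
```

On a live host, run it against /etc/sssd/sssd.conf after the upgrade; a clean result only says SSSD has somewhere to look for the CA, it does not prove the server's chain actually validates, so follow it with a real connection test (for example ldapsearch over ldaps:// with LDAPTLS_CACERT pointing at the same file).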