Hi all,
something I've found is that the openldap behaviour I've described really depends on the openldap version. With versions older than 2.4.44-15 (in SL) openldap only knows about Mozilla DB whereas in newer versions it falls back to OpenSSL and openldap then reads the certificates from the PKI store. IOW, with newer openldap there's no need to create the Mozilla DB.
# ldapsearch -d1 -x -H ldaps://ldapserver:3269 -b dc=domain,dc=com
ldap_url_parse_ext(ldaps://ldapserver:3269)
ldap_create
ldap_url_parse_ext(ldaps://ldapserver:3269/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver:3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:3269
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/cacerts'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap` prefix `cacerts`.
tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: /DC=com/DC=domain/CN=[....]
TLS certificate verification: depth: 1, err: 0, subject: /DC=com/DC=domain/CN=[...]
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldapserver/emailAddress=[...]
ing CA 01
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
HTH, Arnau
On Thu, 26 Mar 2020 at 15:34, John Beranek john@redux.org.uk wrote:
On Thu, 26 Mar 2020 at 13:00, Arnau Bria wrote:
Hi John,
first of all thanks for your answer.
I'm not an AD/LDAP/SSSD expert, sorry in advance for my ignorance.
I'm certainly no expert, I was just pointing you in the direction of a recent thread on this topic.
this is what I understand:
those changes might require to use LDAP with TLS either with START_TLS on the LDAP port or using LDAPS.
I understand that we have to enforce TLS or LDAPS (which brings me to my original email, how?).
Additionally SSSD uses SASL/GSSAPI/GSS-SPNEGO for encryption which cannot for the above methods (and according to https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html) I must join the computer to the domain (something I cannot do). So, back to ldap with TLS/SSL?
It certainly looks that way, so if your machines can't be domain-joined then you do need to config LDAPS or LDAP+STARTTLS.
I still don't understand why ldaps is not required for encrypted comms.
Could you please elaborate a little your answer?
If we stick to ldap provider, how should we configure sssd if we cannot join the server to the domain?
GSSAPI is used to encrypt traffic over an LDAP session which is otherwise not transport-encrypted, as I understand it.
Cheers,
John
-- 
John Beranek
To generalise is to be an idiot. http://redux.org.uk/ -- William Blake
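As an added illustration (not code from either poster), the ldapsearch -d1 trace Arnau quoted can be checked mechanically: did the client give up on the MozNSS DB and fall back to OpenSSL, and did every depth of the server chain verify with err 0 before the connection opened? The sample trace below is constructed in the shape of that output, with placeholder hostnames and CA names.

```python
import re

# Constructed sample trace in the shape of the ldapsearch -d1 output quoted
# in this thread (placeholder names, not the poster's real hosts or CAs).
SAMPLE_TRACE = """\
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/cacerts'.
tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLS certificate verification: depth: 2, err: 0, subject: /DC=com/DC=example/CN=Example Root CA
TLS certificate verification: depth: 1, err: 0, subject: /DC=com/DC=example/CN=Example Issuing CA 01
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldapserver
ldap_open_defconn: successful
"""

NSS_ERR_RE = re.compile(r"could not initialize MozNSS context - error (-?\d+)")
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.*)")


def summarize_tls_trace(trace):
    """Parse an ldapsearch -d1 trace and report how TLS was set up."""
    summary = {
        "nss_error": None,        # MozNSS init error code if the DB could not be opened
        "openssl_fallback": False,
        "chain": [],              # (depth, err, subject), deepest CA first
        "connection_opened": False,
    }
    for line in trace.splitlines():
        m = NSS_ERR_RE.search(line)
        if m:
            summary["nss_error"] = int(m.group(1))
            continue
        if "Continuing with OpenSSL only" in line:
            summary["openssl_fallback"] = True
            continue
        m = VERIFY_RE.match(line)
        if m:
            depth, err, subject = int(m.group(1)), int(m.group(2)), m.group(3)
            summary["chain"].append((depth, err, subject))
            continue
        if line.startswith("ldap_open_defconn: successful"):
            summary["connection_opened"] = True
    return summary


def chain_verified(summary):
    """True only if the leaf (depth 0) was seen and every depth reported err 0."""
    chain = summary["chain"]
    return (bool(chain) and any(d == 0 for d, _, _ in chain)
            and all(e == 0 for _, e, _ in chain))


if __name__ == "__main__":
    s = summarize_tls_trace(SAMPLE_TRACE)
    print(s, chain_verified(s))
```

Feed it the real trace with `ldapsearch -d1 ... 2>&1 | python3 this_script.py` after swapping SAMPLE_TRACE for sys.stdin.read(); a non-zero err at any depth means the chain was not trusted from the configured cacertdir.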