Hi Lukas,
By eliminating the link libs to SSSD, I rebuilt nss and noticed that there
is no libnsspem.so from the src [0], which seems to be required for reading
PEM certs.
After rebuilding nss with nss_pem.git [1] for CentOS 5, PAM passwd + auth
work now.
(Sat Aug 23 01:15:02:652979 2014) [sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to with fd [27].
(Sat Aug 23 01:15:02:652999 2014) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Sat Aug 23 01:15:02:653682 2014) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
OpenLDAP userland tools and openssh were able to create TLS connections to
the ldap server without this rebuild of NSS with libnsspem, which seems to
indicate that when sssd was built it didn't have the appropriate dependency to
read the pem file properly for CentOS 5 > 5.6. I haven't heard from anyone on
the list to say that PAM + AUTH + SSSD is working on CentOS 5.6 and up yet.
I found this to be very unsettling. Could you please verify?
Thanks
[0] http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_4_R...
[1] https://git.fedorahosted.org/cgit/nss-pem.git/
On Fri, Aug 22, 2014 at 3:23 PM, Lukas Slebodnik <lslebodn(a)redhat.com>
wrote:
On (22/08/14 15:17), Daniel Jung wrote:
> Have already tested on different LDAP servers but running same version, the
> latest avail from openldap, 2.4.39 and still same failure with TLS.
>
There should not be a problem with openldap-server-2.4.39.
Do you use the same valid certificate (even self-signed) on server and
client?
Could you send me log files with debug_level = 10?
LS
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
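Two checks that follow from the diagnosis in this thread, written as an added example rather than anything posted by Daniel or Lukas or shipped with SSSD: one looks for the NSS PEM module (libnsspem.so) in a library directory you name, the other scans an sssd LDAP backend log (debug_level = 10 output) and fails if any START TLS attempt did not report Success(0). The library directory is an argument because its location varies; the sample log written by make_sample_log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not code from the sssd-users thread or from SSSD itself.

# Return 0 if libnsspem.so (the NSS PEM reader module that SSSD needs to
# load a PEM CA certificate) exists in the given library directory,
# e.g. /usr/lib64 or /usr/lib.
has_nsspem() {
    [ -e "$1/libnsspem.so" ]
}

# Scan an sssd domain log for START TLS results. Prints each result line and
# returns 0 only when at least one START TLS attempt was logged and every one
# of them reported Success(0); a log with no START TLS line at all is a failure
# too, because it means TLS was never attempted (or the debug level is too low).
starttls_ok() {
    total=$(grep -c 'START TLS result' "$1" || true)
    failed=$(grep 'START TLS result' "$1" | grep -vc 'Success(0)' || true)
    grep 'START TLS result' "$1" || true
    [ "$total" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Write a constructed sample log (two lines taken from the thread) to the
# given path so the checks can be exercised offline.
make_sample_log() {
    cat > "$1" <<'EOF'
(Sat Aug 23 01:15:02:652999 2014) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Sat Aug 23 01:15:02:653682 2014) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
EOF
}

# Stand-alone demonstration: report on the NSS module and on the sample log.
demo_dir=$(mktemp -d)
make_sample_log "$demo_dir/sssd_LDAP.log"
for libdir in /usr/lib64 /usr/lib; do
    if has_nsspem "$libdir"; then
        echo "libnsspem.so found in $libdir"
    else
        echo "libnsspem.so not found in $libdir"
    fi
done
if starttls_ok "$demo_dir/sssd_LDAP.log"; then
    echo "START TLS: all attempts succeeded"
else
    echo "START TLS: missing or failed attempts"
fi
rm -rf "$demo_dir"
```

On a real host, point starttls_ok at /var/log/sssd/sssd_<domain>.log after raising debug_level to 10 as Lukas asked; if libnsspem.so is absent from every NSS library directory while OpenLDAP tools connect fine, that is the same symptom the thread describes.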