-
Notifications
You must be signed in to change notification settings - Fork 233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fails to validate certificate of recent OpenLDAP; vague error message #5444
Comments
(Just to be clear: this same setup worked before upgrading the LDAP servers. After the upgrade, all sssd instances failed the same way, but due to caching being enabled, it wasn't immediately obvious.) |
Hi, could you please set |
Hi, how does your LDAP server certificate look like? There is a change in OpenLDAP-2.4.52 where a new option HTH bye, |
Hi,
I'm not sure I see how that's relevant; the default setting is the least strict (any certificate that fails it should have failed before too). FWIW, my certificate should match even with the strictest setting; it looks like this:
I'll try to see what |
Hah!
So I need to specify I wonder why this wasn't a problem before. Either way, this issue needs to be easier to troubleshoot, and there should be sensible defaults for these ldap_tls settings (settable at compile time, I guess, so that distributions can set them as appropriate). What I mean is: while my specific problem is apparently solved, others will run into this issue and the vague error message isn't going to help them either. |
Hi, thanks for the feedback, it's good to know that OpenLDAP with gnutls does not support TLS_CACERTDIR, after checking the ldap,conf man page I found 'This parameter is ignored with GnuTLS'. I'm currently not aware of a way to check the OpenLDAP crypto backend at runtime. Doing this a compile time is tricky as well since the system where SSSD is complied might not reflect the setting on the system where SSSD is run. So it might be a configure option but then distributors building OpenLDAP with gnutls have to actively use this option when building SSSD. So, I'm currently not sure what might be the best solution but at least we can add a comment to the ldap_tls_cacertdir man page entry mentioning the issue. bye, |
Apparently this is a bug in libldap, because gnutls does have the required feature; see http://bugs.debian.org/979995.
I don't think this is necessary, fwiw.
I agree; however, such consistency is exactly the point of distributions. If a distribution has a sensible default for something, it should be possible to compile packages such that they use this sensible default. For example, Debian has a standard location for system-wide trusted CA certificates, and I think it'd be great if sssd could use it without requiring explicit configuration.
That would be a good start. However, it still doesn't help with the vague error message ("unknown error"). I don't know, maybe you could suggest |
Hi, with respect to system defaults, if you do not set bye, |
Do you mean this literally? As in, if I set e.g. Or do you mean that any options not explicitly overridden in Anyway, this bug report is primarily about the unhelpful error message; so while I really, unironically appreciate you taking the time to answer what are essentially support questions, let's not lose sight of that. :) |
I will just write down my problem I experienced after this error message: We have Let's Encrypt Certificates for our LDAP servers and use sssd on network switches. However, my certificates - freshly created - still contain the Broken Chain:
Known Good Chain:
I am not sure right now why I have those broken certificates - other certificates on other LDAP servers have the correct chain, but you can convince sssd to accept this certificate by providing the ISRG Root Certificate - which is actually be used to sign the certificates.
I think, they cross signed the ISRG Root CA with the old DST Root CA X3 certificate to keep compatability with old devices, but this certificate is expired now. I will keep you updated if I find out more. |
Dear Contributor/User, Recognizing the importance of addressing enhancements, bugs, and issues for the SSSD project's quality and reliability, we also need to consider our long-term goals and resource constraints. After thoughtful consideration, regrettably, we are unable to address this request at this time. To avoid any misconception, we're closing it; however, we encourage continued collaboration and contributions from anyone interested. We apologize for any inconvenience and appreciate your understanding of our resource limitations. While you're welcome to open a new issue (or reopen this one), immediate attention may not be guaranteed due to competing priorities. Thank you once again for sharing your feedback. We look forward to ongoing collaboration to deliver the best possible solutions, supporting in any way we can. Best regards, |
I recently upgraded my OpenLDAP servers from 2.4.50+dfsg-1 to 2.4.56+dfsg-1 (Debian sid; since these were dist-upgrades, all library dependencies were also upgraded). Since then, sssd is (I think) unable to verify the server certificate and fails thusly:
The
slapd
log shows:Adding
ldap_tls_reqcert = allow
to the sssd configfile masks the error.openssl s_client
from the same box as where sssd runs can connect to ldapserver:636 and verify the certificate with no problem:My
sssd.conf
looks like this:Commenting out
ldap_tls_cipher_suite
results in no change.Raising debug level to 9 still results in no meaningful error message:
Cf. #4046.
I get the same behaviour with sssd
2.4.0-1
(as shipped by Debian) and2.3.1-3
. I didn't try other versions.The text was updated successfully, but these errors were encountered: