SLES 12 SP1 Trying to get ldap/sssd to work on SLES 12.1


skunkboy
26-May-2016, 21:07
I'm trying to get sssd/ldap working on SLES 12.1, like we already have it working on SLES 11.4. The issue seems to be that 12.1 requires the use of tls. Our ldap setup has a haproxy frontend but the ldap servers on the backend have expired ssl certs. I don't have any access to the ldap setup. Is there a way to force the sssd setup to ignore the expired certs?

Thanks,
Matt

ab
27-May-2016, 01:15
1. I do not know, or probably have any good ideas.

2. Is there a reason the certificates are not just fixed? There's a
reason that certificates have expiration dates, and that reason is based on
valid security principles, so this should be fixed.

3. Bad idea: Set the LDAP boxes' time back in the past? Yes, I'm kidding.

--
Good luck.

skunkboy
27-May-2016, 20:18
I don't have any access to the ldap servers, but yeah...

jmozdzen
30-May-2016, 10:54
Hi Matt,

I'm trying to get sssd/ldap working on SLES 12.1, like we already have it working on SLES 11.4. The issue seems to be that 12.1 requires the use of tls. Our ldap setup has a haproxy frontend but the ldap servers on the backend have expired ssl certs. I don't have any access to the ldap setup. Is there a way to force the sssd setup to ignore the expired certs?

while I fully second ab's reply that the LDAP servers NEED FIXING (I understand you have no access - but at least try to escalate the issue!), you can screw TLS security by configuring /etc/sssd/sssd.conf. See "man sssd-ldap" and look out for the "ldap_tls_reqcert" parameter.

Regards,
Jens

hangarbait
15-Jun-2016, 11:42
... agreed, setting the "ldap_tls_reqcert" directive to "never" may help with your use case. However, the SSSD has such a bias for enforcing encryption it can be told to ignore signing nuances, but may refuse to use an expired certificate. Let us know what you find please.

... and see if you can have those certificates fixed :-) .

-- lawrence
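For readers landing here later, an added /etc/sssd/sssd.conf fragment (not posted by anyone in the thread; the host name, search base and CA path are placeholders) showing the "ldap_tls_reqcert" workaround Jens and Lawrence refer to next to the setting to restore once the backend certificates are renewed:

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
# Placeholder URI; the thread's haproxy frontend would go here.
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Workaround discussed above: accept the server certificate without
# validating it (expired, wrong name or untrusted issuer all pass).
# The session is still encrypted, but the server is no longer
# authenticated, so any host answering on that port is trusted.
ldap_tls_reqcert = never

# Setting to return to once the certificates are fixed: validate the
# chain against the CA that issued the LDAP server certificates.
# (Remove the leading comment markers and the "never" line above.)
# ldap_tls_reqcert = demand
# ldap_tls_cacert = /etc/ssl/certs/ldap-ca.pem
```

sssd.conf must stay mode 0600 and owned by root, and sssd needs a restart after the change; "man sssd-ldap" documents the other accepted values (allow, try, hard) between these two extremes.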