I need to set up LDAP authentication on a SLE12 server. My LDAP server is a cluster-based OES 2 SP3 server.
I have two OES 2 SP3 servers (server1 and server2) running on an NCS cluster. The FQDN "ldap.mydomain" points to the cluster's "Master IP Address", so the active server will answer LDAP requests.
Here's my sssd.conf:
[domain/MyLDAP]
# section header assumed from the "be[MyLDAP]" in the log line further down
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.mydomain
# sssd has no "ldap_default_base_dn" option; the bind-DN option ldap_default_bind_dn is assumed to be what was meant
ldap_default_bind_dn = cn=LDAP,o=MyOrg
ldap_search_base = o=MyOrg
ldap_tls_cacert = /etc/sssd/certs/O=MyOrg,OU=OrganizationalCA.pem
ldap_tls_cacertdir = /etc/sssd/certs
debug_level = 20
case_sensitive = true
# create_homedir is not an sssd option (home directories are created by pam_mkhomedir); sssd ignores it
create_homedir = true
enumerate = true
cache_credentials = false
ldap_id_use_start_tls = true
# the option is "ldap_tls_reqcert"; a bare "tls_reqcert" is ignored, so SSSD stays at its default of "hard"
ldap_tls_reqcert = allow
ldap_pwd_policy = none
ldap_network_timeout = 3
access_provider = ldap
ldap_access_filter = (|(groupMembership=cn=LDAPEnabledUsers,ou=Groups,o=MyOrg))
This used to work on SLE10 and SLE11 (without TLS), but now that I'm installing SLE12, I'm facing problems.
When I set up SSSD to use the neutral address, I got the error below:
sle12server sssd[be[MyLDAP]]: Could not start TLS encryption. TLS: hostname does not match CN in peer certificate
I understand that I'm getting this error because the active server isn't presenting itself as "ldap.mydomain", but as "CN=server1,O=MyORG" (or "CN=server2,O=MyORG" if that is the active server). For instance, if I point "ldap_uri" at server1, authentication works; but what if server1 is offline?
So, I need help making SSSD accept the server certificates, or maybe getting it to try authenticating against both servers.
Can anyone help me?
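The mismatch in the error above is exactly what a TLS client's hostname check is supposed to catch: the name SSSD dialled ("ldap.mydomain") has to appear in the certificate the active node presents, either as the subject CN or, preferably, as a dNSName in the subjectAltName extension. The following script is an added example, not part of the original post or of SSSD/OES; it reproduces that check offline against two constructed certificate dictionaries (shaped like what Python's ssl.SSLSocket.getpeercert() returns) and also carries an optional helper to fetch a live LDAPS certificate for inspection while still validating the chain against a CA file such as the one in the sssd.conf above. The hostnames, certificate contents and port 636 are assumptions for the example.

```python
"""Diagnose "hostname does not match CN in peer certificate" for an LDAP server.

Added example, not code from the original post. The certificate dicts below are
constructed to look like ssl.SSLSocket.getpeercert() output; SERVER1_CERT mimics
the cluster node certificate described in the post (CN=server1, no SAN), and
FIXED_CERT shows the remediation: the same certificate reissued with the cluster
name "ldap.mydomain" as a dNSName SAN.
"""
import socket
import ssl

# Constructed: what an active cluster node presents today (subject CN only).
SERVER1_CERT = {
    "subject": ((("organizationName", "MyORG"),), (("commonName", "server1"),)),
    "issuer": ((("organizationName", "MyOrg"),), (("organizationalUnitName", "OrganizationalCA"),)),
}

# Constructed: the same node after reissuing with SANs covering both names.
FIXED_CERT = {
    "subject": ((("organizationName", "MyORG"),), (("commonName", "server1"),)),
    "issuer": ((("organizationName", "MyOrg"),), (("organizationalUnitName", "OrganizationalCA"),)),
    "subjectAltName": (("DNS", "server1.mydomain"), ("DNS", "ldap.mydomain")),
}


def cert_names(cert):
    """Return (subject CN, list of dNSName SANs) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def hostname_matches(cert, hostname):
    """Decide whether `hostname` is covered by the certificate.

    Mirrors the RFC 6125 rule clients such as libldap apply: when dNSName SANs
    are present they are authoritative and the CN is ignored; the CN is only
    consulted when the certificate carries no SAN at all. Wildcard names are
    deliberately not handled here (exact, case-insensitive comparison only).
    """
    cn, sans = cert_names(cert)
    host = hostname.lower()
    if sans:
        return any(san.lower() == host for san in sans)
    return cn is not None and cn.lower() == host


def diagnose(cert, hostname):
    """Return a verdict string; on mismatch, state the defender-side remediation."""
    cn, sans = cert_names(cert)
    if hostname_matches(cert, hostname):
        return f"OK: {hostname} is covered (CN={cn!r}, SAN={sans})"
    return (f"MISMATCH: {hostname} is not in CN={cn!r} or SAN={sans}; "
            "reissue the node certificate with the cluster name as a dNSName SAN")


def fetch_peer_cert(host, cafile, port=636, timeout=3):
    """Fetch a live LDAPS certificate (port 636, assumed; StartTLS is not used here).

    The chain is still validated against `cafile`; only the hostname check is
    switched off so that a mismatching certificate can be retrieved and fed to
    diagnose(). With CERT_REQUIRED kept, getpeercert() returns a populated dict.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # we want to see the mismatch, not abort on it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("current node cert", SERVER1_CERT), ("reissued cert", FIXED_CERT)):
        print(f"{label}: {diagnose(cert, 'ldap.mydomain')}")
```

Running it offline prints a MISMATCH for the current node certificate and OK for the reissued one; pointing fetch_peer_cert() at a real node (with the CA file from ldap_tls_cacert) lets you feed the actual certificate to diagnose(). Two fixes keep the hostname check intact: reissue each node's certificate with "ldap.mydomain" (and the node's own name) as dNSName SANs, or list both nodes in ldap_uri (SSSD accepts a comma-separated failover list, e.g. ldap://server1.mydomain, ldap://server2.mydomain) so that each name matches its own certificate. Relaxing ldap_tls_reqcert makes the error disappear only by skipping the check that would catch a host impersonating ldap.mydomain.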