Bug 1569709
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | After upgrading to RHEL 7.5 sssd/ldap authentication fails when using ldaps/ssl | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | aheverle |
| Component | openldap | Assignee | Matus Honek <mhonek> |
| Status | CLOSED NOTABUG | QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 7.5 | CC | apeddire, cobrown, jvilicic, mhonek, paul.whitney, pkis, tmihinto, tscherf |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-06-07 15:31:37 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
aheverle
2018-04-19 20:51:09 UTC
Given the workaround no. 2 from the Description, my guess is the /etc/openldap/cacerts directory is not properly maintained by the openssl c_rehash command as described in ldap.conf(5).

First, back up the directory and then run c_rehash on it:

> c_rehash -v /etc/openldap/cacerts

Then, after restarting the SSSD service, all should be back to normal. Also, please attach the output of c_rehash for future reference or, should there still be errors, for further issue solving.

Thank you.
I am still having this issue with my openldap client. Why is this bug closed? None of the solutions above worked to resolve the issue.

Versions:

openldap-2.4.44-15
openldap-clients-2.4.44-15

Still getting this error:

[sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)]

(In reply to Paul from comment #8)
> I am still having this issue with my openldap client. Why is this bug
> closed? None of the solutions above worked to resolve the issue.
>
> Versions:
>
> openldap-2.4.44-15
> openldap-clients-2.4.44-15
>
> Still getting this error:
>
> [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020):
> ldap_install_tls failed: [Connect error] [error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed (self signed
> certificate in certificate chain)]

Correction, I had to downgrade a couple of versions of openldap and the client to get back to an operational state. Currently running version 2.4.44-5.

Paul, please file an issue with our customer support or, if unable to do so, please file a new bugzilla bug with detailed information (configuration and outputs of both openldap (e.g. ldapsearch, and ldap.conf) and sssd; it will probably be necessary to assess the correctness of the certs themselves as well; if you could test with `openssl s_client` it would be useful, too). The user cases related to this bug were various configuration issues, and no particular issue was asserted to be in the software itself. So, please, do not follow up on this bug, so as not to mix possibly unrelated things together; better file a separate thread. Thanks!
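The two diagnostic steps proposed in this thread, checking that the TLS_CACERTDIR has the hash links c_rehash creates and probing the server with `openssl s_client`, can be scripted so the result is unambiguous before anyone downgrades packages. The script below is an added example and not code from the bug report or from the openldap/sssd projects; it assumes the `openssl` CLI is installed, the directory path defaults to /etc/openldap/cacerts as in the thread, and the test CA it builds under a temporary directory is constructed data. libldap (when built against OpenSSL) finds CA certificates in a CApath directory by subject-name hash, so a CA file with no `<hash>.N` link is simply never consulted and verification fails exactly as in the pasted sssd log line.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an OpenLDAP TLS_CACERTDIR
# for the hash links that c_rehash creates, and probe an ldaps server.
# Assumes the openssl CLI is present; paths and test data are constructed.

# Print one line per certificate file, "OK <file> <hash>" or
# "MISSING <file> <hash>". Returns 0 when every CA file is reachable
# through a <subject_hash>.N link, 1 if any is not.
check_cacerts_dir() {
    dir=$1
    status=0
    for cert in "$dir"/*; do
        # regular files only: the hash links themselves are checked via their target
        [ -f "$cert" ] && [ ! -L "$cert" ] || continue
        grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        found=0
        for link in "$dir"/"$hash".[0-9]*; do
            [ -e "$link" ] || continue
            # the link must resolve to a certificate carrying the same subject hash
            linkhash=$(openssl x509 -noout -subject_hash -in "$link" 2>/dev/null)
            [ "$linkhash" = "$hash" ] && found=1
        done
        if [ "$found" -eq 1 ]; then
            echo "OK $cert $hash"
        else
            echo "MISSING $cert $hash"
            status=1
        fi
    done
    return "$status"
}

# What c_rehash does for one file: link <subject_hash>.0 to it.
rehash_one() {
    dir=$1; file=$2
    hash=$(openssl x509 -noout -subject_hash -in "$dir/$file")
    ln -sf "$file" "$dir/$hash.0"
}

# Report the verify result for an ldaps endpoint using a CApath directory,
# the openssl s_client check suggested in the thread (host/port are arguments).
probe_ldaps() {
    host=$1; port=${2:-636}; cadir=${3:-/etc/openldap/cacerts}
    openssl s_client -connect "$host:$port" -CApath "$cadir" </dev/null 2>&1 \
        | grep 'Verify return code'
}

# Build a throwaway cacerts directory holding one self-signed CA (constructed
# test data) so the audit can be exercised without touching /etc/openldap.
make_test_cacerts() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=example-test-ca' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    rm -f "$dir/ca.key"
    echo "$dir"
}

# Usage when saved as check_cacerts.sh:
#   sh check_cacerts.sh [/etc/openldap/cacerts]
case "$0" in
    *check_cacerts.sh) check_cacerts_dir "${1:-/etc/openldap/cacerts}" ;;
esac
```

A MISSING line for the CA that signed the directory server's certificate is the configuration fault the thread points at; running c_rehash on the directory (after backing it up) and then `probe_ldaps ldap.example.test` should turn the s_client output into `Verify return code: 0 (ok)`. If the audit reports OK for every file and s_client still fails, the certificate chain itself, not the directory layout, needs to be examined.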