[SSSD-users] Re: Debian10 and self-signed cert

2019-11-28 Thread Todor Petkov
On Wed, Nov 27, 2019 at 2:00 PM Lukas Slebodnik  wrote:

>
> Does "curl --cacert ./path/to/ca/crt ldaps://ldap.$yourhostname" work on
> Debian?
> Because it might be related to different system defaults on debian-10
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788#14
>
> LS

It gives me a validation error, I will create an internal CA and sign the
server's cert with it.

Regards,
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


[SSSD-users] Re: Debian10 and self-signed cert

2019-11-27 Thread Lukas Slebodnik
On (27/11/19 13:31), Todor Petkov wrote:
>On Thu, Nov 21, 2019 at 10:56 AM Jakub Hrozek  wrote:
>> IIRC the reqcert option only allows you to suppress the CA chain
>> verification, so the cert doesn't then have to be signed by a trusted
>> CA. But it still has to have the key usage bits set to allow for TLS
>> server usage.
>
>Hello,
>even with reqcert set to never, I still get errors. Same sssd.conf
>works on CentOS.
>I will look into it further.
>

Does "curl --cacert ./path/to/ca/crt ldaps://ldap.$yourhostname" work on
Debian?
Because it might be related to different system defaults on debian-10
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788#14

LS


[SSSD-users] Re: Debian10 and self-signed cert

2019-11-27 Thread Todor Petkov
On Thu, Nov 21, 2019 at 10:56 AM Jakub Hrozek  wrote:
> IIRC the reqcert option only allows you to suppress the CA chain
> verification, so the cert doesn't then have to be signed by a trusted
> CA. But it still has to have the key usage bits set to allow for TLS
> server usage.

Hello,
even with reqcert set to never, I still get errors. Same sssd.conf
works on CentOS.
I will look into it further.

Regards,


[SSSD-users] Re: Debian10 and self-signed cert

2019-11-21 Thread Jakub Hrozek
On Tue, Nov 19, 2019 at 09:38:55AM +0200, Todor Petkov wrote:
> Hello,
> 
> I am trying to configure sssd authentication on Debian 10.2, sssd
> 1.16.3, against 389-ds with self-signed certificate.
> 
> In /etc/sssd/sssd.conf I have the line "ldap_tls_reqcert = never",
> but when I start sssd manually on the command line, it says
> "[sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed:
> [Connect error] [Key usage violation in certificate has been
> detected.]"
> 
> Can someone give me a hint on how to teach sssd to ignore the certificate?

IIRC the reqcert option only allows you to suppress the CA chain
verification, so the cert doesn't then have to be signed by a trusted
CA. But it still has to have the key usage bits set to allow for TLS
server usage.
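The point Jakub makes above (ldap_tls_reqcert governs chain validation, not the Key Usage bits that let a certificate act as a TLS server) is easy to check before touching sssd.conf. The script below is an added example, not code from the thread or from the SSSD project: it constructs two self-signed certificates as sample data, one with server-style Key Usage and one restricted to CA-style bits (the kind of cert that trips a key usage violation when reused as the server cert), and inspects each with openssl. The host name ldap.example.test and the helper names are assumptions; the script assumes OpenSSL 1.1.1 or later for -addext, which is what Debian 10 ships.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the Key Usage extension that
# ldap_tls_reqcert = never does NOT relax. Two self-signed certificates are
# constructed here purely as test data. Assumes OpenSSL >= 1.1.1 (-addext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE
# Create a self-signed certificate (constructed sample) as $WORK/NAME.crt
# carrying the given keyUsage value. ldap.example.test is a placeholder.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -addext "keyUsage=critical,$2" \
        -addext "subjectAltName=DNS:ldap.example.test" >/dev/null 2>&1
}

# key_usage CERT
# Print the decoded Key Usage line of CERT, e.g.
# "Digital Signature, Key Encipherment"; print nothing if the
# certificate has no Key Usage extension.
key_usage() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage:/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# tls_server_key_usage_ok CERT
# Return 0 if CERT may act as a TLS server end-entity as far as Key Usage
# is concerned: the extension is absent (unrestricted) or it contains
# digitalSignature or keyEncipherment. A certificate limited to
# keyCertSign/cRLSign (a CA cert pressed into service as the LDAP server
# cert) fails this check no matter what ldap_tls_reqcert is set to.
tls_server_key_usage_ok() {
    ku=$(key_usage "$1")
    case "$ku" in
        "") return 0 ;;
        *"Digital Signature"*|*"Key Encipherment"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the two sample certificates and report on each.
make_cert good "digitalSignature,keyEncipherment"
make_cert caonly "keyCertSign,cRLSign"

for name in good caonly; do
    crt="$WORK/$name.crt"
    printf '%s: keyUsage=[%s] usable-as-tls-server=%s\n' \
        "$name" "$(key_usage "$crt")" \
        "$(tls_server_key_usage_ok "$crt" && echo yes || echo no)"
done
```

Run the same key_usage check against the real 389-ds certificate (for example after fetching it with openssl s_client -showcerts) before changing ldap_tls_reqcert: if the Key Usage line lacks Digital Signature and Key Encipherment, reissuing the server certificate is the fix, and no reqcert setting will help. Chain trust is the separate question that the curl --cacert test earlier in the thread exercises.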