SSSD – Fixing TLS Encryption Error with LDAP Integration

Tags: ldap, openldap, ssl, sssd

We are currently using a wildcard certificate with a SAN. I can successfully run ldapsearch from my client machine after adding TLS_REQSAN allow to the OpenLDAP configuration.

Now I'm trying to integrate SSSD with secure LDAP but am getting the error below:

'Could not start TLS encryption. TLS: hostname does not match CN in peer certificate'

How can I force SSSD to check the Subject Alternative Name (SAN) instead of the CN?

Is there a property I could set in the SSSD configuration?

Best Answer

I was able to resolve this error by adding the property below to sssd.conf under the domain section:

krb5_use_enterprise_principal = True
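The error in the question comes from a client comparing the hostname only against the certificate's CN, while the wildcard lives in the SAN. The following is an added illustration, not code from the question, the answer, SSSD or OpenLDAP: a minimal RFC 6125-style hostname check that consults dNSName SANs first and falls back to the CN only when no SAN is present, run side by side with a CN-only check. The certificate dictionaries are constructed samples in the layout returned by Python's `ssl.SSLSocket.getpeercert()`, so the same function can be fed a real peer certificate captured from an `ldaps://` connection to confirm which name the server actually presents.

```python
# Added example (not from the original question or answer): an RFC 6125-style
# hostname check that prefers dNSName SANs over the CN, to show why a client
# that compares the CN only rejects a certificate whose wildcard is in the SAN.


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.example.com') against a hostname.
    The wildcard must be the entire leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('ld*p.example.com'), wildcards anywhere but the
    # leftmost label, and overly broad patterns such as '*.com'.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> tuple:
    """Return (matched, source) where source is 'SAN', 'CN' or 'none'.
    `cert` uses the layout of ssl.SSLSocket.getpeercert():
      subject:        tuple of RDNs, each a tuple of (attribute, value) pairs
      subjectAltName: tuple of (type, value) pairs
    If any dNSName SAN is present the CN is not consulted at all."""
    dns_sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_sans:
        ok = any(_dns_match(s, hostname) for s in dns_sans)
        return (ok, "SAN" if ok else "none")
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    ok = any(_dns_match(cn, hostname) for cn in cns)
    return (ok, "CN" if ok else "none")


def cn_only_matches(cert: dict, hostname: str) -> bool:
    """What a legacy client does: compare the hostname with the CN only,
    which is the behaviour behind 'hostname does not match CN in peer certificate'."""
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)


# Constructed sample: a wildcard certificate whose CN is the bare domain and
# whose SAN carries the wildcard (a common shape for purchased wildcard certs).
WILDCARD_SAN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

# Constructed sample: an older certificate with no SAN extension at all.
CN_ONLY_CERT = {"subject": ((("commonName", "ldap.example.com"),),)}


if __name__ == "__main__":
    for host in ("ldap.example.com", "deep.sub.example.com"):
        print(host,
              "SAN-aware:", hostname_matches(WILDCARD_SAN_CERT, host),
              "CN-only:", cn_only_matches(WILDCARD_SAN_CERT, host))
```

For the constructed wildcard certificate, `ldap.example.com` passes the SAN-aware check and fails the CN-only one, which is exactly the mismatch the question describes; `deep.sub.example.com` fails both, because a wildcard covers a single label only. If a real server certificate fails the SAN-aware check too, the fix is on the certificate side rather than in the client configuration.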