I'm using NSS-LDAP for authentication. Without TLS, everything works fine. Once I enable TLS (StartTLS) with a self-signed certificate, which I have added to the client, NSS-LDAP won't connect to the LDAP server.

systemctl status nscd

gives

nss-ldap: do_open: do_start_tls failed:stat=-1
nss_ldap: could not search LDAP server - Server is unavailable

I can connect to the server with ldapsearch -Z ... without any problems.

My /etc/ldap.conf looks like this:

...
uri ldap:///192.168.8.8
...
ssl start_tls
tls_cacertdir /etc/ssl/certs
jacobz
  • You have a self-signed cert for an IP address? It's doable, but rare. Does -ZZ work? Also note that ldapsearch usually uses the configuration in `/etc/ldap/ldap.conf`, while the nss and pam ldap libraries tend to use `/etc/ldap.conf`. – 84104 Jul 03 '20 at 18:21
  • @84104 Yes, ZZ did work. Though now I've scrapped nss-ldap in favor of sssd, which has resolved the issue – jacobz Jul 03 '20 at 18:41
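To make the failing step concrete, here is an added example (not from the question or either commenter) that performs the same StartTLS exchange that ldapsearch -Z and nss_ldap do: it encodes the StartTLS ExtendedRequest, parses the ExtendedResponse, and then upgrades the socket while verifying the server against a tls_cacertdir-style directory. The host, port and cacertdir arguments are assumptions; the connect helper needs a reachable server, while the encoder and parser run offline.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER tag/length/value (bodies up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def ber_read(data: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, n = data[pos], data[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length: low bits give the number of length octets
        k = n & 0x7F
        n = int.from_bytes(data[pos:pos + k], "big")
        pos += k
    return tag, data[pos:pos + n], pos + n

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)

def parse_extended_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) of an ExtendedResponse [APPLICATION 24]."""
    _, msg, _ = ber_read(data)
    _, mid, pos = ber_read(msg)
    tag, op, _ = ber_read(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = ber_read(op)      # resultCode ENUMERATED
    _, _, pos = ber_read(op, pos)    # matchedDN
    _, diag, _ = ber_read(op, pos)   # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def starttls_connect(host: str, cacertdir: str, port: int = 389) -> ssl.SSLSocket:
    """Send StartTLS on a plain socket, then upgrade it, verifying the server against
    cacertdir like tls_cacertdir does. OpenSSL only finds CA files in a directory by
    their subject-hash names (openssl rehash / c_rehash); with hostname checking on,
    an IP in the uri must appear as an IP subjectAltName in the server certificate."""
    ctx = ssl.create_default_context(capath=cacertdir)  # check_hostname stays enabled
    sock = socket.create_connection((host, port), timeout=5)
    sock.sendall(starttls_request())
    _, code, diag = parse_extended_response(sock.recv(4096))  # one small PDU
    if code != 0:
        raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
    return ctx.wrap_socket(sock, server_hostname=host)
```

A verification failure in wrap_socket (missing hash symlink in the directory, or no IP SAN) is the same class of error that nss_ldap reports only as do_start_tls failed, so the Python exception text is usually the quicker diagnostic.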
