[SSSD] LDAP connection with client certificate

Post by jpminetti » 2011/09/23 09:57:41


I am trying to install CentOS 6 on a host, but I cannot connect the SSSD daemon to LDAP.

The problem is that I cannot tell it to send the client certificate to LDAP.

strace tells me it picks up the file /etc/pki/tls/cert.pem, but no private key file!

If I do not start sssd as a service (/etc/init.d/sssd start):
* sssd attempts to access the file /etc/pki/tls/cert.pem
* then it tries to access the files host.pem and host.key specified in /root/.ldaprc (with SELinux disabled)
* and there it works :-)

If I start sssd as a service (service sssd start), it doesn't work :-?. In fact, it doesn't read /root/.ldaprc.

My /etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
cache_credentials = False
debug_level = 10
ldap_uri = ldap://ldap.lan.xxxxx.net
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/cacerts/ca-xxxxx.pem
ldap_search_base = dc=xxxxx,dc=net
ldap_default_bind_dn = cn=xxxxx,ou=xxxxx,dc=xxxxx,dc=net
ldap_default_authtok = xxxxx
ldap_user_search_base = ou=people,dc=xxxxx,dc=net
ldap_user_search_scope = one
ldap_group_search_base = ou=group,dc=xxxxx,dc=net
ldap_group_search_scope = one

I tried the following options, but obviously they do not work:
ldap_tls_cert = /var/xxxxx/admin/pki/host.pem
ldap_tls_key = /var/xxxxx/admin/pki/host.key

My /root/.ldaprc:

TLS_CERT /var/xxxxx/admin/pki/host.pem
TLS_KEY /var/xxxxx/admin/pki/host.key

Note: I have other hosts that connect to the LDAP server, and it works great via the settings in the file /etc/ldap.conf (which no longer exists on CentOS 6).

My question: how do I run the sssd daemon so that it uses my certificate and private key?

Thank you, and sorry for my bad English.
Jean-Philippe MINETTI
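The ldap_tls_cert / ldap_tls_key pair is easy to get wrong: it must sit inside a [domain/...] section, both options are needed, and the certificate is only ever sent during a TLS handshake. This added Python linter (not part of the original post or of SSSD itself) checks a pasted sssd.conf for exactly those conditions; the sample configs are constructed, and the /var/xxxxx paths are the post's own placeholders.

```python
"""Added example: lint an sssd.conf for the client-certificate options above."""
import configparser

TLS_OPTS = ("ldap_tls_cert", "ldap_tls_key")


def lint_sssd_conf(text):
    """Return a list of finding strings for sssd.conf content given as text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        # A paste whose [headers] were eaten by the forum is unusable to sssd.
        return ["options appear before any [section] header; sssd needs "
                "[sssd], [nss], [pam] and [domain/NAME] sections"]
    findings = []
    for sect in cp.sections():  # ldap_tls_* only take effect in a domain section
        for opt in TLS_OPTS:
            if not sect.startswith("domain/") and cp.has_option(sect, opt):
                findings.append(f"[{sect}]: {opt} is ignored outside [domain/...]")
    domains = cp.get("sssd", "domains", fallback="")
    for name in [d.strip() for d in domains.split(",") if d.strip()]:
        sect = "domain/" + name
        if sect not in cp:
            findings.append(f"domain '{name}' listed in [sssd] but [{sect}] is missing")
            continue
        have = [o for o in TLS_OPTS if cp.has_option(sect, o)]
        if len(have) == 1:
            missing = [o for o in TLS_OPTS if o not in have][0]
            findings.append(f"[{sect}]: {have[0]} is set but {missing} is not; "
                            "client authentication needs the pair")
        # A client certificate is only ever presented inside a TLS handshake.
        tls = (cp.get(sect, "ldap_uri", fallback="").startswith("ldaps://")
               or cp.getboolean(sect, "ldap_id_use_start_tls", fallback=False))
        if have and not tls:
            findings.append(f"[{sect}]: certificate configured but neither ldaps:// "
                            "nor ldap_id_use_start_tls = True is set")
    return findings


# Constructed samples: the post's config as pasted (headers lost) and a fixed one.
PASTED = "config_file_version = 2\nservices = nss, pam\ndomains = default\n"
FIXED = """[sssd]
services = nss, pam
domains = default
[domain/default]
ldap_uri = ldap://ldap.lan.xxxxx.net
ldap_id_use_start_tls = True
ldap_tls_cert = /var/xxxxx/admin/pki/host.pem
ldap_tls_key = /var/xxxxx/admin/pki/host.key
"""
```

Run `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())` on the real file to get the findings list; an empty list means the client-certificate settings are at least placed and paired correctly.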

