Hi Snakekick,
Sergio and I have continued to attempt to reproduce, and we have modeled our config based on yours, and we think we see the issue. ldapsearch works, but sssd does not.
If we comment out the line below in the sssd config, then sssd starts working.
ldap_tls_cipher_suite = ECDHE-RSA-AES256-GCM-SHA384
Can you comment this line out with a # and restart sssd.service?
We took a look at this list of ciphersuites that w2k19 is sending, and ECDHE-RSA-AES256-GCM-SHA384 is included in that list, but if we change ldap_tls_cipher_suite to something like HIGH:-SSLv2, the TLS handshake still fails. It only works when we comment out ldap_tls_cipher_suite entirely.
We have also seen the same happen with Fedora 34 and Fedora 35 running in LXC containers, and the same thing happens with the sssd 2.6.0 upstream package in my previous comment.
So please, comment out ldap_tls_cipher_suite and see if it makes a difference.
Could you also see if you see the same under Fedora, and not just RHEL or CentOS?
Also, how are you installing your CA certificates on the client? Are you copying them to /usr/local/share/ca-certificates/ and running update-ca-certificates?
Thanks,
Matthew
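The workaround Matthew asks for above, as an added shell example that is not part of the bug report or of sssd itself: it comments out any active ldap_tls_cipher_suite line in an sssd.conf (keeping a .bak copy), reports the value that is still in effect, and checks which TLS library the local libldap is linked against. That last check matters because sssd hands ldap_tls_cipher_suite straight through to libldap, and libldap built against GnuTLS expects a GnuTLS priority string rather than an OpenSSL cipher list such as ECDHE-RSA-AES256-GCM-SHA384, so the accepted syntax differs by distribution. The sssd.conf contents, the example.test domain and the dc1 host name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Disables ldap_tls_cipher_suite in an
# sssd.conf (the workaround requested in the comment above) and reports which
# TLS backend libldap uses, which decides the cipher-string syntax it accepts.
# All paths, the domain and the host name below are constructed.

# disable_cipher_suite FILE: comment out every active ldap_tls_cipher_suite
# line in FILE, keep a FILE.bak copy, and print how many lines were disabled.
# Already-commented lines are left alone, so re-running is harmless.
disable_cipher_suite() {
    conf="$1"
    n=$(grep -Ec '^[[:space:]]*ldap_tls_cipher_suite[[:space:]]*=' "$conf" || true)
    cp -p "$conf" "$conf.bak"
    sed -E 's/^([[:space:]]*)(ldap_tls_cipher_suite[[:space:]]*=)/\1#\2/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    echo "$n"
}

# active_cipher_suite FILE: print the value of an uncommented
# ldap_tls_cipher_suite line, or nothing if the option is disabled.
active_cipher_suite() {
    sed -nE 's/^[[:space:]]*ldap_tls_cipher_suite[[:space:]]*=[[:space:]]*//p' "$1"
}

# ldap_tls_backend: say whether the installed libldap pulls in GnuTLS or
# OpenSSL, judged from the shared libraries ldapsearch links against;
# prints "unknown" when ldapsearch or ldd is not available.
ldap_tls_backend() {
    bin=$(command -v ldapsearch 2>/dev/null) || { echo unknown; return; }
    libs=$(ldd "$bin" 2>/dev/null) || { echo unknown; return; }
    case "$libs" in
        *libgnutls*) echo gnutls ;;
        *libssl*)    echo openssl ;;
        *)           echo unknown ;;
    esac
}

# Demo on a constructed sssd.conf modelled on the report (not a real site config).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ad
ad_server = dc1.example.test
ldap_id_mapping = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_cipher_suite = ECDHE-RSA-AES256-GCM-SHA384
EOF

echo "before: cipher suite = '$(active_cipher_suite "$demo_conf")'"
echo "disabled $(disable_cipher_suite "$demo_conf") line(s)"
echo "after:  cipher suite = '$(active_cipher_suite "$demo_conf")'"
echo "libldap TLS backend: $(ldap_tls_backend)"
rm -f "$demo_conf" "$demo_conf.bak"
# On a real client, edit /etc/sssd/sssd.conf the same way and then run:
#   systemctl restart sssd.service
```

Run it as root against /etc/sssd/sssd.conf only after inspecting the .bak it leaves behind; the demo above works on a temporary file so it is safe to try first. If ldap_tls_backend prints gnutls, compare the cipher string against the gnutls-cli --priority syntax rather than openssl ciphers before re-enabling the option.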