ad_use_ldaps sssd could not start tls encryption

Asked by Rex Goldsmith on 2021-03-23

New sssd.conf variable ad_use_ldaps not working. On starting sssd it errors with "sssd[be[13765]: Could not start TLS encryption. (unknown error code)"

# lsb_release -rd
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Note: problem also seen with Ubuntu 20.04.2
# apt-cache policy sssd | grep Installed
  Installed: 1.16.1-1ubuntu1.7

Adding ad_use_ldaps to a working AD integrated /etc/sssd/sssd.conf to use port 636 instead of port 389 due ADV 190023. Reference

Added a working Public root CA cert to the common ca-certificate (/etc/ssl/ca-certificates) and /etc/ldap/ldap.conf has following set:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
An ldapsearch using the above certificate bundle against LDAPS is successful:

# openssl s_client -connect CONNECTED(00000005)
# ldapsearch -v -H ldaps:// -b "dc=company,dc=com" "(sAMAccountName=superduperuser)" ldap_initialize( ldaps:// ) SASL/GSSAPI authentication started SASL username: <email address hidden> SASL SSF: 0 filter: (sAMAccountName=superduperuser) requesting: All userApplication attributes <snip>
# Duperuser\2C Super ADM, Users, Admin, dn: CN=Duperuser\, Super ADM,OU=Internal,OU=Users,OU=Admin,DC=company,DC=com <snip>

sssd.conf is configured with:
domains =
config_file_version = 2
services = nss, pam

ad_domain =
krb5_realm =
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
ldap_id_mapping = True
ad_use_ldaps = True
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
auth_provider = ad
access_provider = simple
simple_allow_groups = linux-admins

Stopping sssd, clearing sssd cache, starting sssd returns following error:
sssd[be[13765]: Could not start TLS encryption. (unknown error code)

Setting debug_level = 4 (or higher) returns following around this unknown error:
[set_server_common_status] (0x0100): Marking server '' as 'name resolved'
[be_resolve_server_process] (0x0200): Found address for server [y.y.y.y] TTL 3600
[ad_resolve_callback] (0x0100): Constructed uri 'ldaps://'
[ad_resolve_callback] (0x0100): Constructed GC uri 'ldaps://'
[sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
[sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [(unknown error code)]
[sss_ldap_init_state_destructor] (0x0400): calling ldap_unbind_ext for ldap:[0x55d1149ef6e0] sd:[18]
[sss_ldap_init_state_destructor] (0x0400): closing socket [18]
[sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
[fo_set_port_status] (0x0100): Marking port 389 of server '' as 'not working'
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server '' as 'not working'

Above asked also on, where it was recommended to open a bug report. Will first try here, before opening a bug report.

Question information

English Edit question
Ubuntu Edit question
No assignee Edit question
Last query:
Last reply:
Bernard Stafford (bernard010) said : #1

Looks as your certs are ok. This i found in documentation for TLS :
Note: LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636.
My self I would file a bug report. Please use apport in the terminal to gather information so the bug report is complete.
I will check further for more info.

Can you help with this problem?

Provide an answer of your own, or ask Rex Goldsmith for more information if necessary.

To post a message you must log in.