Hi,
I need to set up LDAP Authentication to a SLE12 server. My LDAP server is a cluster-based OES 2 SP3 server.
Here’s my sssd.conf:
[domain/MyLDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.mydomain
ldap_default_base_dn = cn=LDAP,o=MyOrg
ldap_search_base = o=MyOrg
ldap_tls_cacert = /etc/sssd/certs/O=MyOrg,OU=OrganizationalCA.pem
ldap_tls_cacertdir = /etc/sssd/certs
debug_level = 20
case_sensitive = true
create_homedir = true
enumerate = true
cache_credentials = false
ldap_id_use_start_tls = true
tls_reqcert = allow
ldap_pwd_policy = none
ldap_network_timeout = 3
access_provider = ldap
ldap_access_filter = (|(groupMembership=cn=LDAPEnabledUsers,ou=Groups,o=MyOrg))
I have two OES 2 SP3 Servers (server1 and server2) working on a NCS Cluster. The FQDN “ldap.mydomain” points to the Cluster’s “Master IP Address”, so the active server will answer ldap requests.
This used to work on SLE10 and SLE11 (without TLS), but now that I’m installing SLE12, I’m facing problems.
When I set up SSSD to use the neutral address, I got the error below:
sle12server sssd[be[MyLDAP]]: Could not start TLS encryption. TLS: hostname does not match CN in peer certificate
I understand that I’m getting this error because the active server isn’t presenting itself as “ldap.mydomain”, but “CN=server1,O=MyORG” (or “CN=server2,O=MyORG” if this is the active server). For instance, if I point “ldap_uri” to server1, authentication works; but what if server1 is offline?
So, I need help making SSSD accept the server certificates, or maybe making it try to authenticate against both servers.
Can anyone help me?
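The "hostname does not match CN in peer certificate" error above comes from the client comparing the URI's hostname against the names in the server certificate. The following is an added example, not code from the original post or from SSSD: it reproduces that comparison (SAN dNSName entries first, CN only as a fallback, wildcard allowed only as the whole leftmost label) over certificate data shaped like Python's ssl.getpeercert() output; the two certificates are constructed to mirror the poster's CN=server1 certificate and a cluster-aware one that also names ldap.mydomain.

```python
from typing import Dict, List

# Constructed: the certificate the poster describes, CN=server1 and no SAN.
SERVER1_CERT: Dict = {
    "subject": ((("organizationName", "MyORG"),), (("commonName", "server1"),)),
}

# Constructed: a certificate issued for cluster use, naming both the node and
# the cluster DNS name in the subjectAltName extension.
CLUSTER_CERT: Dict = {
    "subject": ((("organizationName", "MyORG"),), (("commonName", "server1"),)),
    "subjectAltName": (("DNS", "server1.mydomain"), ("DNS", "ldap.mydomain")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; '*' may stand for the leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # reject 'a*.x' and embedded wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: Dict) -> List[str]:
    """Names a verifier compares against: SAN dNSNames; CN only when no SAN exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """True if the hostname from ldap_uri is covered by the certificate."""
    return any(dns_name_matches(name, hostname) for name in cert_dns_names(cert))


if __name__ == "__main__":
    for label, cert in (("node-only cert", SERVER1_CERT), ("cluster cert", CLUSTER_CERT)):
        ok = hostname_matches(cert, "ldap.mydomain")
        print(f"{label}: names={cert_dns_names(cert)} matches ldap.mydomain={ok}")
```

A certificate that lists the cluster name in its SAN lets verification stay on instead of being relaxed with a reqcert=allow setting. For the second part of the question, sssd-ldap's ldap_uri accepts a comma-separated list of servers and fails over between them in order.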