I’m trying to get sssd/ldap working on SLES 12.1, like we already have it working on SLES 11.4. The issue seems to be that 12.1 requires the use of tls. Our ldap setup has a haproxy frontend but the ldap servers on the backend have expired ssl certs. I don’t have any access to the ldap setup. Is there a way to force the sssd setup to ignore the expired certs?
Is there a reason the certificates are not just fixed? There’s a
reason that certificates have expiration dates, and that reason is based on
valid security principles, so this should be fixed.
Bad idea: Set the LDAP boxes’ time back in the past? Yes, I’m kidding.
–
Good luck.
While I fully second ab’s reply that the LDAP servers NEED FIXING (I understand you have no access - but at least try to escalate the issue!), you can screw TLS security by configuring /etc/sssd/sssd.conf. See “man sssd-ldap” and look out for the “ldap_tls_reqcert” parameter.
… agreed, setting the “ldap_tls_reqcert” directive to “never” may help with your use case. However, the SSSD has such a bias for enforcing encryption it can be told to ignore signing nuances, but may refuse to use an expired certificate. Let us know what you find please.
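An added example, not posted by anyone in this thread, of the /etc/sssd/sssd.conf LDAP domain section the replies above refer to, showing the default verifying setting next to the “never” workaround; the domain name, URI, search base and CA path are assumed placeholders.

```ini
# Added example (not from the thread): /etc/sssd/sssd.conf LDAP domain section.
# Domain name, URI, search base and CA file path are assumptions for illustration.
[sssd]
services = nss, pam
domains = example_ldap

[domain/example_ldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap-haproxy.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true

# Default and recommended value: verify the server certificate against this CA
# and refuse the connection when verification fails (an expired cert fails).
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem

# Workaround discussed above, until the backend certificates are renewed:
# "never" skips verification of the server certificate entirely, so the
# session is still encrypted but the peer is no longer authenticated.
# ldap_tls_reqcert = never
```

After editing, restart sssd and check /var/log/sssd/sssd_example_ldap.log (the file name follows the assumed domain name) for TLS errors.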
… and see if you can have those certificates fixed.