zhenech, 2 months ago

@CyrilBrulebois none of the "S"s in sssd stands for "simple" ;)

CyrilBrulebois, 2 months ago

@zhenech I can't share any corporate backstory, but believe you me, simple was never part of the equation.

CyrilBrulebois, 2 months ago

While #sssd supports settings for the CA certs directory, those aren't actually used, and the TLS connection to the LDAP is delegated to #openldap functions, which require… /etc/ldap/ldap.conf to point somewhere. Without that file, the server certificate is not trusted…

And while libldap-common was pulled via the libldap-<ABI> library which was itself pulled by sssd-ldap in Debian 10, that's no longer the case in Debian 11.

CyrilBrulebois, 2 months ago

TL;DR: make sure to install libldap-common, which ships /etc/ldap/ldap.conf (which points to the ca-certificates bundle).

CyrilBrulebois, 2 months ago

Brought to you by #strace-ing sssd to the connect(), getrandom(), and few read()/write() calls before switching to #GnuTLS localization files to get the “error message”, where it became obvious no actual certificates were being checked locally… Then checking #sssd's source code, diving into the #openldap rabbit hole and its dedicated config file, ending with:

TLS certificates (needed for GnuTLS)

TLS_CACERT /etc/ssl/certs/ca-certificates.crt

hyc, 22 days ago

@CyrilBrulebois >While #sssd supports settings for the CA certs directory, those aren't actually used

Sounds like an sssd bug, they could easily use ldap_set_option() to make libldap use their CA cert settings.

CyrilBrulebois, 22 days ago

@hyc Thanks for the pointer. I think I'm seeing code that's supposed to do that and that's been here for a while, so maybe I just failed to configure this setting in the right place. I've encountered a ton of different issues, so maybe the testing hasn't been as rigorous as it should have been…

Just thought I'd give others a warning about that config file shipped in ldap-common that definitely helps, even if it's not pulled for sure via dependencies.