On Thu, 14 Jun 2018, Patrick Begou wrote:

> Hi,
>
> I'm facing a problem with setting up LDAP+TLS client authentication in a
> kickstart script on CentOS7 for several days.
>
> Setting up manually the config with system-config-authentication works but I
> need to automate this in kickstart for deploying cluster nodes.
> This shows that the server side is running fine.
>
> At this time the message is
>
> #systemctl status sssd
>
> | ....
> sssd[be[default]][2732]: Could not start TLS encryption. error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed (self signed
> certificate)|
>
> In my kickstart file I use:
> auth --useshadow --enableldaptls --enablecache --passalgo=sha512
> --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr"
> --ldapbasedn=dc=my,dc=base,dc=dn
>
> Then in a post install script I download the server and CA certificates and
> stop nslcd that I do not use:
>
> echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf
> cd /etc/openldap/cacerts/ && wget
> http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s
> ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0
> cd /etc/openldap/certs/ && wget
> http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crt
> cd /
> systemctl disable nslcd
>
> I'm unable to see what system-config-authentication is doing more in its
> setup.
>
> Thanks for your help, I'm a bit stumped.

My recipe was similar:

authconfig --enableshadow --passalgo=sha512 --enablefingerprint --enableldap --enableldapauth --ldapserver=ldap.ourcompany.com --ldapbasedn=dc=ourcompany,dc=com --enablecache --enableldaptls

then, in %post:

curl http://www.ourcompany.com/ca/ca.crt \
  -s -o /etc/openldap/cacerts/ca.ourcompany.com.pem
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts

And that did the trick.

The main difference is that you install a bundle of certificates rather than
a single one. There are two issues:

1. Hashing a certificate bundle does no good as far as I know. Hashes only
   work on a single cert, right?

2. Unless told otherwise, openssl looks in only one place for a cert bundle:
   ${OPENSSLDIR}/cert.pem (where the value of OPENSSLDIR can be discovered
   by running "openssl version -d").

You might take a peek at the ldap_tls_cacertdir discussion in the
sssd-ldap(5) man page, which specifies that certificates should be in
individual files.

My suggestion would be to isolate the CA certificate used to sign your LDAP
server certs, install that as a separate file in ldap_tls_cacertdir, and run
cacertdir_rehash to get the hash correct.

--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
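As an added example (not code from either post in this thread), the following %post-style shell script carries out the suggestion above: split a downloaded bundle into one certificate per file, keep only the CA certificates (the issuing CA, or a self-signed server cert that is its own trust anchor), create the hashed symlinks the way cacertdir_rehash does, and check that the LDAPS chain verifies against the directory before sssd relies on it. /etc/openldap/cacerts is the directory used in the thread; the bundle path, the hostname my.ldap.server.fr and the RUN_REHASH switch are assumptions, and the demo bundle is constructed (its base64 bodies are placeholders, not real certificates).

```shell
#!/bin/sh
# Added example, not from either post: build the one-cert-per-file layout that
# sssd's ldap_tls_cacertdir expects from a CA bundle. Needs openssl only for the
# hashing, CA-filtering and verification steps; splitting is plain awk.

# Split a PEM bundle into cert-01.pem, cert-02.pem, ... in OUTDIR and print
# how many certificates were written. Text between certificates (the
# "subject=" lines found in many bundles) is dropped.
split_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# True if the certificate is a CA (CA:TRUE in Basic Constraints) or is
# self-signed (subject == issuer). -text is used instead of -ext so this also
# works with the OpenSSL 1.0.2 shipped on CentOS 7.
is_ca_cert() {
    f="$1"
    openssl x509 -noout -text -in "$f" 2>/dev/null | grep -q 'CA:TRUE' && return 0
    [ "$(openssl x509 -noout -subject -in "$f")" = \
      "$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer=/subject=/')" ]
}

# Drop everything that is not a trust anchor (e.g. the server's own leaf cert);
# only the CA that signed the LDAP server certificate belongs in the directory.
keep_only_cas() {
    dir="$1"
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        is_ca_cert "$f" || rm -f "$f"
    done
}

# Create <subject-hash>.0, .1, ... links, the layout cacertdir_rehash produces.
# "openssl x509 -hash" on a bundle only hashes the first certificate in the
# file, which is why each file is hashed separately here.
rehash_dir() {
    dir="$1"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$f") || continue
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$i"
        echo "$(basename "$f") -> $h.$i"
    done
}

# Confirm the server chain validates against DIR; "Verify return code: 0 (ok)"
# is what sssd's TLS handshake effectively requires with TLS_REQCERT demand.
verify_ldaps() {
    host="$1"
    dir="$2"
    openssl s_client -connect "$host:636" -CApath "$dir" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Self-contained demo on a constructed bundle (placeholder bodies, not real
# certificates): split it and print the number of files produced.
demo_split() {
    tmp=$(mktemp -d)
    cat > "$tmp/bundle.crt" <<'EOF'
subject=constructed CA one
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIE9ORQ==
-----END CERTIFICATE-----
subject=constructed CA two
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIFRXTw==
-----END CERTIFICATE-----
EOF
    split_bundle "$tmp/bundle.crt" "$tmp/split"
    rm -rf "$tmp"
}

main() {
    dir=/etc/openldap/cacerts        # ldap_tls_cacertdir in sssd.conf
    bundle=/tmp/ca-bundle.crt        # placeholder: the downloaded bundle
    n=$(split_bundle "$bundle" "$dir")
    echo "split $n certificate(s) into $dir"
    keep_only_cas "$dir"
    rehash_dir "$dir"
    if verify_ldaps my.ldap.server.fr "$dir"; then
        echo "LDAPS chain verifies against $dir"
    else
        echo "warning: LDAPS chain does not verify; check which CA signed the server cert" >&2
    fi
}

# Only act on the real directory when asked (RUN_REHASH=1 sh rehash.sh), so
# the functions can also be sourced for testing.
if [ "${RUN_REHASH:-0}" = "1" ]; then
    main
fi
```

Run it from %post with RUN_REHASH=1 after downloading the bundle; the verify step is the quick way to tell whether the "certificate verify failed" error is a missing CA file or a hash mismatch, since it exercises the same -CApath lookup the client library performs.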