Problems with LDAP 2.6.2 and self-certificates

Hi everyone

Does anyone have LDAP 2.6.2 in production environment?

It is not possible to self-certify LDAP and connect between servers with Rocky 9 and sssd without a valid certificate.

We are implementing this version 2.6.2 on a VM with Rocky 9. Connecting from an old CentOS 7 host through authconfig works without problems, but with Rocky 9 and sssd it is not possible unless it has a valid certificate.

I have tried several methods to self-certify but the log says that it is not valid as a certificate. Does anyone have a valid method to create the certificate on the same server as a verified identity instead of buying one?

According to the sssd-ldap documentation (sssd-ldap(5): config file for SSSD - Linux man page):

LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel. If the LDAP server is used only as an identity provider, an encrypted channel is not needed. Please refer to “ldap_access_filter” config option for more information about using LDAP as an access provider.

I look forward to your comments.

Thank you

Self-signed certificates are generally a no-go. Your best bet is to create your own certificate authority first and then use it to sign certificates that your openldap server(s) will use. Afterwards, all clients will need your CA certificate.

I cover this in a (now aging) document that I once maintained here. It may have some outdated information, but the certificate portion should still be slightly relevant.

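The procedure the reply outlines (private CA first, then a CA-signed server certificate, then the CA certificate on every client) as an added shell example; it is not from the thread or from the linked document. It assumes the openssl CLI is installed, that the OpenLDAP server's FQDN is ldap.example.internal (override with LDAP_HOST), and that the files are written to a temporary directory. The final step shows why a bare self-signed server certificate is rejected while the CA-signed one passes once the client has ca.crt.

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA, sign a certificate for
# the OpenLDAP host, and check it the way an sssd client effectively does.
# Assumptions: openssl CLI present, server FQDN ldap.example.internal
# (override with LDAP_HOST), output in a temp dir (override with WORK).
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.internal}"
WORK="${WORK:-$(mktemp -d)}"

# 1. Private CA: a self-signed certificate whose only job is to be the trust
#    anchor. ca.key stays on the CA machine; only ca.crt goes to clients.
make_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server key + CSR, signed by the CA. The SAN must equal the host name the
#    client puts in ldap_uri; a CN alone is not enough for modern verifiers.
make_server_cert() {
    cat > "$WORK/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $LDAP_HOST
EOF
    cat > "$WORK/server_ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LDAP_HOST
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ldap.csr" -days 825 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server_ext.cnf" -out "$WORK/ldap.crt" 2>/dev/null
}

# 3a. What a client that trusts ca.crt does: chain and host name checks pass.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$LDAP_HOST" \
        "$WORK/ldap.crt" >/dev/null 2>&1
}

# 3b. What a client without ca.crt sees: unknown issuer, certificate rejected.
#     This is the situation the original post runs into.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$WORK/ldap.crt" >/dev/null 2>&1
}

# 4. Client-side sssd settings pointing at the CA certificate (path assumed).
sssd_tls_config() {
    cat <<EOF
[domain/example]
ldap_uri = ldaps://$LDAP_HOST
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ca.crt
EOF
}

make_ca
make_server_cert
if verify_with_ca; then echo "with CA:    accepted"; fi
if ! verify_without_ca; then echo "without CA: rejected (unknown issuer)"; fi
sssd_tls_config
```

On the server side, ldap.key and ldap.crt go into olcTLSCertificateKeyFile and olcTLSCertificateFile in cn=config (with ca.crt in olcTLSCACertificateFile), and on every Rocky 9 client ca.crt is copied to the path given in ldap_tls_cacert. Keeping ldap_tls_reqcert at demand is the point of the exercise: relaxing it to allow or never would make the connection succeed but would remove the server authentication that the encrypted channel is supposed to provide.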

Thank you for your prompt response. I will review the documentation and let you know how it goes.

Thanks again
