TLS problems with OpenLDAP Client

I ran into an interesting problem sometime back that I only now resolved.

Originally, I was running Scientific Linux on most of my VM. I have since upgraded most of them to Centos 6.0 - and converted on in particular to Centos CR.

That “broke” my ldapauthentication- when connecting to the server with the ldapuser credentials, sssd returns with the following:

Could not start TLS encryption. TLS error -8172:Unknown code ___f 20

At the time, I thought that there was a bug with the updated sssd package on Centos CR, so I ignored it for while - until I logged into a fairly new Scientific Linux 6.1 VM today - and it gave me the same message.

That was curious.So I dug deep into searching for a solution.

As it turns out, the problem was my configuration. Apparently I had been connecting with a self-signed certificate, which the following:

[root@localhost ~]# openssl verify cacert.pem
backup.cacert.pem: C = US, ST = Georgia, O = Monzell Management Systems, OU = IT, CN = example.com, emailAddress = rilindo.foster@example.com
error 18 at 0 depth lookup:self signed certificate
OK

It seems with the initial version of sssd with 6.0 , it was allowing me to connect without complaining about it being a self-sign cert. With the updated version, it is now refusing to connect without a valid certificate. I can confirm that by running:

>
ldapsearch -d -1 -vvvvv -w PASSWORD -ZZZ  -H ldap://ldap.example.com  -D "cn=root,dc=example,dc=com"   "(uid=joeuser)"
<snip>
                     ..        
TLS: certificate [CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL] is not valid - error -8172:Unknown code ___f 20.
tls_write: want=7, written=7
 0000: 15 03 01 00 02 02 30                ......0     
TLS: error: connect - force handshake failure: errno 0 - moznss error -8172
TLS: can't connect: TLS error -8172:Unknown code ___f 20.

After I put in the correct certificate, I was able to connect:

<snip>

tls_read: want=48, got=48   0000:  f0 85 60 72 54 c1 3b c8  6f 53 c4 f0 89 82 27 17   ..`rT.;.oS....'.     0010:  3c 3f 99 8f 18 64 22 ae  41 28 d4 a6 0b 0f a4 de   <?...d".A(......     0020:  36 10 3e d4 6c f5 73 fb  cb 12 04 af 64 7f 14 69   6.>.l.s.....d..i   TLS certificate verification: subject: E=webmaster@example.com,CN=kerberos.example.com, <REDACTED> ldap_sasl_bind ldap_send_initial_request ldap_send_server_request

[<snip>]{}

[
]{}

And openssl returned with no errors: 
[root@localhost cacerts]# openssl verify cacert.pem  cacert.pem: OK
[ ]{}
[ ]{}