Tags: ldap, single-sign-on, nss, sssd, google-cloud-identity

sssd Error: Could not start TLS encryption. (unknown error code)


I am trying to configure Linux machine authentication with Google Secure LDAP. Below are the steps I have done.

Added the LDAP client with the permissions below:

  1. Access permission: Entire Domain
  2. Read user information: Entire Domain
  3. Read group information: ON

Installed SSSD on my Ubuntu box (which is running in Azure):

sudo apt install -y sssd sssd-tools

My sssd.conf file:

[sssd]
debug_level = 7
services = nss, pam
domains = mydomain.com

[pam]
debug_level = 7

[nss]
debug_level = 7

[domain/mydomain.com]
debug_level = 7
cache_credentials = true
ldap_id_use_start_tls = true
ldap_tls_cacertdir = /home/ubuntu/ssl_Linux
ldap_tls_cacert = /home/ubuntu/ssl_Linux/gldap.crt
ldap_tls_cert = /home/ubuntu/ssl_Linux/gldap.crt
ldap_tls_key = /home/ubuntu/ssl_Linux/gldap.key
ldap_uri = ldaps://ldap.google.com:636
ldap_search_base = ou=Users,dc=mydomain,dc=com
ldap_group_name = uniqueMember
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
enumerate = false

Here I'm able to start the SSSD service, but I'm getting the error below:

Nov 15 09:14:54 myserver systemd[1]: Started System Security Services Daemon.
Nov 15 09:14:55 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)
Nov 15 09:16:11 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)
Nov 15 09:16:11 myserver sssd[be[67530]: Backend is offline
Nov 15 09:17:19 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)
Nov 15 09:19:48 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)
Nov 15 09:24:02 myserver sssd[be[67530]: Could not start TLS encryption. (unknown error code)

FYI: I'm able to successfully authenticate with Google Secure LDAP using the command below:

LDAPTLS_CERT=mycrt.crt LDAPTLS_KEY=mykey.key ldapsearch -H ldaps://ldap.google.com:636 -b "ou=Users,dc=mydomain,dc=com" -D "[email protected]" "(uid=my.user)" -W

Reference: https://helpcenter.itopia.com/en/articles/2394004-configuring-google-cloud-identity-ldap-on-ubuntu-16-04-for-user-logins

Please help me with this.

Thanks :)
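Two details of the posted domain section are worth checking before chasing the 24-hour propagation delay: ldap_id_use_start_tls is enabled on an ldaps:// URI (the session on port 636 is already TLS, so an extra StartTLS extended operation is redundant and can be rejected), and ldap_tls_cacert points at the client certificate gldap.crt rather than at a CA bundle that can verify Google's server certificate. The script below is an added example, not part of the question or of the SSSD project: it parses an sssd.conf, flags those two combinations, and optionally (check_files=True, on the real host) verifies that the referenced files exist and that the private key is not group- or world-readable. The finding codes are names invented here, the corrected config assumes the standard Ubuntu CA bundle path /etc/ssl/certs/ca-certificates.crt, and the sample configs are constructed copies of the question's TLS-relevant lines.

```python
"""Lint the TLS-related options of sssd.conf LDAP domain sections.

Added example, not part of the original question or of the SSSD project.
The option names are real sssd-ldap(5) options; the finding codes
(STARTTLS_ON_LDAPS, CACERT_IS_CLIENT_CERT, MISSING_FILE, KEY_TOO_OPEN)
are labels invented for this script.
"""
import configparser
import os
import stat
from typing import List

# Constructed copy of the TLS-relevant lines from the question's sssd.conf.
QUESTION_CONF = """
[sssd]
services = nss, pam
domains = mydomain.com

[domain/mydomain.com]
ldap_id_use_start_tls = true
ldap_tls_cacertdir = /home/ubuntu/ssl_Linux
ldap_tls_cacert = /home/ubuntu/ssl_Linux/gldap.crt
ldap_tls_cert = /home/ubuntu/ssl_Linux/gldap.crt
ldap_tls_key = /home/ubuntu/ssl_Linux/gldap.key
ldap_uri = ldaps://ldap.google.com:636
id_provider = ldap
auth_provider = ldap
"""

# Same domain with both TLS findings corrected. Assumption: the Ubuntu
# system CA bundle is the trust anchor for the server certificate.
CORRECTED_CONF = """
[sssd]
services = nss, pam
domains = mydomain.com

[domain/mydomain.com]
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_cert = /home/ubuntu/ssl_Linux/gldap.crt
ldap_tls_key = /home/ubuntu/ssl_Linux/gldap.key
ldap_uri = ldaps://ldap.google.com:636
id_provider = ldap
auth_provider = ldap
"""


def _is_true(value: str) -> bool:
    """sssd accepts true/yes/on/1 style booleans."""
    return value.strip().lower() in ("true", "yes", "on", "1")


def lint_tls_settings(conf_text: str, check_files: bool = False) -> List[str]:
    """Return 'CODE: explanation' findings for every [domain/...] section.

    check_files=False keeps the run self-contained; set it to True on the
    real host to also check that the referenced files exist and that the
    private key is readable only by its owner.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings: List[str] = []

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        uris = [u.strip().lower() for u in dom.get("ldap_uri", "").split(",")]
        on_ldaps = any(u.startswith("ldaps://") for u in uris)

        # ldaps:// negotiates TLS on connect; requesting StartTLS on top of it
        # sends an extended operation the library may refuse.
        if on_ldaps and _is_true(dom.get("ldap_id_use_start_tls", "false")):
            findings.append(f"STARTTLS_ON_LDAPS: {section} sets ldap_id_use_start_tls "
                            "on an ldaps:// URI; drop the option or use ldap://")

        # The CA file must contain the issuer of the *server* certificate.
        # If it is the client certificate itself, verification cannot succeed.
        cacert = dom.get("ldap_tls_cacert")
        cert = dom.get("ldap_tls_cert")
        if cacert and cert and os.path.normpath(cacert) == os.path.normpath(cert):
            findings.append(f"CACERT_IS_CLIENT_CERT: {section} uses the client cert "
                            f"{cacert} as ldap_tls_cacert; point it at a CA bundle")

        if check_files:
            for opt in ("ldap_tls_cacert", "ldap_tls_cert", "ldap_tls_key"):
                path = dom.get(opt)
                if path and not os.path.isfile(path):
                    findings.append(f"MISSING_FILE: {section} {opt}={path} does not exist")
            key = dom.get("ldap_tls_key")
            if key and os.path.isfile(key):
                mode = stat.S_IMODE(os.stat(key).st_mode)
                if mode & 0o077:
                    findings.append(f"KEY_TOO_OPEN: {key} is mode {mode:04o}; "
                                    "the private key is readable by group/others")
    return findings


if __name__ == "__main__":
    for label, text in (("question", QUESTION_CONF), ("corrected", CORRECTED_CONF)):
        print(f"== {label} ==")
        for finding in lint_tls_settings(text) or ["no findings"]:
            print(" ", finding)
```

Run it against /etc/sssd/sssd.conf with check_files=True on the affected host; a clean result for the two TLS findings plus a working ldapsearch, as shown in the question, narrows the remaining suspects to the client-side permissions in the Google Admin console and their propagation delay.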


Solution

  • I tried the same document with a new virtual machine, and it works fine for me.

    Just need to make sure: after configuring the Google LDAP client in the http://admin.google.com/ portal, it may take up to 24 hours to take effect.

    Thanks