
We are currently using a wildcard certificate with a SAN. I can successfully run ldapsearch from my client machine once I added TLS_REQSAN allow to the OpenLDAP configuration.

Now I'm trying to integrate SSSD with secure LDAP, but I'm getting the error below:

'Could not start TLS encryption. TLS: hostname does not match CN in peer certificate'

How can I force SSSD to check the Subject Alternative Name (SAN) instead of the CN?

Is there a property I could set in the SSSD configuration?

Jos

1 Answer


I was able to resolve this error by adding the property below to sssd.conf under the domain section:

krb5_use_enterprise_principal = True
bjoster
Jos