Mail Archives: cygwin/2019/08/02/13:29:12

X-Recipient: archive-cygwin AT delorie DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.1 required=5.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.3.1 spammy=openldap, 2448, 2.4.48, packaged
X-HELO: zmcc-2-mx.zmailcloud.com
Date: Fri, 02 Aug 2019 10:28:08 -0700
From: Quanah Gibson-Mount <quanah AT symas DOT com>
Reply-To: Quanah Gibson-Mount <quanah AT symas DOT com>
To: David Goldberg <dsg18096 AT gmail DOT com>, cygwin AT cygwin DOT com
Subject: Re: Openldap 2.4.48-1 vs my company's pki
Message-ID: <F9D491FCA6B56B38D0C0B1D6@[192.168.1.39]>
In-Reply-To: <CAN9EdkY=zrEv31+PD8XXu9rVw4H_eXLEoMk5u=7H02Q1Xu7-Wg@mail.gmail.com>
References: <CAN9EdkY=zrEv31+PD8XXu9rVw4H_eXLEoMk5u=7H02Q1Xu7-Wg AT mail DOT gmail DOT com>
MIME-Version: 1.0
X-IsSubscribed: yes

--On Friday, August 02, 2019 12:45 PM -0400 David Goldberg 
<dsg18096 AT gmail DOT com> wrote:

> I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> ldapsearch will not connect, complaining that the server provided
> certificate is self signed. I have set up /etc/pki with my company's
> certificate chain and that allows 2.4.42-1 (and earlier) and other
> applications to properly authenticate local services. What has changed in
> 2.4.48-1 that causes this to not work and how can I fix it? I've
> downgraded for now; that is not a good long term solution of course.

What SSL library is being used for each of the two builds (i.e., gnutls? 
openssl? moznss?)  What SSL library version did 2.4.42 link to?  What SSL 
library version does 2.4.48 link to?  Generally OpenLDAP should be linked 
to OpenSSL which uses PEM formatted certificates.  Also check whether you 
have a global ldap.conf file (usually something like 
/etc/openldap/ldap.conf or /etc/ldap.conf, etc, depending on how OpenLDAP 
was built) that defines where to find the CA Cert(s), or a ~user/.ldaprc, 
etc.  OpenLDAP client utilities generally by default do not search for a 
global list of CA certificates.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
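
The checks the reply asks for, collected into one script. This is an added example, not part of the original message or of OpenLDAP. It assumes `ldd` and `awk` are available; the option and variable names (`TLS_CACERT`, `TLS_CACERTDIR`, `TLS_REQCERT`, `LDAPCONF`, `LDAPTLS_CACERT`) are those documented in ldap.conf(5), and the function names are made up here.

```shell
#!/bin/sh
# Added example: show which TLS library ldapsearch links to and where the
# OpenLDAP client is told to find its CA certificates.

# Print CA-related TLS options from one ldap.conf-style file as
# "file: OPTION value". Option names are case-insensitive; lines that
# start with '#' are comments. A missing file prints nothing.
ldap_tls_settings() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        /^#/ || NF < 2 { next }
        { opt = toupper($1) }
        opt ~ /^TLS_(CACERT|CACERTDIR|REQCERT)$/ {
            $1 = ""; sub(/^[ \t]+/, ""); print f ": " opt " " $0
        }' "$1"
}

# Succeed only if the file is readable and holds at least one PEM certificate.
is_pem_bundle() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Name the TLS library a client binary links to (lib* on Linux, cyg* on Cygwin).
tls_library_of() {
    bin=$(command -v "$1" 2>/dev/null) || { echo "$1: not installed"; return 0; }
    ldd "$bin" 2>/dev/null | grep -Ei '(lib|cyg)(ssl|gnutls|nss3)' ||
        echo "$1: no TLS library found by ldd"
}

# Walk the files named in the reply, plus the LDAPCONF and LDAPTLS_CACERT overrides.
report() {
    tls_library_of ldapsearch
    if [ -n "${LDAPTLS_CACERT:-}" ]; then echo "env: TLS_CACERT $LDAPTLS_CACERT"; fi
    for f in ${LDAPCONF:+"$LDAPCONF"} /etc/openldap/ldap.conf /etc/ldap.conf \
             "${HOME:-}/.ldaprc"; do
        ldap_tls_settings "$f" | while IFS= read -r line; do
            echo "$line"
            case $line in
                *": TLS_CACERT "*) p=${line##*: TLS_CACERT }
                    is_pem_bundle "$p" || echo "  warning: $p is not a readable PEM bundle" ;;
            esac
        done
    done
    return 0
}

report
```

Run it once with each package version installed and compare the output: a different TLS library, or no `TLS_CACERT`/`TLS_CACERTDIR` line at all, points at the cause the reply describes.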
