X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:subject:in-reply-to:references:date
	:message-id:mime-version:content-type; q=dns; s=default; b=p2dCb
	8WmRufjpOCnHl+GVqHoCeODqVMOz6Bn1WuSn0+CHRle10eWlvza6QmWFkxaQO7ms
	OFFv2WF3xrpFnjL05Pcm8K9EjfL9lCg3HmQPlYZtTH/n1BIGYf86YYDiWlcME6k+
	+DFhW3p02SwbQTHvIWiWRasoqzp6ef1FVSDBb8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:subject:in-reply-to:references:date
	:message-id:mime-version:content-type; s=default; bh=XaV90CFu1Xy
	i/8VnFEhC+Tboewg=; b=Qqc7kQc3h0w9fyZOew2d+3sAyV22uqsbiB+TVZnSh5G
	3XScAh49M5VBMq26mv/pS+wKMAR1IacekzP5450sDEmMauQ8Q5u1rtJldYyhzGJ5
	YVa12yK5X/is+9jxUfvSgCQjJlNbS8/52vBkpNOsliqjO/2aEQGCMuoTpB2gyjtY
	=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.2 required=5.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.3.1 spammy=certified, our, HX-Spam-Relays-External:ESMTPA
X-HELO: mx009.vodafonemail.xion.oxcs.net
From: Achim Gratz <Stromeko AT nexgo DOT de>
To: cygwin AT cygwin DOT com
Subject: Re: Openldap 2.4.48-1 vs my company's pki
In-Reply-To: <CAN9EdkYzh558w=CG3UkzgN0rg98eVx2V0BcdktEwVEW3dS1qCQ@mail.gmail.com>	(David Goldberg's message of "Fri, 2 Aug 2019 16:08:19 -0400")
References: <CAN9EdkY=zrEv31+PD8XXu9rVw4H_eXLEoMk5u=7H02Q1Xu7-Wg AT mail DOT gmail DOT com>	<87ftmje5zb DOT fsf AT Rainer DOT invalid>	<CAN9EdkYzh558w=CG3UkzgN0rg98eVx2V0BcdktEwVEW3dS1qCQ AT mail DOT gmail DOT com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
Date: Sat, 03 Aug 2019 08:43:31 +0200
Message-ID: <874l2y4ulo.fsf@Rainer.invalid>
MIME-Version: 1.0
Content-Type: text/plain

David Goldberg writes:
> Thanks but unfortunately even after don't that I still get the complaint
> that they're is a self signed certificate in the chain. We do indeed run
> our own CA but it seems like that should not really be a problem.

Wait, are you saying you do run a private CA, but the LDAP server cert
is not certified through it?  Running

openssl s_client -connect ldap:9010

shows the certificate chain as seen by openssl and would tell you if
you've registered the right cert to trust.  You can compare this to what
ldapsearch outputs when run with a sufficiently high debuglevel to see
if there's some obvious mismatch that would indicate a configuration
error somewhere.  As a last resort you can run

env LDAP_REQCERT=never ldapsearch ...

to skip the certificate check and see if that at least works.  But you
said it worked before, so that might not be the problem here...

So let me guess that you need to point your ldap.conf to
/etc/pki/... instead of /etc/ssl/... (which was the earlier default).

Also, please read the update announcement about the state of the server
components (if you use them).


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple