From: Achim Gratz
To: cygwin@cygwin.com
Subject: Re: Openldap 2.4.48-1 vs my company's pki
Date: Sat, 03 Aug 2019 06:43:00 -0000

David Goldberg writes:
> Thanks but unfortunately even after doing that I still get the complaint
> that there is a self signed certificate in the chain. We do indeed run
> our own CA but it seems like that should not really be a problem.

Wait, are you saying you do run a private CA, but the LDAP server cert
is not certified through it?

Running

  openssl s_client -connect ldap:9010

shows the certificate chain as seen by openssl and would tell you if
you've registered the right cert to trust. You can compare this to what
ldapsearch outputs when run with a sufficiently high debuglevel to see
if there's some obvious mismatch that would indicate a configuration
error somewhere. As a last resort you can run

  env LDAP_REQCERT=never ldapsearch ...

to skip the certificate check and see if that at least works.

But you said it worked before, so that might not be the problem here...
So let me guess that you need to point your ldap.conf to /etc/pki/...
instead of /etc/ssl/... (which was the earlier default).

Also, please read the update announcement about the state of the server
components (if you use them).

Regards,
Achim.
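
The ldap.conf check suggested in the reply above can be scripted. The following is an added example, not part of the original message and not Cygwin or OpenLDAP project code: a shell function that reads an ldap.conf and reports whether TLS_CACERT / TLS_CACERTDIR point at something that exists and whether TLS_REQCERT was left at a value that skips verification. The function name and the OK/MISSING/WEAK/NOTE labels are made up for this example; the path of the file to audit is passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the original message): audit the TLS trust
# settings of an OpenLDAP client configuration file.
# Usage: check_ldap_trust /path/to/ldap.conf
# Prints one finding per line; exit status 0 means no problem was found.
check_ldap_trust() {
    conf=$1; problems=0; have_ca=0
    if [ ! -r "$conf" ]; then
        echo "ERROR cannot read $conf"
        return 2
    fi
    # ldap.conf lines are "OPTION value"; option names are case-insensitive.
    while read -r key value || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        opt=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        case $opt in
            TLS_CACERT|TLS_CACERTDIR)
                have_ca=1
                # TLS_CACERT names a PEM bundle file, TLS_CACERTDIR a directory.
                if [ "$opt" = TLS_CACERT ]; then t=-f; else t=-d; fi
                if [ $t "$value" ] && [ -r "$value" ]; then
                    echo "OK $opt $value"
                else
                    echo "MISSING $opt $value"
                    problems=$((problems + 1))
                fi
                # The reply above suspects a stale /etc/ssl/... path.
                case $value in /etc/ssl/*) echo "NOTE $opt uses the earlier /etc/ssl location" ;; esac
                ;;
            TLS_REQCERT)
                # "never" and "allow" let a session proceed without a valid chain.
                case $value in
                    never|allow)
                        echo "WEAK TLS_REQCERT $value"
                        problems=$((problems + 1)) ;;
                    *) echo "OK TLS_REQCERT $value" ;;
                esac
                ;;
        esac
    done < "$conf"
    [ "$have_ca" -eq 1 ] || echo "NOTE no TLS_CACERT/TLS_CACERTDIR set; library default applies"
    [ "$problems" -eq 0 ]
}
```

A MISSING line for the CA path is the configuration mismatch the reply guesses at; a WEAK line means a diagnostic setting was left in place after troubleshooting.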