public inbox for cygwin@cygwin.com
* Openldap 2.4.48-1 vs my company's pki
@ 2019-08-02 15:45 David Goldberg
  2019-08-02 17:28 ` Quanah Gibson-Mount
                   ` (2 more replies)
  0 siblings, 3 replies; 17+ messages in thread
From: David Goldberg @ 2019-08-02 15:45 UTC (permalink / raw)
  To: cygwin

I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
ldapsearch will not connect, complaining that the server provided
certificate is self signed. I have set up /etc/pki with my company's
certificate chain and that allows 2.4.42-1 (and earlier) and other
applications to properly authenticate local services. What has changed in
2.4.48-1 that causes this to not work and how can I fix it. I've downgraded
for now; that is not a good long term solution of course.

Thanks,

Dave Goldberg

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-02 15:45 Openldap 2.4.48-1 vs my company's pki David Goldberg
@ 2019-08-02 17:28 ` Quanah Gibson-Mount
  2019-08-02 19:13 ` Achim Gratz
       [not found] ` <F9D491FCA6B56B38D0C0B1D6@192.168.1.39>
  2 siblings, 0 replies; 17+ messages in thread
From: Quanah Gibson-Mount @ 2019-08-02 17:28 UTC (permalink / raw)
  To: David Goldberg, cygwin

--On Friday, August 02, 2019 12:45 PM -0400 David Goldberg 
<dsg18096@gmail.com> wrote:

> I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> ldapsearch will not connect, complaining that the server provided
> certificate is self signed. I have set up /etc/pki with my company's
> certificate chain and that allows 2.4.42-1 (and earlier) and other
> applications to properly authenticate local services. What has changed in
> 2.4.48-1 that causes this to not work and how can I fix it. I've
> downgraded for now; that is not a good long term solution of course.

What SSL library is being used for each of the two builds (I.e., gnutls? 
openssl? moznss?)  What SSL library version did 2.4.42 link to?  What SSL 
library version does 2.4.48 link to?  Generally OpenLDAP should be linked 
to OpenSSL which uses PEM formatted certificates.  Also check whether you 
have a global ldap.conf file (usually something like 
/etc/openldap/ldap.conf or /etc/ldap.conf, etc, depending on how OpenLDAP 
was built) that defines where to find the CA Cert(s), or a ~user/.ldaprc, 
etc.  OpenLDAP client utilities generally by default do not search for a 
global list of CA certificates.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>



* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-02 15:45 Openldap 2.4.48-1 vs my company's pki David Goldberg
  2019-08-02 17:28 ` Quanah Gibson-Mount
@ 2019-08-02 19:13 ` Achim Gratz
  2019-08-02 20:08   ` David Goldberg
       [not found] ` <F9D491FCA6B56B38D0C0B1D6@192.168.1.39>
  2 siblings, 1 reply; 17+ messages in thread
From: Achim Gratz @ 2019-08-02 19:13 UTC (permalink / raw)
  To: cygwin

David Goldberg writes:
> I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> ldapsearch will not connect, complaining that the server provided
> certificate is self signed. I have set up /etc/pki with my company's
> certificate chain and that allows 2.4.42-1 (and earlier) and other
> applications to properly authenticate local services.

The PKI layout was slightly changed a while ago and the newer openssl
library used by the fresh openldap build may not pick up on the old
locations anymore.  What you should do is place the certificates into
the /etc/pki/ca-trust/source/anchors/ directory, then run

# update-ca-trust extract

which should correctly populate the directories that the libraries and
applications use.



Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves


* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-02 19:13 ` Achim Gratz
@ 2019-08-02 20:08   ` David Goldberg
  2019-08-03  6:43     ` Achim Gratz
  0 siblings, 1 reply; 17+ messages in thread
From: David Goldberg @ 2019-08-02 20:08 UTC (permalink / raw)
  To: cygwin

Thanks but unfortunately even after doing that I still get the complaint
that there is a self signed certificate in the chain. We do indeed run
our own CA but it seems like that should not really be a problem.

On Fri, Aug 2, 2019, 15:13 Achim Gratz <Stromeko@nexgo.de> wrote:

> David Goldberg writes:
> > I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> > ldapsearch will not connect, complaining that the server provided
> > certificate is self signed. I have set up /etc/pki with my company's
> > certificate chain and that allows 2.4.42-1 (and earlier) and other
> > applications to properly authenticate local services.
>
> The PKI layout was slightly changed a while ago and the newer openssl
> library used by the fresh openldap build may not pick up on the old
> locations anymore.  What you should do is place the certificates into
> the /etc/pki/ca-trust/source/anchors/ directory, then run
>
> # update-ca-trust extract
>
> which should correctly populate the directories that the libraries and
> applications use.
>
>
>
> Regards,
> Achim.
> --
> +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
>
> Wavetables for the Terratec KOMPLEXER:
> http://Synth.Stromeko.net/Downloads.html#KomplexerWaves
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>
>


* Re: Openldap 2.4.48-1 vs my company's pki
       [not found] ` <F9D491FCA6B56B38D0C0B1D6@192.168.1.39>
@ 2019-08-03  2:42   ` David Goldberg
  0 siblings, 0 replies; 17+ messages in thread
From: David Goldberg @ 2019-08-03  2:42 UTC (permalink / raw)
  To: cygwin

One downside of having to do non-work email on my phone while at work is
that I didn't realize my reply to Quanah was direct, not to the list.
Sorry about that.  Trying again:

I did the following to try to answer

$ ldd /usr/bin/ldapsearch.exe # 2.4.42
        ntdll.dll => /cygdrive/c/WINDOWS/SYSTEM32/ntdll.dll (0x7ffc58b50000)
        KERNEL32.DLL => /cygdrive/c/WINDOWS/System32/KERNEL32.DLL (0x7ffc57bd0000)
        KERNELBASE.dll => /cygdrive/c/WINDOWS/System32/KERNELBASE.dll (0x7ffc554b0000)
        SYSFER.DLL => /cygdrive/c/WINDOWS/System32/SYSFER.DLL (0x59e30000)
        ADVAPI32.dll => /cygdrive/c/WINDOWS/System32/ADVAPI32.dll (0x7ffc57b20000)
        msvcrt.dll => /cygdrive/c/WINDOWS/System32/msvcrt.dll (0x7ffc57950000)
        sechost.dll => /cygdrive/c/WINDOWS/System32/sechost.dll (0x7ffc563a0000)
        RPCRT4.dll => /cygdrive/c/WINDOWS/System32/RPCRT4.dll (0x7ffc581d0000)
        cygwin1.dll => /usr/bin/cygwin1.dll (0x180040000)
        cyglber-2-4-2.dll => /usr/bin/cyglber-2-4-2.dll (0x3fbd60000)
        cygsasl2-3.dll => /usr/bin/cygsasl2-3.dll (0x3faae0000)
        cygldap-2-4-2.dll => /usr/bin/cygldap-2-4-2.dll (0x3fb9b0000)
        cygcrypto-1.0.0.dll => /usr/bin/cygcrypto-1.0.0.dll (0x3fe480000)
        cygz.dll => /usr/bin/cygz.dll (0x3fa000000)
        cygssl-1.0.0.dll => /usr/bin/cygssl-1.0.0.dll (0x3fa860000)

And

$ ldd /usr/bin/ldapsearch.exe # 2.4.48
        ntdll.dll => /cygdrive/c/WINDOWS/SYSTEM32/ntdll.dll (0x7ffc58b50000)
        KERNEL32.DLL => /cygdrive/c/WINDOWS/System32/KERNEL32.DLL (0x7ffc57bd0000)
        KERNELBASE.dll => /cygdrive/c/WINDOWS/System32/KERNELBASE.dll (0x7ffc554b0000)
        SYSFER.DLL => /cygdrive/c/WINDOWS/System32/SYSFER.DLL (0x59e30000)
        ADVAPI32.dll => /cygdrive/c/WINDOWS/System32/ADVAPI32.dll (0x7ffc57b20000)
        msvcrt.dll => /cygdrive/c/WINDOWS/System32/msvcrt.dll (0x7ffc57950000)
        sechost.dll => /cygdrive/c/WINDOWS/System32/sechost.dll (0x7ffc563a0000)
        RPCRT4.dll => /cygdrive/c/WINDOWS/System32/RPCRT4.dll (0x7ffc581d0000)
        cygwin1.dll => /usr/bin/cygwin1.dll (0x180040000)
        cyglber-2-4-2.dll => /usr/bin/cyglber-2-4-2.dll (0x3fbd60000)
        cygsasl2-3.dll => /usr/bin/cygsasl2-3.dll (0x3faae0000)
        cygldap-2-4-2.dll => /usr/bin/cygldap-2-4-2.dll (0x3fb9b0000)
        cygssl-1.1.dll => /usr/bin/cygssl-1.1.dll (0x3fa7d0000)
        ??? => ??? (0xe80000)
        cygcrypto-1.1.dll => /usr/bin/cygcrypto-1.1.dll (0x3fe210000)
        cygz.dll => /usr/bin/cygz.dll (0x3fa000000)

So something seems weird with one showing cygssl 1.1 and maybe something
missing while the working one shows cygssl 1.0.  Any idea how I might
resolve that?

Thanks
-- 
Dave Goldberg
dsg18096@gmail.com


On Fri, Aug 2, 2019 at 1:28 PM Quanah Gibson-Mount <quanah@symas.com> wrote:

> --On Friday, August 02, 2019 12:45 PM -0400 David Goldberg
> <dsg18096@gmail.com> wrote:
>
> > I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> > ldapsearch will not connect, complaining that the server provided
> > certificate is self signed. I have set up /etc/pki with my company's
> > certificate chain and that allows 2.4.42-1 (and earlier) and other
> > applications to properly authenticate local services. What has changed in
> > 2.4.48-1 that causes this to not work and how can I fix it. I've
> > downgraded for now; that is not a good long term solution of course.
>
> What SSL library is being used for each of the two builds (I.e., gnutls?
> openssl? moznss?)  What SSL library version did 2.4.42 link to?  What SSL
> library version does 2.4.48 link to?  Generally OpenLDAP should be linked
> to OpenSSL which uses PEM formatted certificates.  Also check whether you
> have a global ldap.conf file (usually something like
> /etc/openldap/ldap.conf or /etc/ldap.conf, etc, depending on how OpenLDAP
> was built) that defines where to find the CA Cert(s), or a ~user/.ldaprc,
> etc.  OpenLDAP client utilities generally by default do not search for a
> global list of CA certificates.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>


* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-02 20:08   ` David Goldberg
@ 2019-08-03  6:43     ` Achim Gratz
  2019-08-05 12:22       ` David Goldberg
  0 siblings, 1 reply; 17+ messages in thread
From: Achim Gratz @ 2019-08-03  6:43 UTC (permalink / raw)
  To: cygwin

David Goldberg writes:
> Thanks but unfortunately even after doing that I still get the complaint
> that there is a self signed certificate in the chain. We do indeed run
> our own CA but it seems like that should not really be a problem.

Wait, are you saying you do run a private CA, but the LDAP server cert
is not certified through it?  Running

openssl s_client -connect ldap:9010

shows the certificate chain as seen by openssl and would tell you if
you've registered the right cert to trust.  You can compare this to what
ldapsearch outputs when run with a sufficiently high debuglevel to see
if there's some obvious mismatch that would indicate a configuration
error somewhere.  As a last resort you can run

env LDAP_REQCERT=never ldapsearch ...

to skip the certificate check and see if that at least works.  But you
said it worked before, so that might not be the problem here...

So let me guess that you need to point your ldap.conf to
/etc/pki/... instead of /etc/ssl/... (which was the earlier default).

Also, please read the update announcement about the state of the server
components (if you use them).


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves


* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-03  6:43     ` Achim Gratz
@ 2019-08-05 12:22       ` David Goldberg
  2019-08-05 19:25         ` Quanah Gibson-Mount
                           ` (2 more replies)
  0 siblings, 3 replies; 17+ messages in thread
From: David Goldberg @ 2019-08-05 12:22 UTC (permalink / raw)
  To: cygwin

Sorry, was away from work over the weekend. I just tested with openssl
s_client and it works just fine.  Version is 1.1.1.  There is no self
signed certificate. It's signed with the company pki rather than commercial
and I've properly installed that chain. The problem seems to be with the new
build, at least the weird ldd output leads me to that conclusion. I'll try
to find some time to build from source and see if it works.

Thanks

On Sat, Aug 3, 2019, 02:43 Achim Gratz <Stromeko@nexgo.de> wrote:

> David Goldberg writes:
> > Thanks but unfortunately even after doing that I still get the complaint
> > that there is a self signed certificate in the chain. We do indeed run
> > our own CA but it seems like that should not really be a problem.
>
> Wait, are you saying you do run a private CA, but the LDAP server cert
> is not certified through it?  Running
>
> openssl s_client -connect ldap:9010
>
> shows the certificate chain as seen by openssl and would tell you if
> you've registered the right cert to trust.  You can compare this to what
> ldapsearch outputs when run with a sufficiently high debuglevel to see
> if there's some obvious mismatch that would indicate a configuration
> error somewhere.  As a last resort you can run
>
> env LDAP_REQCERT=never ldapsearch ...
>
> to skip the certificate check and see if that at least works.  But you
> said it worked before, so that might not be the problem here...
>
> So let me guess that you need to point your ldap.conf to
> /etc/pki/... instead of /etc/ssl/... (which was the earlier default).
>
> Also, please read the update announcement about the state of the server
> components (if you use them).
>
>
> Regards,
> Achim.
> --
> +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
>
> Wavetables for the Terratec KOMPLEXER:
> http://Synth.Stromeko.net/Downloads.html#KomplexerWaves
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>
>


* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-05 12:22       ` David Goldberg
@ 2019-08-05 19:25         ` Quanah Gibson-Mount
  2019-08-05 19:39         ` Achim Gratz
       [not found]         ` <228DE7899A9CF9C913C8B1B8@192.168.1.39>
  2 siblings, 0 replies; 17+ messages in thread
From: Quanah Gibson-Mount @ 2019-08-05 19:25 UTC (permalink / raw)
  To: David Goldberg, cygwin

--On Monday, August 05, 2019 9:22 AM -0400 David Goldberg 
<dsg18096@gmail.com> wrote:

> Sorry, was away from work over the weekend. I just tested with openssl
> s_client and it works just fine.  Version is 1.1.1.  There is no self
> signed certificate. It's signed with the company pki rather than
> commercial and I've properly installed that chain. The problem seems to be
> with the new build, at least the weird ldd output leads me to that
> conclusion. I'll try to find some time to build from source and see if it

Do you mean you connected to the ldap server using OpenSSL s_client to 
confirm that works?  If that works and the ldapsearch (or other ldap 
client) binary does not, then you likely have a global /etc/ldap.conf (or 
wherever this build looks for it) or a ~/.ldaprc file that defines the 
path or file to find the CA certificate that would need updating.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>



* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-05 12:22       ` David Goldberg
  2019-08-05 19:25         ` Quanah Gibson-Mount
@ 2019-08-05 19:39         ` Achim Gratz
       [not found]         ` <228DE7899A9CF9C913C8B1B8@192.168.1.39>
  2 siblings, 0 replies; 17+ messages in thread
From: Achim Gratz @ 2019-08-05 19:39 UTC (permalink / raw)
  To: cygwin

David Goldberg writes:
> Sorry, was away from work over the weekend. I just tested with openssl
> s_client and it works just fine.  Version is 1.1.1.  There is no self
> signed certificate. It's signed with the company pki rather than commercial
> and I've properly installed that chain.

Good.  Then, as I suggested before, the most likely culprit is some
configuration for openldap that points at a PKI location that is not
up-to-date or nonexisting.

> The problem send to be with the new build, at least the weird ldd
> output leads me to that conclusion. I'll try to find some time to
> build from source and see if it works.

I can't see how that would help or why you think the ldd output is
weird.  There are exactly no changes to the new build vs. the old one
other than that it has of course picked up the new openssl as a dependency
(that was the whole point of updating it) and I've removed some
changes to the tests that are not necessary for the current build
environment.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs


* Re: Openldap 2.4.48-1 vs my company's pki
       [not found]         ` <228DE7899A9CF9C913C8B1B8@192.168.1.39>
@ 2019-08-05 20:06           ` David Goldberg
  2019-08-05 20:31             ` Quanah Gibson-Mount
                               ` (2 more replies)
  0 siblings, 3 replies; 17+ messages in thread
From: David Goldberg @ 2019-08-05 20:06 UTC (permalink / raw)
  To: cygwin

Correct, openssl s_client works, as does the older build of ldapsearch.  I
can't find any .ldaprc nor ldap.conf files on my system.

Unfortunately I've only set up my system for end user purposes. Building
from source will be a challenge. Any guidance (a link is fine) on what
packages to install to set that up? And do I need to worry about the
.cygport and patch files in the source distribution or will configure pick
them up?

Thanks

On Mon, Aug 5, 2019, 15:25 Quanah Gibson-Mount <quanah@symas.com> wrote:

> --On Monday, August 05, 2019 9:22 AM -0400 David Goldberg
> <dsg18096@gmail.com> wrote:
>
> > Sorry, was away from work over the weekend. I just tested with openssl
> > s_client and it works just fine.  Version is 1.1.1.  There is no self
> > signed certificate. It's signed with the company pki rather than
> > commercial and I've properly installed that chain. The problem seems to be
> > with the new build, at least the weird ldd output leads me to that
> > conclusion. I'll try to find some time to build from source and see if it
>
> Do you mean you connected to the ldap server using OpenSSL s_client to
> confirm that works?  If that works and the ldapsearch (or other ldap
> client) binary does not, then you likely have a global /etc/ldap.conf (or
> wherever this build looks for it) or a ~/.ldaprc file that defines the
> path or file to find the CA certificate that would need updating.
>
> Regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>


* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-05 20:06           ` David Goldberg
@ 2019-08-05 20:31             ` Quanah Gibson-Mount
  2019-08-05 22:41             ` Brian Inglis
  2019-08-06 16:44             ` Achim Gratz
  2 siblings, 0 replies; 17+ messages in thread
From: Quanah Gibson-Mount @ 2019-08-05 20:31 UTC (permalink / raw)
  To: David Goldberg, cygwin

--On Monday, August 05, 2019 5:06 PM -0400 David Goldberg 
<dsg18096@gmail.com> wrote:

> Correct, openssl s_client works, as does the older build of ldapsearch.  I
> can't find any .ldaprc nor ldap.conf files on my system.
>
> Unfortunately I've only set up my system for end user purposes. Building
> from source will be a challenge. Any guidance (a link is fine) on what
> packages to install to set that up? And do I need to worry about the
> .cygport and patch files in the source distribution or will configure pick
> them up?

I would start with executing ldapsearch with the -d -1 flag added in (full 
debugging) to see what the client is doing.

I.e., if you're doing startTLS, then something like

ldapsearch -x -ZZ -d -1 -H ldap://<FQDN> -s base -b ""

Or if you're using ldaps, then something like:

ldapsearch -x -d -1 -H ldaps://<FQDN> -s base -b ""

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>



* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-05 20:06           ` David Goldberg
  2019-08-05 20:31             ` Quanah Gibson-Mount
@ 2019-08-05 22:41             ` Brian Inglis
  2019-08-06 15:23               ` David Goldberg
  2019-08-06 16:44             ` Achim Gratz
  2 siblings, 1 reply; 17+ messages in thread
From: Brian Inglis @ 2019-08-05 22:41 UTC (permalink / raw)
  To: cygwin

On 2019-08-05 14:06, David Goldberg wrote:
> On Mon, Aug 5, 2019, 15:25 Quanah Gibson-Mount wrote:
>> On Monday, August 05, 2019 9:22 AM -0400 David Goldberg wrote:
>>> Sorry, was away from work over the weekend. I just tested with openssl
>>> s_client and it works just fine.  Version is 1.1.1.  There is no self
>>> signed certificate. It's signed with the company pki rather than
>>> commercial and I've properly installed that chain. The problem seems to be
>>> with the new build, at least the weird ldd output leads me to that
>>> conclusion. I'll try to find some time to build from source and see if it
>> Do you mean you connected to the ldap server using OpenSSL s_client to
>> confirm that works?  If that works and the ldapsearch (or other ldap
>> client) binary does not, then you likely have a global /etc/ldap.conf (or
>> wherever this build looks for it) or a ~/.ldaprc file that defines the
>> path or file to find the CA certificate that would need updating.
> Correct, openssl s_client works, as does the older build of ldapsearch.  I
> can't find any .ldaprc nor ldap.conf files on my system.
> Unfortunately I've only set up my system for end user purposes. Building
> from source will be a challenge. Any guidance (a link is fine) on what
> packages to install to set that up? And do I need to worry about the
> .cygport and patch files in the source distribution or will configure pick
> them up?

Install the cygport package and all its dependencies, plus the openldap source
package, plus any build dependency packages named in the openldap.cygport
DEPEND="" list.

Change to the directory containing openldap.cygport and type:

	$ cygport openldap.cygport download all test

and deal with any missing lib*-devel packages or other issues arising during the
build.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-05 22:41             ` Brian Inglis
@ 2019-08-06 15:23               ` David Goldberg
  0 siblings, 0 replies; 17+ messages in thread
From: David Goldberg @ 2019-08-06 15:23 UTC (permalink / raw)
  To: cygwin

Thank you, Brian that got me to a local build. Unfortunately that has the
same error as the binary installation of 2.4.48.  Here are relevant
snippets of the output from each version:


2.4.42 which works:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: /CN=MYCOMPANY BA ROOT, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: depth: 1, err: 0, subject: /DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: depth: 0, err: 0, subject: /O=mycompany.tld/OU=Servers/CN=uds.mycompany.tld, issuer: /DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A

2.4.48 which doesn't:

TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 19, subject: /CN=MYCOMPANY BA ROOT, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).

I'm stumped at this point.

Thanks


On Mon, Aug 5, 2019, 18:41 Brian Inglis <Brian.Inglis@systematicsw.ab.ca>
wrote:

> On 2019-08-05 14:06, David Goldberg wrote:
> > On Mon, Aug 5, 2019, 15:25 Quanah Gibson-Mount wrote:
> >> On Monday, August 05, 2019 9:22 AM -0400 David Goldberg wrote:
> >>> Sorry, was away from work over the weekend. I just tested with openssl
> >>> s_client and it works just fine.  Version is 1.1.1.  There is no self
> >>> signed certificate. It's signed with the company pki rather than
> >>> commercial and I've properly installed that chain. The problem seems to be
> >>> with the new build, at least the weird ldd output leads me to that
> >>> conclusion. I'll try to find some time to build from source and see if it
> >> Do you mean you connected to the ldap server using OpenSSL s_client to
> >> confirm that works?  If that works and the ldapsearch (or other ldap
> >> client) binary does not, then you likely have a global /etc/ldap.conf (or
> >> wherever this build looks for it) or a ~/.ldaprc file that defines the
> >> path or file to find the CA certificate that would need updating.
> > Correct, openssl s_client works, as does the older build of ldapsearch.  I
> > can't find any .ldaprc nor ldap.conf files on my system.
> > Unfortunately I've only set up my system for end user purposes. Building
> > from source will be a challenge. Any guidance (a link is fine) on what
> > packages to install to set that up? And do I need to worry about the
> > .cygport and patch files in the source distribution or will configure pick
> > them up?
>
> Install the cygport package and all its dependencies, plus the openldap source
> package, plus any build dependency packages named in the openldap.cygport
> DEPEND="" list.
>
> Change to the directory containing openldap.cygport and type:
>
>         $ cygport openldap.cygport download all test
>
> and deal with any missing lib*-devel packages or other issues arising during the
> build.
>
> --
> Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
>
> This email may be disturbing to some readers as it contains
> too much technical detail. Reader discretion is advised.
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>
>
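The err: values in those two traces are the numeric X509_V_ERR codes that OpenSSL hands to OpenLDAP's verify callback, so the depth line already says where the chain broke before the summary does: depth 2 (the root) with err 19 means the client never found MYCOMPANY BA ROOT in whatever trust store it opened, while the 2.4.42 run reports err 0 at every depth. The script below is an added example, not code from the thread or from OpenLDAP, that triages such output: it rejoins lines a mail client has wrapped, prints each verified depth with its subject, and explains any non-zero code. The two embedded traces are the 2.4.42 and 2.4.48 excerpts quoted in this message, kept in their wrapped form; the code-to-name table follows OpenSSL's verify(1) documentation, and only sh and awk are needed.

```shell
#!/bin/sh
# Triage the TLS part of "ldapsearch -d -1" output: find the chain depth whose
# verification failed and translate the numeric err: code that OpenSSL hands
# to the OpenLDAP verify callback. Added example, not code from the thread or
# from OpenLDAP. The two embedded traces are the 2.4.42 and 2.4.48 excerpts
# quoted in the thread, shortened; only sh and awk are needed.

# triage_trace: read a trace on stdin, print one line per verified depth plus
# the meaning of any non-zero err code. Exit 0 only if every depth had err: 0.
# Mail clients wrap long lines, so continuation lines (those not starting with
# "TLS") are joined back onto the record before them.
triage_trace() {
    awk '
    function describe(e) {
        if (e == 9)  return "CERT_NOT_YET_VALID: check the client clock"
        if (e == 10) return "CERT_HAS_EXPIRED: certificate at this depth has expired"
        if (e == 18) return "DEPTH_ZERO_SELF_SIGNED_CERT: server presented a self-signed leaf"
        if (e == 19) return "SELF_SIGNED_CERT_IN_CHAIN: root CA is not in the trust store this client reads (TLS_CACERT / TLS_CACERTDIR)"
        if (e == 20) return "UNABLE_TO_GET_ISSUER_CERT_LOCALLY: intermediate or root missing from the trust store"
        if (e == 21) return "UNABLE_TO_VERIFY_LEAF_SIGNATURE: only the leaf was sent and its issuer is unknown"
        if (e == 62) return "HOSTNAME_MISMATCH: certificate SAN/CN does not match the -H host name"
        return "X509_V_ERR " e ": see verify(1)"
    }
    function flush() {
        if (buf == "") return
        if (buf ~ /^TLS certificate verification: depth: /) {
            depth = buf; sub(/.*depth: /, "", depth); sub(/,.*/, "", depth)
            err = buf;   sub(/.*err: /, "", err);     sub(/,.*/, "", err)
            subj = buf;  sub(/.*subject: /, "", subj); sub(/, issuer:.*/, "", subj)
            printf "depth %s err %-3s %s\n", depth, err, subj
            if (err + 0 != 0) { printf "  -> %s\n", describe(err + 0); failed = 1 }
        } else if (buf ~ /^TLS: can.t connect/) {
            print "fatal: " buf; failed = 1
        }
        buf = ""
    }
    BEGIN  { failed = 0 }
    /^TLS/ { flush(); buf = $0; next }
    NF     { buf = buf " " $0 }
    END    { flush(); exit failed }
    '
}

# Excerpt of the working 2.4.42 run, with the mail wrapping left in place.
sample_ok() {
cat <<'EOF'
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: /CN=MYCOMPANY BA
ROOT, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: depth: 1, err: 0, subject:
/DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: depth: 0, err: 0, subject:
/O=mycompany.tld/OU=Servers/CN=uds.mycompany.tld, issuer:
/DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3
TLS trace: SSL_connect:SSLv3 read server certificate A
EOF
}

# Excerpt of the failing 2.4.48 run.
sample_fail() {
cat <<'EOF'
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 19, subject: /CN=MYCOMPANY BA
ROOT, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: Error, self signed certificate in certificate
chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed (self
signed certificate in certificate chain).
EOF
}

if [ $# -gt 0 ]; then
    # debug output goes to stderr: ldapsearch -x -ZZ -d -1 ... 2>trace.txt; sh triage.sh trace.txt
    triage_trace < "$1"
else
    echo "== 2.4.42 =="; sample_ok | triage_trace || :
    echo "== 2.4.48 =="; sample_fail | triage_trace || :
fi
```

Run without arguments it triages the two embedded excerpts; with a file argument it reads a trace you captured from stderr. The exit status makes it usable as a check in a script that retries with a corrected ldap.conf.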


* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-05 20:06           ` David Goldberg
  2019-08-05 20:31             ` Quanah Gibson-Mount
  2019-08-05 22:41             ` Brian Inglis
@ 2019-08-06 16:44             ` Achim Gratz
  2019-08-06 19:17               ` David Goldberg
  2 siblings, 1 reply; 17+ messages in thread
From: Achim Gratz @ 2019-08-06 16:44 UTC (permalink / raw)
  To: cygwin

David Goldberg writes:
> Correct, openssl s_client works, as does the older build of ldapsearch.  I
> can't find any .ldaprc nor ldap.conf files on my system.

Then work the other way around and create a configuration file that
points to the PKI.  It's entirely possible that the compiled-in default
(if there even is one) is not correct.  If so I'll have to figure out
how to change that, but until then it would be useful to know if things
start working when the config is pointing to the existing PKI (which, as
you tested can be used correctly by openssl).


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada



* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-06 16:44             ` Achim Gratz
@ 2019-08-06 19:17               ` David Goldberg
  2019-08-06 21:20                 ` David Goldberg
  0 siblings, 1 reply; 17+ messages in thread
From: David Goldberg @ 2019-08-06 19:17 UTC (permalink / raw)
  To: cygwin

Thank you, Achim!  I should have thought of that myself. Indeed adding an
appropriate TLS_CACERT to ldap.conf has solved the problem and 2.4.48
ldapsearch is working now.

On Tue, Aug 6, 2019, 12:44 Achim Gratz <Stromeko@nexgo.de> wrote:

> David Goldberg writes:
> > Correct, openssl s_client works, as does the older build of ldapsearch.  I
> > can't find any .ldaprc nor ldap.conf files on my system.
>
> Then work the other way around and create a configuration file that
> points to the PKI.  It's entirely possible that the compiled-in default
> (if there even is one) is not correct.  If so I'll have to figure out
> how to change that, but until then it would be useful to know if things
> start working when the config is pointing to the existing PKI (which, as
> you tested can be used correctly by openssl).
>
>
> Regards,
> Achim.
> --
> +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
>
> SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
> http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
>



* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-06 19:17               ` David Goldberg
@ 2019-08-06 21:20                 ` David Goldberg
  2019-08-07 18:35                   ` Achim Gratz
  0 siblings, 1 reply; 17+ messages in thread
From: David Goldberg @ 2019-08-06 21:20 UTC (permalink / raw)
  To: cygwin

I found the problem. I guess there's a number of locations where .ldaprc
can be found. I have an old backup of a Linux home directory under my
cygwin home and that contained a .ldaprc with a TLS_CACERTDIR setting that
makes no sense on my windows box.  I removed it and also the ldap.conf I
just created and ldapsearch worked as expected. I can't understand why
2.4.42 ignored that file while 2.4.48 tried to use it but it seems local to
my oddball situation and not a broader issue.

Thanks again for all the help and advice.

On Tue, Aug 6, 2019, 15:17 David Goldberg <dsg18096@gmail.com> wrote:

> Thank you, Achim!  I should have thought of that myself. Indeed adding an
> appropriate TLS_CACERT to ldap.conf has solved the problem and 2.4.48
> ldapsearch is working now.
>
> On Tue, Aug 6, 2019, 12:44 Achim Gratz <Stromeko@nexgo.de> wrote:
>
>> David Goldberg writes:
>> > Correct, openssl s_client works, as does the older build of ldapsearch.  I
>> > can't find any .ldaprc nor ldap.conf files on my system.
>>
>> Then work the other way around and create a configuration file that
>> points to the PKI.  It's entirely possible that the compiled-in default
>> (if there even is one) is not correct.  If so I'll have to figure out
>> how to change that, but until then it would be useful to know if things
>> start working when the config is pointing to the existing PKI (which, as
>> you tested can be used correctly by openssl).
>>
>>
>> Regards,
>> Achim.
>> --
>> +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
>>
>> SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
>> http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
>>



* Re: Openldap 2.4.48-1 vs my company's pki
  2019-08-06 21:20                 ` David Goldberg
@ 2019-08-07 18:35                   ` Achim Gratz
  0 siblings, 0 replies; 17+ messages in thread
From: Achim Gratz @ 2019-08-07 18:35 UTC (permalink / raw)
  To: cygwin

David Goldberg writes:
> I found the problem. I guess there's a number of locations where .ldaprc
> can be found. I have an old backup of a Linux home directory under my
> cygwin home and that contained a .ldaprc with a TLS_CACERTDIR setting that
> makes no sense on my windows box.

I looked through the sources and I didn't find a place that would pick
up a config file in a random directory.  The user config is indeed
picked up in the $CWD of the running process, but all other configs are
in fixed places.

> I removed it and also the ldap.conf I just created and ldapsearch
> worked as expected. I can't understand why 2.4.42 ignored that file
> while 2.4.48 tried to use it but it seems local to my oddball
> situation and not a broader issue.

OK, so I consider the case closed.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra
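As an added illustration of the lookup order Achim describes and of the stray .ldaprc that David found in his working directory, here is a small audit script. It is example code written for this page, not code from the thread's participants or from OpenLDAP. It lists the client configuration files libldap consults in the order ldap.conf(5) documents (system file, then ldaprc/.ldaprc in $HOME and in the current directory, then the LDAPCONF and LDAPRC overrides), reports which file contributes each TLS trust setting, and checks that the configured TLS_CACERT / TLS_CACERTDIR paths actually exist. Assumptions: the system ldap.conf path is passed in as an argument because it is compiled into libldap; the dot-prefixed name is also tried in the current directory (ldap.conf(5) only names ./ldaprc); the demonstration files, paths and host name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the cygwin thread or from OpenLDAP): enumerate the
# client config files libldap reads, in ldap.conf(5) order, and show how a
# per-user file in the working directory overrides the system trust settings.

# Print the user config file names derived from one basename, in read order.
ldap_user_files() {
    base="$1"
    if [ -n "${HOME:-}" ]; then
        printf '%s\n' "$HOME/$base" "$HOME/.$base"
    fi
    # Files in the current working directory: the ones that caught the poster out.
    # ldap.conf(5) names ./ldaprc; trying the dotted name too is an assumption.
    printf '%s\n' "./$base" "./.$base"
}

# Print every file libldap would read, one per line; later files override earlier ones.
# $1 = path of the system-wide ldap.conf (compiled into libldap, so passed in here).
ldap_candidate_files() {
    sysconf="$1"
    # LDAPNOINIT disables all file-based defaulting, even when set to an empty value.
    if [ -n "${LDAPNOINIT+set}" ]; then
        return 0
    fi
    printf '%s\n' "$sysconf"
    ldap_user_files ldaprc
    [ -n "${LDAPCONF:-}" ] && printf '%s\n' "$LDAPCONF"   # extra config file by path
    [ -n "${LDAPRC:-}" ]   && ldap_user_files "$LDAPRC"    # extra user-file basename
    return 0
}

# Print "file<TAB>OPTION<TAB>value" for the TLS trust options in each readable
# candidate file. ldap.conf syntax: option, whitespace, value; '#' starts a
# comment; option names are case-insensitive.
ldap_tls_settings() {
    ldap_candidate_files "$1" | while IFS= read -r f; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*(#|$)/ { next }
            toupper($1) ~ /^TLS_(CACERT|CACERTDIR|REQCERT)$/ {
                printf "%s\t%s\t%s\n", file, toupper($1), $2
            }' "$f"
    done
}

# Resolve the effective TLS_CACERT / TLS_CACERTDIR after all overrides and verify
# the paths exist. Exit status 0 if every configured path is present, 1 otherwise.
ldap_check_trust_paths() {
    rc=0; cacert=""; cacert_src=""; cadir=""; cadir_src=""
    tab="$(printf '\t')"
    while IFS="$tab" read -r file opt val; do
        case "$opt" in
            TLS_CACERT)    cacert="$val"; cacert_src="$file" ;;
            TLS_CACERTDIR) cadir="$val";  cadir_src="$file" ;;
            TLS_REQCERT)   echo "TLS_REQCERT $val (from $file)" ;;
        esac
    done <<EOF
$(ldap_tls_settings "$1")
EOF
    if [ -n "$cacert" ]; then
        if [ -f "$cacert" ]; then echo "TLS_CACERT $cacert (from $cacert_src): ok"
        else echo "TLS_CACERT $cacert (from $cacert_src): MISSING"; rc=1; fi
    fi
    if [ -n "$cadir" ]; then
        if [ -d "$cadir" ]; then echo "TLS_CACERTDIR $cadir (from $cadir_src): ok"
        else echo "TLS_CACERTDIR $cadir (from $cadir_src): MISSING"; rc=1; fi
    fi
    [ -z "$cacert$cadir" ] && echo "no TLS_CACERT/TLS_CACERTDIR set; the compiled-in default applies"
    return $rc
}

# Constructed scenario (temporary files only, no real PKI): a sane system file
# and, in the working directory, a .ldaprc restored from another machine whose
# TLS_CACERTDIR does not exist on this box. Exit status comes from the check.
ldap_demo() {
    sb="$(mktemp -d)" || return 2
    mkdir -p "$sb/etc/pki" "$sb/home" "$sb/work"
    printf 'placeholder CA bundle, not a real certificate\n' > "$sb/etc/pki/ca-bundle.crt"
    printf 'URI ldaps://ldap.example.test\nTLS_CACERT %s/etc/pki/ca-bundle.crt\nTLS_REQCERT demand\n' \
        "$sb" > "$sb/etc/ldap.conf"
    printf '# left over from a Linux home-directory backup (placeholder path)\nTLS_CACERTDIR %s/old-linux-box/etc/ssl/certs\n' \
        "$sb" > "$sb/work/.ldaprc"
    (cd "$sb/work" && unset LDAPNOINIT && HOME="$sb/home" ldap_check_trust_paths "$sb/etc/ldap.conf")
    rc=$?
    rm -rf "$sb"
    return $rc
}

ldap_demo || echo "trust configuration needs attention (exit status $?)"
```

Running it prints the TLS_CACERT from the system file as ok and flags the TLS_CACERTDIR from ./.ldaprc as MISSING, which is the kind of override that made 2.4.48 reject the company chain. Running the same check from a different working directory, or after removing the stray file, reports a clean configuration; note that awk's `-v` processes backslash escapes, so Windows-style paths would need forward slashes.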


