* Openldap 2.4.48-1 vs my company's pki
From: David Goldberg @ 2019-08-02 15:45 UTC
To: cygwin

I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now ldapsearch will not connect, complaining that the server provided certificate is self signed. I have set up /etc/pki with my company's certificate chain and that allows 2.4.42-1 (and earlier) and other applications to properly authenticate local services. What has changed in 2.4.48-1 that causes this to not work and how can I fix it? I've downgraded for now; that is not a good long term solution of course.

Thanks,
Dave Goldberg

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
* Re: Openldap 2.4.48-1 vs my company's pki
From: Quanah Gibson-Mount @ 2019-08-02 17:28 UTC
To: David Goldberg, cygwin

--On Friday, August 02, 2019 12:45 PM -0400 David Goldberg <dsg18096@gmail.com> wrote:

> I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> ldapsearch will not connect, complaining that the server provided
> certificate is self signed. I have set up /etc/pki with my company's
> certificate chain and that allows 2.4.42-1 (and earlier) and other
> applications to properly authenticate local services. What has changed in
> 2.4.48-1 that causes this to not work and how can I fix it. I've
> downgraded for now; that is not a good long term solution of course.

What SSL library is being used for each of the two builds (i.e., gnutls? openssl? moznss?)
What SSL library version did 2.4.42 link to?
What SSL library version does 2.4.48 link to?

Generally OpenLDAP should be linked to OpenSSL, which uses PEM formatted certificates.

Also check whether you have a global ldap.conf file (usually something like /etc/openldap/ldap.conf or /etc/ldap.conf, etc., depending on how OpenLDAP was built) that defines where to find the CA Cert(s), or a ~user/.ldaprc, etc. OpenLDAP client utilities generally by default do not search for a global list of CA certificates.

--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
* Re: Openldap 2.4.48-1 vs my company's pki
From: Achim Gratz @ 2019-08-02 19:13 UTC
To: cygwin

David Goldberg writes:
> I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> ldapsearch will not connect, complaining that the server provided
> certificate is self signed. I have set up /etc/pki with my company's
> certificate chain and that allows 2.4.42-1 (and earlier) and other
> applications to properly authenticate local services.

The PKI layout was slightly changed a while ago and the newer openssl library used by the fresh openldap build may not pick up on the old locations anymore. What you should do is place the certificates into the /etc/pki/ca-trust/source/anchors/ directory, then run

# update-ca-trust extract

which should correctly populate the directories that the libraries and applications use.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves
* Re: Openldap 2.4.48-1 vs my company's pki
From: David Goldberg @ 2019-08-02 20:08 UTC
To: cygwin

Thanks, but unfortunately even after doing that I still get the complaint that there is a self signed certificate in the chain. We do indeed run our own CA but it seems like that should not really be a problem.

On Fri, Aug 2, 2019, 15:13 Achim Gratz <Stromeko@nexgo.de> wrote:

> David Goldberg writes:
> > I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> > ldapsearch will not connect, complaining that the server provided
> > certificate is self signed. I have set up /etc/pki with my company's
> > certificate chain and that allows 2.4.42-1 (and earlier) and other
> > applications to properly authenticate local services.
>
> The PKI layout was slightly changed a while ago and the newer openssl
> library used by the fresh openldap build may not pick up on the old
> locations anymore. What you should do is place the certificates into
> the /etc/pki/ca-trust/source/anchors/ directory, then run
>
> # update-ca-trust extract
>
> which should correctly populate the directories that the libraries and
> applications use.
>
> Regards,
> Achim.
* Re: Openldap 2.4.48-1 vs my company's pki
From: Achim Gratz @ 2019-08-03 6:43 UTC
To: cygwin

David Goldberg writes:
> Thanks, but unfortunately even after doing that I still get the complaint
> that there is a self signed certificate in the chain. We do indeed run
> our own CA but it seems like that should not really be a problem.

Wait, are you saying you do run a private CA, but the LDAP server cert is not certified through it? Running

openssl s_client -connect ldap:9010

shows the certificate chain as seen by openssl and would tell you if you've registered the right cert to trust. You can compare this to what ldapsearch outputs when run with a sufficiently high debuglevel to see if there's some obvious mismatch that would indicate a configuration error somewhere. As a last resort you can run

env LDAPTLS_REQCERT=never ldapsearch ...

to skip the certificate check and see if that at least works. But you said it worked before, so that might not be the problem here...

So let me guess that you need to point your ldap.conf to /etc/pki/... instead of /etc/ssl/... (which was the earlier default).

Also, please read the update announcement about the state of the server components (if you use them).

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves
* Re: Openldap 2.4.48-1 vs my company's pki
From: David Goldberg @ 2019-08-05 12:22 UTC
To: cygwin

Sorry, was away from work over the weekend. I just tested with openssl s_client and it works just fine. Version is 1.1.1; there is no self signed certificate. It's signed with the company pki rather than commercial and I've properly installed that chain. The problem seems to be with the new build, at least the weird ldd output leads me to that conclusion. I'll try to find some time to build from source and see if it works.

Thanks

On Sat, Aug 3, 2019, 02:43 Achim Gratz <Stromeko@nexgo.de> wrote:

> David Goldberg writes:
> > Thanks, but unfortunately even after doing that I still get the complaint
> > that there is a self signed certificate in the chain. We do indeed run
> > our own CA but it seems like that should not really be a problem.
>
> Wait, are you saying you do run a private CA, but the LDAP server cert
> is not certified through it? Running
>
> openssl s_client -connect ldap:9010
>
> shows the certificate chain as seen by openssl and would tell you if
> you've registered the right cert to trust. You can compare this to what
> ldapsearch outputs when run with a sufficiently high debuglevel to see
> if there's some obvious mismatch that would indicate a configuration
> error somewhere. As a last resort you can run
>
> env LDAPTLS_REQCERT=never ldapsearch ...
>
> to skip the certificate check and see if that at least works. But you
> said it worked before, so that might not be the problem here...
>
> So let me guess that you need to point your ldap.conf to
> /etc/pki/... instead of /etc/ssl/... (which was the earlier default).
>
> Also, please read the update announcement about the state of the server
> components (if you use them).
>
> Regards,
> Achim.
* Re: Openldap 2.4.48-1 vs my company's pki
From: Quanah Gibson-Mount @ 2019-08-05 19:25 UTC
To: David Goldberg, cygwin

--On Monday, August 05, 2019 9:22 AM -0400 David Goldberg <dsg18096@gmail.com> wrote:

> Sorry, was away from work over the weekend. I just tested with openssl
> s_client and it works just fine. Version is 1.1.1; there is no self
> signed certificate. It's signed with the company pki rather than
> commercial and I've properly installed that chain. The problem seems to be
> with the new build, at least the weird ldd output leads me to that
> conclusion. I'll try to find some time to build from source and see if it

Do you mean you connected to the ldap server using OpenSSL s_client to confirm that works? If that works and the ldapsearch (or other ldap client) binary does not, then you likely have a global /etc/ldap.conf (or wherever this build looks for it) or a ~/.ldaprc file that defines the path or file to find the CA certificate that would need updating.

Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
* Re: Openldap 2.4.48-1 vs my company's pki
From: Achim Gratz @ 2019-08-05 19:39 UTC
To: cygwin

David Goldberg writes:
> Sorry, was away from work over the weekend. I just tested with openssl
> s_client and it works just fine. Version is 1.1.1; there is no self
> signed certificate. It's signed with the company pki rather than commercial
> and I've properly installed that chain.

Good. Then, as I suggested before, the most likely culprit is some configuration for openldap that points at a PKI location that is not up-to-date or nonexistent.

> The problem seems to be with the new build, at least the weird ldd
> output leads me to that conclusion. I'll try to find some time to
> build from source and see if it works.

I can't see how that would help or why you think the ldd output is weird. There are exactly no changes to the new build vs. the old one other than that it has of course picked up the new openssl as a dependency (that was the whole point of updating it) and I've removed some changes to the tests that are not necessary for the current build environment.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs
* Re: Openldap 2.4.48-1 vs my company's pki
From: David Goldberg @ 2019-08-05 20:06 UTC
To: cygwin

Correct, openssl s_client works, as does the older build of ldapsearch. I can't find any .ldaprc nor ldap.conf files on my system.

Unfortunately I've only set up my system for end user purposes. Building from source will be a challenge. Any guidance (a link is fine) on what packages to install to set that up? And do I need to worry about the .cygport and patch files in the source distribution or will configure pick them up?

Thanks

On Mon, Aug 5, 2019, 15:25 Quanah Gibson-Mount <quanah@symas.com> wrote:

> --On Monday, August 05, 2019 9:22 AM -0400 David Goldberg
> <dsg18096@gmail.com> wrote:
>
> > Sorry, was away from work over the weekend. I just tested with openssl
> > s_client and it works just fine. Version is 1.1.1; there is no self
> > signed certificate. It's signed with the company pki rather than
> > commercial and I've properly installed that chain. The problem seems to be
> > with the new build, at least the weird ldd output leads me to that
> > conclusion. I'll try to find some time to build from source and see if it
>
> Do you mean you connected to the ldap server using OpenSSL s_client to
> confirm that works? If that works and the ldapsearch (or other ldap
> client) binary does not, then you likely have a global /etc/ldap.conf (or
> wherever this build looks for it) or a ~/.ldaprc file that defines the
> path or file to find the CA certificate that would need updating.
>
> Regards,
> Quanah
* Re: Openldap 2.4.48-1 vs my company's pki
From: Quanah Gibson-Mount @ 2019-08-05 20:31 UTC
To: David Goldberg, cygwin

--On Monday, August 05, 2019 5:06 PM -0400 David Goldberg <dsg18096@gmail.com> wrote:

> Correct, openssl s_client works, as does the older build of ldapsearch. I
> can't find any .ldaprc nor ldap.conf files on my system.
>
> Unfortunately I've only set up my system for end user purposes. Building
> from source will be a challenge. Any guidance (a link is fine) on what
> packages to install to set that up? And do I need to worry about the
> .cygport and patch files in the source distribution or will configure pick
> them up?

I would start with executing ldapsearch with the -d -1 flag added in (full debugging) to see what the client is doing. I.e., if you're doing startTLS, then something like

ldapsearch -x -ZZ -d -1 -H ldap://<FQDN> -s base -b ""

Or if you're using ldaps, then something like:

ldapsearch -x -d -1 -H ldaps://<FQDN> -s base -b ""

Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
* Re: Openldap 2.4.48-1 vs my company's pki
From: Brian Inglis @ 2019-08-05 22:41 UTC
To: cygwin

On 2019-08-05 14:06, David Goldberg wrote:
> On Mon, Aug 5, 2019, 15:25 Quanah Gibson-Mount wrote:
>> On Monday, August 05, 2019 9:22 AM -0400 David Goldberg wrote:
>>> Sorry, was away from work over the weekend. I just tested with openssl
>>> s_client and it works just fine. Version is 1.1.1; there is no self
>>> signed certificate. It's signed with the company pki rather than
>>> commercial and I've properly installed that chain. The problem seems to be
>>> with the new build, at least the weird ldd output leads me to that
>>> conclusion. I'll try to find some time to build from source and see if it
>> Do you mean you connected to the ldap server using OpenSSL s_client to
>> confirm that works? If that works and the ldapsearch (or other ldap
>> client) binary does not, then you likely have a global /etc/ldap.conf (or
>> wherever this build looks for it) or a ~/.ldaprc file that defines the
>> path or file to find the CA certificate that would need updating.
> Correct, openssl s_client works, as does the older build of ldapsearch. I
> can't find any .ldaprc nor ldap.conf files on my system.
> Unfortunately I've only set up my system for end user purposes. Building
> from source will be a challenge. Any guidance (a link is fine) on what
> packages to install to set that up? And do I need to worry about the
> .cygport and patch files in the source distribution or will configure pick
> them up?

Install the cygport package and all its dependencies, plus the openldap source package, plus any build dependency packages named in the openldap.cygport DEPEND="" list.

Change to the directory containing openldap.cygport and type:

$ cygport openldap.cygport download all test

and deal with any missing lib*-devel packages or other issues arising during the build.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
* Re: Openldap 2.4.48-1 vs my company's pki
From: David Goldberg @ 2019-08-06 15:23 UTC
To: cygwin

Thank you, Brian, that got me to a local build. Unfortunately that has the same error as the binary installation of 2.4.48. Here are relevant snippets of the output from each version:

2.4.42 which works:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: /CN=MYCOMPANY BA ROOT, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: depth: 1, err: 0, subject: /DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: depth: 0, err: 0, subject: /O=mycompany.tld/OU=Servers/CN=uds.mycompany.tld, issuer: /DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A

2.4.48 which doesn't:

TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 19, subject: /CN=MYCOMPANY BA ROOT, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).

I'm stumped at this point.

Thanks

On Mon, Aug 5, 2019, 18:41 Brian Inglis <Brian.Inglis@systematicsw.ab.ca> wrote:

> On 2019-08-05 14:06, David Goldberg wrote:
> > On Mon, Aug 5, 2019, 15:25 Quanah Gibson-Mount wrote:
> >> On Monday, August 05, 2019 9:22 AM -0400 David Goldberg wrote:
> >>> Sorry, was away from work over the weekend. I just tested with openssl
> >>> s_client and it works just fine. Version is 1.1.1; there is no self
> >>> signed certificate. It's signed with the company pki rather than
> >>> commercial and I've properly installed that chain. The problem seems to be
> >>> with the new build, at least the weird ldd output leads me to that
> >>> conclusion. I'll try to find some time to build from source and see if it
> >> Do you mean you connected to the ldap server using OpenSSL s_client to
> >> confirm that works? If that works and the ldapsearch (or other ldap
> >> client) binary does not, then you likely have a global /etc/ldap.conf (or
> >> wherever this build looks for it) or a ~/.ldaprc file that defines the
> >> path or file to find the CA certificate that would need updating.
> > Correct, openssl s_client works, as does the older build of ldapsearch. I
> > can't find any .ldaprc nor ldap.conf files on my system.
> > Unfortunately I've only set up my system for end user purposes. Building
> > from source will be a challenge. Any guidance (a link is fine) on what
> > packages to install to set that up? And do I need to worry about the
> > .cygport and patch files in the source distribution or will configure pick
> > them up?
>
> Install the cygport package and all its dependencies, plus the openldap source
> package, plus any build dependency packages named in the openldap.cygport
> DEPEND="" list.
>
> Change to the directory containing openldap.cygport and type:
>
> $ cygport openldap.cygport download all test
>
> and deal with any missing lib*-devel packages or other issues arising during the
> build.
>
> --
> Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
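The two debug traces above differ in exactly one field: the `err:` value reported for the depth-2 (root) element, 0 in the working build and 19 in the failing one. The following parser is an added example, not code from the thread or from OpenLDAP: it pulls the `TLS certificate verification:` lines out of `ldapsearch -d -1` output, maps the numeric OpenSSL verify code to its name (the code values are from OpenSSL's x509_vfy.h), and reports the first element that failed verification. The two sample traces are constructed from the lines quoted in the message, not captured from a live server.

```python
"""Explain the certificate-verification lines in an OpenLDAP client debug trace."""
import re
from typing import Dict, List, Optional

# Subset of OpenSSL X509_V_ERR_* codes, numbered as in openssl/x509_vfy.h.
X509_VERIFY_ERRORS: Dict[int, str] = {
    0: "ok",
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    62: "hostname mismatch",
}

# One line per chain element, as libldap's verify callback prints it.
LINE_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)


def parse_trace(trace: str) -> List[Dict]:
    """Return one record per chain element the client reported on."""
    records = []
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({
                "depth": int(m["depth"]),
                "err": int(m["err"]),
                "subject": m["subject"],
                "issuer": m["issuer"],
            })
    return records


def diagnose(trace: str) -> Optional[Dict]:
    """Return the first failing element with a plain-language reason, or None
    when every reported element verified cleanly (err 0)."""
    for rec in parse_trace(trace):
        if rec["err"] == 0:
            continue
        rec = dict(rec)
        rec["reason"] = X509_VERIFY_ERRORS.get(rec["err"], f"unknown error {rec['err']}")
        rec["self_signed"] = rec["subject"] == rec["issuer"]
        if rec["err"] in (18, 19):
            # A private root is self-signed by definition; the error means the
            # client did not find that root in the trust store it actually reads,
            # so the fix is in TLS_CACERT/TLS_CACERTDIR, not at the server.
            rec["hint"] = ("root not found in the trust store this client uses; "
                           "check TLS_CACERT / TLS_CACERTDIR in every config file "
                           "the client reads")
        else:
            rec["hint"] = "see the OpenSSL verify error"
        return rec
    return None


# Constructed sample traces, modelled on the two outputs quoted in the thread.
TRACE_OK = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: /CN=MYCOMPANY BA ROOT, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: depth: 1, err: 0, subject: /DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: depth: 0, err: 0, subject: /O=mycompany.tld/OU=Servers/CN=uds.mycompany.tld, issuer: /DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3
TLS trace: SSL_connect:SSLv3 read server certificate A
"""

TRACE_FAIL = """\
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 19, subject: /CN=MYCOMPANY BA ROOT, issuer: /CN=MYCOMPANY BA ROOT
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
"""

if __name__ == "__main__":
    for name, trace in (("2.4.42", TRACE_OK), ("2.4.48", TRACE_FAIL)):
        print(name, "->", diagnose(trace) or "chain verified")
```

Run it on a real trace by feeding `ldapsearch -d -1 ... 2>&1` into `diagnose()`; a result with `self_signed` true at the highest depth is the signature of a missing trust anchor rather than a bad server certificate.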
* Re: Openldap 2.4.48-1 vs my company's pki
From: Achim Gratz @ 2019-08-06 16:44 UTC
To: cygwin

David Goldberg writes:
> Correct, openssl s_client works, as does the older build of ldapsearch. I
> can't find any .ldaprc nor ldap.conf files on my system.

Then work the other way around and create a configuration file that points to the PKI. It's entirely possible that the compiled-in default (if there even is one) is not correct. If so I'll have to figure out how to change that, but until then it would be useful to know if things start working when the config is pointing to the existing PKI (which, as you tested, can be used correctly by openssl).

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
* Re: Openldap 2.4.48-1 vs my company's pki
From: David Goldberg @ 2019-08-06 19:17 UTC
To: cygwin

Thank you, Achim! I should have thought of that myself. Indeed adding an appropriate TLS_CACERT to ldap.conf has solved the problem and 2.4.48 ldapsearch is working now.

On Tue, Aug 6, 2019, 12:44 Achim Gratz <Stromeko@nexgo.de> wrote:

> David Goldberg writes:
> > Correct, openssl s_client works, as does the older build of ldapsearch. I
> > can't find any .ldaprc nor ldap.conf files on my system.
>
> Then work the other way around and create a configuration file that
> points to the PKI. It's entirely possible that the compiled-in default
> (if there even is one) is not correct. If so I'll have to figure out
> how to change that, but until then it would be useful to know if things
> start working when the config is pointing to the existing PKI (which, as
> you tested, can be used correctly by openssl).
>
> Regards,
> Achim.
* Re: Openldap 2.4.48-1 vs my company's pki
From: David Goldberg @ 2019-08-06 21:20 UTC
To: cygwin

I found the problem. I guess there's a number of locations where .ldaprc can be found. I have an old backup of a Linux home directory under my cygwin home and that contained a .ldaprc with a TLS_CACERTDIR setting that makes no sense on my windows box. I removed it and also the ldap.conf I just created and ldapsearch worked as expected. I can't understand why 2.4.42 ignored that file while 2.4.48 tried to use it, but it seems local to my oddball situation and not a broader issue.

Thanks again for all the help and advice.

On Tue, Aug 6, 2019, 15:17 David Goldberg <dsg18096@gmail.com> wrote:

> Thank you, Achim! I should have thought of that myself. Indeed adding an
> appropriate TLS_CACERT to ldap.conf has solved the problem and 2.4.48
> ldapsearch is working now.
>
> On Tue, Aug 6, 2019, 12:44 Achim Gratz <Stromeko@nexgo.de> wrote:
>
>> David Goldberg writes:
>> > Correct, openssl s_client works, as does the older build of ldapsearch. I
>> > can't find any .ldaprc nor ldap.conf files on my system.
>>
>> Then work the other way around and create a configuration file that
>> points to the PKI. It's entirely possible that the compiled-in default
>> (if there even is one) is not correct. If so I'll have to figure out
>> how to change that, but until then it would be useful to know if things
>> start working when the config is pointing to the existing PKI (which, as
>> you tested, can be used correctly by openssl).
>>
>> Regards,
>> Achim.
* Re: Openldap 2.4.48-1 vs my company's pki
From: Achim Gratz @ 2019-08-07 18:35 UTC
To: cygwin

David Goldberg writes:
> I found the problem. I guess there's a number of locations where .ldaprc
> can be found. I have an old backup of a Linux home directory under my
> cygwin home and that contained a .ldaprc with a TLS_CACERTDIR setting that
> makes no sense on my windows box.

I looked through the sources and I didn't find a place that would pick up a config file in a random directory. The user config is indeed picked up in the $CWD of the running process, but all other configs are in fixed places.

> I removed it and also the ldap.conf I just created and ldapsearch
> worked as expected. I can't understand why 2.4.42 ignored that file
> while 2.4.48 tried to use it, but it seems local to my oddball
> situation and not a broader issue.

OK, so I consider the case closed.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra
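The root cause of the thread, a stray `ldaprc` picked up from a directory the user had forgotten about, is a good reason to audit which files an OpenLDAP client actually consults before trusting any `TLS_*` setting. The script below is an added example, not code from the thread or from OpenLDAP. It enumerates the candidate files in the order described in ldap.conf(5) as I read it (system-wide file, then `$HOME/ldaprc`, `$HOME/.ldaprc` and `./ldaprc` in the working directory, then any file named by `LDAPCONF` or `LDAPRC`, with `LDAPNOINIT` suppressing all of them; treat that ordering as my assumption rather than a citation), records which file last set each directive, applies the `LDAPTLS_*` environment overrides, and flags settings that point at paths which do not exist or that weaken verification. `demo()` builds a constructed scenario in a temporary directory that mirrors the thread: a valid system-wide `TLS_CACERT` plus a forgotten `ldaprc` in the working directory carrying a `TLS_CACERTDIR` from another machine.

```python
"""Audit the OpenLDAP client configuration files that contribute TLS_* settings."""
import os
import tempfile
from typing import Dict, List, Tuple

TLS_KEYS = ("TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT")


def candidate_files(sysconf: str, home: str, cwd: str, env: Dict[str, str]) -> List[str]:
    """Files the client reads, earliest first; a later file overrides an earlier one.
    Order follows ldap.conf(5) as understood by the author of this example."""
    if "LDAPNOINIT" in env:            # LDAPNOINIT disables all config-file processing
        return []

    def user_files(name: str) -> List[str]:
        return [os.path.join(home, name), os.path.join(home, "." + name), os.path.join(cwd, name)]

    files = [sysconf] + user_files("ldaprc")
    if env.get("LDAPCONF"):             # an additional system-wide style file
        files.append(env["LDAPCONF"])
    if env.get("LDAPRC"):               # an additional user-style basename
        files += user_files(os.path.basename(env["LDAPRC"]))
    return files


def parse_directives(path: str) -> Dict[str, str]:
    """Return the TLS_* directives in one ldap.conf-style file (missing file -> {})."""
    settings: Dict[str, str] = {}
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                parts = line.split(None, 1)
                if len(parts) == 2 and parts[0].upper() in TLS_KEYS:
                    settings[parts[0].upper()] = parts[1].strip()
    except OSError:
        pass
    return settings


def effective_tls_settings(sysconf: str, home: str, cwd: str,
                           env: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map directive -> (value, source) after all files and LDAPTLS_* env overrides."""
    result: Dict[str, Tuple[str, str]] = {}
    for path in candidate_files(sysconf, home, cwd, env):
        for key, value in parse_directives(path).items():
            result[key] = (value, path)
    for key in TLS_KEYS:
        env_name = "LDAP" + key          # e.g. LDAPTLS_REQCERT=never
        if env_name in env:
            result[key] = (env[env_name], "environment " + env_name)
    return result


def audit(settings: Dict[str, Tuple[str, str]]) -> List[str]:
    """Findings a defender cares about: dangling trust-store paths and disabled checks."""
    findings = []
    for key in ("TLS_CACERT", "TLS_CACERTDIR"):
        if key in settings and not os.path.exists(settings[key][0]):
            value, source = settings[key]
            findings.append(f"{key}={value} (from {source}) does not exist")
    reqcert = settings.get("TLS_REQCERT", ("demand", "default"))
    if reqcert[0].lower() in ("never", "allow"):
        findings.append(f"TLS_REQCERT={reqcert[0]} (from {reqcert[1]}) disables verification")
    return findings


def demo() -> Dict:
    """Constructed scenario: good system-wide TLS_CACERT, stale ldaprc in the working dir."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        cwd = os.path.join(tmp, "old-linux-backup")
        os.makedirs(home)
        os.makedirs(cwd)
        bundle = os.path.join(tmp, "ca-bundle.pem")
        with open(bundle, "w") as fh:
            fh.write("# constructed placeholder, not a real certificate\n")
        sysconf = os.path.join(tmp, "ldap.conf")
        with open(sysconf, "w") as fh:
            fh.write(f"TLS_CACERT {bundle}\nTLS_REQCERT demand\n")
        with open(os.path.join(cwd, "ldaprc"), "w") as fh:
            fh.write("# copied from another machine; this directory never existed here\n")
            fh.write(f"TLS_CACERTDIR {os.path.join(cwd, 'certs')}\n")
        settings = effective_tls_settings(sysconf, home, cwd, {})
        return {"settings": settings, "findings": audit(settings)}


if __name__ == "__main__":
    report = demo()
    for key, (value, source) in report["settings"].items():
        print(f"{key:14} {value}  <- {source}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

On a real system call `effective_tls_settings("/etc/openldap/ldap.conf", os.path.expanduser("~"), os.getcwd(), dict(os.environ))` from the directory where the failing `ldapsearch` was run; the `source` column shows immediately whether a working-directory `ldaprc` is the file supplying a bad `TLS_CACERTDIR`.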
* Re: Openldap 2.4.48-1 vs my company's pki
  [not found] ` <F9D491FCA6B56B38D0C0B1D6@192.168.1.39>
@ 2019-08-03 2:42 ` David Goldberg
  0 siblings, 0 replies; 17+ messages in thread
From: David Goldberg @ 2019-08-03 2:42 UTC (permalink / raw)
To: cygwin

One downside of having to do non-work email on my phone while at work is
that I didn't realize my reply to Quanah was direct, not to the list.
Sorry about that. Trying again:

I did the following to try to answer:

$ ldd /usr/bin/ldapsearch.exe # 2.4.42
        ntdll.dll => /cygdrive/c/WINDOWS/SYSTEM32/ntdll.dll (0x7ffc58b50000)
        KERNEL32.DLL => /cygdrive/c/WINDOWS/System32/KERNEL32.DLL (0x7ffc57bd0000)
        KERNELBASE.dll => /cygdrive/c/WINDOWS/System32/KERNELBASE.dll (0x7ffc554b0000)
        SYSFER.DLL => /cygdrive/c/WINDOWS/System32/SYSFER.DLL (0x59e30000)
        ADVAPI32.dll => /cygdrive/c/WINDOWS/System32/ADVAPI32.dll (0x7ffc57b20000)
        msvcrt.dll => /cygdrive/c/WINDOWS/System32/msvcrt.dll (0x7ffc57950000)
        sechost.dll => /cygdrive/c/WINDOWS/System32/sechost.dll (0x7ffc563a0000)
        RPCRT4.dll => /cygdrive/c/WINDOWS/System32/RPCRT4.dll (0x7ffc581d0000)
        cygwin1.dll => /usr/bin/cygwin1.dll (0x180040000)
        cyglber-2-4-2.dll => /usr/bin/cyglber-2-4-2.dll (0x3fbd60000)
        cygsasl2-3.dll => /usr/bin/cygsasl2-3.dll (0x3faae0000)
        cygldap-2-4-2.dll => /usr/bin/cygldap-2-4-2.dll (0x3fb9b0000)
        cygcrypto-1.0.0.dll => /usr/bin/cygcrypto-1.0.0.dll (0x3fe480000)
        cygz.dll => /usr/bin/cygz.dll (0x3fa000000)
        cygssl-1.0.0.dll => /usr/bin/cygssl-1.0.0.dll (0x3fa860000)

And

$ ldd /usr/bin/ldapsearch.exe # 2.4.48
        ntdll.dll => /cygdrive/c/WINDOWS/SYSTEM32/ntdll.dll (0x7ffc58b50000)
        KERNEL32.DLL => /cygdrive/c/WINDOWS/System32/KERNEL32.DLL (0x7ffc57bd0000)
        KERNELBASE.dll => /cygdrive/c/WINDOWS/System32/KERNELBASE.dll (0x7ffc554b0000)
        SYSFER.DLL => /cygdrive/c/WINDOWS/System32/SYSFER.DLL (0x59e30000)
        ADVAPI32.dll => /cygdrive/c/WINDOWS/System32/ADVAPI32.dll (0x7ffc57b20000)
        msvcrt.dll => /cygdrive/c/WINDOWS/System32/msvcrt.dll (0x7ffc57950000)
        sechost.dll => /cygdrive/c/WINDOWS/System32/sechost.dll (0x7ffc563a0000)
        RPCRT4.dll => /cygdrive/c/WINDOWS/System32/RPCRT4.dll (0x7ffc581d0000)
        cygwin1.dll => /usr/bin/cygwin1.dll (0x180040000)
        cyglber-2-4-2.dll => /usr/bin/cyglber-2-4-2.dll (0x3fbd60000)
        cygsasl2-3.dll => /usr/bin/cygsasl2-3.dll (0x3faae0000)
        cygldap-2-4-2.dll => /usr/bin/cygldap-2-4-2.dll (0x3fb9b0000)
        cygssl-1.1.dll => /usr/bin/cygssl-1.1.dll (0x3fa7d0000)
        ??? => ??? (0xe80000)
        cygcrypto-1.1.dll => /usr/bin/cygcrypto-1.1.dll (0x3fe210000)
        cygz.dll => /usr/bin/cygz.dll (0x3fa000000)

So something seems weird with one showing cygssl 1.1 and maybe something
missing while the working one shows cygssl 1.0. Any idea how I might
resolve that?

Thanks
--
Dave Goldberg
dsg18096@gmail.com

On Fri, Aug 2, 2019 at 1:28 PM Quanah Gibson-Mount <quanah@symas.com> wrote:
> --On Friday, August 02, 2019 12:45 PM -0400 David Goldberg
> <dsg18096@gmail.com> wrote:
>
> > I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> > ldapsearch will not connect, complaining that the server provided
> > certificate is self signed. I have set up /etc/pki with my company's
> > certificate chain and that allows 2.4.42-1 (and earlier) and other
> > applications to properly authenticate local services. What has changed in
> > 2.4.48-1 that causes this to not work and how can I fix it. I've
> > downgraded for now; that is not a good long term solution of course.
>
> What SSL library is being used for each of the two builds (I.e., gnutls?
> openssl? moznss?) What SSL library version did 2.4.42 link to? What SSL
> library version does 2.4.48 link to? Generally OpenLDAP should be linked
> to OpenSSL which uses PEM formatted certificates. Also check whether you
> have a global ldap.conf file (usually something like
> /etc/openldap/ldap.conf or /etc/ldap.conf, etc, depending on how OpenLDAP
> was built) that defines where to find the CA Cert(s), or a ~user/.ldaprc,
> etc. OpenLDAP client utilities generally by default do not search for a
> global list of CA certificates.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>