From: Quanah Gibson-Mount
To: David Goldberg, cygwin@cygwin.com
Date: Fri, 02 Aug 2019 17:28:00 -0000
Subject: Re: Openldap 2.4.48-1 vs my company's pki

--On Friday, August 02, 2019 12:45 PM -0400 David Goldberg wrote:

> I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now
> ldapsearch will not connect, complaining that the server provided
> certificate is self signed. I have set up /etc/pki with my company's
> certificate chain and that allows 2.4.42-1 (and earlier) and other
> applications to properly authenticate local services. What has changed in
> 2.4.48-1 that causes this to not work and how can I fix it. I've
> downgraded for now; that is not a good long term solution of course.

What SSL library is being used for each of the two builds (I.e., gnutls? openssl? moznss?) What SSL library version did 2.4.42 link to? What SSL library version does 2.4.48 link to? Generally OpenLDAP should be linked to OpenSSL which uses PEM formatted certificates.

Also check whether you have a global ldap.conf file (usually something like /etc/openldap/ldap.conf or /etc/ldap.conf, etc, depending on how OpenLDAP was built) that defines where to find the CA Cert(s), or a ~user/.ldaprc, etc. OpenLDAP client utilities generally by default do not search for a global list of CA certificates.

--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
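The client-configuration check suggested in the reply above, as an added example that is not part of the original message: it reads ldap.conf-style files in order, reports the `TLS_CACERT` a client would be pointed at (or `LDAPTLS_CACERT` from the environment), and checks that the file is PEM. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the CA file an OpenLDAP client
# would be told to use, and check that it is PEM as OpenSSL expects.

# effective_tls_option OPTION FILE...   (hypothetical helper)
# Prints the last value set for OPTION. Files are read in the order given, so
# list the global ldap.conf first and the user's .ldaprc after it.
effective_tls_option() {
    opt=$1; shift
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; echo; fi
    done | awk -v opt="$opt" '
        /^[ \t]*#/ { next }                          # comment line
        NF >= 2 && toupper($1) == toupper(opt) {     # names are case-insensitive
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)    # drop the option name
            sub(/[ \t\r]+$/, "", line)               # drop trailing blanks / CR
            val = line
        }
        END { if (val != "") print val }'
}

# check_ldap_ca FILE...   (hypothetical helper)
# Prints one of: none | missing:PATH | not-pem:PATH | ok:PATH
check_ldap_ca() {
    # LDAPTLS_CACERT in the environment is applied after the files.
    ca=${LDAPTLS_CACERT:-}
    [ -n "$ca" ] || ca=$(effective_tls_option TLS_CACERT "$@")
    if [ -z "$ca" ]; then echo "none"; return 0; fi
    if [ ! -r "$ca" ]; then echo "missing:$ca"; return 0; fi
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "ok:$ca"
    else
        echo "not-pem:$ca"
    fi
}

# Constructed sample: a global file and a user file (CRLF) that overrides it.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'TLS_CACERT /nonexistent/global-ca.pem\n' > "$demo/ldap.conf"
printf '# company chain\r\ntls_cacert %s/chain.pem\r\n' "$demo" > "$demo/ldaprc"
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' \
    '-----END CERTIFICATE-----' > "$demo/chain.pem"
check_ldap_ca "$demo/ldap.conf" "$demo/ldaprc"    # prints ok:<tmpdir>/chain.pem
```

On a real system, pass the global ldap.conf and `~/.ldaprc` paths for your build; a result of `none` means the client has not been told where the CA chain is.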