Re: Openldap 2.4.48-1 vs my company's pki

2019-08-07 Thread Achim Gratz
David Goldberg writes: > I found the problem. I guess there's a number of locations where .ldaprc > can be found. I have an old backup of a Linux home directory under my > cygwin home and that contained a .ldaprc with a TLS_CACERTDIR setting that > makes no sense on my windows box. I looked throug

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-06 Thread David Goldberg
I found the problem. I guess there's a number of locations where .ldaprc can be found. I have an old backup of a Linux home directory under my cygwin home and that contained a .ldaprc with a TLS_CACERTDIR setting that makes no sense on my windows box. I removed it and also the ldap.conf I just cre

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-06 Thread David Goldberg
Thank you, Achim! I should have thought of that myself. Indeed adding an appropriate TLS_CACERT to ldap.conf has solved the problem and 2.4.48 ldapsearch is working now. On Tue, Aug 6, 2019, 12:44 Achim Gratz wrote: > David Goldberg writes: > > Correct, openssl s_client works, as does the older

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-06 Thread Achim Gratz
David Goldberg writes: > Correct, openssl s_client works, as does the older build of ldapsearch. I > can't find any .ldaprc nor ldap.conf files on my system. Then work the other way around and create a configuration file that points to the PKI. It's entirely possible that the compiled-in default

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-06 Thread David Goldberg
Thank you, Brian that got me to a local build. Unfortunately that has the same error as the binary installation of 2.4.48. Here are relevant snippets of the output from each version: 2.4.42 which works: TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 writ

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-05 Thread Brian Inglis
On 2019-08-05 14:06, David Goldberg wrote: > On Mon, Aug 5, 2019, 15:25 Quanah Gibson-Mount wrote: >> On Monday, August 05, 2019 9:22 AM -0400 David Goldberg wrote: >>> Sorry, was away from work over the weekend. I just tested with openssl >>> s_client and it works just fine. Version is 1.1.1. th

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-05 Thread Quanah Gibson-Mount
--On Monday, August 05, 2019 5:06 PM -0400 David Goldberg wrote: Correct, openssl s_client works, as does the older build of ldapsearch. I can't find any .ldaprc nor ldap.conf files on my system. Unfortunately I've only set up my system for end user purposes. Building from source will be a c

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-05 Thread David Goldberg
Correct, openssl s_client works, as does the older build of ldapsearch. I can't find any .ldaprc nor ldap.conf files on my system. Unfortunately I've only set up my system for end user purposes. Building from source will be a challenge. Any guidance (a link is fine) on what packages to install to

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-05 Thread Achim Gratz
David Goldberg writes: > Sorry, was away from work over the weekend. I just tested with openssl > s_client and it works just fine. Version is 1.1.1. There is no self > signed certificate. It's signed with the company pki rather than commercial > and I've properly installed that chain. Good. The

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-05 Thread Quanah Gibson-Mount
--On Monday, August 05, 2019 9:22 AM -0400 David Goldberg wrote: Sorry, was away from work over the weekend. I just tested with openssl s_client and it works just fine. Version is 1.1.1. There is no self signed certificate. It's signed with the company pki rather than commercial and I've pro

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-05 Thread David Goldberg
Sorry, was away from work over the weekend. I just tested with openssl s_client and it works just fine. Version is 1.1.1. There is no self signed certificate. It's signed with the company pki rather than commercial and I've properly installed that chain. The problem seems to be with the new build,

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-02 Thread Achim Gratz
David Goldberg writes: > Thanks but unfortunately even after doing that I still get the complaint > that there is a self signed certificate in the chain. We do indeed run > our own CA but it seems like that should not really be a problem. Wait, are you saying you do run a private CA, but the LDA

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-02 Thread David Goldberg
One downside of having to do non-work email on my phone while at work is that I didn't realize my reply to Quanah was direct, not to the list. Sorry about that. Trying again: I did the following to try to answer $ ldd /usr/bin/ldapsearch.exe # 2.4.42 ntdll.dll => /cygdrive/c/WINDOWS/SYS

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-02 Thread David Goldberg
Thanks but unfortunately even after doing that I still get the complaint that there is a self signed certificate in the chain. We do indeed run our own CA but it seems like that should not really be a problem. On Fri, Aug 2, 2019, 15:13 Achim Gratz wrote: > David Goldberg writes: > > I updated

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-02 Thread Achim Gratz
David Goldberg writes: > I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now > ldapsearch will not connect, complaining that the server provided > certificate is self signed. I have set up /etc/pki with my company's > certificate chain and that allows 2.4.42-1 (and earlier) and other

Re: Openldap 2.4.48-1 vs my company's pki

2019-08-02 Thread Quanah Gibson-Mount
--On Friday, August 02, 2019 12:45 PM -0400 David Goldberg wrote: I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now ldapsearch will not connect, complaining that the server provided certificate is self signed. I have set up /etc/pki with my company's certificate chain and that

Openldap 2.4.48-1 vs my company's pki

2019-08-02 Thread David Goldberg
I updated openldap from 2.4.42-1 to 2.4.48-1 this morning and now ldapsearch will not connect, complaining that the server provided certificate is self signed. I have set up /etc/pki with my company's certificate chain and that allows 2.4.42-1 (and earlier) and other applications to properly authen