Bug 356541 - LDAP not contactable
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Contacts
Version: 2.28.x (obsolete)
Hardware: Other
OS: All
Importance: Normal major
Target Milestone: ---
Assigned To: evolution-addressbook-maintainers
QA Contact: Evolution QA team
Whiteboard: evolution[ldap]
Depends on:
Blocks:
Reported: 2006-09-18 14:15 UTC by Arun
Modified: 2012-01-27 10:30 UTC
See Also:
GNOME target: ---
GNOME version: 2.27/2.28

Attachments: shot (16.23 KB, image/png), 2007-06-01 21:59 UTC, Marc Arens

Description Arun 2006-09-18 14:15:46 UTC
Please describe the problem:
I have an LDAP server on the LAN and configured directory services to store my contacts. It's working well with mail clients other than Evolution 2.6.0. It's giving the error "LDAP server is unreachable".

Steps to reproduce:
1. Go to contacts and add new address book
2. Select the LDAP server from "On LDAP server" tab
3.

Actual results:
Showing error message "We were unable to open this addressbook.  This either means you have entered an incorrect URI, or the LDAP server is unreachable."

Expected results:
It should list all contacts stored in the LDAP server

Does this happen every time?
yes

Other information:
This problem was not there in the previous version I had used. I had to select "No login" under "Login method" of properties window.
Comment 1 Bastien Durel 2007-01-24 13:14:43 UTC
I have the same problem, but only when I try to connect to ldaps (port ldaps, SSL encryption). Evolution seems to try a TLS connection, which fails. As my ldap server isn't accessible from outside without SSL, I had to create an SSL tunnel on my laptop and configure Evolution to connect to ldap://localhost to make the connection work.

I use Gnome evolution-2.6 2.6.3
Comment 2 Marc Arens 2007-06-01 21:48:58 UTC
SOFTWARE USED:
mail-client/evolution-2.8.3-r2
gnome-extra/evolution-data-server-1.8.3-r4
net-nds/openldap-2.3.35-r1
dev-libs/openssl-0.9.8d
mail-client/mozilla-thunderbird-2.0.0.0

PRECONDITION:
openldap is up and running

STEPS:
1. Create your own CA and issue an LDAP server cert and LDAP private key as shown at http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2

2. Include these files in your ldap server config via:
TLSCertificateFile /pathTo/servercrt.pem
TLSCertificateKeyFile /pathTo/serverkey.pem
TLSCACertificateFile /pathTo/cacert.pem

and set TLSVerifyClient never (slapd will not ask the client for a certificate)

3. Test your ldap setup via openssl s_client -connect localhost:636 -showcerts -state -CAfile <ca cert> as shown at http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#6.1

4. Go to Edit --> Preferences --> Certificates --> Authorities

5. Import your newly created certificate authority and enable all three trust settings (identify web sites, email users, software developers)

6. Create a new ldap addressbook with port "389" and "TLS encryption"

7. Try to query the ldap addressbook

8. Create a new ldap addressbook with port "636" and "SSL encryption"

9. Try to query the ldap addressbook

10. Change to Thunderbird

11. Create a new ldap addressbook (port number=636, enable "Use secure connection SSL")

12. Try to query the ldap addressbook

13. Accept the certificate

RESULTS:
After step 1: You have the files
- servercrt.pem (your servercert)
- serverkey.pem (private key for your servercert)
- cacert.pem ( the certificate of your newly created certification authority)

After step 3:
No client certificate CA names sent
---
SSL handshake has read 1788 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: A46FA141A668E77A8984DAD7E2F0F0D064059CC8BE0D13782DB84563143F17CF
    Session-ID-ctx: 
    Master-Key: 1DF38A35A7644481B43164B5517AFF1ADE391743E3C520FAF653D4174503BFBEB3D07DAFAD0DBEB3DB076CB044F24B50
    Key-Arg   : None
    Start Time: 1180732457
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

After step 7:
see attached screenshot details of error

After step 9:
Same result as after step 7

After step 12:
A dialogue is shown "Website certified by an unknown authority"

After step 13:
You did a successful ldap addressbook query


EXPECTED RESULTS:
Evolution is able to connect to ldap via port 636 using ssl
Evolution is able to connect to ldap via port 389 using tls

Does this happen every time?
yes

Additional info:
from the slapd log when trying to connect via Evolution:
slapd[13348]: conn=9 fd=13 ACCEPT from IP=62.143.179.16:64667 (IP=0.0.0.0:636)
slapd[13348]: conn=9 fd=13 closed (TLS negotiation failure)

from Wireshark when trying to connect via Evolution:
TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

Connections via port 389 work properly
Comment 3 Marc Arens 2007-06-01 21:59:33 UTC
Created attachment 89211: shot
Comment 4 Gilles Dartiguelongue 2007-07-05 13:21:30 UTC
evolution-2.6 had issues with LDAP with self signed certificates.

Could you try to update to 2.8 or even better 2.10 ?
Comment 5 Bastien Durel 2007-07-05 13:28:05 UTC
Evolution 2.10 is in Debian unstable, but cannot migrate, waiting for gtkhtml3.14

2.18 did not reach testing, either.
Comment 6 Richard Gabriel 2008-03-06 21:08:38 UTC
(In reply to comment #5)

I got exactly the same problem with Evolution 2.12.1 on Ubuntu 7.10 Gutsy.
Comment 7 petter 2008-03-11 07:01:44 UTC
Confirm with Evolution 2.12.3/Gentoo.
Comment 8 gnome 2009-01-19 15:22:12 UTC
Confirm with Evolution 2.24.2/Gentoo.

Clarification: _Unencrypted_ connections via port 389 work properly.

Maybe it's time to mark this bug as confirmed. If you need more information please ask. I would really like to see this show-stopper fixed.
Comment 9 gnome 2009-01-19 17:26:26 UTC
Correction: TLS connections via port 389 do work properly even with self-signed CAs if /etc/openldap/ldap.conf is properly set up - importing the CA into evolution is not necessary! If ldap.conf is changed restart evolution _and_ evolution-data-server.
Comment 10 gnomebugs 2010-11-23 14:55:07 UTC
I have confirmed that this bug is present in:

OpenSUSE 11.2 GNU/Linux
evolution-2.28.2-0.1.2.x86_64
evolution-data-server-2.28.2-0.2.13.x86_64
evolution-data-server-32bit-2.28.2-0.3.1.x86_64
evolution-pilot-2.28.2-0.1.2.x86_64

MeeGo 1.1 GNU/Linux
evolution-2.30.1~20100423-7.2.i586
evolution-data-server-2.30.2~20100629-1.5.i586
evolution-libs-2.30.1~20100423-7.2.i586

Why is this bug open many years now with neither resolution nor status change? The status is set to UNCONFIRMED as it was years ago. What's the problem?
Comment 11 André Klapper 2012-01-27 09:30:49 UTC
gnomebugs@encambio: Way more information needed - see comment 9 for a good example and provide information about port configurations if this is still a problem.
Comment 12 Bastien Durel 2012-01-27 10:14:06 UTC
I'm now using evolution 3.2.2 under Ubuntu 11.10, and there is no more problem connecting to ldaps
Comment 13 André Klapper 2012-01-27 10:30:57 UTC
Oh great! Thanks for the quick update.