GNOME Bugzilla – Bug 356541
LDAP not contactable
Last modified: 2012-01-27 10:30:57 UTC
Please describe the problem:
I have an LDAP server on the LAN and configured directory services to store my contacts. It's working well with other mail clients other than Evolution 2.6.0. It's giving the error "LDAP server is unreachable".

Steps to reproduce:
1. Go to contacts and add a new address book
2. Select the LDAP server from the "On LDAP server" tab
3.

Actual results:
Showing error message "We were unable to open this addressbook. This either means you have entered an incorrect URI, or the LDAP server is unreachable."

Expected results:
It should list all contacts stored in the LDAP server

Does this happen every time?
yes

Other information:
This problem was not there in the previous version I had used. I had to select "No login" under "Login method" of the properties window.
I have the same problem, but only when I try to connect to ldaps (port ldaps, SSL encryption). Evolution seems to try a TLS connection, which fails. As my LDAP server isn't accessible from outside without SSL, I had to create an SSL tunnel on my laptop and configure Evolution to connect to ldap://localhost to make the connection work. I use GNOME evolution-2.6 2.6.3
SOFTWARE USED:
mail-client/evolution-2.8.3-r2
gnome-extra/evolution-data-server-1.8.3-r4
net-nds/openldap-2.3.35-r1
dev-libs/openssl-0.9.8d
mail-client/mozilla-thunderbird-2.0.0.0

PRECONDITION:
openldap is up and running

STEPS:
1. Create your own CA and issue an LDAP server cert and LDAP private key as shown at http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2
2. Include these files in your LDAP server config via:
   TLSCertificateFile /pathTo/servercrt.pem
   TLSCertificateKeyFile /pathTo/serverkey.pem
   TLSCACertificateFile /pathTo/cacert.pem
   and set TLSVerifyClient never (slapd will not ask the client for a certificate)
3. Test your LDAP setup via
   openssl s_client -connect localhost:636 -showcerts -state -CAfile <ca cert>
   as shown at http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#6.1
4. Go to Edit --> Preferences --> Certificates --> Authorities
5. Import your newly created certificate authority and enable all three trust settings (identify web sites, email users, software developers)
6. Create a new LDAP addressbook with port "389" and "TLS encryption"
7. Try to query the LDAP addressbook
8. Create a new LDAP addressbook with port "636" and "SSL encryption"
9. Try to query the LDAP addressbook
10. Change to Thunderbird
11. Create a new LDAP addressbook (port number=636, enable "Use secure connection SSL")
12. Try to query the LDAP addressbook
13. Accept the certificate

RESULTS:
After step 1: You have the files
- servercrt.pem (your server cert)
- serverkey.pem (private key for your server cert)
- cacert.pem (the certificate of your newly created certification authority)

After step 3:
No client certificate CA names sent
---
SSL handshake has read 1788 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: A46FA141A668E77A8984DAD7E2F0F0D064059CC8BE0D13782DB84563143F17CF
    Session-ID-ctx:
    Master-Key: 1DF38A35A7644481B43164B5517AFF1ADE391743E3C520FAF653D4174503BFBEB3D07DAFAD0DBEB3DB076CB044F24B50
    Key-Arg   : None
    Start Time: 1180732457
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

After step 7: see attached screenshot for details of the error
After step 9: Same result as after step 7
After step 12: A dialogue is shown "Website certified by an unknown authority"
After step 13: You did a successful LDAP addressbook query

EXPECTED RESULTS:
Evolution is able to connect to LDAP via port 636 using SSL
Evolution is able to connect to LDAP via port 389 using TLS

Does this happen every time? yes

Additional infos:
from the slapd log when trying to connect via Evolution:
slapd[13348]: conn=9 fd=13 ACCEPT from IP=62.143.179.16:64667 (IP=0.0.0.0:636)
slapd[13348]: conn=9 fd=13 closed (TLS negotiation failure)

from Wireshark when trying to connect via Evolution:
TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

Connections via port 389 work properly
Created attachment 89211: shot
evolution-2.6 had issues with LDAP with self-signed certificates. Could you try to update to 2.8 or, even better, 2.10?
Evolution 2.10 is in Debian unstable, but cannot migrate, waiting for gtkhtml3.14. 2.18 did not reach testing, either.
(In reply to comment #5) I got exactly the same problem with Evolution 2.12.1 on Ubuntu 7.10 Gutsy.
Confirm with Evolution 2.12.3/Gentoo.
Confirm with Evolution 2.24.2/Gentoo. Clarification: _Unencrypted_ connections via port 389 work properly. Maybe it's time to mark this bug as confirmed. If you need more information please ask. I would really like to see this show-stopper fixed.
Correction: TLS connections via port 389 do work properly even with self-signed CAs if /etc/openldap/ldap.conf is properly set up; importing the CA into Evolution is not necessary! If ldap.conf is changed, restart evolution _and_ evolution-data-server.
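The CA and server-certificate setup from the STEPS above, together with the ldap.conf fix in this comment, as an added shell example that is not part of the bug thread or of Evolution's or OpenLDAP's own code. It builds a throwaway CA and an LDAP server certificate with openssl, checks that the server certificate verifies only against the CA that issued it (verifying against an unrelated CA is the client-side view of the "Unknown CA" alert in the Wireshark capture), and writes an ldap.conf that trusts the demo CA via TLS_CACERT, which is what the OpenLDAP client library inside evolution-data-server consults. The $WORK directory, the file names and the certificate subjects are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the bug thread. Builds a demo CA and an LDAP server
# certificate, checks the chain the way a TLS client would, and writes an
# ldap.conf that trusts the demo CA. $WORK and every subject name below are
# constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca: self-signed CA certificate and key (the "cacert.pem" of step 1).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo LDAP CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# make_server_cert: server key + CSR, then a certificate signed by the demo CA
# (the "servercrt.pem" / "serverkey.pem" pair that slapd loads in step 2).
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -sha256 -days 365 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/servercrt.pem" >/dev/null 2>&1
}

# make_unrelated_ca: a second CA that signed nothing here. Verifying against it
# is the failing case a client without the right CA in its trust store sees.
make_unrelated_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Unrelated CA" \
    -keyout "$WORK/otherkey.pem" -out "$WORK/othercert.pem" >/dev/null 2>&1
}

# chain_trusted_by CAFILE: exit 0 only if servercrt.pem chains to CAFILE.
chain_trusted_by() {
  openssl verify -CAfile "$1" "$WORK/servercrt.pem" >/dev/null 2>&1
}

# write_ldap_conf: the client-side trust setting this comment refers to.
# Without a TLS_CACERT entry the OpenLDAP client library cannot validate a
# certificate issued by a private CA, and the TLS negotiation fails.
write_ldap_conf() {
  cat > "$WORK/ldap.conf" <<EOF
# Trust the private CA that issued the LDAP server certificate
TLS_CACERT $WORK/cacert.pem
# Refuse the connection if the server certificate does not verify
TLS_REQCERT demand
EOF
}

# ldap_conf_trusts CAFILE: exit 0 when the generated ldap.conf names CAFILE.
ldap_conf_trusts() {
  grep -q "^TLS_CACERT $1\$" "$WORK/ldap.conf"
}

main() {
  make_ca
  make_server_cert
  make_unrelated_ca
  if chain_trusted_by "$WORK/cacert.pem"; then
    echo "server cert verifies against the issuing CA"
  fi
  if ! chain_trusted_by "$WORK/othercert.pem"; then
    echo "server cert does not verify against an unrelated CA (Unknown CA)"
  fi
  write_ldap_conf
  echo "wrote $WORK/ldap.conf"
}

main
```

Copy the generated ldap.conf lines into /etc/openldap/ldap.conf (or the distribution's equivalent) and, as this comment notes, restart both evolution and evolution-data-server so the client library rereads its trust settings. TLS_REQCERT demand is the strict choice: it makes an unverifiable server certificate a hard failure rather than a warning.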
I have confirmed that this bug is present in:

OpenSUSE 11.2 GNU/Linux
evolution-2.28.2-0.1.2.x86_64
evolution-data-server-2.28.2-0.2.13.x86_64
evolution-data-server-32bit-2.28.2-0.3.1.x86_64
evolution-pilot-2.28.2-0.1.2.x86_64

MeeGo 1.1 GNU/Linux
evolution-2.30.1~20100423-7.2.i586
evolution-data-server-2.30.2~20100629-1.5.i586
evolution-libs-2.30.1~20100423-7.2.i586

Why is this bug open many years now with neither resolution nor status change? The status is set to UNCONFIRMED as it was years ago. What's the problem?
gnomebugs@encambio: Way more information is needed. See comment 9 for a good example, and provide information about port configurations if this is still a problem.
I'm now using Evolution 3.2.2 under Ubuntu 11.10, and there is no longer any problem connecting to ldaps.
Oh great! Thanks for the quick update.