Re: [Evolution] LDAPS with own CA cert not functional.



Now I'm sure that CA certificates from Evolution's certificate store are
not used in Evo's LDAP. Some Googling helped me find a way to get
Evolution running without this LDAP problem.

I launched evolution this way:
LDAPTLS_CACERT=<path to PEM file> evolution

and now it works. I'm going to file a bug.

Jan "Pogo" Mynarik

On Tue, 2004-10-26 at 16:25 +0200, Jan Mynarik wrote:
> Hello,
> 
> I have the following problem. I am not able to use company's LDAP server.
> We've got the following policy:
>  - we're able to connect to LDAP on 389 without SSL from intranet
>  - from outside we need to use LDAP via SSL on port 636 and anonymous
> query is not allowed
> 
> The first case works fine with Evolution 2.0.2 but I need to specify
> SSL: Never because SSL: When possible doesn't work.
> 
> The second case doesn't work (and hasn't ever worked since first
> versions of Evolution). All I get is (from separately run
> evolution-data-server):
> 
> (evolution-data-server:5473): libebookbackend-WARNING **: failed to bind
> anonymously while connecting (ldap_error 0x51)
> in server_log_handler
> 
> It doesn't even ask for password. Our LDAP server is OpenLDAP version
> 2.0.27.
> 
> Exactly the same configuration works with Outlook (tested by some
> colleagues, I don't use it), Mozilla, and Mozilla Thunderbird. Even
> tested with ldapsearch and with specific LDAP browsers: JXBrowse and
> LDAPBrowser (both Java).
> 
> The problem could be that our LDAP server uses a certificate which is
> not signed (directly or indirectly) by a globally recognized CA. We have
> our own CA certificate here that we use for signing other certificates
> (server, personal etc.).
> 
> This CA certificate is imported in Evolution's certificates for sure as
> I'm able to use it to verify other people's certificates in mail
> encryption/signing. It was also needed to import our CA certificate to
> already mentioned LDAP browsers to get them working properly with our
> LDAPS server.
> 
> Using ldapsearch I need to disable certificate verification or to
> specify TLS_CACERT to get it working, without it I get:
> 
> ldap_bind: Can't contact LDAP server (81)
>         additional info: Error in the certificate.
> 
> which reminds me of Evolution's problem.
> 
> Can anybody help me? Does evolution use imported CA certificates even
> for LDAP? Has anybody encountered this problem too?
> 
> Am I right with the possible source of problem? If yes, I'll file a bug.
> 
> I'm even able to compile evolution-data-server to test patches ;-)
> 
> Regards,
> 
> Jan "Pogo" Mynarik
> 
-- 
Jan Mynarik <mynarikj phoenix inf upol cz>
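
The failure mode discussed in this thread, reproduced offline as an added example (not part of the original message and not Evolution's code): a server certificate issued by a private CA fails verification against a trust bundle that lacks that CA, and passes once the CA's PEM file is supplied, which is what pointing LDAPTLS_CACERT at that file does for the OpenLDAP client library. The CA names, host name and file names are constructed for the demo, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is constructed.

# Create a self-signed CA. $1 = dir, $2 = file prefix, $3 = CN
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue server.pem signed by a CA. $1 = dir, $2 = CA prefix, $3 = server CN
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 2 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to a CA in bundle $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "trusted" or "untrusted" for bundle $1 and certificate $2.
check() {
    if chain_verifies "$1" "$2"; then echo trusted; else echo untrusted; fi
}

run_demo() {
    dir=$(mktemp -d) || return 1
    # "company" plays the in-house CA; "other" stands in for a trust
    # store that does not contain it.
    make_ca "$dir" company "Example Company CA" &&
    make_ca "$dir" other "Unrelated Public CA" &&
    issue_server_cert "$dir" company ldap.example.test ||
        { rm -rf "$dir"; return 1; }
    echo "bundle without company CA: $(check "$dir/other.pem" "$dir/server.pem")"
    echo "bundle with company CA:    $(check "$dir/company.pem" "$dir/server.pem")"
    rm -rf "$dir"
}

run_demo
```
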