Re: [Evolution] LDAPS with own CA cert not functional.
- From: "Thomas J. Baker" <tjb unh edu>
- To: Jan Mynarik <mynarikj phoenix inf upol cz>
- Cc: evolution lists ximian com
- Subject: Re: [Evolution] LDAPS with own CA cert not functional.
- Date: Wed, 27 Oct 2004 06:21:12 -0400
On Tue, 2004-10-26 at 22:55 +0200, Jan Mynarik wrote:
> Filed as bug #68826
>
> http://bugzilla.ximian.com/show_bug.cgi?id=68826
>
> Regards,
>
> Jan "Pogo" Mynarik
>
> On Tue, 2004-10-26 at 18:27 +0200, Jan Mynarik wrote:
> > Now I'm sure that CA certificates from Evolution's certificate store are
> > not used in Evo's LDAP. Some Googling helped me to find a way to get
> > Evolution running without this LDAP problem.
> >
> > I launched evolution this way:
> > LDAPTLS_CACERT=<path to PEM file> evolution
> >
> > and now it works. I'm going to file a bug.
> >
> > Jan "Pogo" Mynarik
> >
> > On Tue, 2004-10-26 at 16:25 +0200, Jan Mynarik wrote:
> > > Hello,
> > >
> > > I have the following problem. I am not able to use the company's LDAP server.
> > > We've got the following policy:
> > > - we're able to connect to LDAP on 389 without SSL from intranet
> > > - from outside we need to use LDAP via SSL on port 636 and anonymous
> > > query is not allowed
> > >
> > > The first case works fine with Evolution 2.0.2 but I need to specify
> > > SSL: Never because SSL: When possible doesn't work.
> > >
> > > The second case doesn't work (and hasn't ever worked since the first
> > > versions of Evolution). All I get is (from separately run
> > > evolution-data-server):
> > >
> > > (evolution-data-server:5473): libebookbackend-WARNING **: failed to bind
> > > anonymously while connecting (ldap_error 0x51)
> > > in server_log_handler
> > >
> > > It doesn't even ask for password. Our LDAP server is OpenLDAP version
> > > 2.0.27.
> > >
> > > Exactly the same configuration works with Outlook (tested by some
> > > colleagues, I don't use it), Mozilla, and Mozilla Thunderbird. Even
> > > tested with ldapsearch and with specific LDAP browsers: JXBrowse and
> > > LDAPBrowser (both java).
> > >
> > > The problem could be that our LDAP server uses a certificate which is
> > > not signed (directly or indirectly) by a globally recognized CA. We have
> > > our own CA certificate here that we use for signing other certificates
> > > (server, personal etc.).
> > >
> > > This CA certificate is imported in Evolution's certificates for sure as
> > > I'm able to use it to verify other people's certificates in mail
> > > encryption/signing. It was also needed to import our CA certificate to
> > > already mentioned LDAP browsers to get them working properly with our
> > > LDAPS server.
> > >
> > > Using ldapsearch I need to disable certificate verification or to
> > > specify TLS_CACERT to get it working, without it I get:
> > >
> > > ldap_bind: Can't contact LDAP server (81)
> > > additional info: Error in the certificate.
> > >
> > > which reminds me of Evolution's problem.
> > >
> > > Can anybody help me? Does evolution use imported CA certificates even
> > > for LDAP? Has anybody encountered this problem too?
> > >
> > > Am I right about the possible source of the problem? If yes, I'll file a bug.
> > >
> > > I'm even able to compile evolution-data-server to test patches ;-)
> > >
> > > Regards,
> > >
> > > Jan "Pogo" Mynarik
> > >
On Red Hat systems, I find that if you add the following line to
your /etc/openldap/ldap.conf file, it works:
TLS_REQCERT allow
It will probably work on any OpenLDAP-based system.
tjb
--
=======================================================================
| Thomas Baker email: tjb unh edu |
| Systems Programmer |
| Research Computing Center voice: (603) 862-4490 |
| University of New Hampshire fax: (603) 862-1761 |
| 332 Morse Hall |
| Durham, NH 03824 USA http://wintermute.sr.unh.edu/~tjb |
=======================================================================
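The two workarounds in this thread are not equivalent from a security standpoint. `LDAPTLS_CACERT` (or `TLS_CACERT` in ldap.conf) keeps server certificate verification on and simply tells the OpenLDAP client library to trust the company CA. `TLS_REQCERT allow`, on the other hand, makes the library proceed even when the server presents a certificate it cannot verify, which is the same exposure as disabling verification in ldapsearch. The script below is an added example, not code from this thread or from the Evolution or OpenLDAP projects; it audits an ldap.conf for exactly these two directives and writes two constructed sample configs (the weak one and the corrected one) so it can be run offline. The CA file path and hostnames in the samples are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Audits an OpenLDAP client config
# for the two fixes discussed above:
#   TLS_REQCERT allow/never -> the client connects even when the server
#                              certificate cannot be verified
#   TLS_CACERT <pem>        -> verification stays on; the private CA is trusted
# The sample configs written below are constructed for this example.

# Write a constructed sample ldap.conf; $1 is "weak" or "fixed", $2 the path.
write_sample_conf() {
  case "$1" in
    weak)
      cat > "$2" <<'EOF'
# constructed sample: works, but the client accepts any server certificate
BASE dc=example,dc=com
URI ldaps://ldap.example.com:636
TLS_REQCERT allow
EOF
      ;;
    fixed)
      cat > "$2" <<'EOF'
# constructed sample: verification on, company CA trusted (path is assumed)
BASE dc=example,dc=com
URI ldaps://ldap.example.com:636
TLS_CACERT /etc/openldap/certs/company-ca.pem
TLS_REQCERT demand
EOF
      ;;
  esac
}

# Print the last value of directive $2 in ldap.conf $1 (later lines win).
# Comment lines never match because the pattern is anchored at the directive.
conf_value() {
  grep -Ei "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
    | awk '{print $2}' | tail -n1
}

# Classify a config; prints one of:
#   weak        TLS_REQCERT allow/never: server cert not verified (exit 1)
#   ok          a CA file is named and TLS_REQCERT is demand/hard/default
#   missing-ca  verification on but no private CA named; a server with a
#               company-CA certificate fails with the "Error in the
#               certificate" seen in the thread (exit 2)
audit_ldap_conf() {
  local reqcert cacert
  reqcert=$(conf_value "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
  cacert=$(conf_value "$1" TLS_CACERT)
  case "$reqcert" in
    allow|never) echo weak; return 1 ;;
  esac
  if [ -n "$cacert" ]; then
    echo ok; return 0
  fi
  echo missing-ca; return 2
}

# Demonstration on the two constructed samples.
demo() {
  local tmp
  tmp=$(mktemp -d)
  write_sample_conf weak "$tmp/ldap.conf.weak"
  write_sample_conf fixed "$tmp/ldap.conf.fixed"
  for f in "$tmp"/ldap.conf.*; do
    printf '%s: %s\n' "$f" "$(audit_ldap_conf "$f" || true)"
  done
  rm -rf "$tmp"
}

demo
```

Run it against a real client config with `audit_ldap_conf /etc/openldap/ldap.conf` (after sourcing the file) to see which of the two states a host is in; the same check applies to the `LDAPTLS_REQCERT` and `LDAPTLS_CACERT` environment variables, which override the file.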