RE: [Evolution] LDAP with Auth



Wed, 2003-02-12 at 22:32, Chris Toshok wrote:

Perhaps someone could actually try to assist us in figuring out what is
wrong here. I'd like to continue to use EVO, but, I need access to my
company LDAP.

Hmm, I didn't receive this mail that Tony's responding to...  private
mail?

No, it was posted to the list. Had it been private, I'd have forwarded
it.

Anyway, I investigated this a little the last time you (David) sent mail
about it back in December I think?  There wasn't much that could be
determined from my end here..  "openssl s_client" prints out the cert
fine, but ldapsearch hangs, just like evolution does.  The error the
wombat printed out was 0x55 (LDAP_TIMEOUT), which is the same behavior
as the command line tool.  This might be some failing with openssl, I
don't know.

ldapsearch should never hang, but return a result - whatever that is.
There's a list of errors in ldap.h as long as your arm to cope with all
ldap eventualities (not poorly configured DNS or the like, though).

I reckon you're still using a 2.0.x Openldap server. The general advice
on the Openldap list is to make sure that this is the latest version,
2.0.27, but if you have the time - why not go the whole hog and compile
and install 2.1.12 (latest release, with Cyrus SASL and BDB libs)? This
is purely a question of choice, but there's been an awful lot of work
done on Openldap lately, by the developers and all of them recommend
updating to 2.1.x rather than 2.0.x. Furthermore, the difference between
2.1.8 and 2.1.10 is absolutely striking, due to 2.1.10 development work
done by Howard Chu for Stanford University.

[...]

An LDAP client *should* be able to bind with SSL or TLS and strong SASL 
authentication. If the Evo smtp client can do all of this, including a
subset of SASL, then there's no reason that the LDAP client shouldn't.
But only if people work on it.

While I agree that evolution should do both SSL/TLS (which it does for
me here, without problem) and SASL (which is planned), there isn't a
connection between what's possible in the mailer and the addressbook
unfortunately.

O.k.

They're completely separate codebases, and they even use
a different SSL library (a fact that annoys me greatly).  The mailer
also has access to the SSL library at a much lower level than the
openldap api provides us.

O.k.

We just call ldap_start_tls and hope for the
best.

That bit made me smile :-) It's possible to debug in detail at the
server end, and if one's running Openldap clients like ldapsearch,
they can be run at the same debug levels as slapd.

Best,

Tony

-- 

Tony Earnshaw

"Can anyone define 'modern enclitic
mediocrity' in terms of the Euro for me?"
- Billy the (Norwegian-Dutch) Cat, Feb '03

e-post:         tonni billy demon nl
www:            http://www.billy.demon.nl
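The thread turns on two facts: what "we just call ldap_start_tls" actually puts on the wire, and why a client should come back with LDAP_TIMEOUT (0x55) instead of hanging when the server never answers. The following is an added illustration written for this page, not code from Evolution, wombat or OpenLDAP. It hand-encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14) in BER, runs it against a constructed loopback stand-in server that either answers or goes silent, and maps a read timeout onto the 0x55 result code from ldap.h. The server thread, the loopback address, the ephemeral port and the half-second timeout are all assumptions of the example; it stops before the TLS handshake that a real ldap_start_tls would go on to perform.

```python
import socket
import threading

# Result codes as numbered in OpenLDAP's ldap.h; 0x55 is the LDAP_TIMEOUT the mail quotes.
LDAP_SUCCESS = 0x00
LDAP_PROTOCOL_ERROR = 0x02
LDAP_TIMEOUT = 0x55
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS requestName (RFC 4511 / RFC 2830)


def ber_tlv(tag, payload):
    """Encode one BER tag-length-value with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_read_tlv(buf):
    """Decode the first TLV in buf and return (tag, payload, remaining bytes)."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        n, off = first, 2
    else:
        k = first & 0x7F
        n, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[off:off + n], buf[off + n:]


def starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))        # 0x60|23, then context tag [0]
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid])) + ext)


def starttls_response(msgid, result_code):
    """LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { LDAPResult, responseName [10] } }."""
    body = (ber_tlv(0x0A, bytes([result_code]))   # resultCode ENUMERATED
            + ber_tlv(0x04, b"")                   # matchedDN
            + ber_tlv(0x04, b"")                   # diagnosticMessage
            + ber_tlv(0x8A, STARTTLS_OID))         # responseName [10]
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid])) + ber_tlv(0x78, body))


def parse_result_code(msg):
    """Pull the resultCode out of an ExtendedResponse LDAPMessage."""
    tag, payload, _ = ber_read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msgid, rest = ber_read_tlv(payload)
    tag, op, _ = ber_read_tlv(rest)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = ber_read_tlv(op)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return code[0]


def serve_once(listener, answer):
    """Constructed stand-in server: answer the StartTLS request, or stay silent like the hang in the mail."""
    conn, _ = listener.accept()
    with conn:
        req = conn.recv(4096)
        if not answer:
            conn.recv(1)        # never reply; block until the client gives up and closes
        elif req == starttls_request():
            conn.sendall(starttls_response(1, LDAP_SUCCESS))
        else:
            conn.sendall(starttls_response(1, LDAP_PROTOCOL_ERROR))


def start_tls(host, port, timeout):
    """Send the StartTLS request and return an LDAP result code; a read timeout becomes LDAP_TIMEOUT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(starttls_request())
        try:
            resp = s.recv(4096)
        except socket.timeout:
            return LDAP_TIMEOUT
    return parse_result_code(resp)


def run_scenario(answer, timeout=0.5):
    """Run the client against the stand-in server on an ephemeral loopback port (assumed for the example)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=serve_once, args=(listener, answer), daemon=True).start()
    try:
        return start_tls("127.0.0.1", listener.getsockname()[1], timeout)
    finally:
        listener.close()


if __name__ == "__main__":
    print("answering server ->", hex(run_scenario(True)))    # 0x0 (LDAP_SUCCESS)
    print("silent server    ->", hex(run_scenario(False)))   # 0x55 (LDAP_TIMEOUT)
```

The 31-byte request this produces (`30 1d 02 01 01 77 18 80 16 31 2e 33 ...`) is what shows up as the first client message in a packet capture of `ldapsearch -ZZ`; if a capture of the hanging case shows it go out and nothing come back, the problem is on the server side of the StartTLS exchange rather than in the certificate, which fits the observation that `openssl s_client` is happy while ldapsearch and wombat time out.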



