RE: [Evolution] LDAP with Auth



On Thu, 2003-02-13 at 02:13, Tony Earnshaw wrote:
Wed, 2003-02-12 at 22:32, Chris Toshok wrote:

Perhaps someone could actually try to assist us in figuring out what is
wrong here. I'd like to continue to use EVO, but, I need access to my
company LDAP.

Hmm, I didn't receive this mail that Tony's responding to...  private
mail?

No, it was posted to the list. Had it been private, I'd have forwarded
it.

Strange, I don't remember seeing it... *shrug*, not important.

Anyway, I investigated this a little the last time you (David) sent mail
about it back in December I think?  There wasn't much that could be
determined from my end here..  "openssl s_client" prints out the cert
fine, but ldapsearch hangs, just like evolution does.  The error the
wombat printed out was 0x55 (LDAP_TIMEOUT), which is the same behavior
as the command line tool.  This might be some failing with openssl, I
don't know.

ldapsearch should never hang, but return a result - whatever that is.
There's a list of errors in ldap.h as long as your arm to cope with all
ldap eventualities (not poorly configured DNS or the like, though).

In conditions where it's possible to induce a hang, ldapsearch will
*always* hang unless you give it an explicit timeout.  It defaults to
infinite wait.  But that doesn't matter, as it turns out in this
instance I was just being stupid and using -ZZ on the command line
instead of -H ldaps://....  I get the successful (but empty) search with
that.

It's troubling that I have essentially the same setup here (SSL/TLS set
to Always, port set to 636 - I don't even allow connections on 389 on
this particular box) and it works fine for me.

We just call ldap_start_tls and hope for the
best.

That bit made me smile :-) It's possible to debug in detail at the
server end, and if one's running Openldap clients like ldapsearch,
they can be run at the same debug levels as slapd.

Yeah.  Actually there's code in the ldap backend to enable debugging but
it doesn't appear to be working.  hrm..

My point with the above line was that we can't do all the nice stuff the
mailer can wrt self signed certs, popping up dialogs, asking for user
confirmation and all that.  There's no way we can recover from what the
ldap library considers to be a fatal error, or (as far as I can tell,
please correct me if I'm wrong) cause a connection to fail because of
what we/the user considers a fatal error.  We're stuck with the openldap
client lib's policy decisions.

Chris
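The two points made above, that a client with no explicit network timeout hangs forever and that the 0x55 (LDAP_TIMEOUT) code is the client's own verdict once a deadline is set, can be reproduced without a real directory server. The following is an added example, not code from the thread or from Evolution or OpenLDAP: it BER-encodes a real StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) and sends it to a constructed local listener that accepts the connection but never answers, which is the behaviour a plaintext StartTLS request gets from an ldaps:// port that is waiting for a TLS handshake. The result-code values are libldap's (0x55 LDAP_TIMEOUT, 0x51 LDAP_SERVER_DOWN); the listener and the `probe_starttls`/`demo` helpers are constructed for this illustration.

```python
"""Added example (not from the thread): why an LDAP client with no explicit
network timeout hangs forever, and what turns that hang into the 0x55
(LDAP_TIMEOUT) result the wombat reported.

The listener below is a constructed stand-in for a port that accepts the TCP
connection but never answers a plaintext LDAP request, which is what a
StartTLS request (-ZZ) gets from an ldaps:// listener on 636; the fix in the
thread was -H ldaps://host:636 instead of -ZZ, and the lesson is that only an
explicit deadline makes the mismatch observable at all.
"""
import socket
import threading

LDAP_TIMEOUT = 0x55      # libldap result code: no reply before the deadline
LDAP_SERVER_DOWN = 0x51  # libldap result code: peer closed the connection
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID


def starttls_request(msg_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName=StartTLS } }.

    Short-form lengths suffice: every element here is under 128 bytes.
    """
    request_name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    ext_req = b"\x77" + bytes([len(request_name)]) + request_name      # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext_req                      # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                          # SEQUENCE


def silent_listener():
    """Constructed peer: accepts one connection, reads the request, never replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    stop = threading.Event()

    def serve():
        with srv:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)   # swallow the plaintext StartTLS request
                stop.wait()       # hold the connection open until told to quit

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def probe_starttls(host, port, timeout):
    """Send a StartTLS request and wait for the ExtendedResponse.

    timeout=None reproduces ldapsearch's default of waiting forever; a number
    of seconds is the explicit deadline that makes the failure observable.
    Returns 0 on any reply, LDAP_TIMEOUT on deadline, LDAP_SERVER_DOWN on EOF.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(starttls_request())
        try:
            reply = sock.recv(1024)
        except socket.timeout:
            return LDAP_TIMEOUT
    return 0 if reply else LDAP_SERVER_DOWN


def demo(timeout=2.0):
    """Run the probe against the constructed listener and return the result code."""
    port, stop = silent_listener()
    try:
        return probe_starttls("127.0.0.1", port, timeout)
    finally:
        stop.set()


if __name__ == "__main__":
    code = demo()
    name = "LDAP_TIMEOUT" if code == LDAP_TIMEOUT else "other"
    print("result: 0x%02x (%s)" % (code, name))
```

With `timeout=None` the probe blocks in `recv` indefinitely, exactly the "infinite wait" described for ldapsearch; with a deadline it comes back with 0x55 in a couple of seconds. On the command line the equivalent is a search time limit (`-l`) plus, in later OpenLDAP tools, `-o nettimeout=<seconds>` for the connection itself, and for a 636 listener the URL form `-H ldaps://host:636` rather than `-ZZ`.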


