RE: [Evolution] LDAP with Auth



Fri, 2003-02-14 at 00:53, Chris Toshok wrote:


ldapsearch should never hang, but return a result - whatever that is.
There's a list of errors in ldap.h as long as your arm to cope with all
ldap eventualities (not poorly configured DNS or the like, though).

In conditions where it's possible to induce a hang, ldapsearch will
*always* hang unless you give it an explicit timeout. It defaults to
infinite wait. But that doesn't matter, as it turns out in this
instance I was just being stupid and using -ZZ on the command line
instead of -H ldaps://.... I get the successful (but empty) search with
that.

That's why I keep on going on about upgrading Openldap. Look inside
ldap.h at the 80-90 errors, especially.

It's troubling that I have essentially the same setup here (SSL/TLS set
to Always, port set to 636 - I don't even allow connections on 389 on
this particular box) and it works fine for me.

The normal procedure for TLS is for the client to connect to 389 and do
a starttls. slapd from Openldap 2.1.x can be configured so that it won't
initiate a bind unless starttls is given.

My point with the above line was that we can't do all the nice stuff the
mailer can wrt self signed certs, popping up dialogs, asking for user
confirmation and all that.  There's no way we can recover from what the
ldap library considers to be a fatal error, or (as far as I can tell,
please correct me if I'm wrong) cause a connection to fail because of
what we/the user considers a fatal error.  We're stuck with the openldap
client lib's policy decisions.

I can't comment there, because I don't know Ximian's policy. All I can
say that could possibly be of interest, is that GQ for Gnome, for
example, uses the Openssl and Openldap libldap and liblber libs and
0.7.0beta2 has everything except SASL working at the moment (development
would seem to be dead for the time being). The code is available, I
compile my own.

As time goes on and more and more people/orgs start using ldap in one
form or another, there will be more and more demand. Minimum security is
SSL on port 636 (eDirectory, Windows AD) and SASL in one form or another
will become ever more common.

With regard to certs, Openldap 2.1.x is picky and CA-signed certs are de
rigueur. Nothing to stop a site becoming its own CA, though.

Best,

Tony

-- 

Tony Earnshaw

When you rob a person of his illusions,
you are robbing him of his happiness


e-post:         tonni billy demon nl
www:            http://www.billy.demon.nl
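The two practical points in the exchange above are that ldapsearch waits forever unless given an explicit timeout, and that -ZZ (StartTLS on port 389) and an ldaps:// URI (TLS from the first byte on 636) are two different ways to get TLS that should not be combined. The shell function below is an added example, not code from the thread or from the OpenLDAP or Evolution projects; it builds a probe for either mode with a network timeout and a server time limit, refuses an unknown mode, and only executes the command when LDAP_PROBE_RUN=1 and ldapsearch is installed. The host and base DN in the usage call are placeholders.

```shell
# Added example: build an ldapsearch probe that never waits forever and
# never mixes StartTLS (-ZZ) with an ldaps:// URI.  Assumes the OpenLDAP
# command-line tools; the host and base DN below are placeholders.

# ldap_probe MODE HOST BASEDN
#   MODE is "starttls" (plain port 389, then StartTLS; -ZZ makes TLS
#   mandatory, so the search fails rather than silently going cleartext)
#   or "ldaps" (TLS from the first byte on port 636).
# Prints the argument list it would run.  It runs the command only when
# LDAP_PROBE_RUN=1 and ldapsearch is installed, so it is safe offline.
ldap_probe() {
    mode=$1; host=$2; base=$3
    case $mode in
        starttls) uri="ldap://$host:389";  tls_flag="-ZZ" ;;
        ldaps)    uri="ldaps://$host:636"; tls_flag="" ;;
        *) echo "ldap_probe: unknown mode '$mode' (use starttls or ldaps)" >&2
           return 2 ;;
    esac
    # -x: simple (here anonymous) bind
    # -o nettimeout=5: client gives up on a silent socket instead of
    #                  hanging on the infinite default wait
    # -l 10: server-side time limit for the search itself
    # -s base: cheapest possible query, the base object only
    set -- ldapsearch -x -H "$uri" $tls_flag -o nettimeout=5 -l 10 \
        -b "$base" -s base "(objectClass=*)" dn
    echo "$*"
    if [ "${LDAP_PROBE_RUN:-0}" = 1 ] && command -v ldapsearch >/dev/null 2>&1; then
        "$@"
    fi
}

# Usage (placeholder host and base DN):
ldap_probe ldaps    ldap.example.test "dc=example,dc=test"
ldap_probe starttls ldap.example.test "dc=example,dc=test"
```

With LDAP_PROBE_RUN=1 the command actually runs, and in either mode certificate verification is governed by the client's ldap.conf (TLS_CACERT pointing at the CA that signed the server cert, TLS_REQCERT left at its default of demand), which is the client-library policy the thread says an application cannot override from the outside.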
