Re: [Evolution] LDAPS with own CA cert not functional.



Filed as bug #68826

http://bugzilla.ximian.com/show_bug.cgi?id=68826

Regards,

Jan "Pogo" Mynarik

On Tue, 2004-10-26 at 18:27 +0200, Jan Mynarik wrote:
Now I'm sure that CA certificates from Evolution's certificate store are
not used in Evo's LDAP. Some Googling helped me to find a way how to get
Evolution running without this LDAP problem.

I launched evolution this way:
LDAPTLS_CACERT=<path to file PEM file> evolution

and now it works. I'm going to file a bug.

Jan "Pogo" Mynarik

On Tue, 2004-10-26 at 16:25 +0200, Jan Mynarik wrote:
Hello,

I have the following problem. I am not able to use the company's LDAP server.
We've got the following policy:
 - we're able to connect to LDAP on 389 without SSL from intranet
 - from outside we need to use LDAP via SSL on port 636 and anonymous
query is not allowed

The first case works fine with Evolution 2.0.2 but I need to specify
SSL: Never because SSL: When possible doesn't work.

The second case doesn't work (and hasn't ever worked since the first
versions of Evolution). All I get is (from separately run
evolution-data-server):

(evolution-data-server:5473): libebookbackend-WARNING **: failed to bind
anonymously while connecting (ldap_error 0x51)
in server_log_handler

It doesn't even ask for password. Our LDAP server is OpenLDAP version
2.0.27.

Exactly the same configuration works with Outlook (tested by some
colleagues, I don't use it), Mozilla, and Mozilla Thunderbird. Even
tested with ldapsearch and with specific LDAP browsers: JXBrowse and
LDAPBrowser (both java).

The problem could be that our LDAP server uses a certificate which is
not signed (directly or indirectly) by a globally recognized CA. We have
our own CA certificate here that we use for signing other certificates
(server, personal etc.).

This CA certificate is imported in Evolution's certificates for sure as
I'm able to use it to verify other people's certificates in mail
encryption/signing. It was also necessary to import our CA certificate into the
already mentioned LDAP browsers to get them working properly with our
LDAPS server.

Using ldapsearch I need to disable certificate verification or to
specify TLS_CACERT to get it working, without it I get:

ldap_bind: Can't contact LDAP server (81)
        additional info: Error in the certificate.

which reminds me of Evolution's problem.

Can anybody help me? Does Evolution use imported CA certificates even
for LDAP? Has anybody encountered this problem too?

Am I right about the possible source of the problem? If yes, I'll file a bug.

I'm even able to compile evolution-data-server to test patches ;-)

Regards,

Jan "Pogo" Mynarik

-- 
Jan Mynarik <mynarikj phoenix inf upol cz>
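As an added example (not part of this mail or of Evolution/OpenLDAP), the script below reproduces the failure class from the thread offline: a constructed private CA signs a constructed LDAPS server certificate, `openssl verify` rejects that certificate against the default trust store and accepts it once the CA file is supplied, which is exactly the file a libldap-based client (ldapsearch, Evolution) needs via `LDAPTLS_CACERT` or `TLS_CACERT` in ldap.conf. It assumes the `openssl` CLI is installed; all names and certificates are generated in a temporary directory.

```shell
#!/bin/sh
# Reproduce "Error in the certificate" with a constructed private CA, then
# show the check that confirms which PEM file to hand to LDAPTLS_CACERT.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed private CA, standing in for the company CA from the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Constructed LDAPS server certificate signed by that private CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
    -out "$WORK/server.pem" 2>/dev/null

# verify_chain CA_FILE SERVER_CERT
#   returns 0 if SERVER_CERT chains to a trusted root, 1 otherwise.
#   An empty CA_FILE means "only the default system store", which is the
#   situation of a libldap client with no TLS_CACERT / LDAPTLS_CACERT set.
verify_chain() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    else
        openssl verify "$2" >/dev/null 2>&1
    fi
}

# Without the private CA the chain cannot be built: same class of error
# as ldap_bind "Can't contact LDAP server (81) ... Error in the certificate".
if verify_chain "" "$WORK/server.pem"; then
    echo "unexpected: server cert verified without the private CA"
else
    echo "default store only: server cert rejected (expected)"
fi

# With the CA file the chain verifies; this is the PEM to point
# LDAPTLS_CACERT (or TLS_CACERT in ldap.conf) at.
if verify_chain "$WORK/ca.pem" "$WORK/server.pem"; then
    echo "with CA file: server cert verified"
    echo "use: LDAPTLS_CACERT=$WORK/ca.pem ldapsearch -H ldaps://host ..."
fi
```

Run the same `openssl verify -CAfile <ca.pem> <server.pem>` against the certificate your LDAPS server actually presents (`openssl s_client -connect host:636 -showcerts` prints it) before blaming the client.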


