[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SSL/TLS connection on port 389



> > I've been running slapd with "-h ldaps:///" so that it 
> > takes SSL/TLS connections on port 636. This has worked 
> > with most clients (Outlook, Seamonkey, Thunderbird) 
> > but does not work for Evolution. I don't know why not, 
> > but Evolution seems to insist on using port 389 for 
> > secure connections.
> 
> Which version of Evolution? 

I'm currently using 2.6.3 (Debian Etch), 2.8.2 (the Windoze port) and
2.12.3 (Debian Lenny), and have also tried 2.10.3 and 2.12.2 in between.
The LDAP connection functionality seems unchanged in all these versions.


> Mine has a "Use secure connection" drop-down box, with 
> "SSL encryption", "TLS encryption" and "No encryption" 
> options. Since the port doesn't change based on your 
> selection, I'll assume what they actually mean is 
> "ldaps", "STARTTLS", and "No encryption". Naturally, 
> STARTTLS would run on the normal unencrypted port (389 
> by default), and "upgrade" to SSL/TLS with a STARTTLS 
> command.

I have the same, and I had (belatedly) come to the same assumption. 

> It seems that no matter what you select here, if the port is 
> 389, it does STARTTLS:
> 
> Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from 
> IP=127.0.0.1:53243 (IP=0.0.0.0:389)
> Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
> Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= 
> err=0 text= Jan 29 17:59:16 seaknight slapd[840]: conn=0 
> fd=15 TLS established tls_ssf=256 ssf=256

This is encouraging - I guess you are not using the same version of
slapd as I am? (I'm using 2.4.7, which apparently has a bug with
STARTTLS, at least in Debian it does). 

What log level are you choosing to get this output? Is it just "conns"?
 
> However, if you select 636 as the port, it greys out the "Use secure 
> connection" drop-down box, and does ldaps.

Yes.
 
> Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from 
> IP=127.0.0.1:54153 (IP=0.0.0.0:636)
> Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed 
> (TLS negotiation 
> failure)
> Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from 
> IP=127.0.0.1:45074 (IP=0.0.0.0:389)
> 
> (Can't get it to work right right now with ldaps ...).

Me neither, though I had assumed that was password-related.
 
> Note however that evo caches LDAP connections, it seems you 
> need to restart it for your config changes to take effect.

Ah, I didn't know that - thanks.

> And, it will only prompt you for the password once the 
> connection is up ...

Hmmm. If I understand the output correctly, it's rejecting the
connection before asking for a password. I will have to investigate this
again.
 
> > Could somebody explain to me how to tell slapd to accept secure 
> > connections on port 389? 
> 
> start slapd with with no -h flag, or -h "ldaps:/// ldap:///"; 
> so it listens on port 636 for ldaps connections, and 389 for 
> ldap connections (which could use START_TLS to upgrade).

I just have -h "ldaps:///" - I presumed the ldap:/// was covered
automatically as the default. 
 
> > Sorry if this is a really stupid question, but according to 
> > the docs the "startTLS" process should be automatic if a 
> > secure connection comes in on port 389. Something is 
> > obviously not quite right.
> 
> Hmm, SSL/TLS isn't really automatic ...

Sorry, I meant that the connection is upgraded to SSL/TLS if the
STARTTLS command is sent by the client (which you have verified
Evolution does). 

Thanks muchly for your help. I will do some more testing with Evolution
until I lose the will to live once again.

I am now even getting errors with Outlook. It seems to connect ok, but
whenever I do a search it says "The Properties dialog box could not be
displayed. To display the Properties dialog box, you must select exactly
one item." - I don't know what this is about, I get the same message
whether my search is gibberish (should return no matches), unique
(should return a single match) or general (should return multiple
matches). No results are returned. It seems to be a completely incorrect
error message. 

CC

This e-mail may contain information which is confidential, legally privileged and/or copyright protected. This e-mail is intended for the addressee only. If you receive this in error, please contact the sender and delete the material from your computer