I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
Which version of Evolution?
I'm currently using 2.6.3 (Debian Etch), 2.8.2 (the Windoze port) and 2.12.3 (Debian Lenny), and have also tried 2.10.3 and 2.12.2 in between. The LDAP connection functionality seems unchanged in all these versions.
Mine has a "Use secure connection" drop-down box, with "SSL encryption", "TLS encryption" and "No encryption" options. Since the port doesn't change based on your selection, I'll assume what they actually mean is "ldaps", "STARTTLS", and "No encryption". Naturally, STARTTLS would run on the normal unencrypted port (389 by default), and "upgrade" to SSL/TLS with a STARTTLS command.
I have the same, and I had (belatedly) come to the same assumption.
It seems that no matter what you select here, if the port is 389, it does STARTTLS:
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389) Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text= Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
This is encouraging - I guess you are not using the same version of slapd as I am? (I'm using 2.4.7, which apparently has a bug with STARTTLS, at least in Debian it does).
What log level are you choosing to get this output? Is it just "conns"?
However, if you select 636 as the port, it greys out the "Use secure connection" drop-down box, and does ldaps.
Yes.
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636) Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure) Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
(Can't get it to work right right now with ldaps ...).
Me neither, though I had assumed that was password-related.
Note however that evo caches LDAP connections, it seems you need to restart it for your config changes to take effect.
Ah, I didn't know that - thanks.
And, it will only prompt you for the password once the connection is up ...
Hmmm. If I understand the output correctly, it's rejecting the connection before asking for a password. I will have to investigate this again.
Could somebody explain to me how to tell slapd to accept secure connections on port 389?
start slapd with with no -h flag, or -h "ldaps:/// ldap:///" so it listens on port 636 for ldaps connections, and 389 for ldap connections (which could use START_TLS to upgrade).
I just have -h "ldaps:///" - I presumed the ldap:/// was covered automatically as the default.
Sorry if this is a really stupid question, but according to the docs the "startTLS" process should be automatic if a secure connection comes in on port 389. Something is obviously not quite right.
Hmm, SSL/TLS isn't really automatic ...
Sorry, I meant that the connection is upgraded to SSL/TLS if the STARTTLS command is sent by the client (which you have verified Evolution does).
Thanks muchly for your help. I will do some more testing with Evolution until I lose the will to live once again.
I am now even getting errors with Outlook. It seems to connect ok, but whenever I do a search it says "The Properties dialog box could not be displayed. To display the Properties dialog box, you must select exactly one item." - I don't know what this is about, I get the same message whether my search is gibberish (should return no matches), unique (should return a single match) or general (should return multiple matches). No results are returned. It seems to be a completely incorrect error message.
CC
This e-mail may contain information which is confidential, legally privileged and/or copyright protected. This e-mail is intended for the addressee only. If you receive this in error, please contact the sender and delete the material from your computer