Hi All,
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
When I type
openssl s_client -connect my.server.com:389
It says connection refused. When I type the same command with :636 at the end it connects fine.
Could somebody explain to me how to tell slapd to accept secure connections on port 389? I am using the new version of slapd in Debian Testing (2.4.7-1).
Sorry if this is a really stupid question, but according to the docs the "startTLS" process should be automatic if a secure connection comes in on port 389. Something is obviously not quite right.
Thanks in advance,
Chris
This e-mail may contain information which is confidential, legally privileged and/or copyright protected. This e-mail is intended for the addressee only. If you receive this in error, please contact the sender and delete the material from your computer
--On Monday, January 28, 2008 2:57 PM +0000 Chris Carr chris.carr@Camden.gov.uk wrote:
Hi All,
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
When I type
openssl s_client -connect my.server.com:389
If you read the documentation on openssl, it clearly states it doesn't support doing LDAP startTLS over port 389.
I suggest using ldapsearch -ZZ -H ldap://my.server.com:389/
or similar.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Mon, 2008-01-28 at 09:00 -0800, Quanah Gibson-Mount wrote:
--On Monday, January 28, 2008 2:57 PM +0000 Chris Carr
Hi All,
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
When I type
openssl s_client -connect my.server.com:389
If you read the documentation on openssl, it clearly states it doesn't support doing LDAP startTLS over port 389.
I thought startTLS was supposed to be the replacement for ldaps, so that only one port was needed for both secure and insecure connections. Wasn't that discussed on this list quite recently? I have definitely misunderstood something.
Still, at least I can now focus on why Evolution isn't connecting properly on port 636.
I suggest using ldapsearch -ZZ -H ldap://my.server.com:389/
That gives me "Can't contact LDAP server (-1)". Same if I use :636 in fact.
CC
--On Monday, January 28, 2008 5:10 PM +0000 Chris Carr chris.carr@camden.gov.uk wrote:
On Mon, 2008-01-28 at 09:00 -0800, Quanah Gibson-Mount wrote:
--On Monday, January 28, 2008 2:57 PM +0000 Chris Carr
Hi All,
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
When I type
openssl s_client -connect my.server.com:389
If you read the documentation on openssl, it clearly states it doesn't support doing LDAP startTLS over port 389.
I thought startTLS was supposed to be the replacement for ldaps, so that only one port was needed for both secure and insecure connections. Wasn't that discussed on this list quite recently? I have definitely misunderstood something.
You are correct, startTLS is the replacement for LDAPS. My point is, if you read the documentation about the "openssl s_client" command, the openssl folks have yet to add support for LDAP startTLS to it, which is why using that command in your case for testing is pointless.
As for the Debian 2.4.7 package, there's a bug already tracking this issue. I'm not clear if it is a GnuTLS bug or an OpenLDAP bug or both. I don't use OpenLDAP with GnuTLS myself. ;)
--Quanah
Chris Carr chris.carr@Camden.gov.uk writes:
Could somebody explain to me how to tell slapd to accept secure connections on port 389? I am using the new version of slapd in Debian Testing (2.4.7-1).
Just to mention, this may well be a problem with the Debian build. We're still trying to sort that out.
Chris Carr skrev, on 28-01-2008 15:57:
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
Evo will connect to port 636 ok, *if* you specify 'the_host:636' in your connection box. It works out that this is ssl for itself.
[...]
--Tonni
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
Evo will connect to port 636 ok, *if* you specify 'the_host:636' in your connection box. It works out that this is ssl for itself.
But where do you put in your password? At the moment I'm getting "Connection Refused" (from slapd's logs, not from Evo) - I've chosen "Bind using distinguished name" but Evo does not ask me for a password, and it just fails to connect (telling me the URI may be wrong!).
Thanks to Russ and Quanah for correcting me re Debian slapd and openssl.
CC
Carr, Chris skrev, on 29-01-2008 13:24:
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
Evo will connect to port 636 ok, *if* you specify 'the_host:636' in your connection box. It works out that this is ssl for itself.
But where do you put in your password?
Darn it, you forced me to start up Evo and I'd rather not. The password goes in my IMAP incoming mail tab under authentication types, tick off remember password.
At the moment I'm getting "Connection Refused" (from slapd's logs, not from Evo) - I've chosen "Bind using distinguished name" but Evo does not ask me for a password, and it just fails to connect (telling me the URI may be wrong!).
Oh, if you mean the password for LDAP, does this help? It's been so long since I did it, that ... this is for Evo 2.8.3.
Best,
--Tonni
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
Evo will connect to port 636 ok, *if* you specify 'the_host:636' in your connection box. It works out that this is ssl for itself.
But where do you put in your password?
Darn it, you forced me to start up Evo and I'd rather not. The password goes in my IMAP incoming mail tab under authentication types, tick off remember password.
[...]
Oh, if you mean the password for LDAP, does this help? It's been so long since I did it, that ... this is for Evo 2.8.3.
Heh - yes, the LDAP server is distinct from the IMAP server, and requires a different password. I can't find anywhere to enter it in the "LDAP Address Book" config, nor does Evo ask me for it. I have filed a Debian bug about this in the hope that someone will either fix it or enlighten me.
Ho hum. Apologies for interrupting the discussion of unique UUIDs ...
CC
Carr, Chris skrev, on 29-01-2008 13:24:
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
Evo will connect to port 636 ok, *if* you specify 'the_host:636' in your connection box. It works out that this is ssl for itself.
But where do you put in your password?
Darn it, you forced me to start up Evo and I'd rather not. The password goes in my IMAP incoming mail tab under authentication types, tick off remember password.
At the moment I'm getting "Connection Refused" (from slapd's logs, not from Evo) - I've chosen "Bind using distinguished name" but Evo does not ask me for a password, and it just fails to connect (telling me the URI may be wrong!).
Oh, if you mean the password for LDAP, does this help? http://safari.oreilly.com/0672329298/ch28lev1sec2 It's been so long since I did it, that ... this is for Evo 2.8.3.
Best,
--Tonni
On Monday 28 January 2008 16:57:28 Chris Carr wrote:
Hi All,
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
Which version of Evolution? Mine has a "Use secure connection" drop-down box, with "SSL encryption", "TLS encryption" and "No encryption" options. Since the port doesn't change based on your selection, I'll assume what they actually mean is "ldaps", "STARTTLS", and "No encryption". Naturally, STARTTLS would run on the normal unencrypted port (389 by default), and "upgrade" to SSL/TLS with a STARTTLS command.
It seems that no matter what you select here, if the port is 389, it does STARTTLS:
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
However, if you select 636 as the port, it greys out the "Use secure connection" drop-down box, and does ldaps.
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
(Can't get it to work right right now with ldaps ...).
Note however that evo caches LDAP connections, it seems you need to restart it for your config changes to take effect.
And, it will only prompt you for the password once the connection is up ...
When I type
openssl s_client -connect my.server.com:389
It says connection refused. When I type the same command with :636 at the end it connects fine.
Could somebody explain to me how to tell slapd to accept secure connections on port 389? I am using the new version of slapd in Debian Testing (2.4.7-1).
start slapd with no -h flag, or -h "ldaps:/// ldap:///" so it listens on port 636 for ldaps connections, and 389 for ldap connections (which could use START_TLS to upgrade).
Sorry if this is a really stupid question, but according to the docs the "startTLS" process should be automatic if a secure connection comes in on port 389. Something is obviously not quite right.
Hmm, SSL/TLS isn't really automatic ...
Regards, Buchan
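As an added example (not part of this thread and not OpenLDAP code), the following Python script does two things a defender would want when chasing the symptoms discussed above: it parses a slapd `-h` listener list to show why `-h ldaps:///` alone leaves nothing listening on 389 (the default with no `-h` is `ldap:///`), and it folds stats-level (loglevel 256, as Buchan used) log lines into one record per connection, classifying each as ldaps, STARTTLS or cleartext and calling out simple binds whose password crossed the wire before TLS was established. The sample log is constructed: the first seven lines copy the ones posted in the thread, and the final BIND line, with the placeholder DN `cn=admin,dc=example,dc=com`, is made up to exercise the cleartext-bind check.

```python
"""Classify slapd connections from stats-level (loglevel 256) log lines.

Added example for this thread; not OpenLDAP code.  SAMPLE_LOG is
constructed: the first seven lines copy the ones posted in the thread,
the final BIND line (placeholder DN) is made up to show a cleartext bind.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAMPLE_LOG = """\
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
"""

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}   # ldapi:/// is a unix socket, no TCP port


def listener_ports(h_arg):
    """TCP ports slapd listens on for a given -h argument.

    Without -h, slapd defaults to ldap:/// (389 only).  "-h ldaps:///"
    therefore yields 636 only: nothing answers on 389, so a client that
    wants STARTTLS on the standard port gets "connection refused".
    """
    if not h_arg or not h_arg.strip():
        return {389}
    ports = set()
    for url in h_arg.split():
        parts = urlsplit(url)
        if parts.scheme in DEFAULT_PORT:
            ports.add(parts.port or DEFAULT_PORT[parts.scheme])
    return ports


@dataclass
class Conn:
    conn: int
    peer: str = ""
    listener_port: int = 0
    starttls_requested: bool = False
    tls_established: bool = False
    tls_failed: bool = False
    cleartext_binds: list = field(default_factory=list)   # DNs bound without TLS

    @property
    def mode(self):
        if self.listener_port == 636:
            return "ldaps"
        return "starttls" if self.starttls_requested else "cleartext"


CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+) \(IP=[\d.]+:(\d+)\)")
STARTTLS_RE = re.compile(r"op=\d+ STARTTLS$")
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" method=(\d+)')


def summarize(log_text):
    """Fold stats-level lines into one Conn record per conn=N."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = int(m.group(1)), m.group(2)
        c = conns.setdefault(cid, Conn(cid))
        accept = ACCEPT_RE.search(rest)
        bind = BIND_RE.search(rest)
        if accept:
            c.peer, c.listener_port = accept.group(1), int(accept.group(2))
        elif STARTTLS_RE.search(rest):
            c.starttls_requested = True
        elif "TLS established" in rest:
            c.tls_established = True
        elif "TLS negotiation failure" in rest:
            c.tls_failed = True
        elif bind and bind.group(2) == "128" and not c.tls_established:
            # method=128 is a simple bind: the password crossed the wire in clear
            c.cleartext_binds.append(bind.group(1))
    return conns


def report(conns):
    """One human-readable line per connection, cleartext binds called out."""
    lines = []
    for c in sorted(conns.values(), key=lambda x: x.conn):
        state = "TLS ok" if c.tls_established else ("TLS failed" if c.tls_failed else "no TLS")
        line = f"conn={c.conn} from {c.peer} on :{c.listener_port} mode={c.mode} {state}"
        if c.cleartext_binds:
            line += " CLEARTEXT BIND " + ",".join(c.cleartext_binds)
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("listeners for -h 'ldaps:///':", sorted(listener_ports("ldaps:///")))
    print("listeners for -h 'ldaps:/// ldap:///':", sorted(listener_ports("ldaps:/// ldap:///")))
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it with `python3` and it prints one line per connection; pointing `summarize()` at a real slapd log requires loglevel 256 (stats), since lower levels omit the per-op STARTTLS and BIND lines the classifier keys on. The cleartext-bind check is the part worth keeping around: a client that falls back from a failed ldaps attempt to plain 389 without STARTTLS, as conn=15 does in the thread's log, is exactly the case where a simple bind leaks the password.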
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS connections on port 636. This has worked with most clients (Outlook, Seamonkey, Thunderbird) but does not work for Evolution. I don't know why not, but Evolution seems to insist on using port 389 for secure connections.
Which version of Evolution?
I'm currently using 2.6.3 (Debian Etch), 2.8.2 (the Windoze port) and 2.12.3 (Debian Lenny), and have also tried 2.10.3 and 2.12.2 in between. The LDAP connection functionality seems unchanged in all these versions.
Mine has a "Use secure connection" drop-down box, with "SSL encryption", "TLS encryption" and "No encryption" options. Since the port doesn't change based on your selection, I'll assume what they actually mean is "ldaps", "STARTTLS", and "No encryption". Naturally, STARTTLS would run on the normal unencrypted port (389 by default), and "upgrade" to SSL/TLS with a STARTTLS command.
I have the same, and I had (belatedly) come to the same assumption.
It seems that no matter what you select here, if the port is 389, it does STARTTLS:
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
This is encouraging - I guess you are not using the same version of slapd as I am? (I'm using 2.4.7, which apparently has a bug with STARTTLS, at least in Debian it does).
What log level are you choosing to get this output? Is it just "conns"?
However, if you select 636 as the port, it greys out the "Use secure connection" drop-down box, and does ldaps.
Yes.
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
(Can't get it to work right right now with ldaps ...).
Me neither, though I had assumed that was password-related.
Note however that evo caches LDAP connections, it seems you need to restart it for your config changes to take effect.
Ah, I didn't know that - thanks.
And, it will only prompt you for the password once the connection is up ...
Hmmm. If I understand the output correctly, it's rejecting the connection before asking for a password. I will have to investigate this again.
Could somebody explain to me how to tell slapd to accept secure connections on port 389?
start slapd with no -h flag, or -h "ldaps:/// ldap:///" so it listens on port 636 for ldaps connections, and 389 for ldap connections (which could use START_TLS to upgrade).
I just have -h "ldaps:///" - I presumed the ldap:/// was covered automatically as the default.
Sorry if this is a really stupid question, but according to the docs the "startTLS" process should be automatic if a secure connection comes in on port 389. Something is obviously not quite right.
Hmm, SSL/TLS isn't really automatic ...
Sorry, I meant that the connection is upgraded to SSL/TLS if the STARTTLS command is sent by the client (which you have verified Evolution does).
Thanks muchly for your help. I will do some more testing with Evolution until I lose the will to live once again.
I am now even getting errors with Outlook. It seems to connect ok, but whenever I do a search it says "The Properties dialog box could not be displayed. To display the Properties dialog box, you must select exactly one item." - I don't know what this is about, I get the same message whether my search is gibberish (should return no matches), unique (should return a single match) or general (should return multiple matches). No results are returned. It seems to be a completely incorrect error message.
CC
On Tuesday 29 January 2008 19:18:15 Carr, Chris wrote:
It seems that no matter what you select here, if the port is 389, it does STARTTLS:
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
This is encouraging - I guess you are not using the same version of slapd as I am? (I'm using 2.4.7, which apparently has a bug with STARTTLS, at least in Debian it does).
I don't use Debian, and on production platforms I don't use the packages supplied by the distro, but the rebuilds (which are available at http://staff.telkomsa.net/packages/) of the Mandriva package, for which I am the maintainer. The output in my reply was from my Mandriva 2008.0 x86_64, running the 2.3.38 package supplied with the distro. I will try and test the 2.4.7 packages sometime later today.
What log level are you choosing to get this output? Is it just "conns"?
stats (256).
However, if you select 636 as the port, it greys out the "Use secure connection" drop-down box, and does ldaps.
Yes.
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
(Can't get it to work right right now with ldaps ...).
Note that this may simply be due to me using self-signed certs ...
Me neither, though I had assumed that was password-related.
Note however that evo caches LDAP connections, it seems you need to restart it for your config changes to take effect.
Ah, I didn't know that - thanks.
And, it will only prompt you for the password once the connection is up ...
Hmmm. If I understand the output correctly, it's rejecting the connection before asking for a password. I will have to investigate this again.
Could somebody explain to me how to tell slapd to accept secure connections on port 389?
start slapd with no -h flag, or -h "ldaps:/// ldap:///" so it listens on port 636 for ldaps connections, and 389 for ldap connections (which could use START_TLS to upgrade).
I just have -h "ldaps:///" - I presumed the ldap:/// was covered automatically as the default.
No, logically there should be a way to prevent the use of a port which could be used by some other application ...
Sorry if this is a really stupid question, but according to the docs the "startTLS" process should be automatic if a secure connection comes in on port 389. Something is obviously not quite right.
Hmm, SSL/TLS isn't really automatic ...
Sorry, I meant that the connection is upgraded to SSL/TLS if the STARTTLS command is sent by the client (which you have verified Evolution does).
Thanks muchly for your help. I will do some more testing with Evolution until I lose the will to live once again.
I am now even getting errors with Outlook. It seems to connect ok, but whenever I do a search it says "The Properties dialog box could not be displayed. To display the Properties dialog box, you must select exactly one item." - I don't know what this is about, I get the same message whether my search is gibberish (should return no matches), unique (should return a single match) or general (should return multiple matches). No results are returned. It seems to be a completely incorrect error message.
It seems Outlook doesn't like self-signed certs, so I'll look at this later once I've had time to sort out certificates for these boxes.
Regards, Buchan
Buchan Milne skrev, on 30-01-2008 10:57:
It seems that no matter what you select here, if the port is 389, it does STARTTLS:
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
This is encouraging - I guess you are not using the same version of slapd as I am? (I'm using 2.4.7, which apparently has a bug with STARTTLS, at least in Debian it does).
I don't use Debian, and on production platforms I don't use the packages supplied by the distro, but the rebuilds (which are available at http://staff.telkomsa.net/packages/) of the Mandriva package, for which I am the maintainer. The output in my reply was from my Mandriva 2008.0 x86_64, running the 2.3.38 package supplied with the distro. I will try and test the 2.4.7 packages sometime later today.
FWIW your rhl5 src rpm rebuilt on Fedora FC6 has no problems with ldaps, ldap starttls or ldapi; it does everything perfectly normally - otherwise I'd have reacted negatively far sooner.
[...]
Best,
--Tonni
Tony Earnshaw wrote:
Buchan Milne skrev, on 30-01-2008 10:57:
This is encouraging - I guess you are not using the same version of slapd as I am? (I'm using 2.4.7, which apparently has a bug with STARTTLS, at least in Debian it does).
I don't use Debian, and on production platforms I don't use the packages supplied by the distro, but the rebuilds (which are available at http://staff.telkomsa.net/packages/) of the Mandriva package, for which I am the maintainer. The output in my reply was from my Mandriva 2008.0 x86_64, running the 2.3.38 package supplied with the distro. I will try and test the 2.4.7 packages sometime later today.
FWIW your rhl5 src rpm rebuilt on Fedora FC6 has no problems with ldaps, ldap starttls or ldapi; it does everything perfectly normally - otherwise I'd have reacted negatively far sooner.
Probably because it still uses OpenSSL, and not GnuTLS like Debian does.
Howard Chu skrev, on 30-01-2008 12:12:
[...]
FWIW your rhl5 src rpm rebuilt on Fedora FC6 has no problems with ldaps, ldap starttls or ldapi; it does everything perfectly normally - otherwise I'd have reacted negatively far sooner.
Probably because it still uses OpenSSL, and not GnuTLS like Debian does.
Ah. Indeed. I just knew there had to be one more reason why I don't use Debian if I can avoid it.
Then Buchan will have to redesign his spec and rpms to add GnuTLS to Red Hat and use that, which should be fun. It's available from Red Hat for rhl5.
--Tonni
openldap-technical@openldap.org