Bug 109445 - LDAP Contacts Do Not Work w/SSL
Product: Fedora
Classification: Fedora
Component: evolution
i686 Linux
medium Severity medium
Assigned To: Jeremy Katz
: Security
Reported: 2003-11-07 16:19 EST by Wil Cooley
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2003-11-25 10:11:58 EST
Description Wil Cooley 2003-11-07 16:19:28 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)

Description of problem:
Evolution is unable to use SSL/TLS when communicating with an LDAP
server for contacts.  This worked with Ximian 1.4.5, but does not work
with the Fedora Core RPM.  The message I get is:

We were unable to open this addressbook.  This either
means you have entered an incorrect URI, or the LDAP server
is unreachable.

Setting 'Use SSL/TLS' to 'Never' allows me to communicate with the
LDAP server.  Setting it to 'Always' gives the dialog box with the
above message, regardless of whether the port is set to 389 or 636.

I did remove all Ximian packages and replaced them with their Fedora
equivalents prior to testing this.  I also made sure to kill the
Evolution background processes, which do not exit when Evolution
itself is killed.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up an LDAP server using the evolution.schema and set
appropriate ACLs.
2. Create an entry in "Directory Servers" in Evolution and set 'Use
SSL/TLS' to 'Always'.
3. Click on the directory entry in "Other Contacts".

Actual Results:  Received the message above; unable to list any contacts.

Expected Results:  Expected to have normal functionality in the LDAP

Additional info:

Setting severity to "Security" since not being able to use SSL/TLS
when communicating with an LDAP server is a big security problem, for
me at least.  Feel free to downgrade it if that's not appropriate.
Comment 1 Wil Cooley 2003-11-24 19:33:11 EST
Setting 'TLS_REQCERT' in '/etc/openldap/ldap.conf' to 'allow' fixes
this issue with self-signed certs (which also affected GQ and
ldapsearch).  It's somewhat unexpected, since I only thought the CLI
clients used this file, but apparently it's read as part of
ldap_init() or ldap_open().  Bug can be closed as far as I am
concerned.  (Apologies again for setting to 'security'.)
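
An added example, not part of the bug report or of the Evolution or OpenLDAP code: a shell audit that reports which TLS_REQCERT level libldap-based clients (Evolution, GQ and ldapsearch in Comment 1) will pick up from the configuration files. It assumes the files are passed in the order libldap reads them and that a later setting replaces an earlier one; the function names and the demo file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: report the TLS_REQCERT level libldap clients will use.

# Print the last TLS_REQCERT value set in one file (nothing if unset).
# Option names and values are matched case-insensitively.
reqcert_in_file() {
    awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
         END { if (v != "") print v }' "$1"
}

# Map a level to a verdict, following the descriptions in ldap.conf(5).
reqcert_verdict() {
    case "$1" in
        demand|hard) echo strict ;;
        try)         echo partial ;;     # bad cert rejected, missing cert accepted
        never|allow) echo unverified ;;  # bad or missing cert accepted
        *)           echo unknown ;;
    esac
}

# Usage: audit_reqcert FILE...  (pass files in the order libldap reads them)
# Prints "<level> <source> <verdict>"; returns non-zero unless strict.
audit_reqcert() {
    level=demand src=default             # demand is the documented default
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(reqcert_in_file "$f")
        # Assumption: a later setting replaces an earlier one.
        if [ -n "$v" ]; then level=$v src=$f; fi
    done
    # The LDAPTLS_REQCERT environment variable overrides the files.
    if [ -n "${LDAPTLS_REQCERT:-}" ]; then
        level=$(printf '%s' "$LDAPTLS_REQCERT" | tr 'A-Z' 'a-z') src=env
    fi
    verdict=$(reqcert_verdict "$level")
    echo "$level $src $verdict"
    [ "$verdict" = strict ]
}

# Demo on constructed files (contents are illustrative, not from the report).
d=$(mktemp -d)
printf 'TLS_REQCERT allow\n' > "$d/relaxed.conf"
printf 'TLS_CACERT /path/to/server-cert.pem\nTLS_REQCERT demand\n' > "$d/pinned.conf"
audit_reqcert "$d/relaxed.conf" || echo "certificate checking is relaxed"
audit_reqcert "$d/pinned.conf" || echo "certificate checking is relaxed"
rm -rf "$d"
```

Per ldap.conf(5), `allow` lets the session proceed even when the server presents a bad certificate. `TLS_CACERT` can instead name a file containing the self-signed certificate so that it verifies under `demand`, provided the certificate's name matches the host.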
