Description of problem:

using an LDAP addressbook and non-anonymous authentication evo passes the username and password in the clear in a simple bind request. since the server requires TLS encryption an 'invalid credentials' response is returned. evo doesn't prompt for a new password - it just tries again.. continuously, five times per second for as long as evolution is running. this happens even if "Use secure connection" is set to "TLS encryption".

Version-Release number of selected component (if applicable):

2.22.3.1-1.fc9

For the issue of "poking server for ever" there is an upstream bug [1], which has been committed to the trunk (2.23.x branch) and will be available in the 2.24 series. The other issue, with non-TLS bind even when TLS is explicitly required, I think is sort of known, but I cannot find the upstream bug for that at the moment.

[1] http://bugzilla.gnome.org/show_bug.cgi?id=547308

thanks for finding that.

as far as i understand it, if we can get the non-TLS thing fixed then the 'poking the server forever' thing will go away anyway since it'll stop getting the 'invalid credentials' response.

i can't find a gnome bug for the non-TLS thing either so i've created one: http://bugzilla.gnome.org/show_bug.cgi?id=548838

can we up the priority on this? i don't know how many people use LDAP address books non-anonymously but surely an awful lot of people are currently transmitting their passwords in the clear across the public internet without realising it?

(In reply to comment #2)
> thanks for finding that.
>
> as far as i understand it, if we can get the non-TLS thing fixed then the
> 'poking the server forever' thing will go away anyway since it'll stop getting
> the 'invalid credentials' response.

Yes, that's true.

> i can't find a gnome bug for the non-TLS thing either so i've created one:
> http://bugzilla.gnome.org/show_bug.cgi?id=548838
>
> can we up the priority on this? i don't know how many people use LDAP address
> books non-anonymously but surely an awful lot of people are currently
> transmitting their passwords in the clear across the public internet without
> realising it?

Thanks for filing the bug upstream. I would really like to have this fixed in the upstream version, with their acknowledgement, so I'll close this as upstream. I understand your point, but I'm afraid we are quite late in the release cycle, but we will see, hopefully someone will fix it soon.
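
Added example, not part of the bug thread and not Evolution code: a small check an administrator could run over the client-to-server bytes of a captured port-389 session to confirm the behaviour reported above, listing every simple bind that carries a password before any StartTLS request. The function names and the sample DN, password and byte streams are constructed for illustration; the tags and the StartTLS OID are those of RFC 4511.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"     # StartTLS extended operation (RFC 4511)
BIND_REQUEST, EXTENDED_REQUEST = 0x60, 0x77  # [APPLICATION 0], [APPLICATION 23]
SIMPLE_AUTH = 0x80                           # AuthenticationChoice: simple [0]

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) child elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def cleartext_simple_binds(stream):
    """Return (messageID, bind DN) for each password-bearing simple bind seen before StartTLS."""
    findings, pos = [], 0
    while pos < len(stream):
        _, msg, pos = read_tlv(stream, pos)
        (_, msg_id), (op_tag, op), *_ = children(msg)
        if op_tag not in (BIND_REQUEST, EXTENDED_REQUEST):
            continue  # other operations are not relevant to this check
        fields = children(op)
        if op_tag == EXTENDED_REQUEST and fields[0][1] == STARTTLS_OID:
            break  # what follows on the wire is TLS, not plain LDAP
        if op_tag == BIND_REQUEST and fields[2][0] == SIMPLE_AUTH and fields[2][1]:
            findings.append((int.from_bytes(msg_id, "big"), fields[1][1].decode()))
    return findings

def tlv(tag, value):  # short-form encoder, used only to build the constructed samples
    return bytes([tag, len(value)]) + value

def bind(msg_id, dn, password):  # LDAPv3 BindRequest with simple authentication
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(SIMPLE_AUTH, password)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(BIND_REQUEST, body))

STARTTLS = tlv(0x30, tlv(0x02, b"\x01") + tlv(EXTENDED_REQUEST, tlv(0x80, STARTTLS_OID)))
DN = b"uid=alice,dc=example,dc=org"                      # constructed sample DN
BUGGY = bind(1, DN, b"secret") + bind(2, DN, b"secret")  # repeated bind, no StartTLS
```

An empty result for a session means no password left the client in the clear over plain LDAP; anonymous binds (empty password) are deliberately not reported.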