Bug 223236

Summary: kmail cannot connect to LDAP over SSL
Product: [Applications] kaddressbook
Component: ldap search
Reporter: Andrea Bocci <fwyzard>
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UNMAINTAINED
Severity: normal
Priority: NOR
CC: afalls, asen.christov, gdr-kde, jose.arthur, kdenis, tokoe
Version: unspecified
Target Milestone: ---
Platform: Compiled Sources
OS: Linux
Attachments:
    log of kmail activity
    log of kaddressbook "query server" activity
    working LDAP connection
    not working LDAP connection

Description Andrea Bocci 2010-01-18 04:23:44 UTC
Version:           4.3.90 (using Devel)
OS:                Linux
Installed from:    Compiled sources

I'm trying to connect to an LDAP server over SSL.
The server configuration should be (https://mmmservices.web.cern.ch/mmmservices/Help/?kbid=022030#Technical_details, my username is "fwyzard"):

    * Hostname: ldap.cern.ch 
    * Bind DN: cn=fwyzard,ou=users,o=cern,c=ch
    * Base DN: o=cern,c=ch
    * Port Number: 636
    * Use secure connection (SSL) together with 'Simple' authentication

In fact, using ldapsearch from the command line works:

ldapsearch -v -H ldaps://ldap.cern.ch:636 -s sub -b 'o=cern,c=ch' -D 'cn=fwyzard,ou=users,o=cern,c=ch' -x -W '(uid=fwyzard)'

ldap_initialize( ldaps://ldap.cern.ch:636/??base )
Enter LDAP Password:
filter: (uid=fwyzard)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <o=cern,c=ch> with scope subtree
# filter: (uid=fwyzard)
# requesting: ALL
#

# Andrea Bocci, People, cern, ch
dn: CN=Andrea Bocci,OU=People,O=cern,C=ch
cn: Andrea Bocci
...

Looking at the network traffic with Wireshark indeed shows the SSL/TLS negotiation with the server, and encrypted traffic afterwards.

Then, I've tried to configure an LDAP host in KAddressbook:
    Security: SSL
    Authentication: Simple
    User: <disabled>
    Bind DN: cn=fwyzard,ou=users,o=cern,c=ch
    Realm: <disabled>
    Password: *************
    Host: ldap.cern.ch
    Port: 636
and everything else set to the default values.

Query Server does indeed work (again, Wireshark shows the SSL/TLS negotiation). I'm not sure what should go in the DN field - I would suppose 'o=cern,c=ch', but querying the server fills it with 'CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F61D64A2}'. 
Looking into the console output from kaddressbook, I see:
...
kaddressbook(12591)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldaps://ldap.cern.ch:636?namingcontexts?base"
...
kaddressbook(12591)/kdepimlibs (kldap) KLDAP::LdapConfigWidget::Private::loadData: object: "dn:
namingContexts: CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F61D64A2}
namingContexts: CN=Schema,CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F
 61D64A2}
namingContexts: O=cern,C=ch
"

I guess the dialog is keeping the first row of data, while in this case the correct thing to do would be to keep the last one.
Anyway, I set the DN field to "o=cern,c=ch", and save the configuration.

Now that I've happily configured the LDAP server in KAddressbook, I try to use it with KMail. I create a New Message, "Select" the recipients, use "Search Directory Services", look for "fwyzard" and hit search.

At this point I get a dialog with an error message:

Could not connect to host ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F61D64A2}??sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))
Additional info: .

The same error message can also be found in the console output of kmail:

...
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://ldap.cern.ch:636o=cern,c=ch??base"                                                          
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://ldap.cern.ch:636o=cern,c=ch?"                                                               
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass"                                                                                
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub"                                                                            
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))"                                                                                                                                                                                               
kmail(12606)/libkdepim KPIM::LdapClient::startQuery: LdapClient: Doing query: "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))"                                                                                                                                                                                                      
kmail(12606)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote: Listening on  "local:/tmp/ksocket-fwyzard/kmailJ12606.slave-socket"                                                                   
kmail(12606)/kio (Slave) KIO::Slave::createSlave: createSlave "ldap" for KUrl("ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))")                                                                                                                                                                                                     
kmail(12606)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote: Listening on  "local:/tmp/ksocket-fwyzard/kmailP12606.slave-socket"                                                                   
kmail(12606)/kio (KIOJob) KIO::SlaveInterface::dispatch: error  123   "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch??sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))
Additional info: "                                                                                                                                                                                             
...

Well, it makes sense it's unable to connect: it's trying to use ldap://, not ldaps://, and there is at least a missing / after the port number. But maybe it's just the error message that's messed up?
Looking at the data stream with Wireshark, I only see a stub of SSL negotiation (very different from the two previous cases)... and looking within the SSL data I see my password in clear text!
The TCP stream dump contains:
"0....=...`....4.....cn=fwyzard,ou=users,o=cern,c=ch..clear password"

So, not only is this not working, it's also transmitting the password in clear text!
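
The capture described in the report can be checked mechanically: an LDAPS client sends a TLS handshake record first, while the failing connection sent a plaintext LDAP simple bind to port 636. The following is an added example, not part of the original report or of KDE's code; the function names are hypothetical, and the sample bytes are constructed from the printable characters of the dump quoted above, with the non-printable bytes assumed.

```python
TLS_HANDSHAKE, LDAP_SEQUENCE = 0x16, 0x30   # TLS record type / BER SEQUENCE
BIND_REQUEST, SIMPLE_AUTH = 0x60, 0x80      # [APPLICATION 0] / [0] simple

# Added example with constructed samples. The bind follows the printable
# characters of the dump in the report; the dotted bytes are assumed.
DN = b"cn=fwyzard,ou=users,o=cern,c=ch"
SAMPLE_BIND = (bytes.fromhex("30840000003d020101608400000034020103041f")
               + DN + bytes.fromhex("800e") + b"clear password")
SAMPLE_TLS = bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00"


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: low bits = length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, pos, pos + length


def classify_first_payload(payload):
    """Classify what a client sent first on a connection to port 636."""
    if len(payload) >= 3 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03:
        return {"kind": "tls-handshake"}
    try:
        tag, start, _ = read_tlv(payload, 0)            # LDAPMessage
        if tag != LDAP_SEQUENCE:
            return {"kind": "unknown"}
        _, _, pos = read_tlv(payload, start)            # messageID
        tag, pos, _ = read_tlv(payload, pos)            # protocolOp
        if tag != BIND_REQUEST:
            return {"kind": "plaintext-ldap"}
        _, _, pos = read_tlv(payload, pos)              # version
        _, dn_start, pos = read_tlv(payload, pos)       # bind DN
        auth_tag, pw_start, pw_end = read_tlv(payload, pos)
    except ValueError:
        return {"kind": "unknown"}
    exposed = auth_tag == SIMPLE_AUTH and pw_end > pw_start
    return {"kind": "plaintext-ldap-bind", "simple_password_exposed": exposed,
            "bind_dn": payload[dn_start:pos].decode("utf-8", "replace")}
```

The result reports the bind DN and whether a simple password was present, without echoing the password itself.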
Comment 1 Andrea Bocci 2010-01-18 04:25:18 UTC
Created attachment 39997
log of kmail activity
Comment 2 Andrea Bocci 2010-01-18 04:27:16 UTC
Created attachment 39998
log of kaddressbook "query server" activity
Comment 3 Andrea Bocci 2010-01-18 04:29:35 UTC
Created attachment 39999
working LDAP connection

this is a screenshot of the Wireshark capture of the working LDAP connection (from the ldapsearch tool)
Comment 4 Andrea Bocci 2010-01-18 04:30:25 UTC
Created attachment 40000
not working LDAP connection

this is a screenshot of the Wireshark capture of the not working LDAP connection from kmail
Comment 5 asen.christov 2010-05-18 14:24:39 UTC
same here.
Comment 6 Jose Arthur Benetasso Villanova 2011-01-16 03:31:57 UTC
Hi.

I filed this one some time ago: https://bugzilla.redhat.com/show_bug.cgi?id=663210

It's the same bug.
Comment 7 Jose Arthur Benetasso Villanova 2011-05-09 00:36:27 UTC
I've fixed my problem. I did a:

echo "TLS_REQCERT never" > ~/.ldaprc

and now it's working.
Comment 8 afalls 2011-06-11 08:59:49 UTC
I'm having this issue too. Created ~/.ldaprc and added TLS_REQCERT never but it did not help.

It appears that 
I verified my LDAP settings were correct and was able to successfully connect with ssl turned off. 

When ssl is enabled, slapd returns this error upon kmail attempting a connection


Jun 10 23:54:25 ldap slapd[1062]: <= bdb_equality_candidates: (uid) not indexed 
Jun 10 23:54:25 ldap slapd[1062]: conn=1014 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text= 
Jun 10 23:54:41 ldap slapd[1062]: conn=1070 fd=16 ACCEPT from IP=10.1.1.34:44598 (IP=0.0.0.0:636) 
Jun 10 23:54:41 ldap slapd[1062]: conn=1070 fd=16 closed (TLS negotiation failure) 

which leads me to believe that for some reason kmail isn't setting up a secure ssl connection to it. I also tested to see if the ssl was working on the server by using 'openssl s_client ...' and it worked well.

This is with KMail 1.13.6


Thanks
Comment 9 afalls 2011-06-11 09:07:35 UTC
I did a packet capture and saw that the contents of the packets from kmail were not encrypted. I'd post the capture but it contains my login info (including password).
Comment 10 Denis Kurz 2016-09-24 20:52:09 UTC
This bug has only been reported for versions before 4.14, which have been unsupported for at least two years now. Can anyone tell if this bug is still present?

If no one confirms this bug for a Framework-based version of kaddressbook (version 5.0 or later, as part of KDE Applications 15.08 or later), it gets closed in about three months.
Comment 11 Jose Arthur Benetasso Villanova 2016-09-25 22:49:50 UTC
I don't use kmail anymore, but I remember that I could solve this problem with a dot file.
I think that it was .ldaprc with "TLS_REQCERT never" inside it.
Comment 12 Denis Kurz 2017-01-07 23:43:34 UTC
Just as announced in my last comment, I close this bug. If you encounter it again in a recent version (at least 5.0 aka 15.08), please open a new one unless it already exists. Thank you for all your input.