Version: 4.3.90 (using Devel)
OS: Linux
Installed from: Compiled sources

I'm trying to connect to an LDAP server over SSL. The server configuration should be (https://mmmservices.web.cern.ch/mmmservices/Help/?kbid=022030#Technical_details, my username is "fwyzard"):

* Hostname: ldap.cern.ch
* Bind DN: cn=fwyzard,ou=users,o=cern,c=ch
* Base DN: o=cern,c=ch
* Port Number: 636
* Use secure connection (SSL) together with 'Simple' authentication

In fact, using ldapsearch from the command line works:

    ldapsearch -v -H ldaps://ldap.cern.ch:636 -s sub -b 'o=cern,c=ch' -D 'cn=fwyzard,ou=users,o=cern,c=ch' -x -W '(uid=fwyzard)'
    ldap_initialize( ldaps://ldap.cern.ch:636/??base )
    Enter LDAP Password:
    filter: (uid=fwyzard)
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base <o=cern,c=ch> with scope subtree
    # filter: (uid=fwyzard)
    # requesting: ALL
    #
    # Andrea Bocci, People, cern, ch
    dn: CN=Andrea Bocci,OU=People,O=cern,C=ch
    cn: Andrea Bocci
    ...

Looking at the network traffic with Wireshark indeed shows the SSL/TLS negotiation with the server, and encrypted traffic afterwards.

Then, I've tried to configure an LDAP host in KAddressbook:

    Security: SSL
    Authentication: Simple
    User: <disabled>
    Bind DN: cn=fwyzard,ou=users,o=cern,c=ch
    Realm: <disabled>
    Password: *************
    Host: ldap.cern.ch
    Port: 636

and everything else set to the default values. Query Server does indeed work (again, Wireshark shows the SSL/TLS negotiation).

I'm not sure what should go in the DN field - I would suppose 'o=cern,c=ch', but querying the server fills it with 'CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F61D64A2}'. Looking into the console output from kaddressbook, I see:

    ...
    kaddressbook(12591)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldaps://ldap.cern.ch:636?namingcontexts?base"
    ...
    kaddressbook(12591)/kdepimlibs (kldap) KLDAP::LdapConfigWidget::Private::loadData: object: "dn:
    namingContexts: CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F61D64A2}
    namingContexts: CN=Schema,CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F 61D64A2}
    namingContexts: O=cern,C=ch
    "

I guess the dialog is keeping the first row of data, while in this case the correct thing to do would be to keep the last one. Anyway, I set the DN field to "o=cern,c=ch", and save the configuration.

Now that I've happily configured the LDAP server in KAddressbook, I try to use it with KMail. I create a New Message, "Select" the recipients, use "Search Directory Services", look for "fwyzard" and hit search. At this point I get a dialog with an error message:

    Could not connect to host ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F61D64A2}??sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))
    Additional info: .

The same error message can also be found in the console output of kmail:

    ...
    kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://ldap.cern.ch:636o=cern,c=ch??base"
    kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://ldap.cern.ch:636o=cern,c=ch?"
    kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass"
    kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub"
    kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL updateQuery(): "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))"
    kmail(12606)/libkdepim KPIM::LdapClient::startQuery: LdapClient: Doing query: "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))"
    kmail(12606)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote: Listening on "local:/tmp/ksocket-fwyzard/kmailJ12606.slave-socket"
    kmail(12606)/kio (Slave) KIO::Slave::createSlave: createSlave "ldap" for KUrl("ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))")
    kmail(12606)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote: Listening on "local:/tmp/ksocket-fwyzard/kmailP12606.slave-socket"
    kmail(12606)/kio (KIOJob) KIO::SlaveInterface::dispatch: error 123 "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch??sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*))) Additional info: "
    ...

Well, it makes sense it's unable to connect: it's trying to use ldap://, not ldaps://, and there is at least a missing / after the port number. But maybe it's just the error message that's messed up?

Looking at the data stream with Wireshark, I only see a stub of SSL negotiation (very different from the two previous cases)... and looking within the SSL data I see my password in clear text! The TCP stream dump contains:

    "0....=...`....4.....cn=fwyzard,ou=users,o=cern,c=ch..clear password"

So, not only is this not working, it's also transmitting the password in clear text!
Created attachment 39997
log of kmail activity
Created attachment 39998
log of kaddressbook "query server" activity
Created attachment 39999
working LDAP connection
This is a screenshot of the Wireshark capture of the working LDAP connection (from the ldapsearch tool).
Created attachment 40000
not working LDAP connection
This is a screenshot of the Wireshark capture of the not working LDAP connection from kmail.
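The scheme and separator problems the reporter points out in the logged URLs can be checked mechanically. The following is an added example, not code from the report or from KDE: a small RFC 4516 URL checker run over URLs copied from the logs above. The function name `audit_ldap_url` and the wording of the findings are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# RFC 4516 shape: scheme://[host[:port]][/dn[?attrs[?scope[?filter[?exts]]]]]
# An optional userinfo part is accepted because the kmail log lines carry one.
_URL = re.compile(
    r"^(?P<scheme>ldaps?)://"
    r"(?:(?P<userinfo>[^@/?]*)@)?"
    r"(?P<host>[^:/?]*)(?::(?P<port>\d+))?"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)

def audit_ldap_url(url):
    """Return (parsed_fields, findings) for one logged LDAP URL."""
    m = _URL.match(url)
    if not m:
        return None, ["not an ldap:// or ldaps:// URL"]
    scheme = m["scheme"].lower()
    port = int(m["port"]) if m["port"] else (636 if scheme == "ldaps" else 389)
    rest = m["rest"]
    findings = []
    if scheme == "ldap" and port == 636:
        findings.append("plain ldap:// scheme aimed at the LDAPS port 636")
    if rest and rest[0] not in "/?":
        findings.append("no '/' between port and DN")
    if m["userinfo"]:
        findings.append("bind DN carried in URL userinfo: " + unquote(m["userinfo"]))
    # Split the remainder into the RFC 4516 fields, tolerating the missing '/'.
    parts = (rest[1:] if rest.startswith("/") else rest).split("?", 4)
    parts += [""] * (5 - len(parts))
    dn, _attrs, scope, flt, _exts = parts
    fields = {"scheme": scheme, "host": m["host"], "port": port,
              "dn": unquote(dn), "scope": scope or "base", "filter": unquote(flt)}
    return fields, findings

# URLs copied from the report: ldapsearch, kaddressbook, then two from kmail.
SAMPLES = [
    "ldaps://ldap.cern.ch:636/??base",
    "ldaps://ldap.cern.ch:636?namingcontexts?base",
    "ldap://ldap.cern.ch:636o=cern,c=ch??base",
    "ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch??sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))",
]

if __name__ == "__main__":
    for url in SAMPLES:
        fields, findings = audit_ldap_url(url)
        print(fields["scheme"], fields["port"], repr(fields["dn"]), findings)
```

Run over client debug logs, a check like this flags the two kmail URLs and passes the ldapsearch and kaddressbook ones.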
same here.
Hi. I filed this one some time ago: https://bugzilla.redhat.com/show_bug.cgi?id=663210
It's the same bug.
I've fixed my problem. I did a:

    echo "TLS_REQCERT never" > ~/.ldaprc

and now it's working.
I'm having this issue too. Created ~/.ldaprc and added TLS_REQCERT never but it did not help. It appears that I verified my LDAP settings were correct and was able to successfully connect with ssl turned off. When ssl is enabled, slapd returns this error upon kmail attempting a connection:

    Jun 10 23:54:25 ldap slapd[1062]: <= bdb_equality_candidates: (uid) not indexed
    Jun 10 23:54:25 ldap slapd[1062]: conn=1014 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jun 10 23:54:41 ldap slapd[1062]: conn=1070 fd=16 ACCEPT from IP=10.1.1.34:44598 (IP=0.0.0.0:636)
    Jun 10 23:54:41 ldap slapd[1062]: conn=1070 fd=16 closed (TLS negotiation failure)

which leads me to believe that for some reason kmail isn't setting up a secure ssl connection to it. I also tested to see if the ssl was working on the server by using 'openssl s_client ...' and it worked well.

This is with KMail 1.13.6

Thanks
I did a packet capture and saw that the contents of the packets from kmail were not encrypted. I'd post the capture but it contains my login info (including password).
This bug has only been reported for versions before 4.14, which have been unsupported for at least two years now. Can anyone tell if this bug is still present? If no one confirms this bug for a Framework-based version of kaddressbook (version 5.0 or later, as part of KDE Applications 15.08 or later), it gets closed in about three months.
I don't use kmail anymore, but I remember that I could solve this problem with a dot file. I think that it was .ldaprc with "TLS_REQCERT never" inside it.
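The `~/.ldaprc` workaround mentioned in the comments sets `TLS_REQCERT never`, which per ldap.conf(5) tells libldap not to request or check the server certificate. The following added example (not from the thread or from OpenLDAP; the function names, file paths and sample file contents are constructed) resolves the effective setting across the system file, the per-user file and the `LDAPTLS_REQCERT` environment variable, so a host audit can see which source switched verification off.

```python
# Levels at which libldap ends the session on a bad server certificate,
# per ldap.conf(5); "never" and "allow" let the session proceed.
_ENFORCING = {"try", "demand", "hard"}

def parse_ldap_conf(text):
    """Return {OPTION: value}; option names are case-insensitive, later lines win."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        opts[fields[0].upper()] = fields[1].strip() if len(fields) > 1 else ""
    return opts

def effective_reqcert(layers, env=None):
    """layers: (source_name, file_text) pairs in the order libldap reads them.

    Returns (level, source, enforced): the winning TLS_REQCERT level, where it
    was set, and whether a bad certificate would still abort the connection.
    """
    level, source = "demand", "built-in default"
    for name, text in layers:
        value = parse_ldap_conf(text).get("TLS_REQCERT")
        if value:
            level, source = value.lower(), name
    # Environment variables (LDAP + option name) are read last and override files.
    env_value = (env or {}).get("LDAPTLS_REQCERT")
    if env_value:
        level, source = env_value.lower(), "LDAPTLS_REQCERT"
    return level, source, level in _ENFORCING

# Constructed sample files: a system-wide config that verifies certificates,
# and the one-line per-user override described in the comments above.
SYSTEM_CONF = """\
# /etc/openldap/ldap.conf (constructed)
TLS_CACERT   /etc/ssl/certs/ca-bundle.crt
TLS_REQCERT  demand
"""
USER_RC = "TLS_REQCERT never\n"
LAYERS = [("/etc/openldap/ldap.conf", SYSTEM_CONF), ("~/.ldaprc", USER_RC)]

if __name__ == "__main__":
    print(effective_reqcert(LAYERS))
    print(effective_reqcert(LAYERS[:1], env={"LDAPTLS_REQCERT": "allow"}))
```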
Just as announced in my last comment, I close this bug. If you encounter it again in a recent version (at least 5.0 aka 15.08), please open a new one unless it already exists. Thank you for all your input.