[Bug 223236] New: kmail cannot connect to LDAP over SSL

Andrea Bocci fwyzard at gmail.com
Mon Jan 18 03:23:49 GMT 2010


https://bugs.kde.org/show_bug.cgi?id=223236

           Summary: kmail cannot connect to LDAP over SSL
           Product: kaddressbook
           Version: unspecified
          Platform: Compiled Sources
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: NOR
         Component: ldap search
        AssignedTo: kdepim-bugs at kde.org
        ReportedBy: fwyzard at gmail.com
                CC: tokoe at kde.org


Version:           4.3.90 (using Devel)
OS:                Linux
Installed from:    Compiled sources

I'm trying to connect to an LDAP server over SSL.
The server configuration should be
(https://mmmservices.web.cern.ch/mmmservices/Help/?kbid=022030#Technical_details,
my username is "fwyzard"):

    * Hostname: ldap.cern.ch 
    * Bind DN: cn=fwyzard,ou=users,o=cern,c=ch
    * Base DN: o=cern,c=ch
    * Port Number: 636
    * Use secure connection (SSL) together with 'Simple' authentication

In fact, using ldapsearch from the command line works:

ldapsearch -v -H ldaps://ldap.cern.ch:636 -s sub -b 'o=cern,c=ch' -D
'cn=fwyzard,ou=users,o=cern,c=ch' -x -W '(uid=fwyzard)'

ldap_initialize( ldaps://ldap.cern.ch:636/??base )
Enter LDAP Password:
filter: (uid=fwyzard)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <o=cern,c=ch> with scope subtree
# filter: (uid=fwyzard)
# requesting: ALL
#

# Andrea Bocci, People, cern, ch
dn: CN=Andrea Bocci,OU=People,O=cern,C=ch
cn: Andrea Bocci
...

Looking at the network traffic with Wireshark indeed shows the SSL/TLS
negotiation with the server, and encrypted traffic afterwards.

Then, I've tried to configure an LDAP host in KAddressbook:
    Security: SSL
    Authentication: Simple
    User: <disabled>
    Bind DN: cn=fwyzard,ou=users,o=cern,c=ch
    Realm: <disabled>
    Password: *************
    Host: ldap.cern.ch
    Port: 636
and everything else set to the default values.

Query Server does indeed work (again, Wireshark shows the SSL/TLS negotiation).
I'm not sure what should go in the DN field - I would suppose 'o=cern,c=ch',
but querying the server fills it with
'CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F61D64A2}'. 
Looking into the console output from kaddressbook, I see:
...
kaddressbook(12591)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL
updateQuery(): "ldaps://ldap.cern.ch:636?namingcontexts?base"                  
                                              ...
    kaddressbook(12591)/kdepimlibs (kldap)
KLDAP::LdapConfigWidget::Private::loadData: object: "dn:
namingContexts: CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F61D64A2}
namingContexts: CN=Schema,CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F
 61D64A2}
namingContexts: O=cern,C=ch
"

I guess the dialog is keeping the first row of data, while in this case the
correct thing to do would be to keep the last one.
Anyway, I set the DN field to "o=cern,c=ch", and save the configuration.

Now that I've happily configured the LDAP server in KAddressbook, I try to use
it with KMail. I create a New Message, "Select" the recipients, use "Search
Directory Services", look for "fwyzard" and hit search.

At this point I get a dialog with an error message:

Could not connect to host
ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636CN=Configuration,CN={03CB562D-3C59-4644-A112-52E6F61D64A2}??sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))
Additional info: .

The same error message can also be found in the console output of kmail:

...
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL
updateQuery(): "ldap://ldap.cern.ch:636o=cern,c=ch??base"                       
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL
updateQuery(): "ldap://ldap.cern.ch:636o=cern,c=ch?"                            
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL
updateQuery():
"ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass" 
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL
updateQuery():
"ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub" 
kmail(12606)/kdepimlibs (kldap) KLDAP::LdapUrl::updateQuery: LDAP URL
updateQuery():
"ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))" 
kmail(12606)/libkdepim KPIM::LdapClient::startQuery: LdapClient: Doing query:
"ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))" 
kmail(12606)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote:
Listening on  "local:/tmp/ksocket-fwyzard/kmailJ12606.slave-socket"             
kmail(12606)/kio (Slave) KIO::Slave::createSlave: createSlave "ldap" for
KUrl("ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch?l,Company,co,department,description,mail,facsimileTelephoneNumber,cn,homePhone,mobile,o,pager,postalCode,postalAddress,st,street,title,uid,telephoneNumber,objectClass?sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))") 
kmail(12606)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote:
Listening on  "local:/tmp/ksocket-fwyzard/kmailP12606.slave-socket"             
kmail(12606)/kio (KIOJob) KIO::SlaveInterface::dispatch: error  123  
"ldap://cn%3Dfwyzard%2Cou%3Dusers%2Co%3Dcern%2Cc%3Dch@ldap.cern.ch:636o=cern,c=ch??sub?(&(|(objectclass=person)(objectclass=groupofnames)(mail=*))(|(cn=*fwyzard*)(sn=*fwyzard*)))
Additional info: "                                                              
...

Well, it makes sense it's unable to connect: it's trying to use ldap://, not
ldaps://, and there is at least a missing / after the port number. But maybe
it's just the error message that's messed up?
Looking at the data stream with Wireshark, I only see a stub of SSL negotiation
(very different from the two previous cases)... and looking within the SSL data
I see my password in clear text!
The TCP stream dump contains:
"0....=...`....4.....cn=fwyzard,ou=users,o=cern,c=ch..clear password"

So, not only is this not working, it's also transmitting the password in clear
text!

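The two defects visible in the console output (the DN glued directly onto the port number because the "/" required by RFC 4516 is missing, and the scheme downgraded from ldaps:// to ldap:// so that the simple bind's password leaves the machine unencrypted) can be made concrete with a small strict URL builder and parser plus a transport check. The following is an added example written for this page, not KDE/kldap code: the host, port, DNs and filter are taken from the report, while the handling of the KDE-style "bindDN@host" userinfo prefix and the simple_bind_is_safe() policy are assumptions of the example.

```python
"""Build and strictly parse RFC 4516 LDAP URLs, and refuse a simple bind
that would put a password on a non-TLS connection.

Added example, not KDE code. Assumption: the bindDN@host userinfo prefix
that kldap puts in its URLs is not part of RFC 4516, so it is stripped as
an extension before parsing.
"""
from dataclasses import dataclass
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class LdapTarget:
    host: str
    port: int
    base_dn: str
    use_ssl: bool            # "Security: SSL" in the KAddressBook dialog
    attrs: tuple = ()
    scope: str = ""          # "", "base", "one" or "sub"
    filter: str = ""


def build_ldap_url(t: LdapTarget) -> str:
    """RFC 4516 form: scheme://host:port/dn?attrs?scope?filter.
    The '/' before the DN is mandatory; leaving it out yields exactly the
    '...:636o=cern,c=ch' string seen in the kmail log."""
    scheme = "ldaps" if t.use_ssl else "ldap"
    url = f"{scheme}://{t.host}:{t.port}/{quote(t.base_dn, safe='=,')}"
    parts = [",".join(t.attrs), t.scope, quote(t.filter, safe="()&|=*")]
    while parts and parts[-1] == "":        # drop trailing empty components
        parts.pop()
    if parts:
        url += "?" + "?".join(parts)
    return url


def parse_ldap_url(url: str) -> dict:
    """Strict RFC 4516 parse; raises ValueError on malformed input."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    hostport, slash, tail = rest.partition("/")
    bind_dn = None
    if "@" in hostport:                     # assumed KDE extension: bindDN@host
        raw, hostport = hostport.rsplit("@", 1)
        bind_dn = unquote(raw)
    host, colon, port_s = hostport.partition(":")
    if not colon:
        port = 636 if scheme == "ldaps" else 389
    elif port_s.isdigit():
        port = int(port_s)
    else:
        # Without the '/', the DN (and anything after it) is part of the
        # port string, so "636o=cern,c=ch??base" is rejected here.
        raise ValueError(f"bad host:port {hostport!r}")
    fields = (tail.split("?", 3) + [""] * 4)[:4] if slash else [""] * 4
    dn, attrs, scope, filt = fields
    if scope not in ("", "base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r}")
    return {
        "scheme": scheme, "host": host, "port": port, "bind_dn": bind_dn,
        "dn": unquote(dn),
        "attrs": tuple(a for a in attrs.split(",") if a),
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
    }


def simple_bind_is_safe(url: str, password: str, starttls_done: bool = False) -> bool:
    """A simple bind (RFC 4513) sends the password as-is inside the BindRequest,
    so only allow it when the transport is TLS: ldaps:// or a completed STARTTLS.
    An anonymous bind (empty password) leaks nothing and is always allowed."""
    p = parse_ldap_url(url)
    if not password:
        return True
    return p["scheme"] == "ldaps" or starttls_done


# Values from the report; the attribute list is shortened for the example.
CFG = LdapTarget("ldap.cern.ch", 636, "o=cern,c=ch", use_ssl=True,
                 attrs=("cn", "mail"), scope="sub", filter="(uid=fwyzard)")
BUGGY = "ldap://ldap.cern.ch:636o=cern,c=ch??base"   # copied from the kmail log


def check_url(url: str):
    """Return None if the URL parses, else the parser's error message."""
    try:
        parse_ldap_url(url)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print("correct:", build_ldap_url(CFG))
    print("kmail's:", BUGGY, "->", check_url(BUGGY))
    print("simple bind over ldap:// with a password safe?",
          simple_bind_is_safe("ldap://ldap.cern.ch:389/o=cern,c=ch", "secret"))
```

Running it prints the well-formed ldaps:// URL the dialog settings should produce, the parse error for the string kmail actually built, and False for a password-carrying simple bind over plain ldap://, which is the condition under which the report's Wireshark capture shows the password in clear text.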