LDAP Frustration

LDAP Frustration

Ilsa Loving
Hi all,

I'm trying to set up Evolution (v3.18.5.2, as installed by Ubuntu
16.04) to pull GAL information from our Active Directory, but it is
unbelievably frustrating.

The biggest problem I have is that you cannot change any settings after
initially creating the Address Book entry!  Any changes are
categorically ignored, forcing me to delete the Address Book entry and
recreate from scratch.  Am I the only one running into this issue?  I
can't believe such a critical bug exists.

After a myriad of attempts trying to get it to work, I'm left with the
impression that LDAP in Evolution is flat out completely broken.
Different settings seem to cause wildly different behaviour.  My most
recent attempt has the following settings.  I kept as much as possible
as default:
Name: unnamed
Birthdays: unchecked (default)
default address book: unchecked (default)
Autocomplete: checked (default)
Copy locally: unchecked (default)
Server: my server
Port: 389  (Nothing else seems to work)
Encryption: StartTLS  

Authentication: DN
Username: my DN

From here, in the Using LDAP tab, the "Find Searchbases" button works
and populates the search base correctly.

Search Scope: Subtree
Search filter: (&(objectClass=user)(mail=*))

When I click Ok and then try to search, I get the expected entry but
then I also get a big red error bar that says LDAP error 0x1
(Operations Error)

The following appears in /var/log/syslog:


org.gnome.evolution.dataserver.AddressBook9[30010]:
(evolution-addressbook-factory-subprocess:18147):
libebookbackend-WARNING **: ldap_search_handler: 01 (Operations error),
additional info: 000004DC: LdapErr: DSID-0C090752, comment: In order to
perform this operation a successful bind must be completed on the
connection., data 0, v2580


I don't understand why this error comes up.  If I leave the filter
blank, I don't get an error but then I get a whackton of unwanted
results.  If I fiddle with other settings, such as "Copy book content
locally", I get no responses at all, nor do I get any error messages.

What I am trying to do can't possibly be that unusual.

The settings I *want* to use are:
Mark as default address book: on
Autocomplete: on
Copy book locally: on
port: Group Catalogue port 3289
Encryption: LDAP over SSL
Scope: Subtree
Search filter: (&(objectClass=user)(mail=*))

But if I try that, I can't even look up the search base.  It says
Failed to Authenticate with LDAP server.  If I enter the base manually
and click Ok, I get no results when I try to search, nor errors.

If I disable SSL but leave the rest of the settings above as is, it can
detect the search base but I *still* get zero results.

At this point I am beyond frustrated and can't understand how such a
fundamental feature could be so fantastically broken.


_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list
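The syslog line in the post carries more than the bare "0x1 (Operations Error)" the UI shows: Active Directory appends its own Win32 error number (000004DC), a comment, and a `data` sub-code, and those fields are what actually explain the failure (a search sent on a connection that never completed a bind). The following is an added example, not Evolution's code and not from anyone in this thread: a small triage parser for that warning format, with the public LDAP result codes (RFC 4511) and the Win32 and `data` sub-codes AD attaches to them. The second sample line is constructed here to show a failed bind, and its DSID value is a placeholder.

```python
"""Triage of AD LDAP errors as logged by evolution-addressbook-factory.

Added example, not Evolution's code. The only input is the warning text
Evolution writes to syslog; the mapping tables are the public LDAP result
codes (RFC 4511) and the Win32 / `data` sub-codes AD attaches to them.
"""
import re
from dataclasses import dataclass
from typing import Optional

# LDAP result codes (RFC 4511) that matter for an address-book lookup.
LDAP_RESULT = {
    0: "success",
    1: "operationsError",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# AD's `data` sub-codes on result 49 (invalidCredentials), in hex as AD prints them.
AD_BIND_DATA = {
    0x525: "user not found",
    0x52E: "wrong password / invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must change password",
    0x775: "account locked out",
}

# Win32 error number AD prefixes to its LdapErr text.
WIN32_ERROR = {
    0x000004DC: "ERROR_NOT_AUTHENTICATED",
    0x80090308: "SEC_E_INVALID_TOKEN",
}

# Evolution's part: "ldap_search_handler: 01 (Operations error), additional info: ..."
_EVO_RE = re.compile(r"ldap_search_handler: (?P<code>[0-9A-Fa-f]+) \((?P<name>[^)]*)\)"
                     r"(?:, additional info: (?P<info>.*))?")
# AD's part: "000004DC: LdapErr: DSID-0C090752, comment: ..., data 0, v2580"
_AD_RE = re.compile(r"(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-[0-9A-Fa-f]+, "
                    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+")


@dataclass
class LdapErrorReport:
    result_code: int
    result_name: str
    win32: Optional[int]
    win32_name: str
    comment: str
    data: Optional[int]
    diagnosis: str


def _diagnose(code, win32, data, comment):
    if code == 1 and (win32 == 0x4DC or "successful bind" in comment):
        return ("search sent on an unbound connection: AD refuses anonymous searches, "
                "so the client never completed a bind with the configured DN")
    if code == 49:
        return "bind rejected: " + AD_BIND_DATA.get(data, "invalid credentials")
    if code == 8:
        return "server demands stronger authentication (signing/sealing or TLS)"
    if code == 50:
        return "bound, but the account lacks read rights on the search base"
    if code == 32:
        return "search base does not exist on this server"
    return f"LDAP result {code} ({LDAP_RESULT.get(code, 'unknown')})"


def parse_ad_ldap_error(line: str) -> Optional[LdapErrorReport]:
    """Parse one Evolution warning line; None if it is not an LDAP search error."""
    m = _EVO_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)      # hex, matching the "0x1" the UI shows
    win32 = data = None
    comment = ""
    ad = _AD_RE.search(m.group("info") or "")
    if ad:
        win32 = int(ad.group("win32"), 16)
        data = int(ad.group("data"), 16)
        comment = ad.group("comment")
    return LdapErrorReport(
        result_code=code,
        result_name=LDAP_RESULT.get(code, m.group("name")),
        win32=win32,
        win32_name=WIN32_ERROR.get(win32, ""),
        comment=comment,
        data=data,
        diagnosis=_diagnose(code, win32, data, comment),
    )


# The syslog line quoted in the post, re-joined onto one line.
SYSLOG_LINE = (
    "org.gnome.evolution.dataserver.AddressBook9[30010]: "
    "(evolution-addressbook-factory-subprocess:18147): libebookbackend-WARNING **: "
    "ldap_search_handler: 01 (Operations error), additional info: 000004DC: LdapErr: "
    "DSID-0C090752, comment: In order to perform this operation a successful bind must "
    "be completed on the connection., data 0, v2580"
)

# Constructed line (not from the thread; DSID is a placeholder) showing a failed bind.
CONSTRUCTED_BIND_FAIL = (
    "libebookbackend-WARNING **: ldap_search_handler: 31 (Invalid credentials), "
    "additional info: 80090308: LdapErr: DSID-00000000, comment: "
    "AcceptSecurityContext error, data 52e, v2580"
)

if __name__ == "__main__":
    for text in (SYSLOG_LINE, CONSTRUCTED_BIND_FAIL):
        r = parse_ad_ldap_error(text)
        print(f"{r.result_name} (0x{r.result_code:x}) {r.win32_name}: {r.diagnosis}")
```

Run against the line from the post it reports `operationsError (0x1) ERROR_NOT_AUTHENTICATED` with the unbound-connection diagnosis; that is a different problem from a wrong password (result 49), which AD reports with a `data` sub-code such as 52e, so the two should not be chased the same way.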

Re: LDAP Frustration

Michael Hirmke
Hi Ilsa,

>Hi all,

>I'm trying to set up Evolution (v3.18.5.2, as installed by Ubuntu
>16.04)  to pull GAL information from our Active Directory, but it is
>unbelievably frustrating.

any reason, why you are using LDAP instead of using the native Exchange
EWS connector and pull the address books as Outlook does?

[...]

>At this point I am beyond frustrated and can't understand how such a
>fundamental feature could be so fantastically broken.

Did you have a look at the windows logs of your domain controller?
You should look in the security log to see if your authentication was
accepted. And perhaps you should switch on LDAP logging to see, what
query exactly was fired against the DC. But be careful with the LDAP log
- it tends to become really big really fast.

Bye.
Michael.
--
Michael Hirmke

Re: LDAP Frustration

Pete Biggs
On Thu, 2016-12-29 at 19:35 +0100, Michael Hirmke wrote:
> Hi Ilsa,
>
> > Hi all,
> > I'm trying to set up Evolution (v3.18.5.2, as installed by Ubuntu
> > 16.04)  to pull GAL information from our Active Directory, but it is
> > unbelievably frustrating.
>
> any reason, why you are using LDAP instead of using the native Exchange
> EWS connector and pull the address books as Outlook does?

I presume it's because the OP is trying to get information from Active
Directory and not from an Exchange server - they are different things.

TBH my experience of using AD as if it's a native LDAP server has never
been very fruitful. It always seems as if MS has tweaked it to make it
incompatible with "standard" LDAP.  But it is a few years since I tried
it.

In the first instance try running Evolution from the command line -
that should give you any error messages. If nothing obvious is shown,
then enable LDAP debugging on the addressbook - details on how to do
that are at:

  https://wiki.gnome.org/Apps/Evolution/Debugging

I suspect the debugging output will contain private information, so it
would be unwise to share it without sanitizing it first - and it will
be big, so please don't send it to this list - if need be upload it to
something like pastebin and send the link here.

P.

Re: LDAP Frustration

Adam Tauno Williams
Quoting Pete Biggs <[hidden email]>:
>> > I'm trying to set up Evolution (v3.18.5.2, as installed by Ubuntu
>> > 16.04)  to pull GAL information from our Active Directory, but it is
>> > unbelievably frustrating.
> I presume it's because the OP is trying to get information from Active
> Directory and not from an Exchange server - they are different things.
> TBH my experience of using AD as if it's a native LDAP server has never
> been very fruitful. It always seems as if MS has tweaked it to make it
> incompatible with "standard" LDAP.  But it is a few years since I tried
> it.

I have done a lot with AD via LDAP.  Their LDAP is pretty good - but it  
is a very complete LDAP configuration with detailed access control  
provisions, including SSF ... very unlike most Open Source LDAP  
installs which generally play fast-n-loose with security [likely  
because setting things up well in OpenLDAP is crazy tedious - and the  
documentation is awful].  One of ADs real advantages is that it says  
this-is-how-it-works-deal-with-it.

Aside: SSF is Security Strength Factor, so what you can do on a  
connection depends NOT ONLY on who you are authenticated as but HOW  
you authenticated and HOW your connection is protected [signed,  
sealed, TLS, etc...].

If you can't start out using the ldapsearch CLI to see what works and  
what doesn't you are going to have a hard time.  Determining that via  
any kind of client is going to be a hair pulling experience.

At least make sure you have Kerberos authentication working.

However, at the end of the day LDAP makes a ***TERRIBLE*** address  
book solution.  Terrible, just terrible.   I spent countless hours  
trying to create a happy LDAP solution, documenting differences in  
schema, clients, etc...  It looks great on paper, but nobody followed  
the rules [*1], so in practice it isn't good for anything other than a  
basic read-only data source.

[*1] And least of all the Open Source community.  LDAP support in most  
Open Source projects is an i-did-not-bother-to-read-the-docs hacked-in  
train wreck.  In defense, to really do LDAP support well a project  
needs to implement a myriad of configuration parameters and  
preferences ...  which most people are going to ignore anyway - then  
proceed to post on the interwebz about how it doesn't work. :(

LDAP is not simple.  It, like XML, is an open ended standard.

If you can use Exchange or a WebDAV (CalDAV/CardDAV) solution you will  
be much better off with that.



Re: LDAP Frustration

Michael Hirmke
In reply to this post by Pete Biggs
Hi,

[...]
>> any reason, why you are using LDAP instead of using the native Exchange
>> EWS connector and pull the address books as Outlook does?

>I presume it's because the OP is trying to get information from Active
>Directory and not from an Exchange server - they are different things.

oops, you're right, of course.
I used Exchange with AD for such a long time, that I couldn't imagine an
AD environment without Exchange.

>TBH my experience of using AD as if it's a native LDAP server has never
>been very fruitful. It always seems as if MS has tweaked it to make it
>incompatible with "standard" LDAP.  But it is a few years since I tried
>it.

In fact it is really easy to get information from AD via LDAP and even
LDAPS (if this port is open) *if* you get the authentication right. You
can't get anything using anonymous access, because by default the guest
account is locked. But if you authenticate using a valid dn with a valid
password everything should work smoothly.

[...]
>P.

Bye.
Michael.
--
Michael Hirmke
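Adam's advice above to start with the ldapsearch CLI, and Michael's point that AD hands nothing to an anonymous client but works once you bind with a valid DN and password, can be turned into a fixed set of probes that prove each layer before any mail client is involved. The following is an added example, not from this thread and not Evolution's or OpenLDAP's code. It assumes OpenLDAP's ldapsearch is installed, uses the Global Catalog's TLS port 3269 for the LDAPS probe, reads the bind password from a file (ldapsearch -y) so it never appears in the process list, and the host, search base, DN and password-file path are placeholders to replace with your own.

```python
"""Staged ldapsearch probes for an AD address-book source.

Added example, not from the thread. Assumes OpenLDAP's ldapsearch is on PATH;
HOST, BASE, BIND_DN and PASSFILE below are placeholders.
"""
import subprocess
from typing import Dict, List, Optional

FILTER = "(&(objectClass=user)(mail=*))"   # the filter used in the thread
ATTRS = ["cn", "mail"]


def ldapsearch_argv(host: str, base: str, mode: str,
                    bind_dn: Optional[str] = None, passfile: Optional[str] = None,
                    filt: str = FILTER, attrs: List[str] = ATTRS) -> List[str]:
    """Build argv for one probe.

    mode: 'anonymous'  plain 389, no bind (AD is expected to refuse the search)
          'starttls'   389 + StartTLS (-ZZ), then simple bind with DN/password
          'ldaps_gc'   LDAPS to the Global Catalog on 3269, simple bind
          'kerberos'   SASL GSSAPI bind on 389 (needs a valid ticket from kinit)
    """
    uri = f"ldaps://{host}:3269" if mode == "ldaps_gc" else f"ldap://{host}:389"
    argv = ["ldapsearch", "-LLL", "-H", uri, "-b", base, "-s", "sub"]
    if mode == "kerberos":
        argv += ["-Y", "GSSAPI"]
    else:
        argv.append("-x")                  # simple bind (or none, for anonymous)
        if mode == "starttls":
            argv.append("-ZZ")             # StartTLS must succeed before the bind
        if mode != "anonymous":
            if not bind_dn or not passfile:
                raise ValueError(f"mode {mode!r} needs bind_dn and passfile")
            argv += ["-D", bind_dn, "-y", passfile]   # password file, not -w
    return argv + [filt] + attrs


def explain_exit(code: int) -> str:
    """ldapsearch exits with the LDAP result code; -1 (255 to the shell) means no connection."""
    return {
        0: "ok",
        1: "operationsError: search refused without a completed bind",
        49: "invalidCredentials: DN or password rejected",
        50: "insufficientAccessRights: bound, but no read rights on the base",
        255: "could not contact the server (check host, port, TLS trust)",
    }.get(code, f"LDAP result {code}")


def probe_plan(host: str, base: str, bind_dn: str, passfile: str) -> Dict[str, List[str]]:
    """Ordered probes: prove each layer works before blaming the mail client."""
    return {
        "anonymous": ldapsearch_argv(host, base, "anonymous"),
        "starttls":  ldapsearch_argv(host, base, "starttls", bind_dn, passfile),
        "ldaps_gc":  ldapsearch_argv(host, base, "ldaps_gc", bind_dn, passfile),
        "kerberos":  ldapsearch_argv(host, base, "kerberos"),
    }


def run_probe(argv: List[str]) -> int:
    """Run one probe, print its verdict, return the exit status."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    print(f"  {' '.join(argv[:4])} ... -> {proc.returncode}: {explain_exit(proc.returncode)}")
    if proc.stderr.strip():
        print("   ", proc.stderr.strip().splitlines()[-1])   # last line carries the LDAP text
    return proc.returncode


if __name__ == "__main__":
    HOST, BASE = "dc.example.internal", "DC=example,DC=internal"               # placeholders
    BIND_DN = "CN=addressbook-reader,CN=Users,DC=example,DC=internal"          # placeholder
    PASSFILE = "/run/user/1000/ldap.pw"                                         # placeholder
    for label, argv in probe_plan(HOST, BASE, BIND_DN, PASSFILE).items():
        print(label)
        run_probe(argv)
```

Run the anonymous probe first: on a default AD it should come back with exit status 1, the same operationsError the original post saw, which confirms the server simply will not search for an unbound client. A StartTLS probe that returns entries then proves the DN, password, search base and filter together, and only after that is a client-side setting worth suspecting.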