Open Bug 378323 Opened 17 years ago Updated 2 years ago

LDAP authentication is not right, Thunderbird always uses anonymous binding

Categories

(MailNews Core :: LDAP Integration, defect)

1.8 Branch
x86
Windows XP
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: stefan.klatt, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Version 2.0.0.0 (20070326) german

Hi,

if I use an LDAP directory for the address book

Server address: cac.is-a-geek.com
Base DN: o=default,dc=kronos,dc=local
Port number: 389
Bind DN: uid=stefan,ou=email_user,o=default,dc=kronos,dc=local

I get the following log from my OpenLDAP server:

fd=17 ACCEPT from IP=192.168.76.199:2321 (IP=0.0.0.0:389)
op=0 BIND dn="" method=128
op=0 RESULT tag=97 err=0 text=
op=1 SRCH base="o=default,dc=kronos,dc=local" scope=2 deref=0 filter="(objectClass=*)"
op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Search filter: (objectclass=*)

That's not right, because Thunderbird uses an anonymous connection and sees only a few ou objects (nentries=5), not more, because I use ACLs on my OpenLDAP server. The user accounts lie one ou deeper and "Subdirectories" is activated.
I activated LDAP in my account and global configuration.

Regards,
Stefan Klatt

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
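The `BIND dn="" method=128` line in the reporter's log is slapd's rendering of the BindRequest's authentication choice: `method=128` is the BER tag 0x80 of the `simple [0]` alternative, and an empty DN with an empty password is an anonymous bind. The following Python, added here as an example and not taken from Thunderbird, OpenLDAP or this bug, hand-encodes and decodes LDAPv3 BindRequest PDUs (RFC 4511 section 4.2) and classifies them per RFC 4513 section 5.1 into anonymous, unauthenticated (DN but empty password) and authenticated binds. The DNs and password are made up; the tag constants are the real BER values.

```python
"""Encode/decode LDAPv3 BindRequest PDUs to show what `BIND dn="" method=128` means.

Added example; hand-rolled BER for this one message type so it runs offline.
DNs and the password below are invented.
"""

# BER tags used by LDAPMessage / BindRequest (RFC 4511).
SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
APP_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80        # [0] simple OCTET STRING: printed as "method=128" by slapd
AUTH_SASL = 0xA3          # [3] SaslCredentials: printed as "method=163"


def _ber_len(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative integer."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # +8 keeps the sign bit clear
    return _tlv(INTEGER, body)


def bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = _ber_int(3) + _tlv(OCTET_STRING, name.encode()) + _tlv(AUTH_SIMPLE, password.encode())
    return _tlv(SEQUENCE, _ber_int(message_id) + _tlv(APP_BIND_REQUEST, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); handles short and long length forms."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def classify_bind(pdu: bytes) -> dict:
    """Decode a BindRequest and name it per RFC 4513 section 5.1.

    anonymous: empty name and empty password; unauthenticated: name but empty
    password (389 DS rejects these with inappropriateAuthentication (48) when
    unauthenticated binds are disabled); authenticated: name and password.
    """
    tag, msg, _ = _read_tlv(pdu, 0)
    assert tag == SEQUENCE, "not an LDAPMessage"
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    assert tag == APP_BIND_REQUEST, "not a BindRequest"
    _, ver, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    method, cred, _ = _read_tlv(bind, pos)
    if method == AUTH_SIMPLE:
        if not name and not cred:
            kind = "anonymous"
        elif name and not cred:
            kind = "unauthenticated"
        elif not name and cred:
            kind = "anonymous-with-credentials"  # implementation-defined; OpenLDAP gates it
        else:
            kind = "authenticated"
    elif method == AUTH_SASL:
        kind = "sasl"
    else:
        kind = "unknown"
    return {"message_id": int.from_bytes(mid, "big"), "version": ver[0],
            "dn": name.decode(), "method": method, "kind": kind}


if __name__ == "__main__":
    # What the reporter's log shows (dn="" method=128) versus what was configured.
    for name, pw in [("", ""), ("uid=stefan,ou=email_user,o=default,dc=kronos,dc=local", ""),
                     ("uid=stefan,ou=email_user,o=default,dc=kronos,dc=local", "hunter2")]:
        pdu = bind_request(1, name, pw)
        print(pdu.hex(), classify_bind(pdu))
```

A capture of the real exchange can be checked the same way: feed the raw bytes of the first client PDU to `classify_bind` and compare the `kind` against what the server logged; the second case above (DN present, empty password) is the one that never counts as authenticated even though a Bind DN was supplied.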
I too have come across this bug. It appears that Thunderbird expects everyone to allow anonymous binds to their LDAP directory. That is not the case at my site.  While Thunderbird will prompt for a password when searching the directory from the address book, it does not provide a means to enter a password so that one can download the offline address book. At least not that I have been able to find...

Lightweight-Directory-Access-Protocol
    LDAPMessage searchRequest(2) "cn=users,dc=xyz,dc=com" wholeSubtree
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: cn=users,dc=xyz,dc=com
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 0
                timeLimit: 0
                typesOnly: False
--
Lightweight-Directory-Access-Protocol
    LDAPMessage searchResDone(2) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece) [0 results]
        messageID: 2
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: operationsError (1)
                matchedDN: 
                errorMessage: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

We use Active Directory for LDAP, and unfortunately it is configured to require authenticated binds to the directory.
(In reply to comment #1)
> I too have come across this bug. It appears that Thunderbird expects everyone
> to allow anonymous binds to their LDAP directory. That is not the case at my
> site.  While Thunderbird will prompt for a password when searching the
> directory from the address book, it does not provide a means to enter a
> password so that one can download the offline address book. At least not that I
> have been able to find...

Downloading the offline address book is bug 316170 which has been fixed for TB 3. I think the original reporter's comment here was about not returning entries due to ACL.
Assignee: mscott → nobody
Component: Address Book → LDAP Integration
Product: Thunderbird → MailNews Core
QA Contact: address-book → ldap-integration
Version: unspecified → 1.8 Branch
I get this from my 389 server (on localhost):

        389-Directory/1.2.2 B2009.254.1548
        bradford.ceplovi.cz:389 (/etc/dirsrv/slapd-bradford)

[08/Oct/2009:11:51:20 +0200] conn=5 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[08/Oct/2009:11:51:20 +0200] conn=5 op=0 BIND dn="cn=Manager,dc=ceplovi,dc=cz" method=128 version=3
[08/Oct/2009:11:51:20 +0200] conn=5 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[08/Oct/2009:11:51:28 +0200] conn=5 op=1 BIND dn="cn=Manager,dc=ceplovi,dc=cz" method=128 version=3
[08/Oct/2009:11:51:28 +0200] conn=5 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[08/Oct/2009:11:51:34 +0200] conn=5 op=3 SRCH base="dc=ceplovi,dc=cz" scope=2 filter="(|(cn=kaa*)(mail=kaa*)(sn=kaa*))" attrs="cn mail"
[08/Oct/2009:11:51:34 +0200] conn=5 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[08/Oct/2009:11:51:35 +0200] conn=5 op=4 SRCH base="dc=ceplovi,dc=cz" scope=2 filter="(|(cn=kasa*)(mail=kasa*)(sn=kasa*))" attrs="cn mail"
[08/Oct/2009:11:51:35 +0200] conn=5 op=4 RESULT err=0 tag=101 nentries=1 etime=1
[08/Oct/2009:11:53:41 +0200] conn=5 op=6 UNBIND
[08/Oct/2009:11:53:41 +0200] conn=5 op=6 fd=64 closed - U1
        389-Directory/1.2.2 B2009.254.1548
        bradford.ceplovi.cz:389 (/etc/dirsrv/slapd-bradford)

[08/Oct/2009:20:35:30 +0200] conn=1 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[08/Oct/2009:20:35:30 +0200] conn=1 op=0 BIND dn="cn=Manager,dc=ceplovi,dc=cz" method=128 version=3
[08/Oct/2009:20:35:30 +0200] conn=1 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[08/Oct/2009:20:35:38 +0200] conn=1 op=1 BIND dn="cn=Manager,dc=ceplovi,dc=cz" method=128 version=3
[08/Oct/2009:20:35:38 +0200] conn=1 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[08/Oct/2009:20:35:48 +0200] conn=1 op=3 UNBIND
[08/Oct/2009:20:35:48 +0200] conn=1 op=3 fd=64 closed - U1

Conclusion: it seems to work, TB autocompletes, but it always asks for the password (maybe that's bug 151447?) and apparently always provides some nonsense.
Flags: wanted1.9.2?
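The reporter's OpenLDAP log and the 389 Directory Server log in comment 3 were both triaged by eye. As an added example (not code from the thread, Thunderbird or either server), the following Python runs that triage over slapd-style access logs: it flags anonymous binds (dn=""), binds that failed (for instance err=48 inappropriateAuthentication, which 389 DS returns when it rejects a simple bind that carries a DN but an empty password) and searches issued on a connection that never bound successfully. OpenLDAP 2.x stats logging and 389 DS access logs share the `conn= op= BIND dn=... method=...` / `RESULT ... err=...` shape, so one set of regexes covers both. The sample lines are constructed for this example: they mirror the thread's logs but add the conn= prefix slapd prints (the first paste in this bug dropped it), and the third connection is an invented successful bind for contrast.

```python
"""Flag anonymous/failed binds and unauthenticated searches in slapd-style access logs.

Added example; the sample log is constructed, modelled on the logs in this bug.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# LDAP resultCode values (RFC 4511 section 4.1.9) that matter when triaging binds.
RESULT_NAMES = {
    0: "success",
    1: "operationsError",            # AD's answer in comment 2 to a search before any bind
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}
# "method=" is the BER tag of the authentication choice: 0x80 simple, 0xA3 SASL.
METHOD_NAMES = {128: "simple", 163: "sasl"}

# One regex set covers OpenLDAP 2.x stats logging and 389 DS access logs.
_BIND = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
_RESULT = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT (?:tag=\d+ )?err=(?P<err>\d+)')
_SRCH = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"')

# Constructed sample (not copied verbatim from the bug).
SAMPLE_LOG = """\
conn=1000 fd=17 ACCEPT from IP=192.168.76.199:2321 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="o=default,dc=kronos,dc=local" scope=2 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
conn=5 op=0 BIND dn="cn=Manager,dc=ceplovi,dc=cz" method=128 version=3
conn=5 op=0 RESULT err=48 tag=97 nentries=0 etime=0
conn=5 op=3 SRCH base="dc=ceplovi,dc=cz" scope=2 filter="(|(cn=kaa*)(mail=kaa*)(sn=kaa*))" attrs="cn mail"
conn=5 op=3 RESULT err=0 tag=101 nentries=0 etime=0
conn=7 op=0 BIND dn="uid=stefan,ou=email_user,o=default,dc=kronos,dc=local" method=128
conn=7 op=0 RESULT tag=97 err=0 text=
conn=7 op=1 SRCH base="o=default,dc=kronos,dc=local" scope=2 deref=0 filter="(mail=s*)"
conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=12 text=
"""


@dataclass
class ConnState:
    pending: dict = field(default_factory=dict)  # op -> (dn, method) awaiting its RESULT
    identity: Optional[str] = None               # None: never bound; "": anonymous; else the DN
    failed_binds: int = 0


def bind_outcome(dn: str, err: int) -> str:
    """Label one simple-bind result the way a triager reads the log."""
    if err != 0:
        return "failed:" + RESULT_NAMES.get(err, f"err{err}")
    return "anonymous" if dn == "" else "authenticated"


def analyze(log_text: str) -> list:
    """Return findings as (conn, op, kind, detail) tuples in log order."""
    conns, findings = {}, []
    for line in log_text.splitlines():
        if m := _BIND.search(line):
            st = conns.setdefault(m["conn"], ConnState())
            st.pending[m["op"]] = (m["dn"], int(m["method"]))
        elif m := _RESULT.search(line):
            st = conns.get(m["conn"])
            if st is None or m["op"] not in st.pending:
                continue  # RESULT of a search or other non-bind op
            dn, method = st.pending.pop(m["op"])
            err = int(m["err"])
            outcome = bind_outcome(dn, err)
            if err == 0:
                st.identity = dn
            else:
                st.failed_binds += 1
            if outcome != "authenticated":
                findings.append((m["conn"], m["op"], "bind:" + outcome,
                                 f'dn="{dn}" method={METHOD_NAMES.get(method, method)}'))
        elif m := _SRCH.search(line):
            st = conns.setdefault(m["conn"], ConnState())
            if not st.identity:  # None (no successful bind yet) or "" (anonymous)
                how = "anonymous" if st.identity == "" else "no successful bind"
                findings.append((m["conn"], m["op"], "search-unauthenticated",
                                 f'base="{m["base"]}" ({how}, failed binds={st.failed_binds})'))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(*f)
```

On a real file, `analyze(open(path).read())` does the same. An ACL-restricted anonymous search like the reporter's appears as `bind:anonymous` followed by `search-unauthenticated` on the same connection; the repeated err=48 in comment 3 appears as `bind:failed:inappropriateAuthentication`, and the search that followed it is reported as running with no successful bind, which is why the ACL-protected entries stay invisible even though a Bind DN was configured.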
(In reply to comment #3)
> Conclusion, it seems to work, TB autocompletes, but it always asks on the
> password (maybe that's bug 151447?)

Yes, that is that bug.
Flags: wanted1.9.2?
Severity: major → normal
Severity: normal → S3