LDAP authentication is not right, Thunderbird uses anonymous binding every time

UNCONFIRMED
Unassigned

Status

MailNews Core
LDAP Integration
--
major
UNCONFIRMED
11 years ago
8 years ago

People

(Reporter: Stefan Klatt, Unassigned)

Tracking

1.8 Branch
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Version 2.0.0.0 (20070326) german

Hi,

If I use an LDAP directory for the address book

Server address: cac.is-a-geek.com
Base DN: o=default,dc=kronos,dc=local
Port number: 389
Bind DN: uid=stefan,ou=email_user,o=default,dc=kronos,dc=local

I get the following log from my OpenLDAP server:

fd=17 ACCEPT from IP=192.168.76.199:2321 (IP=0.0.0.0:389)
op=0 BIND dn="" method=128
op=0 RESULT tag=97 err=0 text=
op=1 SRCH base="o=default,dc=kronos,dc=local" scope=2 deref=0 filter="(objectClass=*)"
op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Searchfilter: (objectclass=*)

That's not right, because Thunderbird uses an anonymous connection and it sees only a few ou objects (nentries=5), no more, because I use ACLs on my OpenLDAP server. The user accounts lie one ou deeper and "Unterverzeichnisse" (subdirectories) is activated.
I activated LDAP in my account and in the global configuration.

Regards,
Stefan Klatt

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Comment 1

10 years ago
I too have come across this bug. It appears that Thunderbird expects everyone to allow anonymous binds to their LDAP directory. That is not the case at my site.  While Thunderbird will prompt for a password when searching the directory from the address book, it does not provide a means to enter a password so that one can download the offline address book. At least not that I have been able to find...

Lightweight-Directory-Access-Protocol
    LDAPMessage searchRequest(2) "cn=users,dc=xyz,dc=com" wholeSubtree
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: cn=users,dc=xyz,dc=com
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 0
                timeLimit: 0
                typesOnly: False
--
Lightweight-Directory-Access-Protocol
    LDAPMessage searchResDone(2) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece) [0 results]
        messageID: 2
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: operationsError (1)
                matchedDN: 
                errorMessage: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

We use Active Directory for LDAP, and unfortunately it is configured to require authenticated binds to the directory.
Comment 2

(In reply to comment #1)
> I too have come across this bug. It appears that Thunderbird expects everyone
> to allow anonymous binds to their LDAP directory. That is not the case at my
> site.  While Thunderbird will prompt for a password when searching the
> directory from the address book, it does not provide a means to enter a
> password so that one can download the offline address book. At least not that I
> have been able to find...

Downloading the offline address book is bug 316170 which has been fixed for TB 3. I think the original reporter's comment here was about not returning entries due to ACL.

Updated

10 years ago
Assignee: mscott → nobody

Updated

9 years ago
Component: Address Book → LDAP Integration
Product: Thunderbird → MailNews Core
QA Contact: address-book → ldap-integration
Version: unspecified → 1.8 Branch

Comment 3

9 years ago
I get this from my 389 server (on localhost):

        389-Directory/1.2.2 B2009.254.1548
        bradford.ceplovi.cz:389 (/etc/dirsrv/slapd-bradford)

[08/Oct/2009:11:51:20 +0200] conn=5 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[08/Oct/2009:11:51:20 +0200] conn=5 op=0 BIND dn="cn=Manager,dc=ceplovi,dc=cz" method=128 version=3
[08/Oct/2009:11:51:20 +0200] conn=5 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[08/Oct/2009:11:51:28 +0200] conn=5 op=1 BIND dn="cn=Manager,dc=ceplovi,dc=cz" method=128 version=3
[08/Oct/2009:11:51:28 +0200] conn=5 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[08/Oct/2009:11:51:34 +0200] conn=5 op=3 SRCH base="dc=ceplovi,dc=cz" scope=2 filter="(|(cn=kaa*)(mail=kaa*)(sn=kaa*))" attrs="cn mail"
[08/Oct/2009:11:51:34 +0200] conn=5 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[08/Oct/2009:11:51:35 +0200] conn=5 op=4 SRCH base="dc=ceplovi,dc=cz" scope=2 filter="(|(cn=kasa*)(mail=kasa*)(sn=kasa*))" attrs="cn mail"
[08/Oct/2009:11:51:35 +0200] conn=5 op=4 RESULT err=0 tag=101 nentries=1 etime=1
[08/Oct/2009:11:53:41 +0200] conn=5 op=6 UNBIND
[08/Oct/2009:11:53:41 +0200] conn=5 op=6 fd=64 closed - U1
        389-Directory/1.2.2 B2009.254.1548
        bradford.ceplovi.cz:389 (/etc/dirsrv/slapd-bradford)

[08/Oct/2009:20:35:30 +0200] conn=1 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[08/Oct/2009:20:35:30 +0200] conn=1 op=0 BIND dn="cn=Manager,dc=ceplovi,dc=cz" method=128 version=3
[08/Oct/2009:20:35:30 +0200] conn=1 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[08/Oct/2009:20:35:38 +0200] conn=1 op=1 BIND dn="cn=Manager,dc=ceplovi,dc=cz" method=128 version=3
[08/Oct/2009:20:35:38 +0200] conn=1 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[08/Oct/2009:20:35:48 +0200] conn=1 op=3 UNBIND
[08/Oct/2009:20:35:48 +0200] conn=1 op=3 fd=64 closed - U1

Conclusion: it seems to work, TB autocompletes, but it always asks for the password (maybe that's bug 151447?) and apparently always provides some nonsense.
Flags: wanted1.9.2?
Comment 4

(In reply to comment #3)
> Conclusion, it seems to work, TB autocompletes, but it always asks on the
> password (maybe that's bug 151447?)

Yes, that is that bug.
Flags: wanted1.9.2?