flathub / org.gnome.Evolution

https://flathub.org/apps/details/org.gnome.Evolution

Cannot connect to LDAP anymore #28

Open fansari opened 4 years ago

fansari commented 4 years ago

After updating my system to Fedora Silverblue 32 I cannot connect to my LDAP server anymore.

I removed ~/.var/app/org.gnome.Evolution to start from scratch but this also did not help.

1. When I add an addressbook I cannot remove it anymore. I always get the error message: "The name is not activatable".

2. When I click on "Find possible Search Bases" I get an error message (see screenshot) and when I check the logs from my LDAP server I see that the dn is missing. Since anonymous access is not allowed this fails (I am not sure whether this search worked before, I only used this here for debugging).

5e922250 slap_listener_activate(6): 
5e922250 >>> slap_listener(ldap:///)
5e922250 connection_get(12): got connid=1062
5e922250 connection_read(12): checking for input on id=1062
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
5e922250 op tag 0x60, time 1586635344
ber_get_next
5e922250 conn=1062 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
5e922250 >>> dnPrettyNormal: <>
5e922250 <<< dnPrettyNormal: <>, <>
5e922250 do_bind: version=3 dn="" method=128
5e922250 send_ldap_result: conn=1062 op=0 p=3
5e922250 send_ldap_response: msgid=1 tag=97 err=48
ber_flush2: 39 bytes to sd 12
5e922250 do_bind: v3 anonymous bind
5e922250 connection_get(12): got connid=1062
5e922250 connection_read(12): checking for input on id=1062
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
5e922250 op tag 0x42, time 1586635344
ber_get_next
5e922250 ber_get_next on fd 12 failed errno=0 (Success)
5e922250 conn=1062 op=1 do_unbind
5e922250 connection_close: conn=1062 sd=12

3. When I click on "OK" I again get the message "The name is not activatable".

4. The address book does not work. If I search something nothing is found. Also I don't see any activities in the LDAP logs.

I use version 3.36.1. Before the upgrade everything was working. When I do an LDAP request on the command line with ldapsearch it is also working as before.

fansari commented 4 years ago

Screenshot from 2020-04-11 22-03-07 Screenshot from 2020-04-11 22-08-26

fansari commented 4 years ago

I have now uninstalled the org.gnome.Evolution flathub version and installed the rpm package instead (evolution-3.36.1-1.fc32.x86_64).

  1. I am able to remove the address book after adding it.

  2. Here I also get this error message when clicking on "Find Possible Search Base".

  3. When I click on "OK" there is no error.

  4. The LDAP address book is working.

So it seems to be some issue with the flathub version.

Sesivany commented 4 years ago

Can you please run in LDAP debug mode and see what you get?

LDAP_DEBUG=1 flatpak run org.gnome.Evolution

fansari commented 4 years ago

There is not much output even when I try to work with the address book:

[fansari@bat ~]$ LDAP_DEBUG=1 flatpak run org.gnome.Evolution
gpg-agent[7]: error binding socket to '/home/fansari/.gnupg/S.gpg-agent': No such file or directory

(evolution.bin:34): e-mail-engine-WARNING **: 19:50:57.510: Failed to add service 'Sendmail' (sendmail): No provider available for protocol “sendmail”

(evolution-alarm-notify:40): GLib-GIO-WARNING **: 19:50:57.701: Your application did not unregister from D-Bus before destruction. Consider using g_application_run().

(evolution-source-registry:14): GLib-GObject-WARNING **: 19:50:57.867: invalid unclassed pointer in cast to 'GTask'

(evolution-source-registry:14): GLib-GIO-CRITICAL **: 19:50:57.868: g_task_get_task_data: assertion 'G_IS_TASK (task)' failed

fansari commented 4 years ago

The issue is not only with the LDAP. I was not able to edit my mail account. Here I also get the error message: "The name is not activatable".

I will uninstall your software and install the rpm package. Something goes completely wrong on Fedora 32 Silverblue with this version.

fansari commented 4 years ago

After deleting and adding a new account when I click "Apply" this appears:

Screenshot from 2020-04-21 20-11-05

fansari commented 4 years ago

Today I again uninstalled the rpm package and reinstalled the flatpak version. Now it is working. I can edit the account preferences and the address book LDAP. Also the LDAP is working. I have no idea what might have changed.

fansari commented 4 years ago

Now with version 3.36.2 LDAP again is not working. I have again uninstalled it and replaced it with the rpm version which is working fine.

Screenshot from 2020-05-16 13-30-20

Sesivany commented 4 years ago

May I ask which version was the last working for you? 3.36.1? With 3.36.2 I also bumped the version of openldap to 2.4.50. I may just downgrade the component and stick with it.

Sesivany commented 4 years ago

Fedora is pretty much the reference platform for my colleague who works on Evolution and it has openldap 2.4.47, so it may make sense to stick with that. BTW we also have an Evolution flatpak built from Fedora RPMs, that's another option if it works for you. I think the Fedora flatpak repo is enabled by default in Silverblue.

fansari commented 4 years ago

Version 3.36.1 at first did not work with LDAP after updating to Fedora 32.

I had opened this bug at Fedora:

https://bugzilla.redhat.com/show_bug.cgi?id=1823124

As it turned out this was some bug in libsecret in the Gnome 3.36 runtime.

https://gitlab.gnome.org/GNOME/libsecret/-/merge_requests/52

After this was fixed LDAP worked, but only "unencrypted" without "StartTLS".

Then with 3.36.2 it did not work again and I changed back to the rpm version.

If I use the rpm version instead (as far as I remember this is not default, you have to install it as "overlay") the LDAP is working, also with StartTLS.

I will use the rpm version at least as long as this is not fixed. If you say the flatpak version works for you I have no idea what the difference might be.

fansari commented 3 years ago

After upgrading to Fedora 33 Silverblue I made another LDAP test with the flathub version: it still does not work.

This command shows nothing about LDAP.

LDAP_DEBUG=1 flatpak run org.gnome.Evolution

I tried both to use encryption "StartTLS" and "None". With "StartTLS" the database is not reachable at all. There is an error message "TLS not available".

The test with no encryption also fails. There is an error message "The query did not complete successfully. LDAP error 0x20 (No such object)".

As before only the rpm based version works with LDAP.

Screenshot from 2020-10-24 17-16-00 Screenshot from 2020-10-25 18-45-12 Screenshot from 2020-10-25 18-44-11

fansari commented 3 years ago

Here are some logs of the ldap container. With the flatpak installation it is not working. The rpm installation is working with the ldap and finds a matching record.

ldap-flatpak.log ldap-rpm.log

fansari commented 3 years ago

I tried again to reinstall it. This time I removed the addressbook "Contacts" and recreated it.

Now LDAP is working - but only when I use it without encryption. The TLS error still remains.

Sesivany commented 3 years ago

I see that in Fedora openldap we have quite a lot of build options which we don't use in the manifest: https://src.fedoraproject.org/rpms/openldap/blob/master/f/openldap.spec#_144 It may be worth trying to build openldap with those and see if it helps with your problem.

Sesivany commented 3 years ago

We have just tried to connect TLS LDAP and it worked for us. Can you check your settings for TLS port and TLS auth?

fansari commented 3 years ago

What I am doing is to change from encryption "none" to "StartTLS". This means all settings must be ok since it works without TLS. Also it works with the rpm package even with TLS.

I tried with "ldapsearch -ZZ" from a container to force TLS. Here I noticed that I either have to use "LDAPTLS_REQCERT=never" or to copy my self-signed CA certificate into /etc/pki/ca-trust/source/anchors and run "update-ca-trust". This was a clue since I never faced this problem on my host because there the import was done after setting up the ldap container.

As far as I understood flatpaks are also some kind of environment like containers - maybe for this reason they don't know about my certificate (which is imported on my host). For this reason the next try was to import it into "Certificates -> Authorities". I was asked to set up a new password (no idea why) and then I imported it. Unfortunately even after restart of Evolution this changed nothing.

I am not even sure that the self-signed certificate is the reason since this error "TLS not available" is not very specific.

Sesivany commented 3 years ago

Can you please try killing all evolution processes that are in /app (ps ax | grep evolution and kill those running in /app) and then running LDAP_DEBUG=1 flatpak run org.gnome.Evolution?

It should give you info about what the backend is doing.

fansari commented 3 years ago

[fansari@bat ~]$ LDAP_DEBUG=1 flatpak run org.gnome.Evolution

gpg-agent[7]: error binding socket to '/home/fansari/.gnupg/S.gpg-agent': No such file or directory

(evolution.bin:52): e-mail-engine-WARNING **: 17:44:18.496: Failed to add service 'Sendmail' (sendmail): No provider available for protocol “sendmail”
book_backend_ldap_open ... 
simple auth as cn=proxyuser,dc=localdomain
e_book_backend_ldap_connect ... 
e-book-backend-ldap-Message: 17:44:18.884: TLS not available (fatal version), (ldap_error 0xfffffff5)

This "TLS not available" message is what I also get from the GUI. But I have no idea what causes this and how to fix it.
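
Added example (not part of the thread, and not Evolution or OpenLDAP code): a small Python decoder for the numeric codes quoted in this issue, namely the `err=48` in the slapd log from the first comment, the GUI's `0x20`, and the `ldap_error 0xfffffff5` in the debug output above. It separates result codes sent by the server from negative codes raised inside the client library; the tables are a subset taken from RFC 4511 and OpenLDAP's `ldap.h`, and the function names are illustrative.

```python
import re

# Result codes sent by the server (RFC 4511); subset relevant to this thread.
SERVER_RESULTS = {0: "success", 32: "noSuchObject",
                  48: "inappropriateAuthentication", 49: "invalidCredentials"}
# Negative codes are raised inside the OpenLDAP client library (ldap.h)
# and never travel over the wire; subset only.
CLIENT_ERRORS = {-1: "LDAP_SERVER_DOWN", -5: "LDAP_TIMEOUT",
                 -11: "LDAP_CONNECT_ERROR", -12: "LDAP_NOT_SUPPORTED"}

BIND_RE = re.compile(r'do_bind: version=(\d+) dn="([^"]*)" method=(\d+)')
RESP_RE = re.compile(r'send_ldap_response: msgid=\d+ tag=(\d+) err=(\d+)')

# Three lines copied from the slapd log in the first comment of the issue.
SAMPLE = '''5e922250 do_bind: version=3 dn="" method=128
5e922250 send_ldap_result: conn=1062 op=0 p=3
5e922250 send_ldap_response: msgid=1 tag=97 err=48'''

def decode_ldap_error(raw):
    """Return (origin, name) for a code printed as decimal or unsigned hex."""
    value = int(raw, 0) & 0xFFFFFFFF
    if value >= 0x80000000:          # two's complement: 0xfffffff5 -> -11
        value -= 1 << 32
    if value < 0:
        return "client", CLIENT_ERRORS.get(value, f"unknown({value})")
    return "server", SERVER_RESULTS.get(value, f"unknown({value})")

def rejected_anonymous_binds(log_text):
    """Names of non-success results for simple binds that carried an empty DN."""
    findings, pending = [], None
    for line in log_text.splitlines():
        bind = BIND_RE.search(line)
        if bind:
            pending = (bind.group(2), int(bind.group(3)))
            continue
        resp = RESP_RE.search(line)
        if resp and pending is not None:
            tag, err = int(resp.group(1)), resp.group(2)
            # tag 97 (0x61) is a BindResponse; method 128 (0x80) is simple auth
            if tag == 97 and pending == ("", 128) and err != "0":
                findings.append(decode_ldap_error(err)[1])
            pending = None
    return findings

if __name__ == "__main__":
    print(rejected_anonymous_binds(SAMPLE))
    for code in ("0x20", "0xfffffff5"):
        print(code, decode_ldap_error(code))
```

A `client` origin means the code was generated inside libldap rather than sent by the server, so the slapd log has no matching `err=` value for it.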

Sesivany commented 3 years ago

The message comes from openldap. Hard to say what it could actually mean in this case, we're not really familiar with the codebase of openldap and we can't reproduce it with our testing instances of LDAP server. We only got a similar error when we were using non-TLS port. All we can suggest is to try different combinations of encryption and ports in the address book properties.

fansari commented 3 years ago

Unfortunately this is not the only issue with the flatpak version. Also I noticed that when I have opened Evolution and close it and then later reopen it I only get a "turning wheel" and the GUI does not open.

I again installed the rpm version which behaves more stable and I don't have all these issues.

I was under the impression that the idea of flatpak is to bring more stability but what I experience with Evolution is just the opposite.