directory-users mailing list archives

From Matthew Broadhead <matthew.broadh...@nbmlaw.co.uk>
Subject Re: apache DS + thunderbird : issue with TLS, while clear is functional
Date Mon, 06 Nov 2017 18:25:52 GMT
Hi, I haven't read the entire thread but are you trying to get 
autocomplete to work with ldap on thunderbird?  I am using a letsencrypt 
certificate on apache ds without problem.  Did you do preferences -> 
composition -> addressing -> directory server in thunderbird?

On 06/11/2017 19:19, Serge Pouliquen wrote:
> Hi,
>
> I reply on my own message.
>
> I made additional tests.
> I generated a new certificate for a server called 'testldap' and placed an 
> exception in thunderbird in order to have it valid in thunderbird.
>
> steps to reproduce : start computer, start thunderbird, open compose 
> window, type some letters in recipient field in order to auto-complete 
> with ldap search
>
> test1 : testldap is set to 127.0.0.1 (in /etc/hosts)
>  -> result is no auto complete on the first request (after stop start 
> thunderbird, ldap auto-complete is fine)
>
> test2 : testldap is set (in /etc/hosts) to isp router and isp router 
> is set to redirect port to the computer
>  -> result is auto complete is functional on the first request (and 
> future ones)
> I identified that auto complete takes much longer to display proposed 
> addresses
>
> My apache ds instance is requested with localhost and the filesystem for 
> apache ds is a ramdisk. So it's really fast, almost instantly.
>
> I don't really believe that a bug report like that will be processed 
> by thunderbird developers.
> Do you have any idea to improve my bug report?
>
> Is there an option for slowing or delaying apache ds?
> Ideally only the first request from a client.
> Do you think it is possible to do something like that with an interceptor?
> (http://directory.apache.org/apacheds/advanced-ug/6-implementing-interceptor.html) 
>
>
> I still find that strange.
> Regards,
> Serge
>
>
> On 06/11/17 00:20, Serge Pouliquen wrote:
>> Hi,
>>
>> When trying with thunderbird log, I noticed that the first 
>> auto-complete request was producing logs on apache ds (with 
>> -Djavax.net.debug=all) and not the later ones.
>> I suspected my certificate (generated by me with my own CA). I tried 
>> a certificate generated with the tutorial from apache ds website. It 
>> looks like auto-complete is more frequent.
>> http://directory.apache.org/apacheds/basic-ug/3.3-enabling-ssl.html#in-case-you-want-to-use-an-external-keystore
>>
>>
>> With the certificate generated according to apache ds website, I can 
>> stop/start thunderbird and apacheds in almost any order, it will still 
>> autocomplete once auto-complete has succeeded. The only way I found to 
>> get the issue back is to restart the computer or restart apache ds while 
>> thunderbird is still running (thunderbird restart will restore auto 
>> complete back). It looks like a cache is cleaned on restart (amazing 
>> question to find which one...) or ldap connections are not initialized 
>> again on failed status (maybe a feature).
>>
>>
>> I still don't know what the root cause is but it looks related 
>> to or interfered with by data in the certificate.
>> The first request may ask for some resource, not provided in time. So 
>> the current request is considered timed out, connection is considered 
>> failed. But the resources are loaded.
>> Future requests may fail if based on the failed connection (that may 
>> be the reason why I wasn't seeing any traffic on the network) or 
>> succeed if a new connection is initialized (with resources in a cache). I 
>> don't know how I can check the above.
>> In thunderbird, the address book window and auto-complete may not be 
>> processing requests the same way.
>>
>> Below, there are some logs (I didn't notice any issue, but I may be 
>> wrong)
>>
>> Is someone using a certificate made by a similar command (apache ds 
>> tutorial) with thunderbird without issue?
>>
>> Is it possible that localhost is so fast that it produces errors 
>> that are not visible in the real network world?
>>
>> Thanks for the previous suggestions, it helps me to move a bit forward,
>>
>> Serge
>>
>>
>>
>> On 05/11/17 00:02, Emmanuel Lécharny wrote:
>>> On 04/11/2017 at 19:57, Jason wrote:
>>>> If you are using the auto generated self signed certificates try a version
>>>> 1.7 jvm or generate your own certs. I think the DS self-signed certs are not
>>>> created correctly in a 1.8 Jvm due to changes in supported crypto
>>>> algorithms.
>>> You can change the self-signed certificate. It's provided for
>>> convenience only.
>>>
>>> We may generate a new one for Java 8 in a later release.
>>>
>>
>

