Bugzilla – Bug 246397
Configuration of LDAP Browser not possible with YaST
Last modified: 2007-06-04 13:49:50 UTC
After installing openldap, configuration of the LDAP server is possible, yet LDAP browser configuration fails with "unsupported extended operation".
Please attach y2logs. If you are in doubt, follow: http://en.opensuse.org/Bugs/YaST Thanks!
Created attachment 121447: YaST logs as requested
It took me a while, as I reinstalled completely. This is now alpha1plus and still unchanged.
Which "browser configuration" do you have in mind? Is there something in the ldap-server module? Or do you mean the stand-alone yast2 ldap_browser? A screenshot could help. BTW the error looks like you have required TLS but it is not configured on the server.
Created attachment 122034: Setting up ldap with YaST
Created attachment 122035: Connecting to ldap with YaST LDAP browser
Created attachment 122036: Setting up ldap client with YaST LDAP client
You actually had the right notion about TLS, which I inadvertently set in the YaST ldap client. So the "Bug" lies not really in the YaST ldap browser, but rather in the cryptic error message. Thank you for putting me right.
Well, we've been solving the problem with the cryptic error message already, I don't know if Ralf wants to comment on this...
(In reply to comment #7)
> Well, we've been solving the problem with cryptic error message already, I
> don't know if Ralf wants to comment on this...
I am not sure what you are talking about. In the Browser, we should probably offer the user to "downgrade" to an unprotected connection if StartTLS failed. (Asking him if he wants to do so, of course)
> I am not sure what you are talking about.
I mean that "unsupported extended operation" doesn't really explain to the user where the problem is. I think we had such a discussion already.
(In reply to comment #9)
> I mean that "unsupported extended operation" doesn't really explain to user,
> where is the problem. I think we have such discussion already.
I don't remember that. That doesn't mean of course that we did not have such a discussion :). This error message is what you get from the server, and compared to other vendors' servers this is already quite meaningful ;). To make something useful for the user out of such an error message (or error code) is IMO a task of the client application, as only that really knows (hopefully) in what context these error messages are to be interpreted. That said, yast2 should probably display something like "Could not set up a TLS connection with the LDAP Server. Do you want to re-try without TLS/SSL encryption?" (With the [x] Show Details checkbox allowing to see the Server Error, as it is currently already)
I'll try.
Created attachment 122054: Screenshot of error message in SMB setup
Something similar to this would be helpful for the reported situation.
OK, so I'll try to show different popup when I detect an error while setting up TLS in ldap agent. What about something like this: "Connection to the LDAP server cannot be established. Possible problem of failed connection is that you have your client configured for TLS/SSL which is not supported by server. Connect again, without TLS/SSL?" (The first sentence is actually the same as the one in normal failure, see comment #5.) Rebecca, could you check?
So you're just appending the other stuff? "A possible cause of the failed connection may be that your client is configured for TLS/SSL but the server does not support it. Retry connection without TLS/SSL?" But to make sure I am clear here: the error is not _definitely_ the TLS/SSL issue, correct? We are just pretty sure it is so we'll take another shot without it? We are also just guessing that the server doesn't support it, right?
Well, yes and no. I could show this only when the internal routine responsible for starting the TLS connection fails, which would indicate that it's exactly this error. But there may also be other issues (like wrong server name etc.) _in addition to this one_ wrong.
Implemented in yast2-ldap-2.15.1 and yast2-ldap-client-2.15.5.
After a complete reinstall and update to openSuSE 10.3 alpha 2 plus I ran into the same problem again; it appears that the default settings for TLS do not match in the LDAP server and LDAP client setup. LDAP Server is set to TLS=NO by default, while LDAP Client has TLS checked by default. This should be changed to avoid confusion.
LDAP Client default is based on /etc/ldap.conf settings. (The fixed part in comment 16 is a new kind of popup in case of TLS problems.)
Would it be possible to do a connection test from yast2-ldap-client before writing the config (e.g. by performing a search for the Root-DSE and, if that fails with "unsupported extended operation", try again without TLS, inform the user about that and switch off TLS)? That would probably be the best fix from a user point-of-view. I can't really fix this in the ldap-server module. To enable TLS, the CA-Management Module has to be run beforehand to create the common server certificate. (And then still the user can decide to switch off TLS for the LDAP Server.) Changing /etc/ldap.conf from yast2-ldap-server is IMO not really an option as well, as /etc/ldap.conf does not necessarily need to point to the local LDAP Server. The connection test would BTW also solve the problem if the LDAP Server is not on localhost.
Well, I gave it to you not because of ldap-server, but because of that default (comment #17). Don't you think the default value in /etc/ldap.conf should be different?
(In reply to comment #20)
> Well, I gave it to you not because of ldap-server, but because of that default
> (comment #17).
Ok, so I misunderstood that.
> Don't you think the default value in /etc/ldap.conf should be
> different?
Hm, I think trying with SSL enabled first is a good choice. If just for security reasons.
"Hm, I think trying with SSL enabled first is a good choice. If just for security reasons." We are talking client here; you will have to follow the security of the server anyway. As LDAP setup during installation suggests "127.0.0.1" as server, you would probably agree that it is some form of overkill to enforce SSL here. In addition I suggest adding a setup procedure for the LDAP server to the installation process, so you can fix everything while you are at it and don't have to dig back into matters later. I.e. if 127.0.0.1 is left as server, this could trigger the process for setting up the local LDAP server (with or without SSL).
Hm, maybe we can add some checks for the case of server on 127.0.0.1 set up during installation.
Still there after clean install from alpha4 DVD; I was under the impression that Comment #10 had been implemented already?
Not from comment 10, but from comment 13/14. There really isn't such "Retry connection without TLS/SSL?" question? Please attach log files if there is no such message.
OK, you had me searching quite some time here :-) Do the following: Start YaST, then select Network Services.
1. Select LDAP Browser, enter the LDAP Password, now you get your neat new message and another try without TLS/SSL
2. Select LDAP Client and just press "Fetch DN", now you get your plain old error message :-(
3. Select "Security and Users" from YaST, then "User Management" or "Group Management", then select "LDAP User and Group Configuration" from "LDAP Options...", again you get your plain, old error message :-(
I think fixing should take place where the Error is generated, rather than in just one component (LDAP Browser) making use of it.
Hmm... right.
Fixed in yast2-ldap-client-2.15.8 and yast2-users-2.15.27. Note: when you allow an unencrypted connection even though you have the encrypted one set, it will not be saved; it will work just for the one allowed instance. This is by intention, the user should change the settings in the ldap-client configuration (even clicking "Fetch DN" and going through our new popup won't change the checkbox automatically).
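The connection test proposed in comment 19 (Root DSE search with StartTLS first, fallback only on "unsupported extended operation") combined with the non-persistent, user-confirmed downgrade described in the fix above, as an added example that is not YaST or openSUSE code. FakeServer, ClientConfig and connect_and_probe are constructed stand-ins for a real LDAP client and slapd, and the protocolError(2) result code accompanying the server text is an assumption.

```python
from dataclasses import dataclass

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended-operation OID (RFC 4511)
UNSUPPORTED_EXTOP = "unsupported extended operation"  # server text quoted in the bug

class LdapError(Exception):
    def __init__(self, code, text):
        super().__init__(f"{code}: {text}")
        self.code, self.text = code, text

@dataclass
class FakeServer:
    """Constructed stand-in for slapd, not a real LDAP client or server."""
    tls_enabled: bool = False
    reachable: bool = True

    def extended(self, oid):
        self.search_root_dse()  # reachability check before the extop
        if oid == STARTTLS_OID and not self.tls_enabled:
            # OpenLDAP reports this text with protocolError(2); the code is assumed
            raise LdapError(2, UNSUPPORTED_EXTOP)

    def search_root_dse(self):
        if not self.reachable:
            raise LdapError(-1, "Can't contact LDAP server")
        return {"namingContexts": ["dc=example,dc=com"]}  # constructed sample

@dataclass
class ClientConfig:
    tls: bool = True  # the /etc/ldap.conf default the thread argues about

def connect_and_probe(server, cfg, confirm_plain):
    """Probe the Root DSE; returns (root_dse, used_tls). confirm_plain(msg) -> bool."""
    if cfg.tls:
        try:
            server.extended(STARTTLS_OID)
            return server.search_root_dse(), True
        except LdapError as err:
            if err.text != UNSUPPORTED_EXTOP:
                raise  # unreachable host, bad credentials etc.: not a TLS problem
            msg = ("Connection to the LDAP server cannot be established.\n"
                   "A possible cause is that your client is configured for "
                   "TLS/SSL but the server does not support it.\n"
                   f"Server error: {err}\nRetry connection without TLS/SSL?")
            if not confirm_plain(msg):
                raise
    # One plain session only: cfg.tls is deliberately neither changed nor saved.
    return server.search_root_dse(), False
```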
"fixed in yast2-ldap-client-2.15.8 and yast2-users-2.15.27." It's back in yast2-users-2.15.28-3 :-(
Created attachment 143158: Screenshot of message
Hm, what exactly did you do? And what does your ldap setup look like? Also, attach the fresh log files.
While testing the install workflow, I did a "clean" install from the alpha4 DVD, updating everything from the repositories at download.opensuse.org, then set up the LDAP server, and went straight to yast2 users to set up the LDAP part, without unchecking TLS in the client. So there the "old" message looked at me again.
Created attachment 143249: /var/log/YaST2
Regarding LDAP setup: Server & Client on the same machine as 127.0.0.1, local users = root, LDAP users all others, works nicely. No serious application currently, testing for common contact repository for Evolution and Outlook clients.
Created attachment 143415: patch for /usr/share/YaST2/include/ldap/ui.ycp
I hope this patch "fixes" the problem.
Yes, it does.
Fixed in yast2-ldap-client-2.15.9