#2011 new
Norman Gray

LDAP hidden preference doesn't work as expected

Reported by Norman Gray | May 9th, 2018 @ 04:19 PM

Following the advice at https://manual.mailmate-app.com/hidden_preferences I tried to set up a connection to a local IMAP server. It didn't work as expected, but this may be a documentation problem rather than a code one.

Following these docs, (I closed MailMate and) I created ~/Library/Application\ Support/MailMate/LDAP.plist containing

{ servers = (
  { requireSSL = 1;
    hostname = "my-ldap.example.ac.uk";
    username = "cn=foo,ou=staff,o=gla";
    searchBase = "ou=staff,o=gla";
    },
  );
}

(a command such as the following works: ldapsearch -xZ -H ldap://my-ldap.example.ac.uk -D cn=foo,ou=staff,o=gla -W -b ou=staff,o=gla '(givenname=*norman*)' cn sn mail).

I then manually added the password to the Keychain:

I then created a new email message, and started typing a name, each of givenName, sn, and mail, but nothing was filled in. I had the activity viewer open as I did this, but couldn't see any LDAP activity.

The LDAP server in question is an Active Directory one -- I don't know about version. There is potentially a certificate problem, since the LDAP server's cert is signed by a local CA, though that CA's signing certificate is present and marked as trusted, in my Keychain.

So the problem might be either:

  • I've configured this wrongly, and it might be worth adjusting the documentation.
  • There is a certificate error, but I'm not getting any feedback about what the problem is.

Comments and changes to this ticket

  • Ján Rusnák

    Ján Rusnák June 8th, 2018 @ 11:37 AM

    Hi,

    I have a similar problem:

    1. LDAP.plist is created in the directory ~/Library/Application Support/MailMate/.
    2. A Keychain account item is created by adding a new LDAP account to OSX Contacts.app:
      In keychain 'Local Items':
      Name: com.apple.account.LDAP.password
      Kind: application password
      Account: cn=read,ou=test,ou=person,dc=domain@ldap.domain
      Where: com.apple.account.LDAP.password

    Then, if I type something into the address box in the composer window, no search results appear.
    Here is a log item from the system console:
    MailMate[1291]/1#-1 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-25303 "attribute dflt not found in class inet" (errKCNoSuchAttr / errSecNoSuchAttr: / The attribute does not exist.) UserInfo={NSDescription=attribute dflt not found in class inet}

    The OpenLDAP log shows that MailMate tries to bind to the directory without a password:
    slapd[15561]: daemon: activity on 1 descriptor
    slapd[15561]: >>> dnPrettyNormal:
    slapd[15561]: <<< dnPrettyNormal: ,
    slapd[15561]: conn=1024 op=0 BIND dn="cn=read,ou=test,ou=person,dc=domain" method=128
    slapd[15561]: daemon: activity on:
    slapd[15561]: do_bind: version=3 dn="cn=read,ou=test,ou=person,dc=domain" method=128
    slapd[15561]:
    slapd[15561]: send_ldap_result: conn=1024 op=0 p=3
    slapd[15561]: daemon: epoll: listen=9 active_threads=0 tvp=zero
    slapd[15561]: send_ldap_result: err=53 matched="" text="unauthenticated bind (DN with no password) disallowed"

    It looks like MailMate can't find the correct password in the keychain??

    LDAP in OSX Contacts.app has also been broken in Sierra and High Sierra for a long time; all search attempts fail with this message in the system console:
    Could not get password: Error Domain=SecKeychain Code=-25300 "Password for cn=read,ou=test,ou=person,dc=domain@ldap.domain:0 not found" UserInfo={NSLocalizedDescription=Password for cn=read,ou=test,ou=person,dc=domain@ldap.domain:0 not found} Password for cn=read,ou=test,ou=person,dc=domain@ldap.domain:0 not found

    What is the correct format of the MailMate LDAP Keychain item, for adding it to the keychain manually? This is missing from the documentation.

    Or where is the problem with LDAP contacts search in MailMate?

    Without the LDAP address book search feature, MailMate is unusable in some corporate environments!

  • benny

    benny June 8th, 2018 @ 12:13 PM

    To be honest, I'm actually not sure anyone has ever successfully used the (somewhat experimental) LDAP support with authentication enabled.

    You can confirm if this is a keychain issue by enabling some debug output:

    defaults write com.freron.MailMate MmDebugLDAP -bool YES
    

    And then launch from a Terminal window to see the output:

    /Applications/MailMate.app/Contents/MacOS/MailMate
    

    (Unfortunately, I do not currently have access to an LDAP server which supports authentication which makes testing a bit hard.)

  • Norman Gray

    Norman Gray June 8th, 2018 @ 02:09 PM

    I've tried this, and when I typed 'gray' into the to field of a new mail message, the following showed up (server and DN adjusted):

    LDAP: Connect to 'ldap://my-ldap.example.ac.uk:389'
     Parsed
     Initialized (my-ldap.example.ac.uk:389)
    SecKeychainFindInternetPassword failed with error: -25300
    Warning: Failed to retrieve LDAP password from keychain (cn=foo,ou=OU,o=O@my-ldap.example.ac.uk:389)
     Bind with 'cn=foo,ou=OU,o=O'
    ldap connection failed (ldap://my-ldap.example.ac.uk:389): Inappropriate authentication
    Find matches for 'gra'
    Result:
    Find matches for 'gray'
    Result:
    LDAP: Connect to 'ldap://my-ldap.example.ac.uk:389'
     Parsed
     Initialized (my-ldap.example.ac.uk:389)
    SecKeychainFindInternetPassword failed with error: -25300
    Warning: Failed to retrieve LDAP password from keychain (cn=foo,ou=OU,o=O@my-ldap.example.ac.uk:389)
     Bind with 'cn=foo,ou=OU,o=O'
    ldap connection failed (ldap://my-ldap.example.ac.uk:389): Inappropriate authentication
    

    In Keychain Access (the login keychain) I have an entry with:

    • Account: cn=foo,ou=OU,o=O
    • Where: my-ldap.example.ac.uk

    I've also tried it with Where being my-ldap.example.ac.uk:389 and ldap://my-ldap.example.ac.uk (which might be what Mail.app puts in there).

    It's a separate matter, but the Keychain Access interface is, as usual, almost good but not quite, so that the straightforward 'New Password Item...' does not get things into quite the right-seeming place.

  • Ján Rusnák

    Ján Rusnák June 8th, 2018 @ 02:10 PM

    defaults write com.freron.MailMate MmDebugLDAP -bool YES  
    /Applications/MailMate.app/Contents/MacOS/MailMate
    
    Here is my log from terminal:  
    Warning: Decoding empty text body for id 936  
    Warning: Decoding empty text body for id 936  
    Find matches for 'jr'  
    Result:  
    LDAP: Connect to 'ldap://ldap.domain:389'  
     Parsed
     Initialized (ldap.domain:389)
    SecKeychainFindInternetPassword failed with error: -25300  
    Warning: Failed to retrieve LDAP password from keychain (cn=read,ou=test,ou=person,dc=domain@ldap.domain:389)  
     Bind with 'cn=read,ou=test,ou=person,dc=domain'
    ldap connection failed (ldap://ldap.domain:389): Server is unwilling to perform  
    Find matches for 'jr@'  
    Result:  
    LDAP: Connect to 'ldap://ldap.domain:389'  
     Parsed
     Initialized (ldap.domain:389)
    SecKeychainFindInternetPassword failed with error: -25300  
    Warning: Failed to retrieve LDAP password from keychain (cn=read,ou=test,ou=person,dc=domain@ldap.domain:389)  
     Bind with 'cn=read,ou=test,ou=person,dc=domain'
    ldap connection failed (ldap://ldap.domain:389): Server is unwilling to perform  
    Warning: Decoding empty text body for id 936  
    Warning: Decoding empty text body for id 937  
    Find matches for 'ja'  
    Result:  
    LDAP: Connect to 'ldap://ldap.domain:389'  
     Parsed
     Initialized (ldap.domain:389)
    SecKeychainFindInternetPassword failed with error: -25300  
    Warning: Failed to retrieve LDAP password from keychain (cn=read,ou=test,ou=person,dc=domain@ldap.domain:389)  
     Bind with 'cn=read,ou=test,ou=person,dc=domain'
    ldap connection failed (ldap://ldap.domain:389): Server is unwilling to perform  
    Find matches for 'jan'  
    Result:  
    LDAP: Connect to 'ldap://ldap.domain:389'  
     Parsed
     Initialized (ldap.domain:389)
    SecKeychainFindInternetPassword failed with error: -25300  
    Warning: Failed to retrieve LDAP password from keychain (cn=read,ou=test,ou=person,dc=domain@ldap.domain:389)  
     Bind with 'cn=read,ou=test,ou=person,dc=domain'
    ldap connection failed (ldap://ldap.domain:389): Server is unwilling to perform
    
  • Norman Gray

    Norman Gray June 8th, 2018 @ 02:13 PM

    Parenthetically: I should mention that I'm currently having difficulties getting MailMate to use an X.509 certificate from my keychain (I get User canceled the operation. (error code -128) when I press Send). Thus it's possible that my keychain is somehow messed up in a way that tools don't report, so if the log messages I'm reporting don't make sense, that's a possible explanation.

  • Ján Rusnák

    Ján Rusnák June 8th, 2018 @ 02:20 PM

    Benny,

    (Unfortunately, I do not currently have access to an LDAP server which supports authentication which makes testing a bit hard.) I can help with a testing environment; if yes, please contact me (--removed--).

  • benny

    benny June 11th, 2018 @ 08:03 AM

    It certainly looks like the primary problem here is that MailMate isn't able to retrieve the password from the keychain. We could probably debug that with a test account, but @Ján if you can help with a test account then I would appreciate that. Preferably with me getting access to as little as possible of course :-) I'll write you offline.

    (I'll also remove your email address here to avoid scraping.)

  • Eelco Chaudron

    Eelco Chaudron August 29th, 2018 @ 09:11 AM

    I was wondering how you query the LDAP server? Asking as I can match on first name, but not on last or "first last" name?

    Here is a log entry:

    Find matches for 'eelco chau'
    Result:
    2018-08-29 10:56:26.931 MailMate[3549:323607] Warning: Unable to reformat “Eelco Chaud”
    Find matches for 'eelco chaud'
    Result:
    Find matches for 'chau'
    Result:
    Find matches for 'chaud'
    Result:
    Find matches for 'chaudr'
    Result:
    Find matches for 'chaudro'
    Result:
    Find matches for 'chaudron'
    Result:
    

    On my last name only, it finds nothing.

    This is my CN name:

    cn: Eelco Chaudron
    

    When I manually search it does work (no authentication is used or ssl is used):

    ldapsearch -x -H ldap://ldap.corp.XXXXX.com -LLL cn="eelco cha*" | grep -E "cn:|uid:"
    uid: echaudro
    cn: Eelco Chaudron
    
  • benny

    benny August 29th, 2018 @ 03:06 PM

    You can enable debug output like this:

    defaults write com.freron.MailMate MmDebugLDAP -bool YES
    

    Then launch from a Terminal window to see how MailMate interacts with the server:

    /Applications/MailMate.app/Contents/MacOS/MailMate
    

    As far as I recall, it was tricky to create a query which worked with all of the LDAP servers I used for testing (but it was a long time ago).

    Note that I'm not an LDAP expert. It's not unlikely I've done something wrong :)

  • Eelco Chaudron

    Eelco Chaudron January 22nd, 2019 @ 12:04 PM

    Looking at the debug you do the following:

    LDAP search ou=users,dc=redhat,dc=com/subtree/(|(mail=ch*)(cn=ch*)(cn=* ch*))

    However, this will return 390 entries, where the one I'm looking for is number 202. Could it be you only accept the first x entries? From the debug log I see you only report about 118 replies.

  • Raza Rizvi

    Raza Rizvi September 25th, 2020 @ 12:59 PM

    I decided to give this a try with the Tuffmail LDAP server.

    { servers = (
      { requireSSL = 1;
        hostname = "ldap.mxes.net";
        port = 636;
        username = "cn=raza_tuffmail.com,ou=auth,dc=mxes,dc=net";
        searchBase = "ou=raza_tuffmail.com,ou=ab,dc=mxes,dc=net";
        searchScope = "subtree"; // base, oneLevel, or subtree (default)
        },
      );
    }

    So I have set that it does require SSL and I specified the well known port 636 as well.

    Debugging shows:

    Result:
    LDAP: Connect to 'ldap://ldap.mxes.net:636'
     Parsed
     Initialized (ldap.mxes.net:636)
    Warning: Failed starting TLS. Can't contact LDAP server

    I believe this is because it needs to do ldaps:// in observance of the requireSSL field.

  • benny

    benny September 28th, 2020 @ 12:59 PM

    @Raza: I've added that it uses ldaps when port 636 is configured. Maybe it should also default to port 636 when requireSSL is enabled...

    @Eelco: Sorry about the late response. You are correct that MailMate sets a maximum of 200 results to be returned from the server. I don't currently have time to look into how to improve that, but if you know what I should change in the query then let me know.
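As an added illustration of the last two comments (example code, not MailMate's or the project's own), the following evaluates the filter from Eelco's debug log over a constructed directory of 390 entries (names and mail addresses are invented) and shows the wanted entry at position 202 being dropped by a 200-result cap; the narrower `(sn=chaud*)` filter at the end is an assumption used to show the contrast, not something MailMate issues.

```python
# Added example, not MailMate's code: evaluate the filter seen in the debug log
# over a constructed directory and show how a 200-result cap drops entry #202.
import re
SIZE_LIMIT = 200                                      # cap mentioned by benny
MAILMATE_FILTER = "(|(mail=ch*)(cn=ch*)(cn=* ch*))"  # filter from the debug log

def parse_filter(text):
    """Parse a small RFC 4515 subset: (|...) disjunctions and attr=value
    substring assertions -> ("or", [children]) or ("match", attr, value)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body.startswith("|"):
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body):      # split top-level (...) items
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        return ("or", children)
    attr, _, value = body.partition("=")
    return ("match", attr.lower(), value)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values); '*' is a wildcard, case is ignored."""
    if node[0] == "or":
        return any(matches(child, entry) for child in node[1])
    _, attr, value = node
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))

def search(entries, filter_text, size_limit=SIZE_LIMIT):
    """Return (entries the client actually receives, number that really matched)."""
    node = parse_filter(filter_text)
    hits = [e for e in entries if matches(node, e)]
    return hits[:size_limit], len(hits)

def build_directory():
    """Constructed data: 389 'Chris ...' entries plus the wanted entry inserted
    at position 202, mirroring the 390 / #202 figures reported in the thread."""
    entries = [{"cn": ["Chris Example%03d" % i], "sn": ["Example%03d" % i],
                "mail": ["chris%03d@example.com" % i]} for i in range(389)]
    entries.insert(201, {"cn": ["Eelco Chaudron"], "sn": ["Chaudron"],
                         "mail": ["echaudro@example.com"]})
    return entries
```

Running `search(build_directory(), MAILMATE_FILTER)` reports 390 matches but returns only 200, none of them the Chaudron entry, while `search(build_directory(), "(sn=chaud*)")` returns exactly that one entry.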
