Re: [rt-users] ExternalAuth to active directory over SSL

2015-02-24 Thread Guillaume Hilt

No one is using LDAPS with Request Tracker ?

  Guillaume Hilt






Re: [rt-users] ExternalAuth to active directory over SSL

2015-02-24 Thread Trev
Review some of your LDAP settings. I think you have CN and DN in places
where you may want OU, and your LDAP user should be in a different format,
see below.

Hopefully this helps.

Use mine (working, also cleaned) as an example:

Set($ExternalSettings, {
    'My_LDAP'   =>  {
        'type'  =>  'ldap',
        'server'=>  'ldap://domain_name.com',
        'user'  =>  'domain_name\ldapreader',
        'pass'  =>  'ldapreader_password',
        'base'  =>  'ou=users,ou=services,dc=domain_name,dc=com',
        'filter'=>  '(objectClass=person)',
        'tls'   =>  0,

        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName',
        ],

        'attr_map'  => {
            'Name'  => 'sAMAccountName',
            'EmailAddress'  => 'mail',
            'Organization'  => 'department',
            'RealName'  => 'cn',
            'NickName'  => 'givenName',
            'ExternalAuthId'=> 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'MobilePhone'   => 'mobile',
            'Address1'  => 'streetAddress',
            'City'  => 'l',
            'State' => 'st',
            'Zip'   => 'postalCode',
            'Country'   => 'co'
        },
    },
});













[rt-users] ExternalAuth to active directory over SSL

2015-02-18 Thread Guillaume Hilt

Hello,

I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using .deb 
packages.


I'm trying to make ExternalAuth work with LDAP over SSL (Active 
Directory on 2008 R2 x64), with an internal CA managed under Windows 2008 
R2 x64.

I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.

I followed a previous discussion on this matter here: 
http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html

I'm facing the same issue.

$ openssl s_client -connect srv2.lan.domain.com:636 -CApath /etc/ssl/certs
Return Verify return code: 21 (unable to verify the first certificate)

$ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem 
/etc/ssl/certs/srv2.lan.domain.com_cert.pem

/etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK

Running LDP.exe on the domain controllers running in SSL mode works fine.


RT's log gives the following:

RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: 
LDAP_OPERATIONS_ERROR 1



An ldapsearch gives me this (snipped hex code):

ldap_initialize( ldaps://srv2.lan.domain.com:636/??base )
tls_write: want=117, written=117
tls_read: want=3422, got=1443
tls_read: want=1979, got=1448
tls_read: want=531, got=531
tls_write: want=12, written=12
tls_write: want=267, written=267
tls_write: want=6, written=6
tls_write: want=117, written=117
tls_read: want=5, got=5
tls_read: want=1, got=1
tls_read: want=5, got=5
tls_read: want=80, got=80
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Here's my configuration:

'AD_LAN' => {
    'type'  =>  'ldap',
    'server'=> 'srv2.lan.domain.com',
    'user'  => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
    'pass'  =>  'XXX',

    'base'  => 'CN=Utilisateurs,DC=lan,DC=domain,DC=com',
    'filter'=> '(&(objectClass=organizationalPerson)(mail=*))',
    'd_filter'  => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

    'group' =>  '',
    'group_attr'=>  '',

    'tls'   =>  0,
    'ssl_version'   =>  3,
    'net_ldap_args' =>  [ version => 3, port => 636, debug => 8 ],

    'attr_match_list' => [
        'Name',
        'EmailAddress',
    ],
    'attr_map' => {
        'Name' => 'sAMAccountName',
        'EmailAddress' => 'mail',
        'Organization' => 'physicalDeliveryOfficeName',
        'RealName' => 'cn',
        'ExternalAuthId' => 'sAMAccountName',
        'Gecos' => 'sAMAccountName',
        'WorkPhone' => 'telephoneNumber',
        'Address1' => 'streetAddress',
        'City' => 'l',
        'State' => 'st',
        'Zip' => 'postalCode',
        'Country' => 'co'
    },
},


Setting tls to 1 gives me this different error:

RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: 
LDAP_SERVER_DOWN 81



Regards,

--
  Guillaume Hilt



[rt-users] ExternalAuth to active directory over SSL

2012-03-27 Thread Brent Wiese
 
 On Fri, 2012-03-23 at 15:05 -0700, Brent Wiese wrote:
  I noticed in the notes that when you enable SSL/TLS, it invokes
  NET::SSLeay.
 
 This is why RT::Authen::ExternalAuth prompts about SSL LDAP
 Connections when you run `perl Makefile.PL`.

I'd installed via cpan so didn't notice that before.

  Didn’t appear to be installed. I installed via cpan… and now Apache
  seg faults when I try to start it. It’s seg faulting on:
 
 This generally means that you're running mod_perl, and Net::SSLeay is
 disagreeing with something else in the system (be it Apache, or your
 database handle) which also wants to load the SSL libraries -- and the
 libraries are ending up in an inconsistent state.
   As a first step, try disabling Apache's SSL, or switching from
 mod_perl to mod_fcgid or mod_fastcgi, and see if it helps.
  - Alex
 

I switched to fcgid and was able to get apache running again. Still same 
problems with the external auth.

Figuring maybe there was an issue when I first installed because Net::SSLeay 
wasn't installed, I grabbed the latest stable and manually built. Looks like it 
found everything correctly:

*** Module::AutoInstall version 1.04
*** Checking for Perl dependencies...
[SSL LDAP Connections]
- Net::SSLeay ...loaded. (1.45)
[External LDAP Sources]
- Net::LDAP   ...loaded. (0.44)
[External DBI Sources]
- DBI ...loaded. (1.618)
[SSO Cookie Sources]
- CGI::Cookie ...loaded. (1.30)
*** Module::AutoInstall configuration finished.
Checking if your kit is complete...
Looks good

Alas, no, it didn't help:
[Tue Mar 27 16:43:36 2012] [critical]: 
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: 
LDAP_OPERATIONS_ERROR 1 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

I'm not convinced it works. I challenge someone to respond with yes, I can 
successfully use ExternalAuth against AD via SSL and post their 
challenges/config. :) 

I just don't know where to go from here. 



Re: [rt-users] ExternalAuth to active directory over SSL

2012-03-27 Thread Kevin Falcone
On Tue, Mar 27, 2012 at 09:48:54AM -0700, Brent Wiese wrote:
 Alas, no, it didn't help:
 [Tue Mar 27 16:43:36 2012] [critical]: 
 RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: 
 LDAP_OPERATIONS_ERROR 1 
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

And what's in your AD server configs?

 I'm not convinced it works. I challenge someone to respond with yes, I can 
 successfully use ExternalAuth against AD via SSL and post their 
 challenges/config. :) 

I've configured ExternalAuth against AD using SSL, but since these were
client installs I'm not allowed to copy/paste their configurations.

-kevin




Re: [rt-users] ExternalAuth to active directory over SSL

2012-03-27 Thread Thomas Sibley
On 03/27/2012 12:48 PM, Brent Wiese wrote:
 I'm not convinced it works. I challenge someone to respond with yes,
 I can successfully use ExternalAuth against AD via SSL and post
 their challenges/config. :)

Just a couple weeks ago I setup RT::Authen::ExternalAuth against AD via
SSL for a customer.  It _does_ work.


Re: [rt-users] ExternalAuth to active directory over SSL

2012-03-27 Thread Thomas Sibley
On 03/27/2012 12:48 PM, Brent Wiese wrote:
 Alas, no, it didn't help: [Tue Mar 27 16:43:36 2012] [critical]:
 RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
 LDAP_OPERATIONS_ERROR 1
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

Note that you're no longer getting segfaults from Apache, meaning you
solved the SSL lib conflict between Perl and Apache.  The error above is
a pure bind error.

What's your ExternalAuth config?  I suspect you configured it to talk
TLS to your SSL port.

Thomas


[rt-users] ExternalAuth to active directory over SSL (SOLVED)

2012-03-27 Thread Brent Wiese
 
 On 03/27/2012 01:56 PM, Brent Wiese wrote:
  'tls'   => 0,
  'ssl_version'   => 3,
  'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],
 
 You're mixing TLS with the SSL port.  Try this:
 
 tls => 1,
 net_ldap_args => [ version => 3, debug => 8 ],
 
 Don't include ssl_version or port.
 
 Thomas

Yep, that was the ticket.

Thank you very much for the help!

In case anyone experiences the same situation, here is the quick-n-dirty list 
of what I had to do to get it working:

1: make sure the CA chain for whatever domain controller(s) you're connecting 
to is added to your cert bundle. On my system (CentOS 6), it was 
/etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to 
/etc/ssl/certs/ca-bundle.crt)

Afterwards, I was able to connect without any cert errors:
openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

2: for ldapsearch (I believe it's installed with openldap-clients, or maybe 
openldap-devel) to work properly, I had to add this to /etc/openldap/ldap.conf:
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Once I added that line, this ldapsearch worked:
ldapsearch -d 2 -LLL -v -x -H ldaps://dc.mydomain.local:636 -b 
'DC=mydomain,DC=local' -D 'CN=Apache,OU…,DC=mydomain,DC=local' -w '**pass**'  
'(sn=smith)' cn sn

3: NET::SSLeay wasn't installed on my system, so I installed through CPAN.

4: #3 broke apache (segmentation faults) on my system using mod_perl. I 
switched to mod_fcgid. Plenty of posts on how to configure this. It wasn't hard 
- the only catch was to make sure the directory you set for the socket file (I 
used /tmp/fcgid/sock.rt4) is writeable by apache (root creates it before 
switching to your apache user). I also had to modify the perms on rt-server.log 
so apache could write to it.

5: I installed ExternalAuth via cpan prior to #3. Since I wasn't sure if it 
compiled correctly (I don't recall any errors, but it's been over a week now so 
my memory has faded), I grabbed the latest stable from the site and compiled it 
myself. I know it found NET::SSLeay this time around. This may not be a 
necessary step if you're just starting out - installing via cpan is easier.

6: Here is my config as it relates to ExternalAuth after the changes Thomas 
mentions above:

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

Set($ExternalAuthPriority,  [   'My_LDAP'   ]);

Set($ExternalInfoPriority,  [   'My_LDAP' ]);

Set($ExternalServiceUsesSSLorTLS,1);

# We set below to true because we support external customers via email. 
# We only need to use AD to authenticate our support reps that work the tickets.
Set($AutoCreateNonExternalUsers,1);

Set($ExternalSettings,  { 'My_LDAP'   =>  {   
  'type'  =>  'ldap',
  'server'=>  'dc05.my.ad',
  'user'  =>  'CN=Apache LDAP,OU=Service Accounts,DC=my,DC=ad',
  'pass'  =>  'xxx',
  'base'  =>  'DC=my,DC=ad',
  'filter'=>  '(ObjectClass=User)',
  'd_filter'  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
  'tls'   =>  1,
  'net_ldap_args' => [ version =>  3, debug => 8 ],
  'attr_match_list'   => [ 'Name',
                           'EmailAddress'
                         ],
  'attr_map'  =>  {   'Name' => 'sAMAccountName',
                      'EmailAddress' => 'mail',
                      'ExternalAuthId' => 'sAMAccountName',
                      'Gecos' => 'sAMAccountName'
                  }
    },
  }
);

Hopefully I remembered everything!

Cheers,
Brent

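Added example, not code from this thread, from RT or from Best Practical: a small Python preflight that covers the two things these posts keep circling. classify_transport() takes a settings dict modelled on the $ExternalSettings entries posted above (net_ldap_args written as a dict instead of Perl's list of pairs) and works out which transport Net::LDAP would actually use, flagging the STARTTLS-versus-port-636 mixes behind the LDAP_SERVER_DOWN 81 and LDAP_OPERATIONS_ERROR 1 binds, a plaintext bind, and a TLS entry with no cafile/capath/verify (Net::LDAP's verify option defaults to 'none'). probe_ldaps() is the Python equivalent of the `openssl s_client -connect host:636 -CApath` check from the thread, with hostname matching enforced. Host names, bundle paths and the THREAD_CONFIGS samples are constructed; the probe needs network access and only runs when a host is given on the command line.

```python
"""Preflight for RT::Authen::ExternalAuth LDAP-over-TLS settings (added example,
not RT's or ExternalAuth's own code)."""
import socket
import ssl

LDAPS_PORT = 636
LDAP_PORT = 389
VERIFY_KEYS = ("verify", "cafile", "capath")

# Constructed settings modelled on the configs posted in the thread. Perl's
# net_ldap_args list of pairs is written as a dict here.
THREAD_CONFIGS = {
    "starttls_on_636": {"server": "dc.mydomain.local", "tls": 1, "ssl_version": 3,
                        "net_ldap_args": {"version": 3, "port": 636, "debug": 8}},
    "plain_to_636":    {"server": "dc.mydomain.local", "tls": 0, "ssl_version": 3,
                        "net_ldap_args": {"version": 3, "port": 636, "debug": 8}},
    "thomas_fix":      {"server": "dc05.my.ad", "tls": 1,
                        "net_ldap_args": {"version": 3, "debug": 8}},
}


def classify_transport(settings):
    """Return (transport, findings) for one $ExternalSettings LDAP entry.

    transport is 'ldaps', 'starttls', 'plaintext' or 'conflict'; findings is a
    list of human-readable problems, empty when the entry looks sound.
    """
    server = str(settings.get("server", "")).strip().lower()
    scheme = "ldaps" if server.startswith("ldaps://") else "ldap"
    args = settings.get("net_ldap_args") or {}
    port = int(args.get("port", LDAPS_PORT if scheme == "ldaps" else LDAP_PORT))
    starttls = bool(settings.get("tls", 0))
    findings = []

    if starttls and scheme == "ldaps":
        transport = "conflict"
        findings.append("tls => 1 asks for STARTTLS on a session that is already LDAPS; pick one")
    elif starttls and port == LDAPS_PORT:
        # A cleartext StartTLS request lands where the server expects a TLS
        # ClientHello; the session dies before bind (LDAP_SERVER_DOWN 81 above).
        transport = "conflict"
        findings.append("tls => 1 with port 636: STARTTLS sent to the LDAPS port; drop "
                        "port => 636 (STARTTLS on 389) or use ldaps:// with tls => 0")
    elif not starttls and scheme == "ldap" and port == LDAPS_PORT:
        # A cleartext bind on the LDAPS port is not a TLS handshake, so the
        # server rejects it (LDAP_OPERATIONS_ERROR 1 above).
        transport = "conflict"
        findings.append("tls => 0 with port 636: cleartext bind sent to the LDAPS port; "
                        "use server => 'ldaps://<host>' or tls => 1 without the port")
    elif starttls:
        transport = "starttls"
    elif scheme == "ldaps":
        transport = "ldaps"
    else:
        transport = "plaintext"
        findings.append("no TLS at all: the bind DN's password crosses the wire in clear")

    if "ssl_version" in settings and not starttls:
        findings.append("ssl_version is a STARTTLS option; with tls => 0 it does nothing")
    if transport in ("starttls", "ldaps") and not any(k in args for k in VERIFY_KEYS):
        findings.append("no verify/cafile/capath in net_ldap_args: Net::LDAP defaults to "
                        "verify => 'none', so the DC certificate is never checked")
    return transport, findings


def probe_ldaps(host, port=LDAPS_PORT, cafile=None, capath=None, timeout=10.0):
    """Verified TLS handshake to host:port (implicit TLS, i.e. LDAPS).

    Hostname matching is enforced, which `openssl s_client` does not do by
    default. Needs network access; returns a dict describing the outcome.
    """
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                return {"ok": True, "protocol": tls.version(),
                        "subject_cn": subject.get("commonName"),
                        "issuer_cn": issuer.get("commonName"),
                        "not_after": cert.get("notAfter"),
                        "dns_sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]}
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate": the bundle handed to
        # the probe lacks the DC's issuing CA, the situation in the thread.
        return {"ok": False, "stage": "certificate", "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "stage": "connect", "error": str(exc)}


if __name__ == "__main__":
    import json
    import sys
    for name, cfg in THREAD_CONFIGS.items():
        print(name, classify_transport(cfg))
    if len(sys.argv) > 1:  # e.g. preflight.py dc.mydomain.local /etc/ssl/certs/ca-bundle.crt
        bundle = sys.argv[2] if len(sys.argv) > 2 else None
        print(json.dumps(probe_ldaps(sys.argv[1], cafile=bundle), indent=2))
```

Run it without arguments to see the three thread configs classified; the two failing variants come back as 'conflict' with the matching bind error named, and Thomas's fix comes back as 'starttls' with only the missing-verification finding left. Pass a host and a CA bundle to get the same verdict `openssl s_client` gave in the thread, plus the subject, issuer, SANs and expiry of the certificate the DC actually presented.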

Re: [rt-users] ExternalAuth to active directory over SSL

2012-03-23 Thread Brent Wiese
In case anyone is following this thread...

I noticed in the notes that when you enable SSL/TLS, it invokes NET::SSLeay.

Didn't appear to be installed. I installed via cpan... and now Apache seg 
faults when I try to start it. It's seg faulting on:
Plack::Handler::Apache2->preload("/opt/rt4/sbin/rt-server");

If I comment that line out, apache will start, but it doesn't do anything (500 
server errors).

I've seen some posts about this on the list, but nothing that solved my issue.

I tried upgrading all my cpan pm's and yum update (I'm running CentOS) 
everything to see if that helped... no go.

So I'm dead in the water now. Thankfully, this is my test/play system, so my 
prod system is still running, but unless someone here has a solution, I'm 
looking at a fresh reload of everything and starting over from scratch...




Re: [rt-users] ExternalAuth to active directory over SSL

2012-03-23 Thread Alex Vandiver
On Fri, 2012-03-23 at 15:05 -0700, Brent Wiese wrote:
 I noticed in the notes that when you enable SSL/TLS, it invokes
 NET::SSLeay.

This is why RT::Authen::ExternalAuth prompts about SSL LDAP
Connections when you run `perl Makefile.PL`.

 Didn’t appear to be installed. I installed via cpan… and now Apache
 seg faults when I try to start it. It’s seg faulting on:

This generally means that you're running mod_perl, and Net::SSLeay is
disagreeing with something else in the system (be it Apache, or your
database handle) which also wants to load the SSL libraries -- and the
libraries are ending up in an inconsistent state.
  As a first step, try disabling Apache's SSL, or switching from
mod_perl to mod_fcgid or mod_fastcgi, and see if it helps.
 - Alex




[rt-users] ExternalAuth to active directory over SSL

2012-03-21 Thread Brent Wiese
I have ExternalAuth working fine over regular LDAP. But I need to run it over 
LDAPS for security reasons.

We use an internal CA for our certs. I've added it to 
/etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to 
/etc/ssl/certs/ca-bundle.crt)

This runs successfully (used to error before I added the CA certs to the 
bundle):

openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

I've also verified the cert/cert chain:
openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt dc.mydomain.local.pem
dc.mydomain.local.pem: OK

However, this errors out with a bad cert error (shortened -D, but it's the same 
string that works when using LDAP and ldapsearch over regular ldap works fine):

ldapsearch -d 2 -LLL -v -x -H ldaps:// dc.mydomain.local:636 -b 
'DC=mydomain,DC=local' -D 'CN=Apache,OU...,DC= mydomain,DC=local' -w '**pass**' 
 '(sn=smith)' cn sn

Results (snipped hex code):

ldap_initialize( ldaps://dc.mydomain.local:636/??base )
tls_write: want=60, written=60
tls_read: want=3, got=3
tls_read: want=2, got=2
tls_read: want=2724, got=2724
TLS: certificate [CN= dc.mydomain.local] is not valid - error -8179:Unknown 
code ___f 13.
tls_write: want=7, written=7
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Unknown code ___f 13.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Running LDP.exe on the domain controllers running in SSL mode works fine.

RT's log gives the following:
[Wed Mar 21 19:04:41 2012] [critical]: 
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: 
LDAP_OPERATIONS_ERROR 1 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm guessing it's probably getting that same is not valid error... but why?

I've googled for hours looking for anything beyond making sure the CA cert was 
in the bundle. Does ldapsearch/RT externalAuth use a different CA bundle than 
/etc/pki/tls/certs/ca-bundle.crt (or the linked /etc/ssl/certs/ca-bundle.crt)? 
Any idea what I'm missing?

Running centos 6 and openssl -1.0.0-20.el6_2.2.x86_64 (latest in yum repo... 
same thing when I ran 1.0.0-10 too).

Brent


Re: [rt-users] ExternalAuth to active directory over SSL

2012-03-21 Thread Brent Wiese
I answered part of my question... I can successfully ldapsearch now. I added

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

To /etc/openldap/ldap.conf.

But RT is still failing. If I set:

  'tls'   =>  1,
  'ssl_version'   =>  3,
  'net_ldap_args' => [ version =>  3, port => 636, debug => 8 ],

I get:
[Wed Mar 21 21:05:14 2012] [critical]: 
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_SERVER_DOWN 
81 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

If I change to this:

  'tls'   =>  0,
  'ssl_version'   =>  3,
  'net_ldap_args' => [ version =>  3, port => 636, debug => 8 ],

I get:
[Wed Mar 21 21:09:27 2012] [critical]: 
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: 
LDAP_OPERATIONS_ERROR 1 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm further, but still stuck.

