> On 03/27/2012 01:56 PM, Brent Wiese wrote:
> > 'tls' => 0,
> > 'ssl_version' => 3,
> > 'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],
>
> You're mixing TLS with the SSL port. Try this:
>
>     tls => 1,
>     net_ldap_args => [ version => 3, debug => 8 ],
>
> Don't include ssl_version or port.
>
> Thomas
Yep, that was the ticket. Thank you very much for the help! In case anyone experiences the same situation, here is the quick-n-dirty list of what I had to do to get it working:

1: Make sure the CA chain for whatever domain controller(s) you're connecting to is added to your cert bundle. On my system (CentOS 6), it was /etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to /etc/ssl/certs/ca-bundle.crt). Afterwards, I was able to connect without any cert errors:

    openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

2: For ldapsearch (I believe it's installed with openldap-clients, or maybe openldap-devel) to work properly, I had to add this to /etc/openldap/ldap.conf:

    TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Once I added that line, this ldapsearch worked:

    ldapsearch -d 2 -LLL -v -x -H ldaps://dc.mydomain.local:636 -b 'DC=mydomain,DC=local' -D 'CN=Apache,OU…,DC=mydomain,DC=local' -w '**pass**' '(sn=smith)' cn sn

3: Net::SSLeay wasn't installed on my system, so I installed it through CPAN.

4: #3 broke apache (segmentation faults) on my system using mod_perl. I switched to mod_fcgid. Plenty of posts on how to configure this. It wasn't hard - the only catch was to make sure the directory you set for the socket file (I used /tmp/fcgid/sock.rt4) is writable by apache (root creates it before switching to your apache user). I also had to modify the perms on rt-server.log so apache could write to it.

5: I installed ExternalAuth via cpan prior to #3. Since I wasn't sure if it compiled correctly (I don't recall any errors, but it's been over a week now so my memory has faded), I grabbed the latest stable from the site and compiled it myself. I know it found Net::SSLeay this time around. This may not be a necessary step if you're just starting out - installing via cpan is easier.
6: Here is my config as it relates to ExternalAuth after the changes Thomas mentions above:

    Set( @Plugins, qw(RT::Authen::ExternalAuth) );
    Set($ExternalAuthPriority, [ 'My_LDAP' ]);
    Set($ExternalInfoPriority, [ 'My_LDAP' ]);
    Set($ExternalServiceUsesSSLorTLS, 1);

    # We set below to true because we support external customers via email.
    # We only need to use AD to authenticate our support reps that work the tickets.
    Set($AutoCreateNonExternalUsers, 1);

    Set($ExternalSettings, {
        'My_LDAP' => {
            'type'          => 'ldap',
            'server'        => 'dc05.my.ad',
            'user'          => 'CN=Apache LDAP,OU=Service Accounts,DC=my,DC=ad',
            'pass'          => 'xxx',
            'base'          => 'DC=my,DC=ad',
            'filter'        => '(ObjectClass=User)',
            'd_filter'      => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
            'tls'           => 1,
            'net_ldap_args' => [ version => 3, debug => 8 ],
            'attr_match_list' => [ 'Name', 'EmailAddress' ],
            'attr_map'      => {
                'Name'           => 'sAMAccountName',
                'EmailAddress'   => 'mail',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos'          => 'sAMAccountName',
            },
        },
    });

Hopefully I remembered everything!

Cheers,
Brent
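The point behind Thomas's fix is that Net::LDAP offers two distinct TLS modes: LDAPS (a TLS socket from the first byte, port 636) and STARTTLS (a plain connection on 389 that is upgraded with start_tls), and you pick one, not both. The script below is an added example, not code from this thread or from RT::Authen::ExternalAuth; it connects either way with certificate verification switched on (Net::LDAP's default verify is 'none', so a bad or untrusted server cert is otherwise accepted silently), binds as the service account and runs the same sn=smith search Brent used with ldapsearch. It reuses the hostname, bind DN, base and CA bundle path from the thread; the LDAP_BIND_PW environment variable, the hypothetical filename, and the reading that ExternalAuth's tls => 1 maps to start_tls are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: check an AD domain controller over TLS the two ways
# Net::LDAP supports, with certificate verification turned on.
# Not code from the thread or from RT::Authen::ExternalAuth.
use strict;
use warnings;
use Net::LDAP;   # LDAPS/STARTTLS go through IO::Socket::SSL, which needs Net::SSLeay (step 3)

# Values reused from the thread; the password comes from the environment so it
# is not left in the script (LDAP_BIND_PW is a name chosen for this example).
my $server  = 'dc05.my.ad';
my $bind_dn = 'CN=Apache LDAP,OU=Service Accounts,DC=my,DC=ad';
my $bind_pw = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";
my $base    = 'DC=my,DC=ad';
my $cafile  = '/etc/pki/tls/certs/ca-bundle.crt';   # the bundle from step 1

# LDAPS: TLS from the first byte, on port 636. No start_tls afterwards.
sub connect_ldaps {
    my ($host, $ca) = @_;
    return Net::LDAP->new($host,
        scheme  => 'ldaps',
        port    => 636,
        version => 3,
        verify  => 'require',   # default is 'none': any cert would be accepted
        cafile  => $ca,
    ) || die "LDAPS connect to $host:636 failed: $@\n";
}

# STARTTLS: plain connection on 389, then upgrade. My reading (an assumption)
# is that this is what the thread's tls => 1 setting makes ExternalAuth do.
sub connect_starttls {
    my ($host, $ca) = @_;
    my $ldap = Net::LDAP->new($host, port => 389, version => 3)
        or die "LDAP connect to $host:389 failed: $@\n";
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $ca);
    die "STARTTLS to $host failed: " . $mesg->error . "\n" if $mesg->code;
    return $ldap;
}

my $mode = shift @ARGV // 'ldaps';
my $ldap = $mode eq 'starttls' ? connect_starttls($server, $cafile)
                               : connect_ldaps($server, $cafile);

# Bind as the service account, as ExternalAuth does before it searches.
my $bind = $ldap->bind($bind_dn, password => $bind_pw);
die "bind as $bind_dn failed: " . $bind->error . "\n" if $bind->code;

# Same lookup the thread did with ldapsearch (sn=smith), with the thread's
# d_filter negated and ANDed in, so only enabled accounts are listed, i.e.
# the users ExternalAuth would actually let log in.
my $search = $ldap->search(
    base   => $base,
    filter => '(&(objectClass=user)(sn=smith)'
            . '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    attrs  => [ 'sAMAccountName', 'mail' ],
);
die "search failed: " . $search->error . "\n" if $search->code;

printf "%s: %d enabled account(s) with sn=smith\n", uc $mode, $search->count;
for my $entry ($search->entries) {
    printf "  %-20s %s\n",
        $entry->get_value('sAMAccountName') // '-',
        $entry->get_value('mail')           // '-';
}
$ldap->unbind;
```

Run it as `LDAP_BIND_PW='...' perl ldapcheck.pl ldaps` or `... starttls`. If the domain controller's CA chain is not in the bundle (step 1 skipped), the connect or start_tls call dies with a verification error rather than proceeding, which is the behaviour you want from the authentication path: an RT instance that binds over an unverified TLS session would hand the service-account password, and every user's password, to whatever answers on that port.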