[rt-users] ExternalAuth to active directory over SSL

Brent Wiese bwiese at ElementPS.com
Fri Mar 23 18:05:42 EDT 2012


In case anyone is following this thread...

I noticed in the notes that when you enable SSL/TLS, it invokes Net::SSLeay.

Didn't appear to be installed. I installed via cpan... and now Apache seg faults when I try to start it. It's seg faulting on:
                Plack::Handler::Apache2->preload("/opt/rt4/sbin/rt-server");

If I comment that line out, apache will start, but it doesn't do anything (500 server errors).

I've seen some posts about this on the list, but nothing that solved my issue.

I tried upgrading all my cpan pm's and "yum update" (I'm running CentOS) everything to see if that helped... no go.

So I'm dead in the water now. Thankfully, this is my test/play system, so my prod system is still running, but unless someone here has a solution, I'm looking at a fresh reload of everything and starting over from scratch...


From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Brent Wiese
Sent: Wednesday, March 21, 2012 2:11 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth to active directory over SSL

I answered part of my question... I can successfully ldapsearch now. I added

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

To /etc/openldap/ldap.conf.

But RT is still failing. If I set:

                                      'tls'                       =>  1,
                                      'ssl_version'               =>  3,
                                      'net_ldap_args'             => [ version =>  3, port => 636, debug => 8 ],

I get:
[Wed Mar 21 21:05:14 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_SERVER_DOWN 81 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

If I change to this:

                                      'tls'                       =>  0,
                                      'ssl_version'               =>  3,
                                      'net_ldap_args'             => [ version =>  3, port => 636, debug => 8 ],

I get:
[Wed Mar 21 21:09:27 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm further, but still stuck.
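The two configurations above exercise two different things: 'tls' => 1 in the plugin is, as far as I can tell from the plugin's LDAP.pm, a Net::LDAP start_tls call (plain LDAP first, then an upgrade), while port 636 expects a TLS handshake from the first byte (LDAPS, the ldaps:// scheme in Net::LDAP). The script below is an added diagnostic, not code from RT or from RT::Authen::ExternalAuth; it binds both ways, with and without certificate verification, so the failure seen in RT's log and the "is not valid" error from ldapsearch in the first message can be told apart. Host, bind DN and CA bundle path are the ones from the thread (the OU part of the DN was shortened in the original and has to be filled in); LDAP_BIND_PW is an assumed environment variable used so the password stays out of the process list.

```perl
#!/usr/bin/perl
# Added diagnostic for the thread above; not part of RT or RT::Authen::ExternalAuth.
# Binds to the domain controller the two ways RT can be told to, so each failure can be
# placed: TCP connect, TLS handshake / certificate check, or the LDAP bind itself.
#   LDAPS    - TLS from the first byte on 636 (ldaps:// scheme in Net::LDAP)
#   STARTTLS - plain LDAP on 389, upgraded with the StartTLS extended operation
#              (my reading of what the plugin's 'tls' => 1 does)
# Host, bind DN and CA bundle are taken from the thread; LDAP_BIND_PW is an assumed
# environment variable name.
use strict;
use warnings;
use Net::LDAP;

my $HOST    = 'dc.mydomain.local';
my $BIND_DN = 'CN=Apache,OU...,DC=mydomain,DC=local';   # OU path shortened in the post
my $CAFILE  = '/etc/pki/tls/certs/ca-bundle.crt';       # bundle with the internal CA appended
my $PASS    = $ENV{LDAP_BIND_PW};
defined $PASS or die "set LDAP_BIND_PW in the environment\n";

# LDAPS: verify/cafile go to Net::LDAP->new, because the handshake happens there.
sub check_ldaps {
    my ($verify) = @_;
    my $ldap = Net::LDAP->new("ldaps://$HOST", port => 636, version => 3, timeout => 10,
                              verify => $verify, cafile => $CAFILE)
        or return "connect/TLS failed: $@";
    return bind_and_report($ldap);
}

# STARTTLS: connect in the clear first, then upgrade; verify/cafile go to start_tls.
sub check_starttls {
    my ($verify) = @_;
    my $ldap = Net::LDAP->new($HOST, port => 389, version => 3, timeout => 10)
        or return "connect failed: $@";
    my $tls = $ldap->start_tls(verify => $verify, cafile => $CAFILE);
    return "start_tls failed: " . $tls->error if $tls->code;
    return bind_and_report($ldap);
}

# Simple bind as the service account; a failure here is credentials/DN, not TLS.
sub bind_and_report {
    my ($ldap) = @_;
    my $mesg   = $ldap->bind($BIND_DN, password => $PASS);
    my $result = $mesg->code
        ? sprintf("bind failed: %s (LDAP code %d)", $mesg->error, $mesg->code)
        : "bind OK";
    $ldap->unbind;
    return $result;
}

# verify => 'none' is Net::LDAP's default and accepts any certificate; comparing it with
# 'require' separates "the CA is not trusted" from "wrong port or protocol".
for my $verify (qw(none require)) {
    printf "%-9s verify=%-7s %s\n", 'LDAPS',    $verify, check_ldaps($verify);
    printf "%-9s verify=%-7s %s\n", 'STARTTLS', $verify, check_starttls($verify);
}
```

Reading the four lines: LDAPS working with verify=none but failing with verify=require means the internal CA is not in $CAFILE as Net::LDAP (IO::Socket::SSL on top of OpenSSL) reads it; both LDAPS rows failing points at the port or the handshake; STARTTLS failing on 636 is expected, since that port never speaks plaintext. The ldapsearch failure in the first message is a separate trust store: the CentOS 6 OpenLDAP client is built against Mozilla NSS (the log says "moznss"), and NSS error -8179 is SEC_ERROR_UNKNOWN_ISSUER (13 past the NSS error base, matching the "___f 13" in the output), which is why the TLS_CACERT line in ldap.conf fixed ldapsearch without changing anything for RT. Whichever path ends up in RT_SiteConfig.pm, the verify/cafile options are what make the CA bundle matter at all; without them the connection is encrypted but the server is never authenticated, which is the check an LDAPS deployment "for security reasons" is meant to add.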


From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Brent Wiese
Sent: Wednesday, March 21, 2012 12:23 PM
To: rt-users at lists.bestpractical.com
Subject: [rt-users] ExternalAuth to active directory over SSL

I have ExternalAuth working fine over regular LDAP. But I need to run it over LDAPS for security reasons.

We use an internal CA for our certs. I've added it to /etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to /etc/ssl/certs/ca-bundle.crt)

This runs successfully (used to error before I added the CA certs to the bundle):

openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

I've also verified the cert/cert chain:
openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt dc.mydomain.local.pem
dc.mydomain.local.pem: OK

However, this errors out with a bad cert error (shortened -D, but it's the same string that works when using LDAP and ldapsearch over regular ldap works fine):

ldapsearch -d 2 -LLL -v -x -H ldaps://dc.mydomain.local:636 -b 'DC=mydomain,DC=local' -D 'CN=Apache,OU...,DC=mydomain,DC=local' -w '**pass**'  '(sn=smith)' cn sn

Results (snipped hex code):

ldap_initialize( ldaps://dc.mydomain.local:636/??base )
tls_write: want=60, written=60
tls_read: want=3, got=3
tls_read: want=2, got=2
tls_read: want=2724, got=2724
TLS: certificate [CN=dc.mydomain.local] is not valid - error -8179:Unknown code ___f 13.
tls_write: want=7, written=7
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Unknown code ___f 13.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Running LDP.exe on the domain controllers running in SSL mode works fine.

RT's log gives the following:
[Wed Mar 21 19:04:41 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm guessing it's probably getting that same "is not valid" error... but why?

I've googled for hours looking for anything beyond making sure the CA cert was in the bundle. Does ldapsearch/RT externalAuth use a different CA bundle than /etc/pki/tls/certs/ca-bundle.crt (or the linked /etc/ssl/certs/ca-bundle.crt)? Any idea what I'm missing?

Running CentOS 6 and openssl-1.0.0-20.el6_2.2.x86_64 (latest in yum repo... same thing when I ran 1.0.0-10 too).

Brent