[rt-users] ExternalAuth to active directory over SSL
Guillaume Hilt
ghilt at shadowprojects.org
Tue Feb 24 09:35:06 EST 2015
Is no one using LDAPS with Request Tracker?
Guillaume Hilt
On 18/02/2015 15:43, Guillaume Hilt wrote:
> Hello,
>
> I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using
> .deb packages.
>
> I'm trying to make ExternalAuth work with LDAP over SSL (Active
> Directory on 2008 R2 x64), with an internal CA managed under Windows
> 2008 R2 x64.
> I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.
>
> I followed a previous discussion on this matter here:
> http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html
> I'm facing the same issue.
>
> $ openssl s_client -connect srv2.lan.domain.com:636 -CApath
> /etc/ssl/certs
> Return Verify return code: 21 (unable to verify the first certificate)
>
> $ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem
> /etc/ssl/certs/srv2.lan.domain.com_cert.pem
> /etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK
>
> Running LDP.exe on the domain controllers running in SSL mode works fine.
>
>
> RT's log gives the following:
>
> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
> LDAP_OPERATIONS_ERROR 1
>
>
> An ldapsearch gives me this (hex dump snipped):
>
> ldap_initialize( ldaps://srv2.lan.domain.com:636/??base )
> tls_write: want=117, written=117
> tls_read: want=3422, got=1443
> tls_read: want=1979, got=1448
> tls_read: want=531, got=531
> tls_write: want=12, written=12
> tls_write: want=267, written=267
> tls_write: want=6, written=6
> tls_write: want=117, written=117
> tls_read: want=5, got=5
> tls_read: want=1, got=1
> tls_read: want=5, got=5
> tls_read: want=80, got=80
> TLS: can't connect: (unknown error code).
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
>
> Here's my configuration:
>
> 'AD_LAN' => {
>     'type'   => 'ldap',
>     'server' => 'srv2.lan.domain.com',
>     'user'   => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
>     'pass'   => 'XXXXXXX',
>
>     'base'     => 'CN=Utilisateurs,DC=lan,DC=domain,DC=com',
>     'filter'   => '(&(objectClass=organizationalPerson)(mail=*))',
>     # excludes accounts with the ACCOUNTDISABLE bit set
>     'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>
>     'group'      => '',
>     'group_attr' => '',
>
>     'tls'           => 0,
>     'ssl_version'   => 3,
>     'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],
>
>     'attr_match_list' => [
>         'Name',
>         'EmailAddress',
>     ],
>     'attr_map' => {
>         'Name'           => 'sAMAccountName',
>         'EmailAddress'   => 'mail',
>         'Organization'   => 'physicalDeliveryOfficeName',
>         'RealName'       => 'cn',
>         'ExternalAuthId' => 'sAMAccountName',
>         'Gecos'          => 'sAMAccountName',
>         'WorkPhone'      => 'telephoneNumber',
>         'Address1'       => 'streetAddress',
>         'City'           => 'l',
>         'State'          => 'st',
>         'Zip'            => 'postalCode',
>         'Country'        => 'co',
>     },
> },
>
>
> Setting tls to 1 gives me this different error:
>
> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
> LDAP_SERVER_DOWN 81
>
>
> Regards,
>
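An RT_SiteConfig.pm fragment for the LDAPS case, added here as an editor's example and not the poster's configuration. It assumes that RT 4.0's RT::Authen::ExternalAuth::LDAP passes 'server' and 'net_ldap_args' straight through to Net::LDAP->new (so the ldaps:// scheme and the verify/cafile options are honoured), and that the CA file at the poster's path holds the issuing CA of the domain controller's certificate. Everything else in the block is taken from the configuration quoted above.

```perl
# RT_SiteConfig.pm fragment: ExternalAuth against Active Directory over LDAPS.
# Editor's example for this thread; assumes RT 4.0 ExternalAuth hands 'server'
# and 'net_ldap_args' to Net::LDAP->new unchanged.
Set($ExternalSettings, {
    'AD_LAN' => {
        'type' => 'ldap',

        # LDAPS is selected by the URI scheme. A bare hostname with port 636
        # makes Net::LDAP speak cleartext LDAP to a TLS-only port, and
        # 'tls' => 1 sends StartTLS on a socket the server already expects
        # to be TLS; neither negotiates a session.
        'server' => 'ldaps://srv2.lan.domain.com',
        'tls'    => 0,

        'user' => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
        'pass' => 'XXXXXXX',

        'net_ldap_args' => [
            version => 3,
            port    => 636,
            # Pin the internal CA and reject a chain that does not validate.
            # Net::LDAP's default is verify => 'none', which accepts any
            # certificate the DC presents.
            verify  => 'require',
            cafile  => '/etc/ssl/certs/srv2.lan.domain.com_ca.pem',
            # debug => 8 can be kept while troubleshooting and dropped after.
        ],

        'base'     => 'CN=Utilisateurs,DC=lan,DC=domain,DC=com',
        'filter'   => '(&(objectClass=organizationalPerson)(mail=*))',
        # Excludes accounts whose ACCOUNTDISABLE bit is set.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});
```

To check the trust chain the same way Net::LDAP will see it, run `openssl s_client -connect srv2.lan.domain.com:636 -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem` and look for "Verify return code: 0 (ok)". Note that `-CApath` only consults files named by subject hash (the symlinks `c_rehash /etc/ssl/certs` creates), so a PEM dropped into that directory without rehashing is invisible to it; that is one explanation for a verify code 21 from `s_client -CApath` while `openssl verify -CAfile` on the same CA succeeds. `ldapsearch` is independent of RT's settings and takes its CA from TLS_CACERT in /etc/ldap/ldap.conf (or ~/.ldaprc), so it needs that line before it can be used as a comparison.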