[rt-users] FW: ExternalAuth to active directory over SSL
Brent Wiese
bwiese at ElementPS.com
Tue Mar 27 13:56:54 EDT 2012
> On 03/27/2012 12:48 PM, Brent Wiese wrote:
> > Alas, no, it didn't help: [Tue Mar 27 16:43:36 2012] [critical]:
> > RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
> > LDAP_OPERATIONS_ERROR 1
> > (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)
>
> Note that you're no longer getting segfaults from Apache, meaning you
> solved the SSL lib conflict between Perl and Apache. The error above
> is a pure bind error.
>
> What's your ExternalAuth config? I suspect you configured it to talk
> TLS to your SSL port.
>
> Thomas
I've tried setting tls to 0 and 1. When it's set to 1, it looks like it sends the bind in cleartext (I see the bind credentials in tcpdump). When set to 0 it looks fully encrypted.
Again, the server/user/pw/port stuff all works right with ldapsearch...
Here is my config at present (sanitized of course):
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    'My_LDAP' => {                    ## GENERIC SECTION
        'type'            => 'ldap',
        'server'          => 'dc05.my.ad',
        'user'            => 'CN=Apache LDAP,OU=Service Accounts,DC=my,DC=ad',
        'pass'            => 'xxx',
        'base'            => 'DC=my,DC=ad',
        'filter'          => '(ObjectClass=User)',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3, port => 636, debug => 8 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
}
);
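The `d_filter` in the config above uses Microsoft's extensible-match OID `1.2.840.113556.1.4.803` (LDAP_MATCHING_RULE_BIT_AND) against `userAccountControl`, so it selects entries whose ACCOUNTDISABLE bit (value 2) is set. The following is an added example, written for this page and not part of Brent's post or of RT::Authen::ExternalAuth, that evaluates such filters offline against a constructed set of AD-style entries, so you can see exactly which accounts the disabled-user filter catches; it also handles the sibling OID `1.2.840.113556.1.4.804` (BIT_OR). The entry DNs and `userAccountControl` values are constructed sample data. It is in Python rather than Perl so it runs stand-alone without a directory server.

```python
"""Evaluate Active Directory bitwise matching-rule filters offline.

Added example, not code from the rt-users thread or from RT.
Shows what (userAccountControl:1.2.840.113556.1.4.803:=2) matches:
entries whose ACCOUNTDISABLE bit is set (LDAP_MATCHING_RULE_BIT_AND).
"""
import re

# Microsoft matching-rule OIDs for extensible match on integer bit fields.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all mask bits must be set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any mask bit may be set

# A few well-known userAccountControl flag bits.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample directory (DN -> attributes); not real accounts.
SAMPLE_ENTRIES = {
    "CN=Alice,OU=Users,DC=my,DC=ad": {"userAccountControl": NORMAL_ACCOUNT},
    "CN=Bob,OU=Users,DC=my,DC=ad": {
        "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},                       # 514
    "CN=Carol,OU=Users,DC=my,DC=ad": {
        "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},                 # 66048
    "CN=Dave,OU=Users,DC=my,DC=ad": {
        "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE},  # 66050
}

# (attribute:matchingRuleOID:=integer) -- the only filter shape handled here.
_EXTENSIBLE = re.compile(
    r"^\((?P<attr>[A-Za-z][\w-]*):(?P<rule>[\d.]+):=(?P<value>\d+)\)$")


def parse_bitwise_filter(filter_text):
    """Split an extensible-match filter into (attribute, rule OID, mask)."""
    m = _EXTENSIBLE.match(filter_text.strip())
    if not m:
        raise ValueError("not a bitwise extensible-match filter: %r" % filter_text)
    return m.group("attr"), m.group("rule"), int(m.group("value"))


def entry_matches(entry, attr, rule, mask):
    """Apply the AD bitwise matching rule to one entry."""
    # LDAP attribute names are case-insensitive; compare them lowercased.
    value = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if value is None:
        return False  # attribute absent -> no match, same as a real server
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return (value & mask) == mask
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return (value & mask) != 0
    raise ValueError("unsupported matching rule OID: %s" % rule)


def search(entries, filter_text):
    """Return the sorted DNs of all entries matching a bitwise filter."""
    attr, rule, mask = parse_bitwise_filter(filter_text)
    return sorted(dn for dn, e in entries.items()
                  if entry_matches(e, attr, rule, mask))


if __name__ == "__main__":
    disabled = "(userAccountControl:1.2.840.113556.1.4.803:=2)"  # same as the posted d_filter
    for dn in search(SAMPLE_ENTRIES, disabled):
        print("disabled:", dn)
```

Running it prints Bob and Dave as disabled: both have bit 2 set even though Dave also carries DONT_EXPIRE_PASSWORD, which is why the bitwise rule is needed rather than an equality match on `userAccountControl=514`. Swapping the OID to `...804` with a mask of 65538 (ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD) would instead match any entry having either flag.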