[rt-users] ExternalAuth to active directory over SSL (SOLVED)
Brent Wiese
bwiese at ElementPS.com
Tue Mar 27 18:48:38 EDT 2012
>
> On 03/27/2012 01:56 PM, Brent Wiese wrote:
> > 'tls' => 0,
> > 'ssl_version' => 3,
> > 'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],
>
> You're mixing TLS with the SSL port. Try this:
>
> tls => 1,
> net_ldap_args => [ version => 3, debug => 8 ],
>
> Don't include ssl_version or port.
>
> Thomas
Yep, that was the ticket.
Thank you very much for the help!
In case anyone experiences the same situation, here is the quick-n-dirty list of what I had to do to get it working:
1: make sure the CA chain for whatever domain controller(s) you're connecting to is added to your cert bundle. On my system (CentOS 6), it was /etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to /etc/ssl/certs/ca-bundle.crt)
Afterwards, I was able to connect without any cert errors:
openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs
2: for ldapsearch (I believe it's installed with openldap-clients, or maybe openldap-devel) to work properly, I had to add this to /etc/openldap/ldap.conf:
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
Once I added that line, this ldapsearch worked:
ldapsearch -d 2 -LLL -v -x -H ldaps://dc.mydomain.local:636 -b 'DC=mydomain,DC=local' -D 'CN=Apache,OU…,DC=mydomain,DC=local' -w '**pass**' '(sn=smith)' cn sn
3: Net::SSLeay wasn't installed on my system, so I installed it through CPAN.
4: #3 broke apache (segmentation faults) on my system using mod_perl. I switched to mod_fcgid. Plenty of posts on how to configure this. It wasn't hard - the only catch was to make sure the directory you set for the socket file (I used /tmp/fcgid/sock.rt4) is writable by apache (root creates it before switching to your apache user). I also had to modify the perms on rt-server.log so apache could write to it.
5: I installed ExternalAuth via cpan prior to #3. Since I wasn't sure if it compiled correctly (I don't recall any errors, but it's been over a week now so my memory has faded), I grabbed the latest stable from the site and compiled it myself. I know it found Net::SSLeay this time around. This may not be a necessary step if you're just starting out - installing via cpan is easier.
6: Here is my config as it relates to ExternalAuth after the changes Thomas mentions above:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 1);
# We set below to true because we support external customers via email.
# We only need to use AD to authenticate our support reps that work the tickets.
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'            => 'ldap',
        'server'          => 'dc05.my.ad',
        'user'            => 'CN=Apache LDAP,OU=Service Accounts,DC=my,DC=ad',
        'pass'            => 'xxx',
        'base'            => 'DC=my,DC=ad',
        'filter'          => '(ObjectClass=User)',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'             => 1,
        'net_ldap_args'   => [ version => 3, debug => 8 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});
Hopefully I remembered everything!
Cheers,
Brent
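The steps the working config above relies on (StartTLS on the standard port, CA-verified connection, service-account bind, user lookup with the same filter and d_filter), reproduced as a stand-alone Net::LDAP script so each step can be tested outside RT. This is an added example, not code from the post or from RT::Authen::ExternalAuth; the hostname, DNs, filters and CA bundle path are the post's own values, while the account name and the service-account password are supplied at run time.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from RT::Authen::ExternalAuth.
# Walks the same steps the plugin performs with the config above (connect,
# StartTLS, service-account bind, user lookup, disabled-account check) so each
# one can be tested on its own before RT is involved.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $server   = 'dc05.my.ad';                                     # values from the config
my $bind_dn  = 'CN=Apache LDAP,OU=Service Accounts,DC=my,DC=ad';
my $base     = 'DC=my,DC=ad';
my $d_filter = '(userAccountControl:1.2.840.113556.1.4.803:=2)'; # "disabled" bit set
my $cafile   = '/etc/pki/tls/certs/ca-bundle.crt';               # bundle from step 1
my $bind_pw  = $ENV{LDAP_PASS} // die "set LDAP_PASS to the service-account password\n";
my $login    = shift @ARGV    // die "usage: $0 <sAMAccountName>\n";

# tls => 1 means plain LDAP on 389 upgraded with StartTLS; that is why mixing it
# with port 636 (TLS from the first byte) failed in the original config.
my $ldap = Net::LDAP->new($server, version => 3, timeout => 10)
    or die "cannot connect to $server: $@\n";

# Net::LDAP defaults to verify => 'none'; require validation against the CA
# bundle so a host presenting an untrusted certificate is rejected.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die "StartTLS failed: " . $mesg->error . "\n" if $mesg->code;

$mesg = $ldap->bind($bind_dn, password => $bind_pw);
die "bind as $bind_dn failed: " . $mesg->error . "\n" if $mesg->code;

# Escape the user-supplied value so it cannot change the filter's structure.
my $user_filter = sprintf '(&(ObjectClass=User)(sAMAccountName=%s))',
    escape_filter_value($login);
$mesg = $ldap->search(base => $base, scope => 'sub', filter => $user_filter,
                      attrs => [qw(sAMAccountName mail)]);
die "search failed: " . $mesg->error . "\n" if $mesg->code;
die "expected exactly one match for '$login', got " . $mesg->count . "\n"
    unless $mesg->count == 1;
my $entry = $mesg->entry(0);

# Same test the plugin's d_filter performs: a hit means the account is disabled.
$mesg = $ldap->search(base => $base, scope => 'sub',
                      filter => "(&$user_filter$d_filter)", attrs => ['1.1']);
die "account '$login' is disabled in AD\n" if !$mesg->code && $mesg->count;

printf "Name=%s EmailAddress=%s: ExternalAuth would accept this account\n",
    $entry->get_value('sAMAccountName'), $entry->get_value('mail') // '';
$ldap->unbind;
```

Run it as `LDAP_PASS=... perl check-ad.pl jsmith`; a failure at the StartTLS step with `verify => 'require'` points at the CA chain from step 1, while a failure at the bind points at the service-account DN or password.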