[rt-users] ExternalAuth to active directory over SSL (SOLVED)

Brent Wiese bwiese at ElementPS.com
Tue Mar 27 18:48:38 EDT 2012


> 
> On 03/27/2012 01:56 PM, Brent Wiese wrote:
> >     'tls'           => 0,
> >     'ssl_version'   => 3,
> >     'net_ldap_args' => [ version =>  3, port => 636, debug => 8 ],
> 
> You're mixing TLS with the SSL port.  Try this:
> 
>     tls => 1,
>     net_ldap_args => [ version => 3, debug => 8 ],
> 
> Don't include ssl_version or port.
> 
> Thomas

Yep, that was the ticket.

Thank you very much for the help!

In case anyone experiences the same situation, here is the quick-n-dirty list of what I had to do to get it working:

1: make sure the CA chain for whatever domain controller(s) you're connecting to is added to your cert bundle. On my system (CentOS 6), it was /etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to /etc/ssl/certs/ca-bundle.crt)

Afterwards, I was able to connect without any cert errors:
openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

2: for ldapsearch (I believe it's installed with openldap-clients, or maybe openldap-devel) to work properly, I had to add this to /etc/openldap/ldap.conf:
    TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Once I added that line, this ldapsearch worked:
ldapsearch -d 2 -LLL -v -x -H ldaps://dc.mydomain.local:636 -b 'DC=mydomain,DC=local' -D 'CN=Apache,OU…,DC=mydomain,DC=local' -w '**pass**' '(sn=smith)' cn sn

3: Net::SSLeay wasn't installed on my system, so I installed it through CPAN.

4: #3 broke apache (segmentation faults) on my system using mod_perl. I switched to mod_fcgid. Plenty of posts on how to configure this. It wasn't hard - the only catch was to make sure the directory you set for the socket file (I used /tmp/fcgid/sock.rt4) is writeable by apache (root creates it before switching to your apache user). I also had to modify the perms on rt-server.log so apache could write to it.

5: I installed ExternalAuth via cpan prior to #3. Since I wasn't sure if it compiled correctly (I don't recall any errors, but it's been over a week now so my memory has faded), I grabbed the latest stable from the site and compiled it myself. I know it found Net::SSLeay this time around. This may not be a necessary step if you're just starting out - installing via cpan is easier.

6: Here is my config as it relates to ExternalAuth after the changes Thomas mentions above:

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

Set($ExternalAuthPriority,  [   'My_LDAP'   ]);

Set($ExternalInfoPriority,  [   'My_LDAP' ]);

Set($ExternalServiceUsesSSLorTLS,    1);

# We set below to true because we support external customers via email. 
# We only need to use AD to authenticate our support reps that work the tickets.
Set($AutoCreateNonExternalUsers,    1);

Set($ExternalSettings,      { 'My_LDAP'       =>  {   
          'type'                      =>  'ldap',
          'server'                    =>  'dc05.my.ad',
          'user'                      =>  'CN=Apache LDAP,OU=Service Accounts,DC=my,DC=ad',
          'pass'                      =>  'xxx',
          'base'                      =>  'DC=my,DC=ad',
          'filter'                    =>  '(ObjectClass=User)',
          'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
          'tls'                       =>  1,
          'net_ldap_args'             => [ version =>  3, debug => 8 ],
          'attr_match_list'           => [    'Name',
                                              'EmailAddress'
                                         ],
          'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                              'EmailAddress' => 'mail',
                                              'ExternalAuthId' => 'sAMAccountName',
                                               'Gecos' => 'sAMAccountName'
                                          }
          },
    }
);

Hopefully I remembered everything!

Cheers,
Brent
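To check the trust chain and the service-account bind outside RT before (or after) changing RT_SiteConfig.pm, here is a small Perl script added to this page; it is not from Brent's post and not code from RT::Authen::ExternalAuth. It reuses the host, bind DN, base and CA-bundle path from the config above as assumptions, reads the bind password from the LDAP_BIND_PW environment variable, and asks Net::LDAPS to verify the domain controller's certificate against the bundle rather than relying on the library's default, so a chain that is missing from the bundle shows up as a connection failure instead of a silently unverified session. Net::LDAPS defaults to port 636, which is why the RT config needs no port once tls is set.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from RT/ExternalAuth.
# It opens the same kind of connection the post's config asks ExternalAuth
# for (LDAPS, protocol version 3) and binds with the service account, but
# requests certificate verification explicitly. Hostname, DNs and bundle
# path are the post's values reused as assumptions.
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP::Util qw(ldap_error_text escape_filter_value);

my $server  = 'dc05.my.ad';                        # 'server' in the post
my $cafile  = '/etc/pki/tls/certs/ca-bundle.crt';  # CA chain added in step 1
my $bind_dn = 'CN=Apache LDAP,OU=Service Accounts,DC=my,DC=ad';
my $base    = 'DC=my,DC=ad';
my $bind_pw = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";
my $login   = shift @ARGV       // die "usage: $0 <sAMAccountName>\n";

# verify => 'require' plus cafile make Net::LDAPS refuse the connection
# unless the DC's certificate chains to the bundle. The same two keys are
# ordinary Net::LDAPS constructor options, so they can also go into
# net_ldap_args in the RT config, which ExternalAuth hands to the constructor.
my $ldap = Net::LDAPS->new(
    $server,
    version => 3,
    verify  => 'require',
    cafile  => $cafile,
) or die "LDAPS connection to $server failed: $@\n";

my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die "bind as $bind_dn failed: " . ldap_error_text($mesg->code) . "\n"
    if $mesg->code;

# Escape the login before interpolating it into the filter so characters
# such as '*' or ')' cannot change the shape of the query.
my $name = escape_filter_value($login);

# The post's 'filter', narrowed to one account, plus the attributes that
# the post's attr_map reads.
my $res = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => "(&(objectClass=user)(sAMAccountName=$name))",
    attrs  => [qw(sAMAccountName mail userAccountControl)],
);
die "search failed: " . ldap_error_text($res->code) . "\n" if $res->code;

if ($res->count == 0) {
    print "no account '$login' under $base\n";
} else {
    my $entry = $res->entry(0);
    my $uac   = $entry->get_value('userAccountControl') // 0;

    # The post's d_filter tests bit 2 (ACCOUNTDISABLE) of userAccountControl
    # with the bitwise-AND matching rule. Ask the server the same question
    # against this one entry so the answer is what ExternalAuth would see.
    my $dis = $ldap->search(
        base   => $entry->dn,
        scope  => 'base',
        filter => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        attrs  => ['1.1'],    # no attributes needed, only the match
    );
    my $server_says = ($dis->code == 0 && $dis->count) ? 'yes' : 'no';

    printf "%s <%s> userAccountControl=%d disabled(d_filter)=%s local-bit-check=%s\n",
        $entry->get_value('sAMAccountName'),
        $entry->get_value('mail') // '(none)',
        $uac,
        $server_says,
        ($uac & 2) ? 'yes' : 'no';
}

$ldap->unbind;
```

Run it as `LDAP_BIND_PW='...' perl check-ldaps.pl jsmith`. If the connect line dies with a certificate verification error, the domain controller's chain is not in the bundle yet (step 1 above); if the bind fails, the service-account DN or password is wrong independently of RT. The two disabled columns should agree; the server-side one is the exact filter RT evaluates, the local one is only a sanity check on the attribute value.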

