[rt-users] RT-Authen-ExternalAuth - how to confirm that ssl ldap bind is used?
Jonathan Mills
jonmills at renci.org
Tue Oct 16 09:25:33 EDT 2012
You know, I looked into the same thing. What I found was that it was
*not* so easy to use RT-Authen-ExternalAuth -- that is, if your LDAP
server is secure enough. My LDAP server requires a certificate to build
an SSL or STARTTLS connection, as part of our baseline security.
RT-Authen-ExternalAuth, by default, does not support a method to pass
the path to a certificate, and the reqcert setting, to the underlying
perl-Net-LDAP library (even though this library supports all that stuff).
I had to apply this patch to RT-Authen-ExternalAuth:
http://old.nabble.com/attachment/23889671/0/RT-Authen-ExternalAuth-19912-start_tls-options.patch
Patch applies perfectly. Afterwards, I did something like this in my
config (note the tls_args segment):
Set($ExternalSettings, {
    'LDAP' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => 'ldap.example.com',
        'base'   => 'dc=example,dc=com',
        'filter' => '(objectClass=posixAccount)',
        'tls'    => 1,
        # What other args should I pass to Net::LDAP->new($host, @args)?
        'net_ldap_args' => [
            version => 3,
            port    => 389,
            debug   => 8,
        ],
        # Special arguments for start_tls (see perldoc Net::LDAP for details):
        # 'require' makes the TLS handshake fail unless the server certificate
        # chains to the CA in cafile
        'tls_args' => [
            'verify' => 'require',
            'cafile' => '/etc/openldap/cacerts/example_ca.pem',
        ],
        # This MUST be a full DN
        'group'            => 'cn=admins,ou=PosixGroups,dc=example,dc=com',
        'group_attr'       => 'memberUid',
        'group_attr_value' => 'uid',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName',
            'Gecos',
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'Gecos'        => 'cn',
        }, # end attr_map
    }, # end LDAP
}); # end Set($ExternalSettings)
(Server is OpenLDAP 2.4.x using rfc2307 style posixAccount and
posixGroup objectclasses)
--
Jonathan Mills
Systems Administrator
Renaissance Computing Institute
UNC-Chapel Hill
On 10/16/2012 08:19 AM, Darin Perusich wrote:
> On Tue, Oct 16, 2012 at 6:46 AM, Marko Cupać <marko.cupac at gmail.com> wrote:
>> I have been using rt4 for some time now in plain protocols (site is on
>> http, fetchmail is plain pop3, external auth is done from ldap without
>> ssl). Now, I am increasing security by switching to encrypted
>> protocols.
>>
>> Switching apache to https was easy thing to do, and I spent a few hours
>> with fetchmail and certificates but it also works now.
>>
>> RT::Extension::LDAPimport "just worked" when switching ldaphost to
>> ldaps:
>>
>> Set($LDAPHost,'ldaps://ldap.company.tld');
>>
>> Also, after setting
>> Set($ExternalAuthPriority,['My_LDAP']);
>> Set($ExternalInfoPriority,['My_LDAP']);
>> Set($ExternalServiceUsesSSLorTLS,1);
>> Set($ExternalSettings,{
>> 'My_LDAP' => {
>> ...
>> 'tls' => 1,
>> 'ssl_version' => 3,
>> ...
>> }
>> }
>>
>> ... i can still authenticate.
>>
>> I can not believe this can be so simple :) Is there a way to check that
>> ssl is really used?
>>
>
> Check your ldap servers logs or run wireshark/tcpdump from the RT
> server and inspect the traffic.
>
> --------
> Final RT training for 2012 in Atlanta, GA - October 23 & 24
> http://bestpractical.com/training
>
> We're hiring! http://bestpractical.com/jobs
>
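The following is an added example, not part of this thread and not code from RT-Authen-ExternalAuth. It answers Marko's question ("is there a way to check that ssl is really used?") from the client side, using the same Net::LDAP start_tls options as the tls_args segment above: open the connection the way RT would, and only report success if Net::LDAP says the session is encrypted and the peer certificate verified against the CA file. It then repeats the handshake against an empty CA bundle, which must fail if verify => 'require' is actually being enforced. The host, CA path, bind DN and the LDAP_CHECK_PASSWORD variable are placeholders to be replaced with your own values.

```perl
#!/usr/bin/perl
# Added example (not part of the original post or of RT-Authen-ExternalAuth).
# Opens an LDAP connection with STARTTLS the way RT's ExternalAuth would with
# the tls_args shown above and reports whether the session is really
# encrypted and whether the server certificate was verified.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Hypothetical values: substitute your own server, CA bundle and bind DN.
my $host   = 'ldap.example.com';
my $cafile = '/etc/openldap/cacerts/example_ca.pem';
my $binddn = 'uid=rtcheck,ou=People,dc=example,dc=com';
my $passwd = $ENV{LDAP_CHECK_PASSWORD} // die "set LDAP_CHECK_PASSWORD\n";

# Returns a hashref describing the TLS session, or dies on any failure.
sub check_ldap_tls {
    my (%opt) = @_;
    my $ldap = Net::LDAP->new($opt{host}, version => 3, port => 389)
        or die "connect to $opt{host} failed: $@\n";

    # Same options as the tls_args segment in the config above.
    # verify => 'require' makes start_tls fail unless the server certificate
    # chains to cafile; Net::LDAP's default is 'none', which still encrypts
    # but never checks who you are talking to.
    my $mesg = $ldap->start_tls(
        verify => $opt{verify} // 'require',
        cafile => $opt{cafile},
    );
    die "start_tls failed: " . $mesg->error . "\n"
        if $mesg->code != LDAP_SUCCESS;

    # cipher() is undef on a cleartext session; after a successful
    # start_tls it names the negotiated cipher suite.
    my $cipher = $ldap->cipher;
    die "start_tls reported success but the session is not encrypted\n"
        unless defined $cipher;

    # Peer certificate details come from the underlying IO::Socket::SSL.
    my $sock    = $ldap->socket;
    my $subject = $sock->peer_certificate('subject');
    my $issuer  = $sock->peer_certificate('issuer');

    # Only now send the password: the channel is encrypted and the peer
    # certificate has been checked against our CA.
    $mesg = $ldap->bind($opt{binddn}, password => $opt{password});
    die "bind failed: " . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;
    $ldap->unbind;

    return { cipher => $cipher, subject => $subject, issuer => $issuer };
}

# Positive check: handshake, verification and bind against the real CA.
my $r = check_ldap_tls(host => $host, cafile => $cafile,
                       binddn => $binddn, password => $passwd);
printf "TLS cipher : %s\nserver cert: %s\nissued by  : %s\n",
    @$r{qw(cipher subject issuer)};

# Negative check: with an empty CA bundle and verify => 'require' the
# handshake must fail. If it succeeds, certificate verification is not
# being enforced and the tls_args are not reaching Net::LDAP.
my $ok = eval {
    check_ldap_tls(host => $host, cafile => '/dev/null',
                   binddn => $binddn, password => $passwd);
    1;
};
print $ok
    ? "WARNING: start_tls succeeded with an empty CA bundle; "
      . "server certificate verification is NOT enforced\n"
    : "certificate verification enforced (empty CA bundle rejected: $@)";
```

This complements Darin's server-side suggestion: the ldap server log (or a tcpdump on port 389 showing only the cleartext STARTTLS extended-operation exchange followed by TLS records) confirms encryption, while the negative check above is what confirms the certificate is actually being verified rather than merely presented.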