[rt-users] ExternalAuth to active directory over SSL
Guillaume Hilt
ghilt at shadowprojects.org
Wed Feb 18 09:43:06 EST 2015
Hello,
I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using .deb
packages.
I'm trying to make ExternalAuth work with LDAP over SSL (Active
Directory on 2008 R2 x64), with an internal CA managed under Windows 2008
R2 x64.
I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.
I followed a previous discussion on this matter here:
http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html
I'm facing the same issue.
$ openssl s_client -connect srv2.lan.domain.com:636 -CApath /etc/ssl/certs
Return Verify return code: 21 (unable to verify the first certificate)

$ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem /etc/ssl/certs/srv2.lan.domain.com_cert.pem
/etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK
Running LDP.exe on the domain controllers running in SSL mode works fine.
RT's log gives the following:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
LDAP_OPERATIONS_ERROR 1
An ldapsearch gives me this (hex dump snipped):
ldap_initialize( ldaps://srv2.lan.domain.com:636/??base )
tls_write: want=117, written=117
tls_read: want=3422, got=1443
tls_read: want=1979, got=1448
tls_read: want=531, got=531
tls_write: want=12, written=12
tls_write: want=267, written=267
tls_write: want=6, written=6
tls_write: want=117, written=117
tls_read: want=5, got=5
tls_read: want=1, got=1
tls_read: want=5, got=5
tls_read: want=80, got=80
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Here's my configuration:

    'AD_LAN' => {
        'type'         => 'ldap',
        'server'       => 'srv2.lan.domain.com',
        'user'         => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
        'pass'         => 'XXXXXXX',
        'base'         => 'CN=Utilisateurs,DC=lan,DC=domain,DC=com',
        'filter'       => '(&(objectClass=organizationalPerson)(mail=*))',
        'd_filter'     => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'group'        => '',
        'group_attr'   => '',
        'tls'          => 0,
        'ssl_version'  => 3,
        'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
Setting tls to 1 gives me this different error:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
LDAP_SERVER_DOWN 81
Regards,
--
Guillaume Hilt
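An added diagnostic example for the "verify return code: 21" shown in the post (written here for illustration; it is neither the poster's code nor part of RT or Net::LDAP). parse_s_client() reads an openssl s_client transcript, lists the chain the server actually sent, and names the issuer the client's trust store must contain; check_ldaps() repeats the same verification in-process with Python's ssl module, which raises ssl.SSLCertVerificationError carrying the same numeric code. The transcript is constructed, and the issuer name lan-SRV2-CA is an assumption. One caveat it encodes: both openssl's -CApath and ssl's capath= look for hash-named links, so a PEM dropped into /etc/ssl/certs under a plain filename is only found through -CAfile (or cafile=) until the directory is rehashed with openssl rehash / c_rehash (on Ubuntu, update-ca-certificates does this for .crt files placed in /usr/local/share/ca-certificates).

```python
import re
import socket
import ssl
import sys

# Constructed sample of `openssl s_client -connect host:636` output (not taken
# from the poster's system): the server sends only its leaf certificate and the
# client cannot find the issuer, which is exactly what code 21 means.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = srv2.lan.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = srv2.lan.domain.com
   i:CN = lan-SRV2-CA, DC = lan, DC = domain, DC = com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC...snipped...
-----END CERTIFICATE-----
---
SSL handshake has read 1443 bytes and written 117 bytes
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

# X509 verify codes an LDAPS check most often runs into (OpenSSL numbering).
VERIFY_CODES = {
    0: "certificate chain verified",
    10: "a certificate in the chain has expired",
    18: "the server presented a self-signed certificate",
    19: "the chain ends in a self-signed root that is not in the trust store",
    20: "the issuer of a certificate in the chain is not in the trust store",
    21: "only the leaf was presented and its issuer is not in the trust store",
}

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)$", re.M)   # " 0 s:CN = ..." lines
ISSUER_RE = re.compile(r"^\s*i:(.*)$", re.M)        # "   i:CN = ..." lines
CODE_RE = re.compile(r"Verify return code: (\d+)")


def parse_s_client(output):
    """Summarise an s_client transcript: verify code, chain sent, diagnosis."""
    m = CODE_RE.search(output)
    code = int(m.group(1)) if m else None
    subjects = [s.strip() for _, s in CHAIN_RE.findall(output)]
    issuers = [i.strip() for i in ISSUER_RE.findall(output)]
    chain = list(zip(subjects, issuers))
    # A chain is self-contained only if the last cert the server sent is its
    # own issuer (a root); otherwise the client must supply that issuer.
    ends_at_root = bool(chain) and chain[-1][0] == chain[-1][1]
    missing_issuer = None if (ends_at_root or not chain) else chain[-1][1]
    if code == 0:
        diagnosis = "chain verified against the supplied trust store"
    elif code in (20, 21) and missing_issuer:
        diagnosis = ("client could not find '%s' in its trust store; pass the CA "
                     "with -CAfile, or rehash the -CApath directory so the file "
                     "is found under its hash name" % missing_issuer)
    else:
        diagnosis = VERIFY_CODES.get(code, "unrecognised verify code %r" % code)
    return {"code": code, "chain": chain, "ends_at_root": ends_at_root,
            "missing_issuer": missing_issuer, "diagnosis": diagnosis}


def check_ldaps(host, port=636, cafile=None, capath=None):
    """Open a TLS connection as an LDAPS client would and verify the chain.

    Returns protocol and peer names on success; on failure raises
    ssl.SSLCertVerificationError, whose .verify_code is the same number
    s_client prints (e.g. 21).  capath=, like -CApath, needs hashed links.
    """
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(),
                    "subject": dict(x[0] for x in cert["subject"]),
                    "issuer": dict(x[0] for x in cert["issuer"])}


if __name__ == "__main__":
    # Offline: diagnose the constructed transcript.
    for k, v in parse_s_client(SAMPLE_S_CLIENT_OUTPUT).items():
        print("%-15s %s" % (k + ":", v))
    # Online (optional): python3 this.py HOST /path/to/ca.pem
    if len(sys.argv) == 3:
        try:
            print(check_ldaps(sys.argv[1], cafile=sys.argv[2]))
        except ssl.SSLCertVerificationError as e:
            print("verify failed, code %s: %s" % (e.verify_code, e.verify_message))
```

Run without arguments to see the constructed transcript diagnosed; with a host and CA file it performs the live check, and a failure prints the same verify code and message that s_client would, so the two views can be compared directly.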