[rt-users] ExternalAuth to active directory over SSL

Guillaume Hilt ghilt at shadowprojects.org
Wed Feb 18 09:43:06 EST 2015


Hello,

I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using .deb packages.

I'm trying to make ExternalAuth work with LDAP over SSL (Active Directory on 2008 R2 x64), with an internal CA managed under Windows 2008 R2 x64.
I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.

I followed a previous discussion on this matter here:
http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html
I'm facing the same issue.

$ openssl s_client -connect srv2.lan.domain.com:636 -CApath /etc/ssl/certs
Return Verify return code: 21 (unable to verify the first certificate)

$ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem /etc/ssl/certs/srv2.lan.domain.com_cert.pem
/etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK

Running LDP.exe on the domain controllers running in SSL mode works fine.


RT's log gives the following:

RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1


An ldapsearch gives me this (hex dump snipped):

ldap_initialize( ldaps://srv2.lan.domain.com:636/??base )
tls_write: want=117, written=117
tls_read: want=3422, got=1443
tls_read: want=1979, got=1448
tls_read: want=531, got=531
tls_write: want=12, written=12
tls_write: want=267, written=267
tls_write: want=6, written=6
tls_write: want=117, written=117
tls_read: want=5, got=5
tls_read: want=1, got=1
tls_read: want=5, got=5
tls_read: want=80, got=80
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Here's my configuration:

         'AD_LAN' => {
                 'type'                      =>  'ldap',
                 'server'                    =>  'srv2.lan.domain.com',
                 'user'                      =>  'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
                 'pass'                      =>  'XXXXXXX',

                 'base'                      =>  'CN=Utilisateurs,DC=lan,DC=domain,DC=com',
                 'filter'                    =>  '(&(objectClass=organizationalPerson)(mail=*))',
                 'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',

                 'group'                     =>  '',
                 'group_attr'                =>  '',

                 'tls'                       =>  0,
                 'ssl_version'               =>  3,
                 'net_ldap_args'             =>  [ version => 3, port => 636, debug => 8 ],

                 'attr_match_list' => [
                         'Name',
                         'EmailAddress',
                 ],
                 'attr_map' => {
                         'Name' => 'sAMAccountName',
                         'EmailAddress' => 'mail',
                         'Organization' => 'physicalDeliveryOfficeName',
                         'RealName' => 'cn',
                         'ExternalAuthId' => 'sAMAccountName',
                         'Gecos' => 'sAMAccountName',
                         'WorkPhone' => 'telephoneNumber',
                         'Address1' => 'streetAddress',
                         'City' => 'l',
                         'State' => 'st',
                         'Zip' => 'postalCode',
                         'Country' => 'co'
                 },
         },


Setting tls to 1 gives me this different error:

RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_SERVER_DOWN 81


Regards,

-- 
   Guillaume Hilt
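As an added diagnostic (not part of the original post or of RT's code), the following standalone Perl script exercises the same LDAPS path outside RT using Net::LDAP's documented `scheme`, `verify` and `cafile` options: it requires the server chain to validate against the internal CA file named in the post, binds with the post's bind DN, and runs the post's user filter. Host, base DN, bind DN and CA path are taken from the post; the bind password comes from an environment variable and is a placeholder.

```perl
#!/usr/bin/perl
# Added example: verify an LDAPS connection to the AD controller from the
# post with strict CA verification, then bind and search. Not RT code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SIZELIMIT_EXCEEDED);

my $host   = 'srv2.lan.domain.com';                              # from the post
my $cafile = '/etc/ssl/certs/srv2.lan.domain.com_ca.pem';        # from the post
my $binddn = 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com';        # from the post
my $base   = 'CN=Utilisateurs,DC=lan,DC=domain,DC=com';          # from the post
my $bindpw = $ENV{LDAP_BIND_PASSWORD}                            # placeholder
    // die "set LDAP_BIND_PASSWORD in the environment\n";

# scheme => 'ldaps' negotiates TLS on connect (port 636) rather than StartTLS.
# verify => 'require' makes Net::LDAP reject the session unless the server's
# chain validates against $cafile, so a CA or chain problem fails here,
# before any bind is attempted, with the SSL error in $@.
my $ldap = Net::LDAP->new(
    $host,
    scheme  => 'ldaps',
    port    => 636,
    version => 3,
    verify  => 'require',
    cafile  => $cafile,
    timeout => 10,
) or die "LDAPS connect failed: $@\n";

# The underlying socket is an IO::Socket::SSL; report the subject that was
# accepted so it can be compared with the openssl s_client output.
print "Connected; peer subject: ", $ldap->socket->peer_certificate('subject'), "\n";

my $bind = $ldap->bind($binddn, password => $bindpw);
die "Bind failed: " . $bind->error . "\n" if $bind->code;
print "Bind OK\n";

# Same user filter as the post's 'filter' key, limited to one entry.
my $res = $ldap->search(
    base      => $base,
    scope     => 'sub',
    filter    => '(&(objectClass=organizationalPerson)(mail=*))',
    attrs     => [ 'sAMAccountName', 'mail' ],
    sizelimit => 1,
);
# AD answers sizeLimitExceeded when the limit truncates results; that is fine here.
die "Search failed: " . $res->error . "\n"
    if $res->code && $res->code != LDAP_SIZELIMIT_EXCEEDED;
for my $e ($res->entries) {
    printf "%s <%s>\n", $e->get_value('sAMAccountName'), $e->get_value('mail') // '';
}
$ldap->unbind;
```

If the connect step fails, the message in `$@` names the verification problem, which separates a certificate-chain issue from an ExternalAuth configuration issue.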



