[rt-users] ExternalAuth to active directory over SSL

Trev trevor at onepost.net
Tue Feb 24 12:41:42 EST 2015


Review some of your LDAP settings. I think you have CN and DN in places
where you may want OU, and your LDAP user should be in a different format,
see below.

Hopefully this helps.

Use mine (working, also cleaned) as an example:

Set($ExternalSettings, {
    'My_LDAP'       =>  {
        'type'          =>  'ldap',
        'server'        =>  'ldap://domain_name.com',
        'user'          =>  'domain_name\ldapreader',
        'pass'          =>  'ldapreader_password',
        'base'          =>  'ou=users,ou=services,dc=domain_name,dc=com',
        'filter'        =>  '(objectClass=person)',
        'tls'           =>  0,

        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName',
        ],

        'attr_map'      => {
            'Name'          => 'sAMAccountName',
            'EmailAddress'  => 'mail',
            'Organization'  => 'department',
            'RealName'      => 'cn',
            'NickName'      => 'givenName',
            'ExternalAuthId'=> 'sAMAccountName',
            'Gecos'         => 'sAMAccountName',
            'WorkPhone'     => 'telephoneNumber',
            'MobilePhone'   => 'mobile',
            'Address1'      => 'streetAddress',
            'City'          => 'l',
            'State'         => 'st',
            'Zip'           => 'postalCode',
            'Country'       => 'co'
        },
    },
});

On Tue, Feb 24, 2015 at 9:35 AM, Guillaume Hilt <ghilt at shadowprojects.org>
wrote:

> No one is using LDAPS with Request Tracker ?
>
>   Guillaume Hilt
>
> Le 18/02/2015 15:43, Guillaume Hilt a écrit :
>
>> Hello,
>>
>> I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using .deb
>> packages.
>>
>> I'm trying to make ExternalAuth work with LDAP over SSL (Active Directory
>> on 2008 R2 x64), with an internal CA managed under Windows 2008 R2 x64.
>> I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.
>>
>> I followed a previous discussion on this matter here:
>> http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html
>> I'm facing the same issue.
>>
>> $ openssl s_client -connect srv2.lan.domain.com:636 -CApath
>> /etc/ssl/certs
>> Return Verify return code: 21 (unable to verify the first certificate)
>>
>> $ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem
>> /etc/ssl/certs/srv2.lan.domain.com_cert.pem
>> /etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK
>>
>> Running LDP.exe on the domain controllers running in SSL mode works fine.
>>
>>
>> RT's log gives the following :
>>
>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
>> LDAP_OPERATIONS_ERROR 1
>>
>>
>> An ldapsearch gives me this (snipped hex code):
>>
>> ldap_initialize( ldaps://srv2.lan.domain.com:636/??base )
>> tls_write: want=117, written=117
>> tls_read: want=3422, got=1443
>> tls_read: want=1979, got=1448
>> tls_read: want=531, got=531
>> tls_write: want=12, written=12
>> tls_write: want=267, written=267
>> tls_write: want=6, written=6
>> tls_write: want=117, written=117
>> tls_read: want=5, got=5
>> tls_read: want=1, got=1
>> tls_read: want=5, got=5
>> tls_read: want=80, got=80
>> TLS: can't connect: (unknown error code).
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>
>>
>> Here's my configuration:
>>
>>         'AD_LAN' => {
>>                 'type'                      =>  'ldap',
>>                 'server'                    => 'srv2.lan.domain.com',
>>                 'user'                      => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
>>                 'pass'                      =>  'XXXXXXX',
>>
>>                 'base'                      => 'CN=Utilisateurs,DC=lan,DC=domain,DC=com',
>>                 'filter'                    => '(&(objectClass=organizationalPerson)(mail=*))',
>>                 'd_filter'                  => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>
>>                 'group'                     =>  '',
>>                 'group_attr'                =>  '',
>>
>>                 'tls'                       =>  0,
>>                 'ssl_version'               =>  3,
>>                 'net_ldap_args'             =>  [ version => 3, port => 636, debug => 8 ],
>>
>>                 'attr_match_list' => [
>>                         'Name',
>>                         'EmailAddress',
>>                 ],
>>                 'attr_map' => {
>>                         'Name' => 'sAMAccountName',
>>                         'EmailAddress' => 'mail',
>>                         'Organization' => 'physicalDeliveryOfficeName',
>>                         'RealName' => 'cn',
>>                         'ExternalAuthId' => 'sAMAccountName',
>>                         'Gecos' => 'sAMAccountName',
>>                         'WorkPhone' => 'telephoneNumber',
>>                         'Address1' => 'streetAddress',
>>                         'City' => 'l',
>>                         'State' => 'st',
>>                         'Zip' => 'postalCode',
>>                         'Country' => 'co'
>>                 },
>>         },
>>
>>
>> Setting tls to 1 gives me this different error:
>>
>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
>> LDAP_SERVER_DOWN 81
>>
>>
>> Regards,
>>
>>
>
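Added example (not from either poster, and not RT's own code): a standalone Perl check that does the same thing RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj does, namely Net::LDAP->new followed by a bind, but with the server given as an ldaps:// URL and with Net::LDAP's `verify => 'require'` and `cafile` options so that a certificate problem is reported with the underlying IO::Socket::SSL error instead of a bare LDAP_OPERATIONS_ERROR or LDAP_SERVER_DOWN. The host name, bind DN, CA file path and search base are placeholders taken from or modelled on the thread; the bind password is read from the environment. The key/value pairs in @net_ldap_args are the same ones that would go into RT's 'net_ldap_args' list, since RT passes that list straight to Net::LDAP->new.

```perl
#!/usr/bin/perl
# Standalone LDAPS bind check (added example, not part of the original thread).
# Mirrors RT's ExternalAuth connect + bind so certificate verification failures
# show their real cause. Host, DN, CA path and base are placeholders.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

my $server  = 'ldaps://srv2.lan.domain.com';                  # ldaps:// scheme => port 636, TLS from the start
my $bind_dn = 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com';    # placeholder bind account
my $bind_pw = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";

# Same key/value pairs you would put in RT's 'net_ldap_args'.
# verify => 'require' makes Net::LDAP refuse a server chain it cannot verify
# against cafile, instead of connecting anyway.
my @net_ldap_args = (
    version => 3,
    verify  => 'require',
    cafile  => '/etc/ssl/certs/srv2.lan.domain.com_ca.pem',  # internal CA (placeholder path)
);

# Net::LDAP->new returns undef and sets $@ when the connection or TLS
# handshake fails; IO::Socket::SSL keeps the detailed reason in SSL_ERROR.
my $ldap = Net::LDAP->new($server, @net_ldap_args)
    or die "Cannot connect to $server: $@"
         . ($IO::Socket::SSL::SSL_ERROR ? " (SSL: $IO::Socket::SSL::SSL_ERROR)" : '')
         . "\n";

# Simple bind with the service account, exactly as RT does before searching.
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die sprintf("Bind failed: %s (%d)\n", $mesg->error, $mesg->code) if $mesg->code;
print "Bound to $server as $bind_dn with a verified server certificate\n";

# Small search with the base/filter RT will use, to confirm the bind account
# can actually read user objects (a wrong base DN shows up here, not at bind).
my $res = $ldap->search(
    base      => 'DC=lan,DC=domain,DC=com',                     # placeholder base
    filter    => '(&(objectClass=organizationalPerson)(mail=*))',
    attrs     => [ 'sAMAccountName', 'mail' ],
    sizelimit => 5,
);
die 'Search failed: ' . $res->error . "\n" if $res->code;
printf "Found %d user objects (showing at most 5)\n", $res->count;
for my $entry ($res->entries) {
    printf "  %s <%s>\n", $entry->get_value('sAMAccountName'),
        $entry->get_value('mail') // '';
}
$ldap->unbind;
```

Two things worth checking with this in hand. First, `openssl s_client -CApath` only finds a CA whose file name (or symlink) is its subject hash, so a plain .pem dropped into /etc/ssl/certs is not picked up until the directory is rehashed (c_rehash or `openssl rehash`), whereas `openssl verify -CAfile` reads the file directly; that difference alone explains an "unable to verify the first certificate" from s_client next to an "OK" from verify. Second, if the script dies at Net::LDAP->new with an SSL verification error, fix the trust chain rather than dropping `verify`, because the bind sends the service account password in the clear inside the TLS session and a skipped verification lets any host that answers on 636 collect it.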