[rt-users] ExternalAuth to active directory over SSL
Trev
trevor at onepost.net
Tue Feb 24 12:41:42 EST 2015
Review some of your LDAP settings. I think you have CN and DN in places
where you may want OU, and your LDAP user should be in a different format,
see below.
Hopefully this helps.
Use mine (working, also cleaned) as an example:

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap://domain_name.com',
        'user'   => 'domain_name\ldapreader',
        'pass'   => 'ldapreader_password',
        'base'   => 'ou=users,ou=services,dc=domain_name,dc=com',
        'filter' => '(objectClass=person)',
        'tls'    => 0,
        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'department',
            'RealName'       => 'cn',
            'NickName'       => 'givenName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'MobilePhone'    => 'mobile',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});
On Tue, Feb 24, 2015 at 9:35 AM, Guillaume Hilt <ghilt at shadowprojects.org>
wrote:
> No one is using LDAPS with Request Tracker?
>
> Guillaume Hilt
>
> On 18/02/2015 15:43, Guillaume Hilt wrote:
>
>> Hello,
>>
>> I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using .deb
>> packages.
>>
>> I'm trying to make ExternalAuth work with LDAP over SSL (Active Directory
>> on 2008 R2 x64), with an internal CA managed under Windows 2008 R2 x64.
>> I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.
>>
>> I followed a previous discussion on this matter here:
>> http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html
>> I'm facing the same issue.
>>
>> $ openssl s_client -connect srv2.lan.domain.com:636 -CApath
>> /etc/ssl/certs
>> Return Verify return code: 21 (unable to verify the first certificate)
>>
>> $ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem
>> /etc/ssl/certs/srv2.lan.domain.com_cert.pem
>> /etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK
>>
>> Running LDP.exe on the domain controllers running in SSL mode works fine.
>>
>>
>> RT's log gives the following:
>>
>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
>> LDAP_OPERATIONS_ERROR 1
>>
>>
>> An ldapsearch gives me this (snipped hex code):
>>
>> ldap_initialize( ldaps://srv2.lan.domain.com:636/??base )
>> tls_write: want=117, written=117
>> tls_read: want=3422, got=1443
>> tls_read: want=1979, got=1448
>> tls_read: want=531, got=531
>> tls_write: want=12, written=12
>> tls_write: want=267, written=267
>> tls_write: want=6, written=6
>> tls_write: want=117, written=117
>> tls_read: want=5, got=5
>> tls_read: want=1, got=1
>> tls_read: want=5, got=5
>> tls_read: want=80, got=80
>> TLS: can't connect: (unknown error code).
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>
>>
>> Here's my configuration:
>>
>> 'AD_LAN' => {
>>     'type'   => 'ldap',
>>     'server' => 'srv2.lan.domain.com',
>>     'user'   => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
>>     'pass'   => 'XXXXXXX',
>>
>>     'base'     => 'CN=Utilisateurs,DC=lan,DC=domain,DC=com',
>>     'filter'   => '(&(objectClass=organizationalPerson)(mail=*))',
>>     'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>
>>     'group'      => '',
>>     'group_attr' => '',
>>
>>     'tls'           => 0,
>>     'ssl_version'   => 3,
>>     'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],
>>
>>     'attr_match_list' => [
>>         'Name',
>>         'EmailAddress',
>>     ],
>>     'attr_map' => {
>>         'Name'           => 'sAMAccountName',
>>         'EmailAddress'   => 'mail',
>>         'Organization'   => 'physicalDeliveryOfficeName',
>>         'RealName'       => 'cn',
>>         'ExternalAuthId' => 'sAMAccountName',
>>         'Gecos'          => 'sAMAccountName',
>>         'WorkPhone'      => 'telephoneNumber',
>>         'Address1'       => 'streetAddress',
>>         'City'           => 'l',
>>         'State'          => 'st',
>>         'Zip'            => 'postalCode',
>>         'Country'        => 'co'
>>     },
>> },
>>
>>
>> Setting tls to 1 gives me this different error:
>>
>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
>> LDAP_SERVER_DOWN 81
>>
>>
>> Regards,
>>
>>
>
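An added example (my own, not code from the thread or from RT) of the two things that make a Net::LDAP connection use TLS and verify the Active Directory server: an ldaps:// scheme in the server URI, and verify/cafile options passed to Net::LDAP->new, shown both as a standalone bind and as the matching ExternalAuth stanza. The hostname, bind DN and CA path follow the thread; that RT hands 'net_ldap_args' unchanged to Net::LDAP->new is an assumption, and the certificate's subject/SAN must cover the hostname used in the URI.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): bind to Active Directory over LDAPS
# with Net::LDAP while verifying the server certificate against the internal
# CA file named in the thread. Hostname, DN and paths are assumptions.
use strict;
use warnings;
use Net::LDAP;

# ldaps:// in the URI is what makes Net::LDAP wrap the socket in TLS;
# a bare hostname plus port => 636 speaks plaintext LDAP to the TLS port.
my $server = 'ldaps://srv2.lan.domain.com';

# Options handed to Net::LDAP->new. 'verify' => 'require' rejects any server
# certificate that does not chain to the CA in 'cafile'; 'none' would accept
# anything, including an impersonating server.
my @ldap_args = (
    version => 3,
    verify  => 'require',
    cafile  => '/etc/ssl/certs/srv2.lan.domain.com_ca.pem',
);

# Connect and bind; returns the bound handle or dies with the TLS/bind reason.
sub bound_ldap {
    my ($bind_dn, $password) = @_;
    my $ldap = Net::LDAP->new($server, @ldap_args)
        or die "connect to $server failed: $@\n";   # handshake/verify errors land here
    my $mesg = $ldap->bind($bind_dn, password => $password);
    die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;
    return $ldap;
}

# The same settings as an RT_SiteConfig.pm ExternalAuth stanza. 'tls' stays 0:
# LDAPS is already encrypted, so no StartTLS upgrade is attempted on top of it.
# 'net_ldap_args' is assumed to be passed straight through to Net::LDAP->new.
my %rt_stanza = (
    'AD_LAN' => {
        'type'            => 'ldap',
        'server'          => $server,
        'user'            => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
        'pass'            => 'XXXXXXX',
        'base'            => 'CN=Users,DC=lan,DC=domain,DC=com',
        'filter'          => '(&(objectClass=organizationalPerson)(mail=*))',
        'tls'             => 0,
        'net_ldap_args'   => [ @ldap_args ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => { 'Name' => 'sAMAccountName', 'EmailAddress' => 'mail' },
    },
);

my $ldap = bound_ldap($rt_stanza{AD_LAN}{user}, $rt_stanza{AD_LAN}{pass});
print "bound to $server with a verified server certificate\n";
$ldap->unbind;
```

If the bind dies in Net::LDAP->new with a verification error, check the CA file with openssl s_client -CAfile (not -CApath, which needs hash-named links in the directory) before touching the RT configuration.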