ExternalAuth to active directory over SSL (SOLVED)

                                  'tls'                       =>

0,

                                  'ssl_version'               =>

3,

                                  'net_ldap_args'             =>

[ version => 3, port => 636, debug => 8 ],

You’re mixing TLS with the SSL port. Try this:

tls => 1,
net_ldap_args => [ version => 3, debug => 8 ],

Don’t include ssl_version or port.

Thomas

Yep, that was the ticket.

Thank you very much for the help!

In case anyone experiences the same situation, here is the quick-n-dirty list of what I had to do to get it working:

1: make sure the CA chain for whatever domain controller(s) you’re connecting to is added to your cert bundle. On my system (CentOS 6), it was /etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to /etc/ssl/certs/ca-bundle.crt)

Afterwards, I was able to connect without any cert errors:
openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

2: for ldapsearch (I believe its installed with openldap-clients, or maybe openldap-devel) to work properly, I had to add this to /etc/openldap/ldap.conf:
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

Once I added that line, this ldapsearch worked:
ldapsearch -d 2 -LLL -v -x -H ldaps:// dc.mydomain.local:636 -b ‘DC=mydomain,DC=local’ -D ‘CN=Apache,OU…,DC= mydomain,DC=local’ -w ‘pass’ ‘(sn=smith)’ cn sn

3: NET::SSLeay wasn’t installed on my system, so I installed through CPAN.

4: #3 broke apache (segmentation faults) on my system using mod_perl. I switched to mod_fcgid. Plenty of posts on how to configure this. It wasn’t hard - the only catch was to make sure the directory you set for the socket file (I used /tmp/fcgid/sock.rt4) is writeable by apache (root creates it before it switching to your apache user). I also had to modify the perms on rt-server.log so apache could write to it.

5: I installed ExternalAuth via cpan prior to #3. Since I wasn’t sure if it compiled correctly (I don’t recall any errors, but it’s been over a week now so my memory has faded), I grabbed the latest stable from the site and compiled it myself. I know it found NET::SSLeay this time around. This may not be a necessary step if you’re just starting out - installing via cpan is easier.

6: Here is my config as it relates to ExternalAuth after the changes Thomas mentions above:

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

Set($ExternalAuthPriority, [ ‘My_LDAP’ ]);

Set($ExternalInfoPriority, [ ‘My_LDAP’ ]);

Set($ExternalServiceUsesSSLorTLS, 1);

We set below to true because we support external customers via email.

We only need to use AD to authenticate our support reps that work the tickets.

Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, { ‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘dc05.my.ad’,
‘user’ => ‘CN=Apache LDAP,OU=Service Accounts,DC=my,DC=ad’,
‘pass’ => ‘xxx’,
‘base’ => ‘DC=my,DC=ad’,
‘filter’ => ‘(ObjectClass=User)’,
‘d_filter’ => ‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,
‘tls’ => 1,
‘net_ldap_args’ => [ version => 3, debug => 8 ],
‘attr_match_list’ => [ ‘Name’,
‘EmailAddress’
],
‘attr_map’ => { ‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’
}
},
}
);

Hopefully I remembered everything!

Cheers,
Brent