LDAPimport with TLS in RT 4.4.4?

Hello there…

At the dawn of time (June 2017) I was setting up LDAPImport with TLS. This was possible using a patch of LDAPImport.pm, as described in the original thread.

Now, I’m doing the same thing with RT 4.4.4. As far as I can tell, TLS is still not supported in LDAPImport. Correct?

I have tried to use the version of LDAPImport linked to above. I am unable to make it work. I get the message Unable to run rt-ldapimport without dependencies. Rerun configure with the --enable-externalauth option when running rt-ldapimport --verbose with the alternative LDAPImport.pm.

Any suggestions?

Thanks,
Tobias

Hi Tobias,

We use an overlay (running RT 4.4.3 on Debian) so we can use Net::LDAPS instead of Net::LDAP. We have added LDAPImport_Overlay.pm to /usr/local/share/request-tracker4/lib/RT:

use strict;
no warnings qw(redefine);

package RT::LDAPImport;

use Net::LDAPS;

# Provide a way to pass more options to Net::LDAP
# https://github.com/bestpractical/rt/commit/4c288fce0f42427d306347bc8e6c72bb0df18537#diff-d2ecc6d6ca3396532c7faac9bed15487

sub connect_ldap {
    my $self = shift;

    $RT::LDAPOptions = [] unless $RT::LDAPOptions;

    # Net::LDAPS opens LDAP over TLS. verify => 'require' rejects server
    # certificates that do not chain to a CA under capath, and sslversion
    # pins the session to TLS 1.2. The raw option must be a compiled regex
    # (qr//), not a quoted string, or no attribute will ever match it.
    my $ldap = Net::LDAPS->new(
        $RT::LDAPHost,
        raw        => qr/(?i:^sn|;binary)/,
        verify     => 'require',
        sslversion => 'tlsv1_2',
        capath     => '/etc/ssl/certs/',
        timeout    => 2,
    );

    $RT::Logger->debug("connecting to $RT::LDAPHost");
    unless ($ldap) {
        # $@ holds the IO::Socket::SSL error (e.g. certificate verify failure)
        $RT::Logger->error("Can't connect to $RT::LDAPHost: $@");
        return;
    }

    my $msg;
    if ($RT::LDAPUser) {
        $RT::Logger->debug("binding as $RT::LDAPUser");
        $msg = $ldap->bind($RT::LDAPUser, password => $RT::LDAPPassword);
    } else {
        $RT::Logger->debug("binding anonymously");
        $msg = $ldap->bind;
    }

    if ($msg->code) {
        $RT::Logger->error("LDAP bind failed " . $msg->error);
        return;
    }

    $self->_ldap($ldap);
    return $ldap;

}

1;

Furthermore, we needed to explicitly enforce TLSv1.2, hence the extra sslversion => 'tlsv1_2'. We did something similar for LDAP.pm, rewriting the subroutines sub GetAuth and sub _GetBoundLdapObj.

And you need to install, of course, relevant perl modules if not present.

Hope this helps.

Best, Marit
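Before dropping the overlay into RT, it is worth confirming outside RT that the directory actually accepts a connection under the same strict settings (certificate verified against the system CA store, TLS 1.2 only), because a failure inside RT surfaces only as "Can't connect". The following stand-alone script is an added example, not code from the RT project or from either post. It reuses the overlay's Net::LDAPS options; the hostname default is a placeholder, and the bind DN and password are optional command-line arguments.

```perl
#!/usr/bin/perl
# ldaps-check.pl: open an LDAPS connection with strict certificate checking
# and attempt a bind, reporting why it fails. Added example, not RT code.
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Usage: ldaps-check.pl HOST [BINDDN [PASSWORD]]
my $host   = $ARGV[0] || 'ldap.example.org';   # placeholder hostname, not a real server
my $binddn = $ARGV[1];                          # optional DN for an authenticated bind
my $pass   = $ARGV[2];                          # its password

# Same hardening as the overlay: the server certificate must chain to a CA
# under capath and the session is pinned to TLS 1.2.
my %tls_opts = (
    verify     => 'require',
    sslversion => 'tlsv1_2',
    capath     => '/etc/ssl/certs/',
    timeout    => 5,
);

# Returns (1, detail) on success, (0, reason) on failure.
sub check_ldaps {
    my ($host, $binddn, $pass) = @_;

    my $ldap = Net::LDAPS->new($host, %tls_opts);
    unless ($ldap) {
        # $@ carries the IO::Socket::SSL error: an untrusted issuer, a
        # hostname mismatch, or a server that refuses TLS 1.2.
        return (0, "connect to $host failed: $@");
    }

    # The underlying socket is an IO::Socket::SSL object, so the negotiated
    # cipher can be reported for the record.
    my $cipher = $ldap->socket->get_cipher;

    my $msg = defined $binddn
        ? $ldap->bind($binddn, password => $pass)
        : $ldap->bind;    # anonymous bind
    if ($msg->code != LDAP_SUCCESS) {
        $ldap->unbind;
        return (0, "TLS to $host OK (cipher $cipher) but bind failed: " . $msg->error);
    }

    $ldap->unbind;
    return (1, "TLS to $host OK (cipher $cipher), bind OK");
}

my ($ok, $detail) = check_ldaps($host, $binddn, $pass);
print "$detail\n";
exit($ok ? 0 : 1);
```

If the script fails at the connect step while plain ldapsearch succeeds, the problem is the certificate chain or the TLS version, not RT; if it connects but the bind fails, the overlay's LDAPUser or LDAPPassword setting is the thing to look at.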