Hello there…
At the dawn of time (June 2017) I was setting up LDAPImport with TLS. This was possible using a patch of LDAPImport.pm, as described in the original thread.
Now, I’m doing the same thing with RT 4.4.4. As far as I can tell, TLS is still not supported in LDAPImport. Correct?
I have tried to use the version of LDAPImport linked to above. I am unable to make it work. I get the message "Unable to run rt-ldapimport without dependencies. Rerun configure with the --enable-externalauth option" when running rt-ldapimport --verbose with the alternative LDAPImport.pm.
Any suggestions?
Thanks,
Tobias
Hi Tobias,
We use an overlay (running RT 4.4.3 on Debian) so we can use Net::LDAPS instead of Net::LDAP. We have added LDAPImport_Overlay.pm to /usr/local/share/request-tracker4/lib/RT:
use strict;
no warnings qw(redefine);
package RT::LDAPImport;
use Net::LDAPS;

# Provide a way to pass more options to Net::LDAP
# https://github.com/bestpractical/rt/commit/4c288fce0f42427d306347bc8e6c72bb0df18537#diff-d2ecc6d6ca3396532c7faac9bed15487
sub connect_ldap {
    my $self = shift;
    $RT::LDAPOptions = [] unless $RT::LDAPOptions;
    # raw must be a compiled regex, not a string, or binary attributes get
    # decoded as UTF-8. Any extra $LDAPOptions from RT_SiteConfig are
    # appended so the site config can still add or override settings.
    my $ldap = Net::LDAPS->new(
        $RT::LDAPHost,
        raw        => qr/(?i:^sn|;binary)/,
        verify     => 'require',     # reject untrusted or mismatched certs
        sslversion => 'tlsv1_2',
        capath     => '/etc/ssl/certs/',
        timeout    => 2,
        @$RT::LDAPOptions,
    );
    $RT::Logger->debug("connecting to $RT::LDAPHost");
    unless ($ldap) {
        $RT::Logger->error("Can't connect to $RT::LDAPHost");
        return;
    }
    my $msg;
    if ($RT::LDAPUser) {
        $RT::Logger->debug("binding as $RT::LDAPUser");
        $msg = $ldap->bind($RT::LDAPUser, password => $RT::LDAPPassword);
    } else {
        $RT::Logger->debug("binding anonymously");
        $msg = $ldap->bind;
    }
    if ($msg->code) {
        $RT::Logger->error("LDAP bind failed " . $msg->error);
        return;
    }
    $self->_ldap($ldap);
    return $ldap;
}

1;
Furthermore, we needed to explicitly enforce TLSv1.2, hence the extra sslversion => 'tlsv1_2'. We did something similar for LDAP.pm, rewriting the subroutines sub GetAuth and sub _GetBoundLdapObj.
And of course you need to install the relevant Perl modules if they are not already present.
Hope this helps.
Best, Marit
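A small stand-alone check for the TLS settings used in the overlay above, added here as an example and not part of the thread: it connects with the same verify => 'require', sslversion => 'tlsv1_2' and capath options and reports the negotiated protocol, cipher and server certificate, so you can confirm enforcement before wiring it into RT. The host ldap.example.org and the LDAP_HOST / LDAP_CAPATH environment variables are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the thread: connect to an LDAPS server with the same
# hardened options as the overlay (verify => 'require', TLS 1.2 only, system CA
# path) and report what was actually negotiated. Host and CA path are assumed;
# override them with LDAP_HOST and LDAP_CAPATH.
use strict;
use warnings;
use Net::LDAPS;

my $host   = $ENV{LDAP_HOST}   || 'ldap.example.org';   # placeholder host
my $capath = $ENV{LDAP_CAPATH} || '/etc/ssl/certs/';

# Returns a hashref describing the connection, or the failure reason.
sub check_ldaps {
    my ($host, $capath) = @_;
    my $ldap = Net::LDAPS->new(
        $host,
        verify     => 'require',   # untrusted chain or name mismatch => undef
        sslversion => 'tlsv1_2',
        capath     => $capath,
        timeout    => 2,
    );
    # Net::LDAP leaves the IO::Socket::SSL error text in $@ on failure
    return { ok => 0, error => $@ || 'connection failed' } unless $ldap;

    my $sock = $ldap->socket;      # the underlying IO::Socket::SSL object
    my %r = (
        ok      => 1,
        version => $sock->get_sslversion,
        cipher  => $ldap->cipher,
        subject => $sock->peer_certificate('subject'),
        issuer  => $sock->peer_certificate('issuer'),
    );
    # An anonymous bind confirms LDAP itself answers inside the TLS tunnel;
    # a refusal is reported but does not mark the TLS check as failed.
    my $msg = $ldap->bind;
    $r{bind_error} = $msg->error if $msg->code;
    $ldap->unbind;
    return \%r;
}

my $r = check_ldaps($host, $capath);
if ($r->{ok}) {
    printf "TLS %s, cipher %s\n", $r->{version}, $r->{cipher};
    printf "server cert: %s (issuer %s)\n", $r->{subject}, $r->{issuer};
    print  "bind refused: $r->{bind_error}\n" if $r->{bind_error};
} else {
    # e.g. "certificate verify failed", or a handshake error on a host
    # that only offers TLS 1.0/1.1
    print "LDAPS check failed for $host: $r->{error}\n";
    exit 1;
}
```

A non-zero exit with a verify error means the overlay would also refuse the server, which is the desired behaviour when the chain does not validate against capath.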