RT Authen: External Auth won't work over ssl

rtjoe · May 11, 2011, 2:31pm

Hello Guys

I have a problem to run the Auth. Plugin over ssl…

My settings are:

AD Server Windows 2008
Client Linux Ubuntu Lynx 10.04 LTS Version

So what i have done on the ServerSide:

Create a zertificate refered by this Document

Microsoft

I had tested the ldap connection over ssl on the server side, by the help
of ldp.exe … this works perfectly

On the client side:

I had converted the certifiacte from the server Server with openssl in an pm
file and installed the imported Certificate in the directory
/etc/ssl/certs.

But no ssl connections take place … the plugin makes an fallback (
proofed with thshark,perfmon and ssldump) on port 389 ( i wonder why).

so here is my plugin config:

##RT Authenth#############
Set( @Plugins,qw(RT::Authen::ExternalAuth));

Set($ExternalAuthPriority,[‘My_LDAP’]);
Set($ExternalInfoPriority,[‘My_LDAP’]);
Set($ExternalServiceUsesSSLorTLS,1);
Set($AutoCreateNonExternalUsers,1);
Set($AutoCreate,{Privileged => 1});

Set($ExternalSettings,{‘My_LDAP’ =>{ ## GENERIC SECTION
‘type’ => ‘ldap’,
‘server’ => ‘xxxxxxxxxxxxxx’,
‘user’ => ‘CN=xxxxxxxxx,OU=xxxxxxxxx,OU=xxxx,DC=xxxxxxxxxxxl’,
‘pass’ => ‘xxxxxxxxxxxxx’,
‘base’ => ‘OU=Benutzer,OU=xxxx,DC=xxxx,DC=xxx’,
‘filter’ =>
‘(memberOf=CN=xxxx,OU=Gruppen,OU=xxxx,DC=xxxxxxxx)’,
‘d_filter’ =>
‘(userAccountControl=514)’,
‘tls’ => 1,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version =>
3 ],
#‘group’ => ‘’,
#‘group_attr’ => ‘’,
‘attr_match_list’ => [ ‘Name’,
‘EmailAddress’,
],
‘attr_map’ => { ‘Name’ =>
‘sAMAccountName’,
‘RealName’ => ‘cn’,
‘EmailAddress’ =>
‘mail’,
‘Organization’ =>
‘physicalDeliveryOfficeName’,
‘ExternalAuthId’ =>
‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ =>
‘streetAddress’,
‘City’ => ‘l’,
‘Zip’ => ‘postalCode’,

Does the plugin need an self signed certificate ?.. if so, how i can create
this with windows 2008 server?

or do i need some software like likewise , that the server can authorize
against the linux client ?

i tried to make an ldapsearch with the following command:

ldapsearch -h xxx.local -p 636 -Z -D “sbah\admin” -w “password” -b "
CN=Configuration,DC=xxx,DC=local" -s sub “sAMAccountName=USER”

comes an error:

ldap_start_tls: Can’t contact LDAP server (-1) ldap_sasl_bind(SIMPLE): Can’t
contact LDAP server (-1)

don’t have a clue whats wrong

best regards skyerjoe

View this message in context: http://old.nabble.com/RT-Authen%3A-External-Auth-won't-work-over-ssl-tp31594799p31594799.html

rtjoe · May 12, 2011, 11:10am

So… now i have tested an ldap conection over openssl

the command is

openssl s_client -connect xxx.xxx.xxx.xxx:636

it comes the following:

CONNECTED(00000003)
Certificate chain
0 s:/CN=xxx.xxx.local
i:/CN=xxxx.xxxx.local
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/CN=xxx.xxx.local
issuer=/CN=xxxx.xxxx.local
Acceptable client certificate CA names
/DC=local/DC=xxx/CN=xxxx-xxxx-CA
/CN=CAxxx
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority -
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust
Global Root
/C=DE/ST=none/L=none/O=SBA/CN=xxx.xxx.local
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft
Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
SSL handshake has read 1754 bytes and written 459 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID:
324i0ßi0ß234i0ß234i0ß234i0ß234230i0ß234E6235DF2B6863A365ABB04043
Session-ID-ctx:
Master-Key:
000000000000000000000000000000000000000000000529CE6AA71521FCA6A6E5C73446B201651FD2F8
Key-Arg : None
Start Time: 1305192634
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

Whas does the return code reveal?

best regards john s.

View this message in context: http://old.nabble.com/RT-Authen%3A-External-Auth-won't-work-over-ssl-tp31594799p31602076.html

rtjoe · May 17, 2011, 12:40pm

Solved you have to set some symlink

Described in this 2 links:

Matthias

http://gagravarr.org/writing/openssl...tml#ca-openssl gagravarr

Important: plz. use the symlink syntax from the text which is described in
the link from matthias…

Example: sudo ln -s CACert_root.pem 5ed36f9.0

best regards

john s.

View this message in context: http://old.nabble.com/RT-Authen%3A-External-Auth-won't-work-over-ssl-tp31594799p31637188.html