RT-Authen-ExternalAuth - how to confirm that ssl ldap bind is used?

I have been using rt4 for some time now in plain protocols (site is on
http, fetchmail is plain pop3, external auth is done from ldap without
ssl). Now, I am increasing security by switching to encrypted
protocols.

Switching apache to https was an easy thing to do, and I spent a few hours
with fetchmail and certificates, but it also works now.

RT::Extension::LDAPimport “just worked” when switching ldaphost to
ldaps:

Set($LDAPHost, 'ldaps://ldap.company.tld');

Also, after setting

Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
    'My_LDAP' => {
        # remaining My_LDAP keys unchanged
        'tls'         => 1,
        'ssl_version' => 3,
    },
});

… I can still authenticate.

I can not believe this can be so simple :) Is there a way to check that
SSL is really used?

Thank you in advance,

Marko Cupać


Check your LDAP server's logs or run wireshark/tcpdump from the RT
server and inspect the traffic.

You know, I looked into the same thing. What I found was that it was
not so easy to use RT-Authen-ExternalAuth – that is, if your LDAP
server is secure enough. My LDAP server requires a certificate to build
an SSL or STARTTLS connection, as part of our baseline security.
RT-Authen-ExternalAuth, by default, does not support a method to pass
the path to a certificate, and the reqcert setting, to the underlying
perl-Net-LDAP library (even though this library supports all that stuff).

I had to apply this patch to RT-Authen-ExternalAuth

http://old.nabble.com/attachment/23889671/0/RT-Authen-ExternalAuth-19912-start_tls-options.patch

Patch applies perfectly. Afterwards, I did something like this in my
config (note the tls_args segment):

Set($ExternalSettings, {
    'LDAP' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => 'ldap.example.com',
        'base'   => 'dc=example,dc=com',
        'filter' => '(objectClass=posixAccount)',
        'tls'    => 1,

        # What other args should I pass to Net::LDAP->new($host, @args)?
        'net_ldap_args' => [
            version => 3,
            port    => 389,
            debug   => 8,
        ],

        # Special arguments for start_tls (see perldoc Net::LDAP for details)
        'tls_args' => [
            'verify' => 'require',
            'cafile' => '/etc/openldap/cacerts/example_ca.pem',
        ],

        # This MUST be a full DN
        'group'            => 'cn=admins,ou=PosixGroups,dc=example,dc=com',
        'group_attr'       => 'memberUid',
        'group_attr_value' => 'uid',
        'attr_match_list'  => [
            'Name',
            'EmailAddress',
            'RealName',
            'Gecos',
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'Gecos'        => 'cn',
        }, # end attr_map
    }, # end LDAP
}, # end $ExternalSettings
); # end Set

(Server is OpenLDAP 2.4.x using rfc2307 style posixAccount and
posixGroup objectclasses)

Jonathan Mills
Systems Administrator
Renaissance Computing Institute
UNC-Chapel Hill

On 10/16/2012 08:19 AM, Darin Perusich wrote:

On Tue, Oct 16, 2012 at 6:46 AM, Marko Cupać marko.cupac@gmail.com wrote:

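To confirm from the RT side that the bind really travels over TLS, without packet capture, here is an added example (not code from this thread, from RT or from RT-Authen-ExternalAuth) that opens the same Net::LDAP session the backend would with the tls_args shown above, refuses to send the bind password unless the socket is a TLS socket, and prints the negotiated protocol, cipher and server certificate subject. The host, CA path, bind DN and the RT_LDAP_PASSWORD variable are placeholders.

```perl
#!/usr/bin/perl
# Added example, not part of RT or RT-Authen-ExternalAuth: open the same
# Net::LDAP session RT's LDAP backend would, with verify => 'require'
# and a CA file, and refuse to send the bind password unless TLS is up.
use strict;
use warnings;
use Net::LDAP;

# Hypothetical values for illustration; replace with your own.
my $uri     = 'ldap://ldap.example.com';   # or 'ldaps://ldap.example.com'
my $cafile  = '/etc/openldap/cacerts/example_ca.pem';
my $bind_dn = 'uid=rt-service,ou=People,dc=example,dc=com';
my $bind_pw = $ENV{RT_LDAP_PASSWORD} // die "set RT_LDAP_PASSWORD first\n";

# Same options as the tls_args block: a server certificate that does not
# chain to $cafile makes the connection fail instead of silently proceeding.
my %tls = (verify => 'require', cafile => $cafile);

# ldaps:// negotiates TLS before LDAP starts, so the options go to new();
# plain ldap:// needs an explicit StartTLS on port 389.
my $ldap = Net::LDAP->new($uri, version => 3, timeout => 10,
                          ($uri =~ /^ldaps:/i ? %tls : ()))
    or die "connect to $uri failed: $@\n";

if ($uri !~ /^ldaps:/i) {
    my $mesg = $ldap->start_tls(%tls);
    die "StartTLS failed (server refused it or certificate check failed): ",
        $mesg->error, "\n" if $mesg->code;
}

# The socket is only an IO::Socket::SSL object once TLS is established;
# anything else means the bind below would go over the wire in cleartext.
my $sock = $ldap->socket;
die "no TLS on this connection, refusing to bind\n"
    unless $sock->isa('IO::Socket::SSL');

printf "negotiated %s with cipher %s\nserver certificate: %s\n",
    $sock->get_sslversion, $ldap->cipher, $sock->peer_certificate('subject');

# Only now is it safe to send credentials.
my $bind = $ldap->bind($bind_dn, password => $bind_pw);
die "bind failed: ", $bind->error, "\n" if $bind->code;
print "bind succeeded over TLS\n";
$ldap->unbind;
```

Pointing $cafile at a CA that did not issue the server certificate should make the script die at the StartTLS or connect step; if it binds anyway, the verify option is not being honoured.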


Final RT training for 2012 in Atlanta, GA - October 23 & 24
http://bestpractical.com/training

We’re hiring! Careers — Best Practical Solutions