RT::Authen::ExternalAuth LDAPS

I am successfully authenticating via LDAP (cleartext) over TCP 389
using RT::Authen::ExternalAuth

However, once I change:

Set($ExternalServiceUsesSSLorTLS, 1);

and in the ExternalSettings for My_LDAP:

    'tls'                       =>  1,
    'ssl_version'               =>  3,

It still authenticates (successfully) over TCP 389.

I noticed someone else had a similar problem but was lacking
Net::SSLeay. Not my case here (I don’t see how you can use Net::LDAP
without Net:SSLeay)

[root@rtir-test ~]# cpan -i Net::SSLeay
CPAN: Storable loaded ok (v2.20)
Reading '/root/.cpan/Metadata’
Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
CPAN: Module::CoreList loaded ok (v2.18)
Net::SSLeay is up to date (1.58).
[root@rtir-test ~]#

I have debug logging enabled in RT, but it doesn’t seem to tell me
anything useful since nothing is failing.

RT-Authen-ExternalAuth-0.17

TLS would still be over port 389 if it was being used.

Regards,
KenOn Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:

I am successfully authenticating via LDAP (cleartext) over TCP 389
using RT::Authen::ExternalAuth

However, once I change:

Set($ExternalServiceUsesSSLorTLS, 1);

and in the ExternalSettings for My_LDAP:

    'tls'                       =>  1,
    'ssl_version'               =>  3,

It still authenticates (successfully) over TCP 389.

I noticed someone else had a similar problem but was lacking
Net::SSLeay. Not my case here (I don’t see how you can use Net::LDAP
without Net:SSLeay)

[root@rtir-test ~]# cpan -i Net::SSLeay
CPAN: Storable loaded ok (v2.20)
Reading '/root/.cpan/Metadata’
Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
CPAN: Module::CoreList loaded ok (v2.18)
Net::SSLeay is up to date (1.58).
[root@rtir-test ~]#

I have debug logging enabled in RT, but it doesn’t seem to tell me
anything useful since nothing is failing.

RT-Authen-ExternalAuth-0.17

Is the CA certificate which signed your LDAP servers certs on your RT
host? It would need to be installed in /etc/ssl/certs or
/etc/pki/trust/anchors and hashed to be trusted.
Later,
DarinOn Tue, Mar 4, 2014 at 12:29 PM, Dewhirst, Rob robdewhirst@gmail.com wrote:

I am successfully authenticating via LDAP (cleartext) over TCP 389
using RT::Authen::ExternalAuth

However, once I change:

Set($ExternalServiceUsesSSLorTLS, 1);

and in the ExternalSettings for My_LDAP:

    'tls'                       =>  1,
    'ssl_version'               =>  3,

It still authenticates (successfully) over TCP 389.

I noticed someone else had a similar problem but was lacking
Net::SSLeay. Not my case here (I don’t see how you can use Net::LDAP
without Net:SSLeay)

[root@rtir-test ~]# cpan -i Net::SSLeay
CPAN: Storable loaded ok (v2.20)
Reading ‘/root/.cpan/Metadata’
Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
CPAN: Module::CoreList loaded ok (v2.18)
Net::SSLeay is up to date (1.58).
[root@rtir-test ~]#

I have debug logging enabled in RT, but it doesn’t seem to tell me
anything useful since nothing is failing.

RT-Authen-ExternalAuth-0.17

RT Training London, March 19-20 and Dallas May 20-21
Training — Best Practical Solutions

thanks, I should have clarified that LDAP over TLS on 389 is not an
option for us. We can only do LDAPS over 636.On Tue, Mar 4, 2014 at 11:32 AM, ktm@rice.edu ktm@rice.edu wrote:

TLS would still be over port 389 if it was being used.

Regards,
Ken

On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:

I am successfully authenticating via LDAP (cleartext) over TCP 389
using RT::Authen::ExternalAuth

However, once I change:

Set($ExternalServiceUsesSSLorTLS, 1);

and in the ExternalSettings for My_LDAP:

    'tls'                       =>  1,
    'ssl_version'               =>  3,

It still authenticates (successfully) over TCP 389.

I noticed someone else had a similar problem but was lacking
Net::SSLeay. Not my case here (I don’t see how you can use Net::LDAP
without Net:SSLeay)

[root@rtir-test ~]# cpan -i Net::SSLeay
CPAN: Storable loaded ok (v2.20)
Reading ‘/root/.cpan/Metadata’
Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
CPAN: Module::CoreList loaded ok (v2.18)
Net::SSLeay is up to date (1.58).
[root@rtir-test ~]#

I have debug logging enabled in RT, but it doesn’t seem to tell me
anything useful since nothing is failing.

RT-Authen-ExternalAuth-0.17

It’s always much easier to help if you post the full settings instead of
some parts.

Did you use ldaps in the server definition or did you add ldaps or the
different port number in net_ldap_args?

-GeraldOn 05.03.2014 17:08, Dewhirst, Rob wrote:

thanks, I should have clarified that LDAP over TLS on 389 is not an
option for us. We can only do LDAPS over 636.

On Tue, Mar 4, 2014 at 11:32 AM, ktm@rice.edu ktm@rice.edu wrote:

TLS would still be over port 389 if it was being used.

Regards,
Ken

On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:

I am successfully authenticating via LDAP (cleartext) over TCP 389
using RT::Authen::ExternalAuth

However, once I change:

Set($ExternalServiceUsesSSLorTLS, 1);

and in the ExternalSettings for My_LDAP:

    'tls'                       =>  1,
    'ssl_version'               =>  3,

It still authenticates (successfully) over TCP 389.

I noticed someone else had a similar problem but was lacking
Net::SSLeay. Not my case here (I don’t see how you can use Net::LDAP
without Net:SSLeay)

[root@rtir-test ~]# cpan -i Net::SSLeay
CPAN: Storable loaded ok (v2.20)
Reading ‘/root/.cpan/Metadata’
Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
CPAN: Module::CoreList loaded ok (v2.18)
Net::SSLeay is up to date (1.58).
[root@rtir-test ~]#

I have debug logging enabled in RT, but it doesn’t seem to tell me
anything useful since nothing is failing.

RT-Authen-ExternalAuth-0.17

thanks, I should have clarified that LDAP over TLS on 389 is not an
option for us. We can only do LDAPS over 636.

If you want to do LDAPS to the LDAPS port and not STARTTLS on the
standard port, you probably want
server => 'ldaps://my.server’
Net::LDAP’s default LDAPS port is 636 so you don’t need to specify it.

It’s possibly you’ll need to turn off tls if Net::LDAP::start_tls
breaks you. It’s also possible you might need some extra things in
net_ldap_args, refer to the Net::LDAP documentation for that.

-kevin> > On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:

I am successfully authenticating via LDAP (cleartext) over TCP 389
using RT::Authen::ExternalAuth

However, once I change:

Set($ExternalServiceUsesSSLorTLS, 1);

and in the ExternalSettings for My_LDAP:

    'tls'                       =>  1,
    'ssl_version'               =>  3,

It still authenticates (successfully) over TCP 389.

It’ always a judgement call what to post and what to leave out. I
can’t post the full settings, strictly speaking.

    'server'                    =>  'ldaps://server',

seems to have fixed it. Thanks all.On Wed, Mar 5, 2014 at 10:22 AM, Gerald Vogt vogt@spamcop.net wrote:

It’s always much easier to help if you post the full settings instead of
some parts.

Did you use ldaps in the server definition or did you add ldaps or the
different port number in net_ldap_args?

-Gerald

On 05.03.2014 17:08, Dewhirst, Rob wrote:

thanks, I should have clarified that LDAP over TLS on 389 is not an
option for us. We can only do LDAPS over 636.

On Tue, Mar 4, 2014 at 11:32 AM, ktm@rice.edu ktm@rice.edu wrote:

TLS would still be over port 389 if it was being used.

Regards,
Ken

On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:

I am successfully authenticating via LDAP (cleartext) over TCP 389
using RT::Authen::ExternalAuth

However, once I change:

Set($ExternalServiceUsesSSLorTLS, 1);

and in the ExternalSettings for My_LDAP:

    'tls'                       =>  1,
    'ssl_version'               =>  3,

It still authenticates (successfully) over TCP 389.

I noticed someone else had a similar problem but was lacking
Net::SSLeay. Not my case here (I don’t see how you can use Net::LDAP
without Net:SSLeay)

[root@rtir-test ~]# cpan -i Net::SSLeay
CPAN: Storable loaded ok (v2.20)
Reading ‘/root/.cpan/Metadata’
Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
CPAN: Module::CoreList loaded ok (v2.18)
Net::SSLeay is up to date (1.58).
[root@rtir-test ~]#

I have debug logging enabled in RT, but it doesn’t seem to tell me
anything useful since nothing is failing.

RT-Authen-ExternalAuth-0.17


RT Training London, March 19-20 and Dallas May 20-21
Training — Best Practical Solutions