Solved: LDAPimport over TLS?

Hello there…

I’m running RT 4.2 with LDAP auth. It works as expected.

Now, I want to add the LDAPimport extension. I’m confused as to whether some of the LDAP configuration for LDAP auth is shared with LDAPimport? Or maybe they are completely separate?

Could someone share a working config for LDAPimport? I can’t seem to find any?

Hi,

I’m afraid that the configs are not shared, here is an example from one
of my RT instances. Hope it helps?

# LDAP import settings

Set($LDAPHost, 'ldap-00');
Set($LDAPUser, 'cn=search_10001,ou=people,dc=local');
Set($LDAPPassword, 'secret');
Set($LDAPBase, 'ou=people,dc=local');

Set($LDAPTLS, {
    'verify' => 'require',
    'cafile' => '/etc/ssl/certs/CACert.pem', # path to CA file
});

# User import

Set($LDAPFilter,
    '(&(objectClass=inetOrgPerson)(ukFirmGhITAccLocked=RT-FALSE)(ukFirmGhITAccSubSrvcs=RT*))');
Set($LDAPMapping, {
    'Name'               => 'mail', # required
    'Organization'       => 'ukFirmGhITAccOrg',
    'EmailAddress'       => 'mail',
    'RealName'           => 'cn',
    'WorkPhone'          => 'telephoneNumber',
    'MobilePhone'        => 'mobile',
    'Address1'           => 'street',
    'City'               => 'l',
    'State'              => 'st',
    'Zip'                => 'postalCode',
    'UserCF.external_auth' => sub { return "RT_LDAP"; },
});

# Group import

Set($LDAPGroupBase, 'ou=groups,ou=people,dc=local');
Set($LDAPGroupFilter, '(cn=*)');
Set($LDAPGroupMapping, {
    'Name'              => 'cn',
    'Member_Attr'       => 'member',
    'Member_Attr_Value' => 'dn',
});

# Don't create "Imported from LDAP" group

Set($LDAPSkipAutogeneratedGroup, 1);
Set($LDAPCreatePrivileged, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPSizeLimit, 200);

1;

Best Regards

Martin

As far as I’m aware (and how my configuration is set), the two are independent.
Mine may be a bit different because I use Apache to do the auth (SSO via Kerberos module) – this is the $WebRemoteUserAuth setting below.

# LDAPImport Extension

Set( $LDAPHost, 'globalcatalogserver.example.com:3268' );
Set( $LDAPUser, 'bindaccount@example.com' );
Set( $LDAPPassword, 'PASSWORD' );

Set( $LDAPSizeLimit, 500 );
Set( $LDAPSkipAutogeneratedGroup, 1 ); # 1 = DONT ADD IMPORTED USERS TO DEFAULT 'Imported from LDAP' GROUP
Set( $LDAPUpdateUsers, 1 ); # 0 = SKIP EXISTING USERS, 1 = UPDATE THEM
Set( $LDAPUpdateOnly, 0 ); # 0 = CREATE NEW USERS, 1 = ONLY UPDATE EXISTING USERS

Set( $ExternalAuth, 1 );
Set( $WebRemoteUserAuth, 1 );

Set( $LDAPBase, 'dc=example,dc=com' );
# This filter looks for non-disabled users who have an employeeID
Set( $LDAPFilter, '(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=*))' );
# We also map some custom fields during user sync/import
Set( $LDAPMapping, {
    'Name'               => 'sAMAccountName',
    'EmailAddress'       => 'mail',
    'Organization'       => 'physicalDeliveryOfficeName',
    'RealName'           => 'cn',
    'Gecos'              => 'sAMAccountName',
    'WorkPhone'          => 'telephoneNumber',
    'MobilePhone'        => 'mobile',
    'Address1'           => 'streetAddress',
    'City'               => 'l',
    'State'              => 'st',
    'Zip'                => 'postalCode',
    'Country'            => 'co',
    'UserCF.Manager'     => 'manager',
    'UserCF.Company'     => 'Company',
    'UserCF.Department'  => 'DepartmentNumber',
    'UserCF.Division'    => 'Division',
    'UserCF.Domain'      => 'Comment',
    'UserCF.EEID'        => 'employeeID'
} );
Set( $LDAPGroupBase, 'dc=example,dc=com' );
# We only import specific groups from AD, most of the RT ones use a naming convention of RT-SRV-* (RT service account)
Set( $LDAPGroupFilter, '(&(objectcategory=group)(|(cn=Admins)(cn=Helpdesk)(cn=ITPeops)(cn=RT-SRV-*)))' );
Set( $LDAPGroupMapping, {
    Name              => 'cn',
    Member_Attr       => 'member',
    Member_Attr_Value => 'dn'
} );

Very helpful! Much appreciated. Thank you.

I’m trying to enable TLS for ldap import , basing my configuration on this:

Since I use a “snakeoil” certificate, I’d like to turn off verification. This works well with external auth with the setting:
'tls' => 1,

I want to do the same thing for LDAPimport. I have tried these with no success:
Set($LDAPTLS, { 'verify' => 'none', } );
Set($LDAPTLS, 1);

I’m using LDAPimport from here:

I see no mention of TLS support?

This is what I get when running rtldapimport --debug
[350] [Mon Jun 19 09:33:57 2017] [error]: LDAP bind failed confidentiality required (/usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:1579)
LDAP bind failed confidentiality required

Any suggestions?

Regards,
Tobias
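To see whether a server that answers "confidentiality required" accepts a bind once StartTLS has been negotiated, here is a stand-alone Net::LDAP check (an added example, not code from RT or the LDAPImport extension) that runs the same connect / StartTLS / bind / search sequence as rtldapimport with the values from a config like the one above; the host, bind DN, password, base, filter and CA path are assumed placeholders.

```perl
#!/usr/bin/env perl
# Added example: exercise the LDAPImport connection settings outside RT.
# Order matters: StartTLS first, then bind, then the user search.
use strict;
use warnings;
use Net::LDAP;

# Assumed values; copy them from your RT_SiteConfig.pm.
my $host     = 'ldap-00';
my $bind_dn  = 'cn=search_10001,ou=people,dc=local';
my $password = 'secret';
my $base     = 'ou=people,dc=local';
my $filter   = '(objectClass=inetOrgPerson)';
my $limit    = 200;                      # same role as $LDAPSizeLimit

# Same hash shape as $LDAPTLS. 'require' + cafile checks the server
# certificate; 'none' only encrypts (the snakeoil-certificate case).
my %tls = ( verify => 'require', cafile => '/etc/ssl/certs/CACert.pem' );
# my %tls = ( verify => 'none' );

my $ldap = Net::LDAP->new($host, timeout => 10)
    or die "connect to $host failed: $@\n";

# A server that demands encryption rejects a plaintext bind with
# "confidentiality required"; negotiating TLS here avoids that.
my $mesg = $ldap->start_tls(%tls);
die "StartTLS failed: " . $mesg->error . "\n" if $mesg->code;
print "TLS established, cipher ", $ldap->cipher, "\n";

$mesg = $ldap->bind($bind_dn, password => $password);
die "bind as $bind_dn failed: " . $mesg->error . "\n" if $mesg->code;

$mesg = $ldap->search(
    base      => $base,
    filter    => $filter,
    attrs     => [qw(mail cn)],
    sizelimit => $limit,
);
# Result code 4 (sizeLimitExceeded) means the import would be truncated.
die "search failed: " . $mesg->error . "\n"
    if $mesg->code && $mesg->code != 4;
printf "%d entries matched%s\n", $mesg->count,
    $mesg->code == 4 ? " (size limit $limit hit)" : '';
for my $e ($mesg->entries) {
    printf "  %s -> %s\n", $e->dn, $e->get_value('mail') // '(no mail)';
}
$ldap->unbind;
```

If StartTLS succeeds and the bind still fails, the problem is the credentials or the bind DN rather than the transport; if StartTLS itself fails with verify => 'require', the cafile does not cover the server's certificate chain.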

Hi Tobias,

Sorry for confusing you, I missed the TLS when I posted the
configuration.

The currently released LDAPImport modules don’t support TLS, I created a
patch for RT 4.4 to enable TLS functionality.
It’s not found its way into the trunk yet, but the changes can be found
below:

I’ve been using it in production for a few months now.

Best Regards

Martin

Hello Martin.

So LDAPimport is a part of RT 4.4 correct?

And, since I’m running 4.2 (Ubuntu packages), I cannot use TLS with LDAPimport unless I create a patch for the code here:

Correct?

Hi Tobias,

So LDAPimport is a part of RT 4.4 correct?
Yes, that is correct

And, since I’m running 4.2 (Ubuntu packages), I can not use TLS with
LDAPimport unless I create a patch for the code here:
I’m afraid that is also correct. However the patch to RT4.4 may apply to
the RT4.2 LDAPImport module, I however haven’t examined the RT 4.2
LDAPImport module code.

Best Regards

Martin

Hello Martin.

I was able to easily implement your patch in the 0.36 version of LDAPimport. The code (I looked at) looks exactly the same.

I’m contemplating putting the patched version on github.

Thank you for all your help with this.