I have ExternalAuth working fine over regular LDAP. But I need to run it over 
LDAPS for security reasons.

We use an internal CA for our certs. I've added it to 
/etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to 
/etc/ssl/certs/ca-bundle.crt)

This runs successfully (used to error before I added the CA certs to the 
bundle):

openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

I've also verified the cert/cert chain:
openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt dc.mydomain.local.pem
dc.mydomain.local.pem: OK

However, this errors out with a bad cert error (shortened -D, but it's the same 
string that works when using LDAP and ldapsearch over regular ldap works fine):

ldapsearch -d 2 -LLL -v -x -H ldaps://dc.mydomain.local:636 -b 
'DC=mydomain,DC=local' -D 'CN=Apache,OU...,DC=mydomain,DC=local' -w '**pass**' 
 '(sn=smith)' cn sn

Results (snipped hex code):

ldap_initialize( ldaps://dc.mydomain.local:636/??base )
tls_write: want=60, written=60
tls_read: want=3, got=3
tls_read: want=2, got=2
tls_read: want=2724, got=2724
TLS: certificate [CN=dc.mydomain.local] is not valid - error -8179:Unknown 
code ___f 13.
tls_write: want=7, written=7
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Unknown code ___f 13.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Running LDP.exe on the domain controllers running in SSL mode works fine.

RT's log gives the following:
[Wed Mar 21 19:04:41 2012] [critical]: 
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: 
LDAP_OPERATIONS_ERROR 1 
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm guessing it's probably getting that same "is not valid" error... but why?

I've googled for hours looking for anything beyond making sure the CA cert was 
in the bundle. Does ldapsearch/RT externalAuth use a different CA bundle than 
/etc/pki/tls/certs/ca-bundle.crt (or the linked /etc/ssl/certs/ca-bundle.crt)? 
Any idea what I'm missing?

Running CentOS 6 and openssl-1.0.0-20.el6_2.2.x86_64 (latest in the yum repo... 
same thing when I ran 1.0.0-10 too).

Brent

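An added example, not code from Brent's post or from RT. The "moznss error -8179" in the trace is the key detail: the CentOS 6 build of the OpenLDAP client libraries is linked against Mozilla NSS rather than OpenSSL, and -8179 is NSS's SEC_ERROR_UNKNOWN_ISSUER (the "___f 13" is the offset from SEC_ERROR_BASE). The NSS build never looks at /etc/ssl/certs or /etc/pki/tls/certs/ca-bundle.crt; it takes its trust anchors from TLS_CACERT / TLS_CACERTDIR in /etc/openldap/ldap.conf (or ~/.ldaprc), which on CentOS 6 defaults to the NSS database in /etc/openldap/certs. The script below decodes a trace line of that shape, reports what an ldap.conf configures, and idempotently appends a TLS_CACERT line pointing at a PEM bundle. The sample trace line and the ldap.conf it edits are constructed in temp files so nothing under /etc is touched; the NSS code table is assumed from NSS's secerr.h/sslerr.h offsets (SEC_ERROR_BASE -8192, SSL_ERROR_BASE -12288).

```shell
#!/bin/sh
# Added example, not code from the original post. Decodes the MozNSS error in an
# OpenLDAP client trace and checks/fixes the CA setting in an ldap.conf.

# NSS error numbers are offsets from SEC_ERROR_BASE (-8192) and
# SSL_ERROR_BASE (-12288); this table is assumed from NSS's secerr.h/sslerr.h
# and lists only the codes that matter for server-certificate validation.
nss_error_name() {
  case "$1" in
    -8179)  echo SEC_ERROR_UNKNOWN_ISSUER ;;      # issuer CA not in the NSS trust store
    -8181)  echo SEC_ERROR_EXPIRED_CERTIFICATE ;;
    -8172)  echo SEC_ERROR_UNTRUSTED_ISSUER ;;    # CA present but not trusted for TLS
    -8171)  echo SEC_ERROR_UNTRUSTED_CERT ;;
    -12276) echo SSL_ERROR_BAD_CERT_DOMAIN ;;     # CN/SAN does not match the -H host
    *)      echo UNKNOWN_NSS_ERROR ;;
  esac
}

# Extract "-NNNN" from a "TLS: certificate [...] is not valid - error -NNNN:..."
# line and print "<code> <name>". Returns 1 (prints nothing) for other lines.
explain_trace_line() {
  code=$(printf '%s\n' "$1" | sed -n 's/.*is not valid - error \(-[0-9][0-9]*\):.*/\1/p')
  [ -n "$code" ] || return 1
  echo "$code $(nss_error_name "$code")"
}

# Report what an ldap.conf says about trust anchors. The last occurrence of
# each keyword wins; commented lines ("#TLS_CACERT ...") are ignored because
# their first field is not the keyword.
ldap_conf_ca_source() {
  f=$(awk 'toupper($1)=="TLS_CACERT"    {v=$2} END{print v}' "$1")
  d=$(awk 'toupper($1)=="TLS_CACERTDIR" {v=$2} END{print v}' "$1")
  echo "TLS_CACERT=${f:-unset} TLS_CACERTDIR=${d:-unset}"
}

# Point an ldap.conf at a PEM CA bundle by appending TLS_CACERT, once.
# With the NSS build, TLS_CACERTDIR names an NSS cert database directory
# (cert8.db/key3.db) while TLS_CACERT may be a PEM file, so this is the
# smallest change that makes an internal CA visible to ldapsearch.
# Fails without touching the file if the bundle is not readable.
ensure_tls_cacert() {
  conf=$1; bundle=$2
  if [ ! -r "$bundle" ]; then
    echo "CA bundle not readable: $bundle" >&2
    return 1
  fi
  if grep -qi '^[[:space:]]*TLS_CACERT[[:space:]]' "$conf" 2>/dev/null; then
    return 0   # already configured; do not append a second directive
  fi
  printf 'TLS_CACERT %s\n' "$bundle" >> "$conf"
}

# Constructed sample trace line (same shape as the line in the post) and a
# constructed ldap.conf in a temp file, so the demo touches nothing under /etc.
SAMPLE_TRACE='TLS: certificate [CN=dc.mydomain.local] is not valid - error -8179:Unknown code ___f 13.'
demo() {
  conf=$(mktemp); bundle=$(mktemp)
  printf 'BASE dc=mydomain,dc=local\nTLS_CACERTDIR /etc/openldap/certs\n' > "$conf"
  explain_trace_line "$SAMPLE_TRACE"   # -8179 SEC_ERROR_UNKNOWN_ISSUER
  ldap_conf_ca_source "$conf"          # TLS_CACERT=unset TLS_CACERTDIR=/etc/openldap/certs
  ensure_tls_cacert "$conf" "$bundle"
  ldap_conf_ca_source "$conf"          # TLS_CACERT=<bundle> TLS_CACERTDIR=/etc/openldap/certs
  rm -f "$conf" "$bundle"
}
demo
```

On the real box the call would be `ensure_tls_cacert /etc/openldap/ldap.conf /etc/pki/tls/certs/ca-bundle.crt`, after which the same `ldapsearch -d 2` run should get past the handshake; the equivalent for the NSS database route is `certutil -d /etc/openldap/certs -A -n 'Internal CA' -t CT,, -a -i ca.pem`. Two caveats a practitioner will want: `openssl s_client` completes the handshake and prints a session even when chain validation fails, so "runs successfully" only means something if its `Verify return code:` line reads `0 (ok)`; and RT's ExternalAuth reaches the directory through Perl's Net::LDAP, which uses IO::Socket::SSL (OpenSSL) rather than NSS, so fixing ldap.conf helps ldapsearch but RT's trust settings are whatever `net_ldap_args` passes to Net::LDAP.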