You know, I looked into the same thing. What I found was that it was *not* so easy to use RT-Authen-ExternalAuth -- that is, if your LDAP server is secure enough. My LDAP server requires a certificate to build an SSL or STARTTLS connection, as part of our baseline security. RT-Authen-ExternalAuth, by default, does not support a method to pass the path to a certificate, and the reqcert setting, to the underlying perl-Net-LDAP library (even though this library supports all that stuff).

I had to apply this patch to RT-Authen-ExternalAuth:

http://old.nabble.com/attachment/23889671/0/RT-Authen-ExternalAuth-19912-start_tls-options.patch

Patch applies perfectly. Afterwards, I did something like this in my config (note the tls_args segment):

Set($ExternalSettings, {
    'LDAP' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => 'ldap.example.com',
        'base'   => 'dc=example,dc=com',
        'filter' => '(objectClass=posixAccount)',
        'tls'    => 1,
        # What other args should I pass to Net::LDAP->new($host, @args)?
        'net_ldap_args' => [
            version => 3,
            port    => 389,
            debug   => 8,
        ],
        # Special argument for start_tls (see perldoc Net::LDAP for details)
        'tls_args' => [
            'verify' => 'require',
            'cafile' => '/etc/openldap/cacerts/example_ca.pem',
        ],
        # This MUST be a full DN
        'group'            => 'cn=admins,ou=PosixGroups,dc=example,dc=com',
        'group_attr'       => 'memberUid',
        'group_attr_value' => 'uid',
        'attr_match_list'  => [
            'Name',
            'EmailAddress',
            'RealName',
            'Gecos',
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'Gecos'        => 'cn',
        }, # end attr_map
    }, # end LDAP
}, # end $ExternalSettings
); # end Set


(Server is OpenLDAP 2.4.x using rfc2307 style posixAccount and posixGroup objectclasses)

--
Jonathan Mills
Systems Administrator
Renaissance Computing Institute
UNC-Chapel Hill
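As an added example (not part of the original post and not code from RT-Authen-ExternalAuth), the script below makes the same Net::LDAP connection the patched extension makes from the net_ldap_args and tls_args above, and then checks that the session really is encrypted and that the server certificate was verified against the CA file, which also answers the "is ssl really used?" question in the quoted thread. Hostname, base DN and CA path are the placeholder values from the config; cipher and certificate details are read through Net::LDAP's documented cipher/socket methods and IO::Socket::SSL's peer_certificate.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from RT-Authen-ExternalAuth.
# Reproduces outside RT the connection the patched extension builds from
# 'net_ldap_args' and 'tls_args', then confirms TLS is actually in use.
# Host, base DN and CA path are the placeholder values from the config above.
use strict;
use warnings;
use Net::LDAP;

my $host          = 'ldap.example.com';
my @net_ldap_args = (version => 3, port => 389);
my @tls_args      = (
    # Net::LDAP's default is verify => 'none', which accepts any certificate;
    # 'require' rejects a server whose certificate does not chain to cafile.
    verify => 'require',
    cafile => '/etc/openldap/cacerts/example_ca.pem',
);

my $ldap = Net::LDAP->new($host, @net_ldap_args)
    or die "cannot connect to $host: $@\n";

# STARTTLS on the plain port-389 connection, as the extension does with tls_args.
my $mesg = $ldap->start_tls(@tls_args);
die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;

# After a successful start_tls the underlying socket is an IO::Socket::SSL;
# if it is not, nothing is encrypted regardless of what the config claims.
my $sock = $ldap->socket;
die "connection is NOT encrypted\n" unless $sock->isa('IO::Socket::SSL');

printf "cipher : %s\n", $ldap->cipher;
printf "subject: %s\n", $sock->peer_certificate('subject');
printf "issuer : %s\n", $sock->peer_certificate('issuer');

# A minimal search over the now-encrypted session; a failure here is an LDAP
# access problem, not a TLS problem, since TLS was already negotiated above.
my $search = $ldap->search(
    base   => 'dc=example,dc=com',
    scope  => 'base',
    filter => '(objectClass=*)',
);
die "search failed: " . $search->error . "\n" if $search->code;
print "TLS session established and server certificate verified against cafile\n";

$ldap->unbind;
```

Run it once with `verify => 'require'` and once with `verify => 'none'` against a server presenting an untrusted certificate: only the first run should die in start_tls, which is the behaviour the tls_args setting is there to guarantee.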

On 10/16/2012 08:19 AM, Darin Perusich wrote:
On Tue, Oct 16, 2012 at 6:46 AM, Marko Cupać <marko.cu...@gmail.com> wrote:
I have been using rt4 for some time now in plain protocols (site is on
http, fetchmail is plain pop3, external auth is done from ldap without
ssl). Now, I am increasing security by switching to encrypted
protocols.

Switching apache to https was easy thing to do, and I spent a few hours
with fetchmail and certificates but it also works now.

RT::Extension::LDAPimport "just worked" when switching ldaphost to
ldaps:

Set($LDAPHost,'ldaps://ldap.company.tld');

Also, after setting
Set($ExternalAuthPriority,['My_LDAP']);
Set($ExternalInfoPriority,['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS,1);
Set($ExternalSettings,{
         'My_LDAP'       =>  {
                     ...
                     'tls'         =>  1,
                     'ssl_version' =>  3,
                     ...
          }
}

... I can still authenticate.

I cannot believe this can be so simple :) Is there a way to check that
ssl is really used?


Check your ldap servers logs or run wireshark/tcpdump from the RT
server and inspect the traffic.

--------
Final RT training for 2012 in Atlanta, GA - October 23 & 24
   http://bestpractical.com/training

We're hiring! http://bestpractical.com/jobs

