Hello,

I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using .deb packages.

I'm trying to make ExternalAuth work with LDAP over SSL (Active Directory on 2008 R2 x64), with an internal CA managed under Windows 2008 R2 x64.
I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.

I followed a previous discussion on this matter here: http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html
I'm facing the same issue.

$ openssl s_client -connect srv2.lan.domain.com:636 -CApath /etc/ssl/certs
Verify return code: 21 (unable to verify the first certificate)

$ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem /etc/ssl/certs/srv2.lan.domain.com_cert.pem
/etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK

Running LDP.exe on the domain controllers running in SSL mode works fine.


RT's log gives the following:

RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1


An ldapsearch gives me this (hex dump snipped):

ldap_initialize( ldaps://srv2.lan.domain.com:636/??base )
tls_write: want=117, written=117
tls_read: want=3422, got=1443
tls_read: want=1979, got=1448
tls_read: want=531, got=531
tls_write: want=12, written=12
tls_write: want=267, written=267
tls_write: want=6, written=6
tls_write: want=117, written=117
tls_read: want=5, got=5
tls_read: want=1, got=1
tls_read: want=5, got=5
tls_read: want=80, got=80
TLS: can't connect: (unknown error code).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Here's my configuration:

        'AD_LAN' => {
                'type'                      =>  'ldap',
                'server'                    => 'srv2.lan.domain.com',
                'user'                      =>  'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
                'pass'                      =>  'XXXXXXX',

                'base'                      =>  'CN=Utilisateurs,DC=lan,DC=domain,DC=com',
                'filter'                    =>  '(&(objectClass=organizationalPerson)(mail=*))',
                'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',

                'group'                     =>  '',
                'group_attr'                =>  '',

                'tls'                       =>  0,
                'ssl_version'               =>  3,
                'net_ldap_args'             =>  [ version => 3, port => 636, debug => 8 ],

                'attr_match_list' => [
                        'Name',
                        'EmailAddress',
                ],
                'attr_map' => {
                        'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                        'Organization' => 'physicalDeliveryOfficeName',
                        'RealName' => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos' => 'sAMAccountName',
                        'WorkPhone' => 'telephoneNumber',
                        'Address1' => 'streetAddress',
                        'City' => 'l',
                        'State' => 'st',
                        'Zip' => 'postalCode',
                        'Country' => 'co'
                },
        },


Setting tls to 1 gives me this different error:

RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_SERVER_DOWN 81


Regards,

--
  Guillaume Hilt
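Editor's note with an added example (not part of Guillaume's message, and not RT's code): the two openssl commands in the post look the CA up in different ways. `-CAfile` reads the PEM it is given; `-CApath` only finds issuers through `<subject_hash>.0` symlinks in the directory, the links `c_rehash` or `openssl rehash` create, so a CA PEM copied into /etc/ssl/certs by hand is never consulted until the directory is rehashed. The script below builds a throwaway CA and server certificate offline (the names `Demo Internal CA` and `srv2.lan.example.com` are constructed for the demo), reproduces the `-CApath` fails / `-CAfile` OK disagreement, and shows the hash link fixing it. It also carries the `-CAfile` form of the `s_client` check for a live LDAPS port, which is not run here. A server that does not send its issuing certificate produces the same `s_client` verify code 21, so this is one cheap check to rule out, not a diagnosis.

```shell
#!/bin/sh
# Added example (editor's, not from the post or RT): show why "openssl ... -CApath DIR"
# can fail to find a CA that "-CAfile FILE" accepts, using a throwaway CA built
# offline. -CApath locates issuers only via <subject_hash>.0 symlinks, so a CA PEM
# copied into the directory without rehashing is never consulted.
# All names (Demo Internal CA, srv2.lan.example.com) are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat >"$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:srv2.lan.example.com
EOF

# Self-signed CA plus a server certificate it signs (stand-ins for the internal
# Windows CA and the domain controller's LDAPS certificate).
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
        -subj "/CN=srv2.lan.example.com" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/demo.cnf" \
        -extensions v3_leaf -out "$WORK/srv.pem" 2>/dev/null
}

# Verification outcome ("OK" or "FAIL") using a CA directory only.
verify_via_capath() {  # $1 = CA directory, $2 = certificate to verify
    if openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Verification outcome ("OK" or "FAIL") using a CA file only.
verify_via_cafile() {  # $1 = CA PEM, $2 = certificate to verify
    if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Create the <subject_hash>.0 link -CApath needs (what c_rehash / openssl rehash does).
add_hash_link() {  # $1 = CA directory, $2 = file name of a CA PEM inside it
    h=$(openssl x509 -noout -subject_hash -in "$1/$2")
    ln -sf "$2" "$1/$h.0"
}

# For a live directory server: the "Verify return code" line of the LDAPS handshake.
# Not run in this demo (needs network); it is the -CAfile form of the s_client check.
ldaps_verify_line() {  # $1 = host, $2 = port, $3 = CA PEM
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null |
        grep 'Verify return code'
}

make_demo_pki
mkdir "$WORK/capath"
cp "$WORK/ca.pem" "$WORK/capath/ca.pem"

echo "-CApath, CA copied but not hashed : $(verify_via_capath "$WORK/capath" "$WORK/srv.pem")"  # FAIL
echo "-CAfile naming the CA PEM         : $(verify_via_cafile "$WORK/ca.pem" "$WORK/srv.pem")"  # OK
add_hash_link "$WORK/capath" ca.pem
echo "-CApath after adding the hash link: $(verify_via_capath "$WORK/capath" "$WORK/srv.pem")"  # OK
```

On a real host the equivalent of the last step is `c_rehash /etc/ssl/certs` (or `openssl rehash /etc/ssl/certs` on OpenSSL 1.1 and later), after which `openssl s_client -connect host:636 -CApath /etc/ssl/certs` and the `-CAfile` form should agree; if `-CAfile` still reports code 21, the server is not sending its issuing chain and the missing intermediate, not the trust store, is the thing to look at.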
