Re: [rt-users] RT::Authen::ExternalAuth LDAPS
It's always a judgement call what to post and what to leave out. I can't post the full settings, strictly speaking.

    'server' => 'ldaps://server',

seems to have fixed it. Thanks all.

On Wed, Mar 5, 2014 at 10:22 AM, Gerald Vogt wrote:
> It's always much easier to help if you post the full settings instead of
> some parts.
>
> Did you use ldaps in the server definition or did you add ldaps or the
> different port number in net_ldap_args?
>
> -Gerald
>
> On 05.03.2014 17:08, Dewhirst, Rob wrote:
>> Thanks, I should have clarified that LDAP over TLS on 389 is not an
>> option for us. We can only do LDAPS over 636.
>>
>> On Tue, Mar 4, 2014 at 11:32 AM, k...@rice.edu wrote:
>>> TLS would still be over port 389 if it was being used.
>>>
>>> Regards,
>>> Ken
>>>
>>> On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:
>>>> I am successfully authenticating via LDAP (cleartext) over TCP 389
>>>> using RT::Authen::ExternalAuth
>>>>
>>>> However, once I change:
>>>>
>>>> Set($ExternalServiceUsesSSLorTLS,1);
>>>>
>>>> and in the ExternalSettings for My_LDAP:
>>>>
>>>> 'tls' => 1,
>>>> 'ssl_version' => 3,
>>>>
>>>> It still authenticates (successfully) over TCP 389.
>>>>
>>>> I noticed someone else had a similar problem but was lacking
>>>> Net::SSLeay. Not my case here (I don't see how you can use Net::LDAP
>>>> without Net::SSLeay)
>>>>
>>>> [root@rtir-test ~]# cpan -i Net::SSLeay
>>>> CPAN: Storable loaded ok (v2.20)
>>>> Reading '/root/.cpan/Metadata'
>>>> Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
>>>> CPAN: Module::CoreList loaded ok (v2.18)
>>>> Net::SSLeay is up to date (1.58).
>>>> [root@rtir-test ~]#
>>>>
>>>> I have debug logging enabled in RT, but it doesn't seem to tell me
>>>> anything useful since nothing is failing.
>>>>
>>>> RT-Authen-ExternalAuth-0.17

--
RT Training London, March 19-20 and Dallas May 20-21
http://bestpractical.com/training
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
On Wed, Mar 05, 2014 at 10:08:53AM -0600, Dewhirst, Rob wrote:
> Thanks, I should have clarified that LDAP over TLS on 389 is not an
> option for us. We can only do LDAPS over 636.

If you want to do LDAPS to the LDAPS port and not STARTTLS on the standard port, you probably want

    server => 'ldaps://my.server'

Net::LDAP's default LDAPS port is 636 so you don't need to specify it. It's possible you'll need to turn off tls if Net::LDAP::start_tls breaks you. It's also possible you might need some extra things in net_ldap_args; refer to the Net::LDAP documentation for that.

-kevin

>> On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:
>>> I am successfully authenticating via LDAP (cleartext) over TCP 389
>>> using RT::Authen::ExternalAuth
>>>
>>> However, once I change:
>>>
>>> Set($ExternalServiceUsesSSLorTLS,1);
>>>
>>> and in the ExternalSettings for My_LDAP:
>>>
>>> 'tls' => 1,
>>> 'ssl_version' => 3,
>>>
>>> It still authenticates (successfully) over TCP 389.
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
It's always much easier to help if you post the full settings instead of some parts.

Did you use ldaps in the server definition or did you add ldaps or the different port number in net_ldap_args?

-Gerald

On 05.03.2014 17:08, Dewhirst, Rob wrote:
> Thanks, I should have clarified that LDAP over TLS on 389 is not an
> option for us. We can only do LDAPS over 636.
>
> On Tue, Mar 4, 2014 at 11:32 AM, k...@rice.edu wrote:
>> TLS would still be over port 389 if it was being used.
>>
>> Regards,
>> Ken
>>
>> On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:
>>> I am successfully authenticating via LDAP (cleartext) over TCP 389
>>> using RT::Authen::ExternalAuth
>>>
>>> However, once I change:
>>>
>>> Set($ExternalServiceUsesSSLorTLS,1);
>>>
>>> and in the ExternalSettings for My_LDAP:
>>>
>>> 'tls' => 1,
>>> 'ssl_version' => 3,
>>>
>>> It still authenticates (successfully) over TCP 389.
>>>
>>> I noticed someone else had a similar problem but was lacking
>>> Net::SSLeay. Not my case here (I don't see how you can use Net::LDAP
>>> without Net::SSLeay)
>>>
>>> [root@rtir-test ~]# cpan -i Net::SSLeay
>>> CPAN: Storable loaded ok (v2.20)
>>> Reading '/root/.cpan/Metadata'
>>> Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
>>> CPAN: Module::CoreList loaded ok (v2.18)
>>> Net::SSLeay is up to date (1.58).
>>> [root@rtir-test ~]#
>>>
>>> I have debug logging enabled in RT, but it doesn't seem to tell me
>>> anything useful since nothing is failing.
>>>
>>> RT-Authen-ExternalAuth-0.17
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
Thanks, I should have clarified that LDAP over TLS on 389 is not an option for us. We can only do LDAPS over 636.

On Tue, Mar 4, 2014 at 11:32 AM, k...@rice.edu wrote:
> TLS would still be over port 389 if it was being used.
>
> Regards,
> Ken
>
> On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:
>> I am successfully authenticating via LDAP (cleartext) over TCP 389
>> using RT::Authen::ExternalAuth
>>
>> However, once I change:
>>
>> Set($ExternalServiceUsesSSLorTLS,1);
>>
>> and in the ExternalSettings for My_LDAP:
>>
>> 'tls' => 1,
>> 'ssl_version' => 3,
>>
>> It still authenticates (successfully) over TCP 389.
>>
>> I noticed someone else had a similar problem but was lacking
>> Net::SSLeay. Not my case here (I don't see how you can use Net::LDAP
>> without Net::SSLeay)
>>
>> [root@rtir-test ~]# cpan -i Net::SSLeay
>> CPAN: Storable loaded ok (v2.20)
>> Reading '/root/.cpan/Metadata'
>> Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
>> CPAN: Module::CoreList loaded ok (v2.18)
>> Net::SSLeay is up to date (1.58).
>> [root@rtir-test ~]#
>>
>> I have debug logging enabled in RT, but it doesn't seem to tell me
>> anything useful since nothing is failing.
>>
>> RT-Authen-ExternalAuth-0.17
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
Is the CA certificate which signed your LDAP server's certs on your RT host? It would need to be installed in /etc/ssl/certs or /etc/pki/trust/anchors and hashed to be trusted.

--
Later,
Darin

On Tue, Mar 4, 2014 at 12:29 PM, Dewhirst, Rob wrote:
> I am successfully authenticating via LDAP (cleartext) over TCP 389
> using RT::Authen::ExternalAuth
>
> However, once I change:
>
> Set($ExternalServiceUsesSSLorTLS,1);
>
> and in the ExternalSettings for My_LDAP:
>
> 'tls' => 1,
> 'ssl_version' => 3,
>
> It still authenticates (successfully) over TCP 389.
>
> I noticed someone else had a similar problem but was lacking
> Net::SSLeay. Not my case here (I don't see how you can use Net::LDAP
> without Net::SSLeay)
>
> [root@rtir-test ~]# cpan -i Net::SSLeay
> CPAN: Storable loaded ok (v2.20)
> Reading '/root/.cpan/Metadata'
> Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
> CPAN: Module::CoreList loaded ok (v2.18)
> Net::SSLeay is up to date (1.58).
> [root@rtir-test ~]#
>
> I have debug logging enabled in RT, but it doesn't seem to tell me
> anything useful since nothing is failing.
>
> RT-Authen-ExternalAuth-0.17
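The following RT_SiteConfig.pm fragment puts together Kevin's ldaps:// advice and Darin's CA-trust point, as an added example that is not from this thread or from the RT::Authen::ExternalAuth distribution. The hostname, DNs, bind password, CA file path and the My_LDAP service name are placeholders, and it assumes net_ldap_args is passed to Net::LDAP->new unchanged.

```perl
# Added example: RT_SiteConfig.pm fragment for LDAPS on 636 (placeholders throughout).
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 1);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',

        # The scheme selects LDAPS; Net::LDAP uses port 636 for ldaps:// by
        # default, so no port needs to be appended to the host.
        'server' => 'ldaps://ldap.example.com',

        # 'tls' => 1 asks for STARTTLS on an already-encrypted LDAPS socket;
        # per the thread, leave it off when using ldaps://.
        'tls'    => 0,

        'user'   => 'cn=rt-bind,ou=service,dc=example,dc=com',
        'pass'   => 'PLACEHOLDER_BIND_PASSWORD',
        'base'   => 'ou=people,dc=example,dc=com',
        'filter'   => '(objectClass=inetOrgPerson)',
        'd_filter' => '(objectClass=FilterMatchesNothing)',

        'attr_match_list' => ['Name', 'EmailAddress'],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },

        # Passed straight to Net::LDAP->new. Net::LDAP's default is
        # verify => 'none', which encrypts but does not check the server's
        # certificate; 'require' plus the signing CA closes that gap.
        'net_ldap_args' => [
            version => 3,
            verify  => 'require',
            cafile  => '/etc/ssl/certs/example-ldap-ca.pem',
        ],
    },
});
```

With verify => 'require', a wrong or untrusted CA makes the bind fail loudly instead of silently succeeding, which is the symptom the thread could not get out of RT's debug log.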
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
TLS would still be over port 389 if it was being used.

Regards,
Ken

On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:
> I am successfully authenticating via LDAP (cleartext) over TCP 389
> using RT::Authen::ExternalAuth
>
> However, once I change:
>
> Set($ExternalServiceUsesSSLorTLS,1);
>
> and in the ExternalSettings for My_LDAP:
>
> 'tls' => 1,
> 'ssl_version' => 3,
>
> It still authenticates (successfully) over TCP 389.
>
> I noticed someone else had a similar problem but was lacking
> Net::SSLeay. Not my case here (I don't see how you can use Net::LDAP
> without Net::SSLeay)
>
> [root@rtir-test ~]# cpan -i Net::SSLeay
> CPAN: Storable loaded ok (v2.20)
> Reading '/root/.cpan/Metadata'
> Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
> CPAN: Module::CoreList loaded ok (v2.18)
> Net::SSLeay is up to date (1.58).
> [root@rtir-test ~]#
>
> I have debug logging enabled in RT, but it doesn't seem to tell me
> anything useful since nothing is failing.
>
> RT-Authen-ExternalAuth-0.17