Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Request Tracker: Users

ExternalAuth to active directory over SSL

  

 
Request Tracker users RSS feed   Index | Next | Previous | View Threaded


bwiese at ElementPS

Mar 21, 2012, 12:23 PM

Post #1 of 8 (1283 views)
Permalink
ExternalAuth to active directory over SSL
I have ExternalAuth working fine over regular LDAP. But I need to run it over LDAPS for security reasons.

We use an internal CA for our certs. I've added it to /etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to /etc/ssl/certs/ca-bundle.crt)

This runs successfully (used to error before I added the CA certs to the bundle):

openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

I've also verified the cert/cert chain:
openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt dc.mydomain.local.pem
dc.mydomain.local.pem: OK

However, this errors out with a bad cert error (shortened -D, but it's the same string that works when using LDAP and ldapsearch over regular ldap works fine):

ldapsearch -d 2 -LLL -v -x -H ldaps:// dc.mydomain.local:636 -b 'DC=mydomain,DC=local' -D 'CN=Apache,OU...,DC= mydomain,DC=local' -w '**pass**' '(sn=smith)' cn sn

Results (snipped hex code):

ldap_initialize( ldaps://dc.mydomain.local:636/??base )
tls_write: want=60, written=60
tls_read: want=3, got=3
tls_read: want=2, got=2
tls_read: want=2724, got=2724
TLS: certificate [CN= dc.mydomain.local] is not valid - error -8179:Unknown code ___f 13.
tls_write: want=7, written=7
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Unknown code ___f 13.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Running LDP.exe on the domain controllers running in SSL mode works fine.

RT's log gives the following:
[Wed Mar 21 19:04:41 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm guessing it's probably getting that same "is not valid" error... but why?

I've googled for hours looking for anything beyond making sure the CA cert was in the bundle. Does ldapsearch/RT externalAuth use a different CA bundle than /etc/pki/tls/certs/ca-bundle.crt (or the linked /etc/ssl/certs/ca-bundle.crt)? Any idea what I'm missing?

Running centos 6 and openssl -1.0.0-20.el6_2.2.x86_64 (latest in yum repo... same thing when I ran 1.0.0-10 too).

Brent


bwiese at ElementPS

Mar 21, 2012, 2:11 PM

Post #2 of 8 (1260 views)
Permalink
Re: ExternalAuth to active directory over SSL [In reply to]
I answered part of my question... I can successfully ldapsearch now. I added

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

To /etc/openldap/ldap.conf.

But RT is still failing. If I set:

'tls' => 1,
'ssl_version' => 3,
'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],

I get:
[Wed Mar 21 21:05:14 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_SERVER_DOWN 81 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

If I change to this:

'tls' => 0,
'ssl_version' => 3,
'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],

I get:
[Wed Mar 21 21:09:27 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm further, but still stuck.


From: rt-users-bounces [at] lists [mailto:rt-users-bounces [at] lists] On Behalf Of Brent Wiese
Sent: Wednesday, March 21, 2012 12:23 PM
To: rt-users [at] lists
Subject: [rt-users] ExternalAuth to active directory over SSL

I have ExternalAuth working fine over regular LDAP. But I need to run it over LDAPS for security reasons.

We use an internal CA for our certs. I've added it to /etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to /etc/ssl/certs/ca-bundle.crt)

This runs successfully (used to error before I added the CA certs to the bundle):

openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

I've also verified the cert/cert chain:
openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt dc.mydomain.local.pem
dc.mydomain.local.pem: OK

However, this errors out with a bad cert error (shortened -D, but it's the same string that works when using LDAP and ldapsearch over regular ldap works fine):

ldapsearch -d 2 -LLL -v -x -H ldaps:// dc.mydomain.local:636 -b 'DC=mydomain,DC=local' -D 'CN=Apache,OU...,DC= mydomain,DC=local' -w '**pass**' '(sn=smith)' cn sn

Results (snipped hex code):

ldap_initialize( ldaps://dc.mydomain.local:636/??base )
tls_write: want=60, written=60
tls_read: want=3, got=3
tls_read: want=2, got=2
tls_read: want=2724, got=2724
TLS: certificate [CN= dc.mydomain.local] is not valid - error -8179:Unknown code ___f 13.
tls_write: want=7, written=7
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Unknown code ___f 13.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Running LDP.exe on the domain controllers running in SSL mode works fine.

RT's log gives the following:
[Wed Mar 21 19:04:41 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm guessing it's probably getting that same "is not valid" error... but why?

I've googled for hours looking for anything beyond making sure the CA cert was in the bundle. Does ldapsearch/RT externalAuth use a different CA bundle than /etc/pki/tls/certs/ca-bundle.crt (or the linked /etc/ssl/certs/ca-bundle.crt)? Any idea what I'm missing?

Running centos 6 and openssl -1.0.0-20.el6_2.2.x86_64 (latest in yum repo... same thing when I ran 1.0.0-10 too).

Brent


bwiese at ElementPS

Mar 23, 2012, 3:05 PM

Post #3 of 8 (1238 views)
Permalink
Re: ExternalAuth to active directory over SSL [In reply to]
In case anyone is following this thread...

I noticed in the notes that when you enable SSL/TLS, it invokes NET::SSLeay.

Didn't appear to be installed. I installed via cpan... and now Apache seg faults when I try to start it. It's seg faulting on:
Plack::Handler::Apache2->preload("/opt/rt4/sbin/rt-server");

If I comment that line out, apache will start, but it doesn't do anything (500 server errors).

I've seen some posts about this on the list, but nothing that solved my issue.

I tried upgrading all my cpan pm's and "yum update" (I'm running CentOS) everything to see if that helped... no go.

So I'm dead in the water now. Thankfully, this is my test/play system, so my prod system is still running, but unless someone here has a solution, I'm looking at a fresh reload of everything and starting over from scratch...


From: rt-users-bounces [at] lists [mailto:rt-users-bounces [at] lists] On Behalf Of Brent Wiese
Sent: Wednesday, March 21, 2012 2:11 PM
To: rt-users [at] lists
Subject: Re: [rt-users] ExternalAuth to active directory over SSL

I answered part of my question... I can successfully ldapsearch now. I added

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

To /etc/openldap/ldap.conf.

But RT is still failing. If I set:

'tls' => 1,
'ssl_version' => 3,
'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],

I get:
[Wed Mar 21 21:05:14 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_SERVER_DOWN 81 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

If I change to this:

'tls' => 0,
'ssl_version' => 3,
'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],

I get:
[Wed Mar 21 21:09:27 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm further, but still stuck.


From: rt-users-bounces [at] lists<mailto:rt-users-bounces [at] lists> [mailto:rt-users-bounces [at] lists] On Behalf Of Brent Wiese
Sent: Wednesday, March 21, 2012 12:23 PM
To: rt-users [at] lists<mailto:rt-users [at] lists>
Subject: [rt-users] ExternalAuth to active directory over SSL

I have ExternalAuth working fine over regular LDAP. But I need to run it over LDAPS for security reasons.

We use an internal CA for our certs. I've added it to /etc/pki/tls/certs/ca-bundle.crt (which looks to be linked to /etc/ssl/certs/ca-bundle.crt)

This runs successfully (used to error before I added the CA certs to the bundle):

openssl s_client -connect dc.mydomain.local:636 -CApath /etc/ssl/certs

I've also verified the cert/cert chain:
openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt dc.mydomain.local.pem
dc.mydomain.local.pem: OK

However, this errors out with a bad cert error (shortened -D, but it's the same string that works when using LDAP and ldapsearch over regular ldap works fine):

ldapsearch -d 2 -LLL -v -x -H ldaps:// dc.mydomain.local:636 -b 'DC=mydomain,DC=local' -D 'CN=Apache,OU...,DC= mydomain,DC=local' -w '**pass**' '(sn=smith)' cn sn

Results (snipped hex code):

ldap_initialize( ldaps://dc.mydomain.local:636/??base )
tls_write: want=60, written=60
tls_read: want=3, got=3
tls_read: want=2, got=2
tls_read: want=2724, got=2724
TLS: certificate [CN= dc.mydomain.local] is not valid - error -8179:Unknown code ___f 13.
tls_write: want=7, written=7
TLS: error: connect - force handshake failure: errno 21 - moznss error -8179
TLS: can't connect: TLS error -8179:Unknown code ___f 13.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Running LDP.exe on the domain controllers running in SSL mode works fine.

RT's log gives the following:
[Wed Mar 21 19:04:41 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

So I'm guessing it's probably getting that same "is not valid" error... but why?

I've googled for hours looking for anything beyond making sure the CA cert was in the bundle. Does ldapsearch/RT externalAuth use a different CA bundle than /etc/pki/tls/certs/ca-bundle.crt (or the linked /etc/ssl/certs/ca-bundle.crt)? Any idea what I'm missing?

Running centos 6 and openssl -1.0.0-20.el6_2.2.x86_64 (latest in yum repo... same thing when I ran 1.0.0-10 too).

Brent


alexmv at bestpractical

Mar 23, 2012, 5:06 PM

Post #4 of 8 (1239 views)
Permalink
Re: ExternalAuth to active directory over SSL [In reply to]
On Fri, 2012-03-23 at 15:05 -0700, Brent Wiese wrote:
> I noticed in the notes that when you enable SSL/TLS, it invokes
> NET::SSLeay.

This is why RT::Authen::ExternalAuth prompts about "SSL LDAP
Connections" when you run `perl Makefile.PL`.

> Didn’t appear to be installed. I installed via cpan… and now Apache
> seg faults when I try to start it. It’s seg faulting on:

This generally means that you're running mod_perl, and Net::SSLeay is
disagreeing with something else in the system (be it Apache, or your
database handle) which also wants to load the SSL libraries -- and the
libraries are ending up in an inconsistent state.
As a first step, try disabling Apache's SSL, or switching from
mod_perl to mod_fcgid or mod_fastcgi, and see if it helps.
- Alex


bwiese at ElementPS

Mar 27, 2012, 9:48 AM

Post #5 of 8 (1174 views)
Permalink
ExternalAuth to active directory over SSL [In reply to]
>
> On Fri, 2012-03-23 at 15:05 -0700, Brent Wiese wrote:
> > I noticed in the notes that when you enable SSL/TLS, it invokes
> > NET::SSLeay.
>
> This is why RT::Authen::ExternalAuth prompts about "SSL LDAP
> Connections" when you run `perl Makefile.PL`.

I'd installed via cpan so didn't notice that before.

> > Didn’t appear to be installed. I installed via cpan… and now Apache
> > seg faults when I try to start it. It’s seg faulting on:
>
> This generally means that you're running mod_perl, and Net::SSLeay is
> disagreeing with something else in the system (be it Apache, or your
> database handle) which also wants to load the SSL libraries -- and the
> libraries are ending up in an inconsistent state.
> As a first step, try disabling Apache's SSL, or switching from
> mod_perl to mod_fcgid or mod_fastcgi, and see if it helps.
> - Alex
>

I switched to fcgid and was able to get apache running again. Still same problems with the external auth.

Figuring maybe there was an issue when I first installed because Net::SSLeay wasn't installed, I grabbed the latest stable and manually built. Looks like it found everything correctly:

*** Module::AutoInstall version 1.04
*** Checking for Perl dependencies...
[SSL LDAP Connections]
- Net::SSLeay ...loaded. (1.45)
[External LDAP Sources]
- Net::LDAP ...loaded. (0.44)
[External DBI Sources]
- DBI ...loaded. (1.618)
[SSO Cookie Sources]
- CGI::Cookie ...loaded. (1.30)
*** Module::AutoInstall configuration finished.
Checking if your kit is complete...
Looks good

Alas, no, it didn't help:
[Tue Mar 27 16:43:36 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

I'm not convinced it works. I challenge someone to respond with "yes, I can successfully use ExternalAuth against AD via SSL" and post their challenges/config. :)

I just don't know where to go from here.


falcone at bestpractical

Mar 27, 2012, 9:59 AM

Post #6 of 8 (1179 views)
Permalink
Re: ExternalAuth to active directory over SSL [In reply to]
On Tue, Mar 27, 2012 at 09:48:54AM -0700, Brent Wiese wrote:
> Alas, no, it didn't help:
> [Tue Mar 27 16:43:36 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

And what's in your AD server configs?

> I'm not convinced it works. I challenge someone to respond with "yes, I can successfully use ExternalAuth against AD via SSL" and post their challenges/config. :)

I've configured ExternalAuth against AD using SSL, but since these were
client installs I'm not allowed to copy/paste their configurations.

-kevin


trs at bestpractical

Mar 27, 2012, 10:02 AM

Post #7 of 8 (1174 views)
Permalink
Re: ExternalAuth to active directory over SSL [In reply to]
On 03/27/2012 12:48 PM, Brent Wiese wrote:
> I'm not convinced it works. I challenge someone to respond with "yes,
> I can successfully use ExternalAuth against AD via SSL" and post
> their challenges/config. :)

Just a couple weeks ago I setup RT::Authen::ExternalAuth against AD via
SSL for a customer. It _does_ work.


trs at bestpractical

Mar 27, 2012, 10:28 AM

Post #8 of 8 (1173 views)
Permalink
Re: ExternalAuth to active directory over SSL [In reply to]
On 03/27/2012 12:48 PM, Brent Wiese wrote:
> Alas, no, it didn't help: [Tue Mar 27 16:43:36 2012] [critical]:
> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
> LDAP_OPERATIONS_ERROR 1
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)

Note that you're no longer getting segfaults from Apache, meaning you
solved the SSL lib conflict between Perl and Apache. The error above is
a pure bind error.

What's your ExternalAuth config? I suspect you configured it to talk
TLS to your SSL port.

Thomas

Request Tracker users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.