Getting LDAPS working correctly

Moderator: crythias

98cwitr
Znuny newbie
Posts: 9
Joined: 04 Dec 2012, 19:14
Znuny Version: 3.1.6

Getting LDAPS working correctly

Post by 98cwitr »

Well, apparently I need to work on getting my CA cert signed, but maybe you guys can point me in the right direction. I cannot get OTRS to authenticate to my DC. A little background:

Error message in /var/logs/httpd
ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Mon Dec 3 15:22:50 2012

Message: Can't connect to ldaps://server.domain.net: IO::Socket::SSL: SSL connect attempt failed because of handshake problemserror:00000000:lib(0):func(0):reason$

Traceback (2040):
Module: Kernel::System::Auth::LDAP::Auth (v1.60) Line: 172
Module: Kernel::System::Auth::Auth (v1.56) Line: 189
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
We are authenticating to a 2003 domain level AD
OTRS is sitting on a redhat box
We have our own root CA and the cert is signed (and Apache works on 443)

Here's the main chunk of my Config.pm file:

sub Load {
    my $Self = shift;

    # Agent authentication against AD over LDAPS
    $Self->{'AuthModule'}                    = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'}        = 'ldaps://server.domain.net';
    $Self->{'AuthModule::LDAP::BaseDN'}      = 'dc=server,dc=domain,dc=net';
    $Self->{'AuthModule::LDAP::UID'}         = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::AccessAttr'}  = 'memberUid';
    $Self->{'AuthModule::LDAP::UserAttr'}    = 'UID';
    # Bind account used for the initial search (first bind)
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Service - OTRS,ou=Service Accounts,dc=server,dc=domain,dc=net';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'pass';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

    # Options passed straight through to Net::LDAP->new (see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        timeout    => 120,
        async      => 0,
        cafile     => 'etc/ssl/certs/ca.cer',
        clientcert => '/etc/ssl/certs/server.cer',   # client certificate for mutual TLS
        clientkey  => '/etc/ssl/certs/server.key',   # its private key
    };
}
So checking my certs, I ran the following:

[root@server ~]# openssl s_client -connect dc1.server.domain.net:636 -state -CAfile /etc/ssl/certs/ca.cer -cert /etc/ssl/certs/server.cer -key /etc/ssl/certs/server.key -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
140381855455048:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:590:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1354641836
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---


Running an LDAP search yields


[root@server ~]# ldapsearch -d -1 -x -H ldaps://server.domain.net
ldap_url_parse_ext(ldaps://server.domain.net)
ldap_create
ldap_url_parse_ext(ldaps://server.domain.net:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <removed>
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <ip:port>
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/certs/ca.cer.
TLS: file ca.cer does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.

tls_write: want=70, written=70
0000: 16 03 01 00 41 01 00 00 3d 03 01 50 be 32 10 0f ....A...=..P.2..
0010: cd 2b c8 e2 eb 19 c1 89 93 40 4a 99 fb 54 52 ae .+.......@J..TR.
0020: f5 f5 f0 66 1a 46 23 c9 00 a6 7e 00 00 16 00 ff ...f.F#...~.....
0030: 00 35 00 05 00 04 00 2f 00 0a 00 09 00 64 00 62 .5...../.....d.b
0040: 00 03 00 06 01 00 ......
tls_read: want=5, got=0

TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Would you guys agree it's simply a certificate problem? Or am I missing something more fundamental here?

many thanks!
Last edited by 98cwitr on 21 Mar 2017, 21:47, edited 1 time in total.
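The tls_write hex dump in the ldapsearch trace above is the only thing the DC saw before it dropped the connection (tls_read: want=5, got=0), so it is worth decoding. The following is an added example, not code from the original post or from OTRS/Znuny: it turns that dump back into bytes and decodes the TLS ClientHello (record version, client version, random, session ID, cipher suites offered, compression, extensions). The sample input is the dump copied from the post; the suite-name table covers only the IDs that occur in it, and the "weak" classification (export, RC4, single DES, MD5) is this example's own heuristic.

```python
"""Decode the TLS ClientHello from an OpenLDAP `ldapsearch -d -1` tls_write hex dump."""
import re
import struct

# Constructed sample: the 70-byte tls_write dump from the forum post above
# (offset column, hex column, ASCII column; the forum collapsed the padding).
SAMPLE_DUMP = """\
0000: 16 03 01 00 41 01 00 00 3d 03 01 50 be 32 10 0f ....A...=..P.2..
0010: cd 2b c8 e2 eb 19 c1 89 93 40 4a 99 fb 54 52 ae .+.......@J..TR.
0020: f5 f5 f0 66 1a 46 23 c9 00 a6 7e 00 00 16 00 ff ...f.F#...~.....
0030: 00 35 00 05 00 04 00 2f 00 0a 00 09 00 64 00 62 .5...../.....d.b
0040: 00 03 00 06 01 00 ......
"""

# IANA names for the suite IDs that occur in the sample (assumption: not a complete registry).
SUITE_NAMES = {
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
}

# Offset, then up to 16 hex pairs; the ASCII column is dropped. Caveat: an ASCII
# column that happens to begin with two hex digits would be mis-read as a byte.
HEX_LINE = re.compile(r"^[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2}\s+){1,16})")


def dump_to_bytes(dump: str) -> bytes:
    """Reassemble the raw record bytes from the hex-dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1))  # fromhex ignores the spaces
    return bytes(out)


def parse_client_hello(rec: bytes) -> dict:
    """Parse one TLS record containing a ClientHello (RFC 5246 layout)."""
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", rec[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = rec[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated record")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + hlen]
    pos = 0
    cmaj, cmin = hello[pos], hello[pos + 1]
    pos += 2
    random = hello[pos:pos + 32]              # first 4 bytes: gmt_unix_time
    pos += 32
    sid_len = hello[pos]
    pos += 1
    session_id = hello[pos:pos + sid_len]
    pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1
    compression = list(hello[pos:pos + comp_len])
    pos += comp_len
    extensions = []                           # (type, raw data); absent in TLS 1.0 hellos like this one
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            extensions.append((etype, hello[pos:pos + elen]))
            pos += elen
    return {
        "record_version": (rmaj, rmin), "record_length": rlen,
        "client_version": (cmaj, cmin),
        "gmt_unix_time": struct.unpack("!I", random[:4])[0],
        "session_id": session_id, "cipher_suites": suites,
        "compression": compression, "extensions": extensions,
    }


def summarize(dump: str) -> dict:
    """Human-readable view: named suites, weak ones, and whether SNI (ext 0) was sent."""
    h = parse_client_hello(dump_to_bytes(dump))
    names = [SUITE_NAMES.get(s, f"0x{s:04x}") for s in h["cipher_suites"]]
    weak = [n for n in names if any(t in n for t in ("EXPORT", "RC4", "_DES_CBC_", "_MD5"))]
    return {"client_version": h["client_version"], "gmt_unix_time": h["gmt_unix_time"],
            "offered_suites": names, "weak_suites": weak,
            "sni_sent": any(t == 0 for t, _ in h["extensions"])}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the embedded dump: a TLS 1.0 hello, no extensions (so no SNI), eleven RSA suites of which seven are export, RC4, single-DES or MD5 based. The gmt_unix_time field in the random is 0x50be3210, about 100 seconds after the Start Time in the s_client output, consistent with both captures coming from the same round of tests. A server that closes the socket right after a ClientHello without sending an alert gives no reason; comparing the offered version and suites against what the DC accepts is the first thing to check before blaming the CA file.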
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Getting LDAPS working correctly

Post by crythias »

98cwitr wrote: cafile => 'etc/ssl/certs/ca.cer',
maybe it should be:

cafile => '/etc/ssl/certs/ca.cer',

assuming all the rest is correct.

Other than that: TLS: file ca.cer does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: Getting LDAPS working correctly

Post by 98cwitr »

Whoops! Nice catch! :)

So I guess my question is...is that line needed?

EDIT: So does the CAfile go in a different dir? I am now wondering if the simple export from my Microsoft CA (base64 format) needs to be processed by openssl in a different way that I am not aware of.

EDIT2:

After playing around with the Config.pm for the certs, no more errors in /var/log/httpd
[Tue Dec 04 13:50:06 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Dec 04 13:50:07 2012] [notice] Digest: generating secret for digest authentication ...
[Tue Dec 04 13:50:07 2012] [notice] Digest: done
[Tue Dec 04 13:50:07 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_perl/2.0.4 Perl/v5.10.1 configured --$
Still can't authenticate though :(

Re: Getting LDAPS working correctly

Post by 98cwitr »

So when I change the Config.pm to this:

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'server1.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'FullDNOfGroup';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'fulldnOfAuthAccountInAD';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just wants to use "user" but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 636,
    timeout => 120,
    async   => 0,
    cafile  => '/etc/ssl/certs/ca.cer',
};
I get this:
[Thu Dec 06 09:02:34 2012] [notice] caught SIGTERM, shutting down
[Thu Dec 06 09:02:36 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Dec 06 09:02:37 2012] [notice] Digest: generating secret for digest authentication ...
[Thu Dec 06 09:02:37 2012] [notice] Digest: done
[Thu Dec 06 09:02:38 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_perl/2.0.4 Perl/v5.10.1 configured --$
ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Thu Dec 6 09:02:45 2012

Message: First bind failed! Unexpected EOF
So, my interpretation here is that the Config.pm must have ldaps://server1.domain.com in the AuthModule::LDAP::Host define, and have no settings in AuthModule::LDAP::Params. That seems strange to me though, since most examples I see have these settings.

As a sidenote, I also ran this just for the heck of it
[root@otrs bin]# perl otrs.CheckDB.pl
Can't locate Kernel/Config.pm in @INC (@INC contains: /root /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at otrs.CheckDB.pl line 37.
BEGIN failed--compilation aborted at otrs.CheckDB.pl line 37.
Dunno if that would have anything to do with it.
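"First bind failed! Unexpected EOF" is Net::LDAP reporting that the socket closed before a BindResponse arrived, which can be either the TLS layer or the directory refusing the connection. The following added example (not code from the post, nor from OTRS/Znuny or Net::LDAP) performs the same two steps outside OTRS using only the Python standard library: a strictly verified TLS connection to port 636 (CA file supplied, server certificate required, hostname checked) followed by one LDAP simple bind encoded by hand as BER, so that a TLS failure surfaces as an ssl exception and a directory failure comes back as an LDAP resultCode. Host, bind DN and CA path are taken from the command line and the password from a prompt; the LDAP byte layouts in the comments follow RFC 4511, and any response bytes used for testing are constructed for illustration.

```python
"""Minimal LDAPS simple-bind probe (stdlib only): strict TLS verification, then one bind."""
import socket
import ssl

# resultCode values most often seen on a first bind (RFC 4511, subset)
RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; return (tag, payload, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    assert 1 <= msg_id <= 127, "single-byte positive INTEGER keeps the encoding trivial"
    bind = ber_tlv(0x60, ber_tlv(0x02, b"\x03")            # version 3
                   + ber_tlv(0x04, dn.encode())            # name (LDAPDN)
                   + ber_tlv(0x80, password.encode()))     # simple [0] password
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + bind)


def parse_bind_response(msg: bytes):
    """Return (messageID, resultCode, matchedDN, diagnosticMessage) from a BindResponse."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(body)
    tag, op, _ = ber_read(body, pos)
    if tag != 0x61:                                         # BindResponse [APPLICATION 1]
        raise ValueError(f"expected BindResponse (0x61), got 0x{tag:02x}")
    _, code, pos = ber_read(op)                             # ENUMERATED resultCode
    _, matched, pos = ber_read(op, pos)                     # matchedDN
    _, diag, _ = ber_read(op, pos)                          # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            matched.decode(errors="replace"), diag.decode(errors="replace"))


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:   # the same symptom OTRS logs as "Unexpected EOF"
            raise ConnectionError("server closed the connection before a BindResponse")
        buf += chunk
    return buf


def read_ldap_message(sock) -> bytes:
    """Read exactly one BER SEQUENCE (tag, length, payload) from the socket."""
    hdr = recv_exact(sock, 2)
    length = hdr[1]
    if length & 0x80:
        ext = recv_exact(sock, length & 0x7F)
        hdr += ext
        length = int.from_bytes(ext, "big")
    return hdr + recv_exact(sock, length)


def ldaps_bind(host: str, dn: str, password: str, cafile: str, port: int = 636):
    """Verified LDAPS connection plus one simple bind; returns (code, name, diagnostic)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=15) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, dn, password))
            _, code, _, diag = parse_bind_response(read_ldap_message(tls))
    return code, RESULT_CODES.get(code, "other"), diag


if __name__ == "__main__":
    import getpass
    import sys
    host, dn, ca = sys.argv[1:4]
    print(ldaps_bind(host, dn, getpass.getpass("bind password: "), ca))
```

Because create_default_context checks the certificate against the host name you pass, connect to the DC's own FQDN (the name in its certificate, e.g. the host used in the s_client test above) rather than the bare domain name; a mismatch is reported as a certificate error before any bind is sent. Recent Python builds also refuse anything below TLS 1.2, which a 2003-era DC may not offer, and that appears as ssl.SSLError. A resultCode of 49 means the TLS side is fine and the DN or password is wrong; a ConnectionError from recv_exact means the server accepted the handshake and then dropped the connection, the condition Net::LDAP reports as an unexpected EOF.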

Re: Getting LDAPS working correctly

Post by 98cwitr »

Breakthrough moment on the Customer Portal! After putting sniffers on the DC and seeing the connections, I realized that

$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

was proper instead of $Self->{'AuthModule::LDAP::UID'} = 'uid'; (we're not using openldap...duh!)

So now I get

Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.

Very promising...the only problem is that the Agent side now shows
#500

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.
reneeb
Znuny guru
Posts: 5018
Joined: 13 Mar 2011, 09:54
Znuny Version: 6.0.x
Real Name: Renée Bäcker
Company: Perl-Services.de

Re: Getting LDAPS working correctly

Post by reneeb »

What do the logs say? (OTRS log and webserver log)
Perl / Znuny development: http://perl-services.de
Free Znuny add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de

Re: Getting LDAPS working correctly

Post by 98cwitr »

reneeb wrote:What do the logs say? (OTRS log and webserver log)
It's my understanding that otrs uses Apache's logs in Linux, please correct me if I'm wrong;

Here's the error_log file contents for this morning.

ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Wed Dec 12 08:15:02 2012

Message: No UserID found for 'myUsername'!

Traceback (10872):
Module: Kernel::System::User::UserLookup (v1.121) Line: 797
Module: Kernel::System::Auth::Auth (v1.56) Line: 244
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31

[Wed Dec 12 08:15:23 2012] [notice] caught SIGTERM, shutting down
[Wed Dec 12 08:15:25 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Dec 12 08:15:26 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Dec 12 08:15:26 2012] [notice] Digest: done
[Wed Dec 12 08:15:26 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_perl/2.0.4 Perl/v5.10.1 configured --$
[Wed Dec 12 08:17:59 2012] [notice] caught SIGTERM, shutting down
[Wed Dec 12 08:18:00 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Dec 12 08:18:02 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Dec 12 08:18:02 2012] [notice] Digest: done
[Wed Dec 12 08:18:02 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_perl/2.0.4 Perl/v5.10.1 configured --$
[Wed Dec 12 08:19:49 2012] [notice] caught SIGTERM, shutting down
[Wed Dec 12 08:19:51 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Dec 12 08:19:52 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Dec 12 08:19:52 2012] [notice] Digest: done
[Wed Dec 12 08:19:52 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_perl/2.0.4 Perl/v5.10.1 configured --$
mateco78
Znuny newbie
Posts: 1
Joined: 16 Dec 2022, 16:16
Znuny Version: 6.4.4
Real Name: serafino
Company: ITD Solutions

Re: Getting LDAPS working correctly

Post by mateco78 »

Has somebody done an LDAPS configuration on Znuny 6.4.4? Can you help?
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Getting LDAPS working correctly

Post by root »

mateco78 wrote (30 Mar 2023, 16:51): Has somebody done an LDAPS configuration on Znuny 6.4.4? Can you help?
Hi,

Please create a new post and don't reopen an over 10-year-old one.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?

Re: Getting LDAPS working correctly

Post by crythias »

This thread is about 10 years old. Please start a new thread but you can link to this one.
Also let us know what you've tried, encountered, etc on that new thread.