Hi everyone
Does anyone know how to make LDAP work with TLS in OTRS?
My configuration is:
...
$Self->{'AuthModule::LDAP::Host'} = 'srv-ldap-consumer-01.edu.br';
...
$Self->{'AuthModule::LDAP::Params'} = {
    verify     => 'optional',
    cafile     => '/etc/ssl/certs/cacert.pem',
    sslversion => 'tlsv1',
    port       => 389,
    timeout    => 120,
    async      => 0,
    version    => 3,
};
.....
The LDAP server log does not show that STARTTLS was called; it is binding with code 128, which means SIMPLE.
Looks like a call to 'start_tls' on perl is missing somewhere...
Note:
We don't use ldaps here, but for tests I have done this:
$Self->{'AuthModule::LDAP::Host'} = 'ldaps://srv-ldap-consumer-01.edu.br';
And Apache gives this:
Can't connect to ldaps://srv-ldap-consumer-01.edu.br:
We have other systems connecting to LDAP using TLS normally:
Jul 15 10:39:06 srv-ldap-consumer-01 slapd[995]: conn=89304 op=0 STARTTLS
Jul 15 10:39:06 srv-ldap-consumer-01 slapd[995]: conn=89304 op=0 RESULT oid= err=0 text=
Jul 15 10:39:06 srv-ldap-consumer-01 slapd[995]: conn=89304 fd=101 TLS established tls_ssf=128 ssf=128
Any help is appreciated.
Thanks
LDAP OTRS TLS
Moderator: crythias
Re: LDAP OTRS TLS
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Re: LDAP OTRS TLS
crythias wrote:
ldaps would be ssl ldap. A search might help. For instance, 389 is known to not be ssl but 636 is
Our LDAP uses TLS on port 389. It is an OpenLDAP server.
For example, our Linux machines are using the following to search and authenticate on LDAP:
uri ldap://srv-ldap-consumer-01.edu.br
ssl start_tls
Using Perl you need to call a function to start the TLS connection, like this:
# Upgrade the already-open plaintext connection with STARTTLS
my $mesg = $ldap->start_tls(
    sslversion => 'tlsv1',
    verify     => 'require',
    capath     => '/etc/ssl/certs/',
);
But I don't know how OTRS calls the Perl start_tls function; maybe it should be something like this in OTRS:
$Self->{'AuthModule::LDAP::Params'} = {
    ...
    starttls => 'yes',
    ...
};
Any idea?
Thanks
Re: LDAP OTRS TLS
Kernel/System/Auth/LDAP.pm
    # ldap connect and bind (maybe with SearchUserDN and SearchUserPw)
    my $LDAP = Net::LDAP->new( $Self->{Host}, %{ $Self->{Params} } );
    if ( !$LDAP ) {
        if ( $Self->{Die} ) {
            die "Can't connect to $Self->{Host}: $@";
        }
        else {
            $Self->{LogObject}->Log(
                Priority => 'error',
                Message  => "Can't connect to $Self->{Host}: $@",
            );
            return;
        }
    }
http://search.cpan.org/~marschap/perl-l ... #start_tls
There is no call for start_tls though. Seems trivial to add and since it's your install, you could hard code appropriate values.
Re: LDAP OTRS TLS
Thank you, it worked! (Now the traffic is encrypted; I tested with tcpdump.)
I'm posting the modifications that I made (I think there is no other file??) (OTRS 3.3.8):
In the file Kernel/System/Auth/LDAP.pm, line 174
In the file Kernel/System/Auth/Sync/LDAP.pm, line 130
The code that needs to be inserted:
    # start tls begin
    # Upgrade the connection to TLS before any bind. start_tls() always returns a
    # Net::LDAP::Message object, so the result code must be checked rather than
    # the object itself; otherwise a refused STARTTLS would silently fall back
    # to a plaintext bind.
    my $ResultTls = $LDAP->start_tls(
        verify => 'required',
    );
    if ( $ResultTls->code ) {
        if ( $Self->{Die} ) {
            die "Can't connect to $Self->{Host} using TLS: " . $ResultTls->error;
        }
        else {
            $Self->{LogObject}->Log(
                Priority => 'error',
                Message  => "Can't connect to $Self->{Host} using TLS: " . $ResultTls->error,
            );
            return;
        }
    }
    # start tls end
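As an added stand-alone check of the same STARTTLS-then-bind sequence (example script, not OTRS code or code from this thread; the host, bind DN, password variable and CA path are assumed placeholders), with the result code tested so that a refused or unverified STARTTLS never falls through to a plaintext bind:

```perl
#!/usr/bin/perl
# Added example: open a plaintext LDAP connection on 389, upgrade it with
# STARTTLS, verify the server certificate, and only then bind.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $Host   = 'ldap.example.org';                      # assumed placeholder
my $CAFile = '/etc/ssl/certs/cacert.pem';             # CA bundle from the thread's config
my $BindDN = 'cn=otrs,ou=service,dc=example,dc=org';  # assumed placeholder
my $BindPw = $ENV{LDAP_BIND_PW} // '';                # assumed: password from environment

my $ldap = Net::LDAP->new( $Host, port => 389, version => 3, timeout => 30 )
    or die "Can't connect to $Host: $@";

# 'require' makes a certificate that does not chain to $CAFile (or does not
# match the host name) a hard failure instead of a warning.
my $tls = $ldap->start_tls(
    verify     => 'require',
    cafile     => $CAFile,
    sslversion => 'tlsv1_2',
);

# start_tls() returns a Net::LDAP::Message even on failure, and the object is
# always true; the result code is the only reliable signal. Fail closed.
if ( $tls->code != LDAP_SUCCESS ) {
    $ldap->unbind;
    die "STARTTLS to $Host failed: " . $tls->error;
}
printf "TLS established, cipher %s\n", $ldap->cipher // 'unknown';

# The credentials leave the client only after the channel is encrypted.
my $bind = $ldap->bind( $BindDN, password => $BindPw );
die "Bind as $BindDN failed: " . $bind->error if $bind->code != LDAP_SUCCESS;

print "Authenticated bind over STARTTLS succeeded\n";
$ldap->unbind;
```

With verification enforced, a STARTTLS that the server declines or a certificate that does not validate aborts before the bind, which matches the slapd "STARTTLS ... TLS established" log lines quoted earlier when it succeeds.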
Re: LDAP OTRS TLS
CustomerAuth LDAP.pm may need to be similarly addressed if you need such.