We are authenticating to a 2003 domain level AD.

Error message in /var/logs/httpd:

ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Mon Dec 3 15:22:50 2012
Message: Can't connect to ldaps://server.domain.net: IO::Socket::SSL: SSL connect attempt failed because of handshake problems error:00000000:lib(0):func(0):reason$
Traceback (2040):
Module: Kernel::System::Auth::LDAP::Auth (v1.60) Line: 172
Module: Kernel::System::Auth::Auth (v1.56) Line: 189
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
OTRS is sitting on a Red Hat box.
We have our own root CA and the cert is signed (and Apache works on 443).
Here's the main chunk of my Config.pm file:

sub Load {
    my $Self = shift;

    # Authenticate agents against AD over LDAPS
    $Self->{'AuthModule'}                     = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'}         = 'ldaps://server.domain.net';
    $Self->{'AuthModule::LDAP::BaseDN'}       = 'dc=server,dc=domain,dc=net';
    $Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::AccessAttr'}   = 'memberUid';
    $Self->{'AuthModule::LDAP::UserAttr'}     = 'UID';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Service - OTRS,ou=Service Accounts,dc=server,dc=domain,dc=net';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'pass';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

    # Passed straight through to Net::LDAP->new (and on to IO::Socket::SSL)
    $Self->{'AuthModule::LDAP::Params'} = {
        timeout    => 120,
        async      => 0,
        cafile     => '/etc/ssl/certs/ca.cer',    # absolute path, like the two below; a relative path is resolved against Apache's working directory
        clientcert => '/etc/ssl/certs/server.cer',
        clientkey  => '/etc/ssl/certs/server.key',
    };
}

So checking my certs, I ran the following:

[root@server ~]# openssl s_client -connect dc1.server.domain.net:636 -state -CAfile /etc/ssl/certs/ca.cer -cert /etc/ssl/certs/server.cer -key /etc/ssl/certs/server.key -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
140381855455048:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:590:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1354641836
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Running an LDAP search yields:
[root@server ~]# ldapsearch -d -1 -x -H ldaps://server.domain.net
ldap_url_parse_ext(ldaps://server.domain.net)
ldap_create
ldap_url_parse_ext(ldaps://server.domain.net:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <removed>
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <ip:port>
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/certs/ca.cer.
TLS: file ca.cer does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
tls_write: want=70, written=70
0000: 16 03 01 00 41 01 00 00 3d 03 01 50 be 32 10 0f ....A...=..P.2..
0010: cd 2b c8 e2 eb 19 c1 89 93 40 4a 99 fb 54 52 ae .+.......@J..TR.
0020: f5 f5 f0 66 1a 46 23 c9 00 a6 7e 00 00 16 00 ff ...f.F#...~.....
0030: 00 35 00 05 00 04 00 2f 00 0a 00 09 00 64 00 62 .5...../.....d.b
0040: 00 03 00 06 01 00 ......
tls_read: want=5, got=0
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Would you guys agree it's simply a certificate problem? Or am I missing something more fundamental here?
Many thanks!
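As an added diagnostic (not from the original post or from OTRS itself), the script below repeats the Net::LDAP->new call that Kernel::System::Auth::LDAP makes with the same Params hash, but outside mod_perl, so the underlying IO::Socket::SSL error is printed instead of OTRS's summary line. Host and file paths are the ones from the Config.pm above; it assumes the files are readable by the user running it and that an anonymous bind to the DC is allowed for the final check.

```perl
#!/usr/bin/perl
# Added diagnostic, not part of the original post or of OTRS: repeat the
# Net::LDAP->new() call that Kernel::System::Auth::LDAP makes (line 172 in
# the traceback) with the same Params hash, outside mod_perl, and print the
# IO::Socket::SSL error that OTRS's "Can't connect" message hides.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

# Values copied from the Config.pm in the post.
my $Host   = 'ldaps://server.domain.net';
my %Params = (
    timeout    => 120,
    async      => 0,
    cafile     => '/etc/ssl/certs/ca.cer',
    clientcert => '/etc/ssl/certs/server.cer',
    clientkey  => '/etc/ssl/certs/server.key',
);

# Step 1: file problems surface as a generic handshake failure, so rule them
# out first. A relative path is resolved against the daemon's working
# directory, and an unreadable file gives the same symptom.
for my $Key (qw(cafile clientcert clientkey)) {
    my $File = $Params{$Key};
    die "$Key '$File' is not an absolute path\n" unless $File =~ m{^/};
    die "$Key '$File' is not readable as this user: $!\n" unless -r $File;
}

# Step 2: the connection itself. Net::LDAP hands cafile/clientcert/clientkey
# to IO::Socket::SSL for ldaps:// hosts; its verify option defaults to
# 'none', so a failure here is the handshake itself, not certificate trust.
my $LDAP = Net::LDAP->new( $Host, %Params );
if ( !$LDAP ) {
    print "Net::LDAP->new failed: $@\n";
    print "IO::Socket::SSL error: ", ( $IO::Socket::SSL::SSL_ERROR || 'none recorded' ), "\n";
    exit 1;
}

# Step 3: TLS is up. Show the negotiated cipher and the DC's certificate
# subject, then do an anonymous bind to prove the LDAP layer answers too.
my $Sock = $LDAP->socket;
printf "Connected, cipher %s\n", $Sock->get_cipher;
printf "Peer certificate subject: %s\n", $Sock->peer_certificate('subject') // 'n/a';
my $Mesg = $LDAP->bind;
print $Mesg->code ? 'Anonymous bind refused: ' . $Mesg->error . "\n" : "Anonymous bind OK\n";
$LDAP->unbind;
```

Run it as the Apache user (for example with su) so that file permissions match what mod_perl sees.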