
Bugzilla authentication through LDAPS and SSL certificates


bugzill...@gmail.com

Jan 26, 2018, 5:10:31 AM
to
Hello all,

I've installed a Bugzilla (5.0.3) server, run by apache, on a RHEL linux machine.

I'm facing an issue when trying to authenticate with LDAPS.

I found several posts on the web of people who faced similar issues. I tried the suggested fixes but none of them succeeded.

The authentication works pretty well when using the unencrypted LDAP protocol to communicate with the AD server. The LDAP configuration of my Bugzilla server is the following:
"LDAPBaseDN" : "o=xxx",
"LDAPbinddn" : "CN=xxx,OU=Users,OU=xxx,OU=Apps,O=xxx:xxx",
"LDAPfilter" : "",
"LDAPmailattribute" : "xxx",
"LDAPserver" : "servername",
"LDAPstarttls" : "0",
"LDAPuidattribute" : "uid",

I activate LDAPS by modifying the following line :
"LDAPserver" : "ldaps://servername",

I've copied the CA and server certificates into /etc/openldap/certs/ :
xxxCA.crt
servername.cer
servername.key

The ldap.conf uncommented lines are the following :
TLS_CACERTDIR /etc/openldap/certs
SASL_NOCANON on

When trying to log on the Bugzilla home page, I get the following error :
Could not connect to the LDAP server(s)

I know that the LDAP server has LDAPS support because some other apps are using it (these are java apps, using java keystores).

My guess is that the certificates are not sent correctly to the LDAPS server. How can I check whether this is actually the case?

Any suggestion would be appreciated, about how to fix or how to investigate this issue.

Thanks in advance and best regards.

Gervase Markham

Jan 26, 2018, 5:53:37 AM
to bugzill...@gmail.com
On 26/01/18 10:10, bugzill...@gmail.com wrote:
> I know that the LDAP server has LDAPS support because some other apps are using it (these are java apps, using java keystores).

Do you know if the relevant Perl modules Bugzilla uses for LDAP have
LDAPS support? They may not...

Gerv

Emmanuel Seyman

Jan 26, 2018, 5:59:08 AM
to support-...@lists.mozilla.org
* Gervase Markham [26/01/2018 10:53] :
>
> Do you know if the relevant Perl modules Bugzilla uses for LDAP have
> LDAPS support? They may not...

Net::LDAP does have LDAPS support.
http://search.cpan.org/~marschap/perl-ldap-0.65/lib/Net/LDAPS.pm

Emmanuel

bugzill...@gmail.com

Jan 26, 2018, 6:25:14 AM
to
During installation, Bugzilla's install-module.pl script downloaded the missing Perl modules from CPAN. This includes LDAP.pm and LDAPS.pm (I checked in the Bugzilla file tree).

Thanks for your replies anyway :)

Any other idea?

Regards.

Thorsten Schöning

Jan 26, 2018, 7:23:06 AM
to support-...@lists.mozilla.org
Good day bugzill...@gmail.com,
on Friday, 26 January 2018 at 11:10 you wrote:

> I know that the LDAP server has LDAPS support because some other
> apps are using it (these are java apps, using java keystores).

What kind of certificates are you using? Especially, did you add some
to the Java keystore in use? If so, you most likely need to do the
same for Perl.

Have a look at the following class, I don't see any custom keystore
handling by Bugzilla, so it uses whatever Net::LDAP uses which should
be what IO::Socket::SSL uses etc.

> Bugzilla::Auth::Verify::LDAP

This might be easy to test by changing the following line:

> $self->{ldap} = new Net::LDAP(trim($_));

to

> $self->{ldap} = new Net::LDAP(trim($_), verify => 'none');

http://search.cpan.org/~marschap/perl-ldap-0.65/lib/Net/LDAPS.pm
http://search.cpan.org/~sullr/IO-Socket-SSL-2.054/lib/IO/Socket/SSL.pod#Common_Usage_Errors

Kind regards,

Thorsten Schöning

--
Thorsten Schöning E-mail: Thorsten....@AM-SoFT.de
AM-SoFT IT-Systeme http://www.AM-SoFT.de/

Phone.............05151- 9468- 55
Fax...............05151- 9468- 88
Mobile............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow

bugzill...@gmail.com

Jan 26, 2018, 7:48:29 AM
to
Hello Thorsten,

>
> > I know that the LDAP server has LDAPS support because some other
> > apps are using it (these are java apps, using java keystores).
>
> What kind of certificates are you using? Especially, did you add some
> to the Java keystore in use? If so, you most likely need to do the
> same for Perl.

I didn't add anything to these Java apps' keystore, as I'm not their maintainer. Anyway, I could not re-use the same certificates as they run on different servers. I'm considering here the certificates sent to the AD server for client authentication (kept in a keystore for Java apps), not the certificates received from the AD server for server authentication (kept in a truststore for Java apps).

I'd love to add the certificates to some kind of Perl keystore, but I'm not aware of such functionality.

>
> Have a look at the following class, I don't see any custom keystore
> handling by Bugzilla, so it uses whatever Net::LDAP uses which should
> be what IO::Socket::SSL uses etc.
>
> > Bugzilla::Auth::Verify::LDAP
>
> This might be easy to test by changing the following line:
>
> > $self->{ldap} = new Net::LDAP(trim($_));
>
> to
>
> > $self->{ldap} = new Net::LDAP(trim($_), verify => 'none');

I already tried this. But I think (not totally sure though) that my problem comes from the certificates that Bugzilla sends to the AD server, not the certificates it receives from the server.

I also tried the following:
$self->{ldap} = new Net::LDAP(trim($_), verify => 'none', clientcert => '/somepath/servername.cer', clientkey => '/somepath/servername.key');

Thank you for your try.

Emmanuel Seyman

Jan 26, 2018, 7:48:57 AM
to support-...@lists.mozilla.org
* bugzill...@gmail.com [26/01/2018 02:10] :
>
> I've installed a Bugzilla (5.0.3) server, run by apache, on a RHEL linux machine.

Shameless plug: https://blog.fedora-fr.org/eseyman/post/Installing-Bugzilla-on-RHEL/Centos-7.x

> I've copied the CA and server certificates into /etc/openldap/certs/ :

I would expect IO::Socket::SSL to look in /etc/ssl/certs, by default.

Emmanuel
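The two suggestions above, Thorsten's test of changing the `Net::LDAP` constructor and Emmanuel's point about where IO::Socket::SSL looks for CA certificates, can be checked outside Bugzilla with a stand-alone probe. This is an added example, not code from Bugzilla or from the thread; the server name, CA path, bind DN and password are placeholders taken from the original post, and the script names the trust material explicitly so it does not depend on the default certificate directory.

```perl
#!/usr/bin/perl
# Stand-alone LDAPS probe (added example, not Bugzilla's own code).
# It does what Bugzilla::Auth::Verify::LDAP does at login time, connect and
# bind, but with the CA file given explicitly and TLS verification enforced,
# so a trust-chain problem shows up as a clear error instead of
# "Could not connect to the LDAP server(s)".
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

# Verbose handshake trace on STDERR, as described in the IO::Socket::SSL docs.
$IO::Socket::SSL::DEBUG = 3;

my $uri    = 'ldaps://servername';              # placeholder from the post
my $cafile = '/etc/openldap/certs/xxxCA.crt';   # CA that issued the AD server cert
my $binddn = 'CN=xxx,OU=Users,OU=xxx,OU=Apps,O=xxx';  # placeholder bind account
my $bindpw = $ENV{LDAP_BINDPW} // 'changeme';   # assumed env var; keeps the secret out of the file

# Stage 1: TCP + TLS handshake with server verification.
# verify => 'require' rejects an untrusted chain; Thorsten's verify => 'none'
# is only a diagnostic to tell a trust failure apart from a network failure.
# clientcert/clientkey are deliberately omitted: add them only if the server
# actually requests a client certificate during the handshake.
my $ldap = Net::LDAP->new(
    $uri,
    verify  => 'require',
    cafile  => $cafile,
    timeout => 10,
) or die "connect/TLS failed: $@\n";   # Net::LDAP->new sets $@ on failure

# Stage 2: simple bind. A wrong DN or password yields invalidCredentials here,
# which is a different problem from a handshake failure in stage 1.
my $mesg = $ldap->bind($binddn, password => $bindpw);
die sprintf("bind failed (%d): %s\n", $mesg->code, $mesg->error) if $mesg->code;

print "LDAPS connection and bind OK\n";
$ldap->unbind;
```

Run it as the same user Apache runs Bugzilla under, so that file permissions on the CA file and the default certificate directories match what the web server sees.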

bugzill...@gmail.com

Jan 26, 2018, 8:18:18 AM
to
Hi Emmanuel,

> > I've installed a Bugzilla (5.0.3) server, run by apache, on a RHEL linux machine.
>
> Shameless plug: https://blog.fedora-fr.org/eseyman/post/Installing-Bugzilla-on-RHEL/Centos-7.x

Thanks for this link. I installed Bugzilla from the tarball and ran the script that installs missing Perl modules from CPAN. This step ran OK (only a few optional modules are still 'not found'; see the list below if you wish).

>
> > I've copied the CA and server certificates into /etc/openldap/certs/ :
>
> I would expect IO::Socket::SSL to look in /etc/ssl/certs, by default.

I didn't know this location. On my server it is a symlink to /etc/pki/tls/certs. I also found some other 'certs' directories in /etc/pki. I copied the certificates into all of them. Unfortunately this didn't help :(

Thank you anyway.

bugzill...@gmail.com

Jan 26, 2018, 8:19:35 AM
to
I forgot the list of modules:

# ./checksetup.pl --check-modules
* This is Bugzilla 5.0.3 on perl 5.16.3
* Running on Linux 3.10.0-327.10.1.el7.x86_64 #1 SMP Sat Jan 23 04:54:55 EST 2016

Checking perl modules...
Checking for CGI.pm (v3.51) ok: found v4.36
Checking for Digest-SHA (any) ok: found v5.85
Checking for TimeDate (v2.23) ok: found v2.24
Checking for DateTime (v0.75) ok: found v1.44
Checking for DateTime-TimeZone (v1.64) ok: found v2.13
Checking for DBI (v1.614) ok: found v1.627
Checking for Template-Toolkit (v2.24) ok: found v2.27
Checking for Email-Sender (v1.300011) ok: found v1.300031
Checking for Email-MIME (v1.904) ok: found v1.946
Checking for URI (v1.55) ok: found v1.72
Checking for List-MoreUtils (v0.32) ok: found v0.425
Checking for Math-Random-ISAAC (v1.0.1) ok: found v1.004
Checking for File-Slurp (v9999.13) ok: found v9999.19
Checking for JSON-XS (v2.01) ok: found v3.04

Checking available perl DBD modules...
Checking for DBD-Pg (v2.7.0) not found
Checking for DBD-mysql (v4.001) ok: found v4.023
Checking for DBD-SQLite (v1.29) ok: found v1.54
Checking for DBD-Oracle (v1.19) not found

The following Perl modules are optional:
Checking for GD (v1.20) ok: found v2.66
Checking for Chart (v2.4.1) ok: found v2.4.10
Checking for Template-GD (any) ok: found v1.56
Checking for GDTextUtil (any) ok: found v0.86
Checking for GDGraph (any) ok: found v1.54
Checking for MIME-tools (v5.406) ok: found v5.509
Checking for libwww-perl (any) ok: found v6.27
Checking for XML-Twig (any) ok: found v3.52
Checking for PatchReader (v0.9.6) ok: found v0.9.6
Checking for perl-ldap (any) ok: found v0.65
Checking for Authen-SASL (any) ok: found v2.16
Checking for Net-SMTP-SSL (v1.01) ok: found v1.04
Checking for RadiusPerl (any) ok: found v0.26
Checking for SOAP-Lite (v0.712) ok: found v1.22
Checking for XMLRPC-Lite (v0.712) ok: found v0.717
Checking for JSON-RPC (any) ok: found v1.06
Checking for Test-Taint (v1.06) ok: found v1.06
Checking for HTML-Parser (v3.67) ok: found v3.72
Checking for HTML-Scrubber (any) ok: found v0.17
Checking for Encode (v2.21) ok: found v2.93
Checking for Encode-Detect (any) not found
Checking for Email-Reply (any) ok: found v1.204
Checking for HTML-FormatText-WithLinks (v0.13) ok: found v0.15
Checking for TheSchwartz (v1.07) ok: found v1.12
Checking for Daemon-Generic (any) ok: found v0.85
Checking for mod_perl (v1.999022) not found
Checking for Apache-SizeLimit (v0.96) not found
Checking for File-MimeInfo (any) ok: found v0.28
Checking for IO-stringy (any) ok: found v2.111
Checking for Cache-Memcached (any) ok: found v1.30
Checking for File-Copy-Recursive (any) ok: found v0.38
Checking for File-Which (any) ok: found v1.22
Checking for mod_env (any) ok
Checking for mod_expires (any) ok
Checking for mod_headers (any) ok
Checking for mod_rewrite (any) ok
Checking for mod_version (any) ok
***********************************************************************
* OPTIONAL MODULES *
***********************************************************************
* Certain Perl modules are not required by Bugzilla, but by *
* installing the latest version you gain access to additional *
* features. *
* *
* The optional modules you do not have installed are listed below, *
* with the name of the feature they enable. Below that table are the *
* commands to install each module. *
***********************************************************************
* MODULE NAME * ENABLES FEATURE(S) *
***********************************************************************
* Encode-Detect * Automatic charset detection for text attachments *
* mod_perl * mod_perl *
* Apache-SizeLimit * mod_perl *
***********************************************************************
COMMANDS TO INSTALL OPTIONAL MODULES:

Encode-Detect: /usr/bin/perl install-module.pl Encode::Detect
mod_perl: /usr/bin/perl install-module.pl mod_perl2
Apache-SizeLimit: /usr/bin/perl install-module.pl Apache2::SizeLimit


To attempt an automatic install of every required and optional module
with one command, do:

/usr/bin/perl install-module.pl --all

Thorsten Schöning

Jan 26, 2018, 11:33:05 AM
to support-...@lists.mozilla.org
Good day bugzill...@gmail.com,
on Friday, 26 January 2018 at 13:48 you wrote:

> I already tried this. But I think (not totaly sure though) that my
> problem comes from the certificates that bugzilla sends to AD
> server, not the certificates it receives from the server.

Did you already try Wireshark or such to have a look at the exact
communication, who sends what where when? Does your server (LDAPS)
really require client authentication using certificates?

Did you try debugging already according to the following docs?

http://search.cpan.org/~sullr/IO-Socket-SSL-2.054/lib/IO/Socket/SSL.pod#Common_Problems_with_SSL

bugzill...@gmail.com

Jan 29, 2018, 4:40:23 AM
to

> Did you already try Wireshark or such to have a look at the exact
> communication, who sends what where when? Does your server (LDAPS)
> really require client authentication using certificates?
>
> Did you try debugging already according to the following docs?
>
> http://search.cpan.org/~sullr/IO-Socket-SSL-2.054/lib/IO/Socket/SSL.pod#Common_Problems_with_SSL
>

Thank you for this documentation. I haven't tried this yet.

I may try to investigate as described in this page, depending on how much more time I'm allowed to spend on this issue.

Thanks Thorsten, and best regards.