Bugzilla authentication through LDAPS and SSL certificates


Bugzilla authentication through LDAPS and SSL certificates

bugzilla.user3
Hello all,

I've installed a Bugzilla (5.0.3) server, run by Apache, on a RHEL Linux machine.

I'm facing an issue when trying to authenticate with LDAPS.

I found several posts on the web of people who faced similar issues. I tried the suggested fixes but none of them succeeded.

The authentication works pretty well when using the unencrypted LDAP protocol to communicate with the AD server. The LDAP configuration of my Bugzilla server is the following:
   "LDAPBaseDN" : "o=xxx",
   "LDAPbinddn" : "CN=xxx,OU=Users,OU=xxx,OU=Apps,O=xxx:xxx",
   "LDAPfilter" : "",
   "LDAPmailattribute" : "xxx",
   "LDAPserver" : "servername",
   "LDAPstarttls" : "0",
   "LDAPuidattribute" : "uid",

I activate LDAPS by modifying the following line:
   "LDAPserver" : "ldaps://servername",

I've copied the CA and server certificates into /etc/openldap/certs/:
xxxCA.crt
servername.cer
servername.key

The uncommented lines in ldap.conf are the following:
TLS_CACERTDIR   /etc/openldap/certs
SASL_NOCANON    on

When trying to log in on the Bugzilla home page, I get the following error:
Could not connect to the LDAP server(s)

I know that the LDAP server has LDAPS support because some other apps are using it (these are java apps, using java keystores).

My guess is that the certificates are not sent correctly to the LDAPS server. How can I check if this is actually the case?

Any suggestion would be appreciated, about how to fix or how to investigate this issue.

Thanks in advance and best regards.
_______________________________________________
support-bugzilla mailing list
[hidden email]
https://lists.mozilla.org/listinfo/support-bugzilla
PLEASE put [hidden email] in the To: field when you reply.

Re: Bugzilla authentication through LDAPS and SSL certificates

Gervase Markham
On 26/01/18 10:10, [hidden email] wrote:
> I know that the LDAP server has LDAPS support because some other apps are using it (these are java apps, using java keystores).

Do you know if the relevant Perl modules Bugzilla uses for LDAP have
LDAPS support? They may not...

Gerv

Re: Bugzilla authentication through LDAPS and SSL certificates

Emmanuel Seyman-3
* Gervase Markham [26/01/2018 10:53] :
>
> Do you know if the relevant Perl modules Bugzilla uses for LDAP have
> LDAPS support? They may not...

Net::LDAP does have LDAPS support.
http://search.cpan.org/~marschap/perl-ldap-0.65/lib/Net/LDAPS.pm

Emmanuel

Re: Bugzilla authentication through LDAPS and SSL certificates

bugzilla.user3
In reply to this post by Gervase Markham
During installation, Bugzilla's install-module.pl script downloaded the missing Perl modules from CPAN. This includes LDAP.pm and LDAPS.pm (I checked in the Bugzilla file tree).

Thanks for your replies anyway :)

Any other idea ?

Regards.

Re: Bugzilla authentication through LDAPS and SSL certificates

Emmanuel Seyman-3
In reply to this post by bugzilla.user3
* [hidden email] [26/01/2018 02:10] :
>
> I've installed a Bugzilla (5.0.3) server, run by apache, on a RHEL linux machine.

Shameless plug: https://blog.fedora-fr.org/eseyman/post/Installing-Bugzilla-on-RHEL/Centos-7.x

> I've copied the CA and server certificates into /etc/openldap/certs/ :

I would expect IO::Socket::SSL to look in /etc/ssl/certs, by default.

Emmanuel
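As an added diagnostic that is not part of this thread and not Bugzilla's or IO::Socket::SSL's own code, the script below shows where IO::Socket::SSL actually looks for CA certificates when no cafile/capath is given, then attempts a bare TLS handshake to the LDAPS port with and without the copied CA file. The host name, port and CA file path are assumptions taken from the original post; it needs a reasonably recent IO::Socket::SSL (one that provides default_ca).

```perl
#!/usr/bin/perl
# Added diagnostic (not Bugzilla code): report where IO::Socket::SSL looks for
# CA certificates by default and try a bare TLS handshake to the LDAPS port.
# Host name, port and CA file path are assumptions; adjust for your server.
use strict;
use warnings;
use IO::Socket::SSL;

my $host    = 'servername';                    # assumed: the AD server
my $port    = 636;                             # assumed: standard LDAPS port
my $ca_file = '/etc/openldap/certs/xxxCA.crt'; # assumed: the copied CA cert

# Where does IO::Socket::SSL look when no cafile/capath is passed in?
# (default_ca() returns SSL_ca_file and/or SSL_ca_path; empty means "unknown".)
my %default_ca = IO::Socket::SSL::default_ca();
print "default CA file: ", ($default_ca{SSL_ca_file} // '(none)'), "\n";
print "default CA path: ", ($default_ca{SSL_ca_path} // '(none)'), "\n";

# Handshake twice: trusting only the default store, then the explicit CA file.
# If only the second attempt succeeds, the CA is simply not in the store that
# IO::Socket::SSL consults, and cafile => ... has to be handed to Net::LDAP.
for my $attempt (
    [ 'default trust store', {} ],
    [ 'explicit CA file',    { SSL_ca_file => $ca_file } ],
) {
    my ($label, $extra) = @$attempt;
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => $port,
        SSL_verify_mode     => SSL_VERIFY_PEER,   # keep server verification on
        SSL_verifycn_name   => $host,             # check the name we dialled
        SSL_verifycn_scheme => 'ldap',            # LDAP hostname-matching rules
        %$extra,
    );
    if ($sock) {
        print "$label: handshake OK, server cert subject: ",
              $sock->peer_certificate('subject'), "\n";
        $sock->close;
    } else {
        # $SSL_ERROR carries the TLS-level reason (e.g. certificate verify
        # failed); $! carries the TCP-level reason (e.g. connection refused).
        print "$label: FAILED: ", ($IO::Socket::SSL::SSL_ERROR // $!), "\n";
    }
}
```

If the first attempt fails with a verification error and the second succeeds, copying the CA into the OpenLDAP directory was never going to help, because IO::Socket::SSL does not read ldap.conf; the fix is to point Net::LDAP at the CA with cafile (or capath) explicitly rather than disabling verification.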

Re: Bugzilla authentication through LDAPS and SSL certificates

bugzilla.user3
In reply to this post by bugzilla.user3
Hello Thorsten,

>
> > I know that the LDAP server has LDAPS support because some other
> > apps are using it (these are java apps, using java keystores).
>
> What kind of certificates are you using? Especially, did you add some
> to the Java keystore in use? If so, you most likely need to do the
> same for Perl.

I didn't add anything to these Java apps' keystore, as I'm not their maintainer. Anyway I could not re-use the same certificates as they run on different servers. I'm considering here the certificates sent to the AD server for client authentication (kept in a keystore for Java apps), not the certificates received from the AD server for server authentication (kept in a truststore for Java apps).

I'd love to add the certificates to some kind of perl keystore, but I'm not aware of such functionality.

>
> Have a look at the following class, I don't see any custom keystore
> handling by Bugzilla, so it uses whatever Net::LDAP uses which should
> be what IO::Socket::SSL uses etc.
>
> > Bugzilla::Auth::Verify::LDAP
>
> This might be easy to test by changing the following line:
>
> > $self->{ldap} = new Net::LDAP(trim($_));
>
> to
>
> > $self->{ldap} = new Net::LDAP(trim($_), verify => 'none');

I already tried this. But I think (not totally sure though) that my problem comes from the certificates that Bugzilla sends to the AD server, not the certificates it receives from the server.

I also tried the following:
$self->{ldap} = new Net::LDAP(trim($_), verify => 'none', clientcert => '/somepath/servername.cer', clientkey => '/somepath/servername.key');

Thank you for your try.


Re: Bugzilla authentication through LDAPS and SSL certificates

bugzilla.user3
In reply to this post by bugzilla.user3
Hi Emmanuel,

> > I've installed a Bugzilla (5.0.3) server, run by apache, on a RHEL linux machine.
>
> Shameless plug: https://blog.fedora-fr.org/eseyman/post/Installing-Bugzilla-on-RHEL/Centos-7.x

Thanks for this link. I installed Bugzilla from the tarball, and ran the script that installs missing Perl modules from CPAN. This step ran OK (only a few optional modules are still 'not found', see the list below if you wish).

>
> > I've copied the CA and server certificates into /etc/openldap/certs/ :
>
> I would expect IO::Socket::SSL to look in /etc/ssl/certs, by default.

I didn't know this place. On my server this is a symlink to /etc/pki/tls/certs. I also found some other 'certs' directories in /etc/pki. I copied the certificates in all of them. Unfortunately this didn't help :(

Thank you anyway.


Re: Bugzilla authentication through LDAPS and SSL certificates

bugzilla.user3
On Friday 26 January 2018 14:18:18 UTC+1, [hidden email] wrote:

> Hi Emmanuel,
>
> > > I've installed a Bugzilla (5.0.3) server, run by apache, on a RHEL linux machine.
> >
> > Shameless plug: https://blog.fedora-fr.org/eseyman/post/Installing-Bugzilla-on-RHEL/Centos-7.x
>
> Thanks for this link. I installed bugzilla from tarball, and ran the script that installs missing perl modules from CPAN. This step ran OK (only a few optional modules are still 'not found', see the list below if you wish).
>
> >
> > > I've copied the CA and server certificates into /etc/openldap/certs/ :
> >
> > I would expect IO::Socket::SSL to look in /etc/ssl/certs, by default.
>
> I didn't know this place. On my server this is a symlink to /etc/pki/tls/certs. I also found some other 'certs' directories in /etc/pki. I copied the certificates in all of them. Unfortunately this didn't help :(
>
> Thank you anyway.

I forgot the list of modules:

# ./checksetup.pl --check-modules
* This is Bugzilla 5.0.3 on perl 5.16.3
* Running on Linux 3.10.0-327.10.1.el7.x86_64 #1 SMP Sat Jan 23 04:54:55 EST 2016

Checking perl modules...
Checking for               CGI.pm (v3.51)     ok: found v4.36
Checking for           Digest-SHA (any)       ok: found v5.85
Checking for             TimeDate (v2.23)     ok: found v2.24
Checking for             DateTime (v0.75)     ok: found v1.44
Checking for    DateTime-TimeZone (v1.64)     ok: found v2.13
Checking for                  DBI (v1.614)    ok: found v1.627
Checking for     Template-Toolkit (v2.24)     ok: found v2.27
Checking for         Email-Sender (v1.300011) ok: found v1.300031
Checking for           Email-MIME (v1.904)    ok: found v1.946
Checking for                  URI (v1.55)     ok: found v1.72
Checking for       List-MoreUtils (v0.32)     ok: found v0.425
Checking for    Math-Random-ISAAC (v1.0.1)    ok: found v1.004
Checking for           File-Slurp (v9999.13)  ok: found v9999.19
Checking for              JSON-XS (v2.01)     ok: found v3.04

Checking available perl DBD modules...
Checking for               DBD-Pg (v2.7.0)    not found
Checking for            DBD-mysql (v4.001)    ok: found v4.023
Checking for           DBD-SQLite (v1.29)     ok: found v1.54
Checking for           DBD-Oracle (v1.19)     not found

The following Perl modules are optional:
Checking for                   GD (v1.20)     ok: found v2.66
Checking for                Chart (v2.4.1)    ok: found v2.4.10
Checking for          Template-GD (any)       ok: found v1.56
Checking for           GDTextUtil (any)       ok: found v0.86
Checking for              GDGraph (any)       ok: found v1.54
Checking for           MIME-tools (v5.406)    ok: found v5.509
Checking for          libwww-perl (any)       ok: found v6.27
Checking for             XML-Twig (any)       ok: found v3.52
Checking for          PatchReader (v0.9.6)    ok: found v0.9.6
Checking for            perl-ldap (any)       ok: found v0.65
Checking for          Authen-SASL (any)       ok: found v2.16
Checking for         Net-SMTP-SSL (v1.01)     ok: found v1.04
Checking for           RadiusPerl (any)       ok: found v0.26
Checking for            SOAP-Lite (v0.712)    ok: found v1.22
Checking for          XMLRPC-Lite (v0.712)    ok: found v0.717
Checking for             JSON-RPC (any)       ok: found v1.06
Checking for           Test-Taint (v1.06)     ok: found v1.06
Checking for          HTML-Parser (v3.67)     ok: found v3.72
Checking for        HTML-Scrubber (any)       ok: found v0.17
Checking for               Encode (v2.21)     ok: found v2.93
Checking for        Encode-Detect (any)       not found
Checking for          Email-Reply (any)       ok: found v1.204
Checking for HTML-FormatText-WithLinks (v0.13)     ok: found v0.15
Checking for          TheSchwartz (v1.07)     ok: found v1.12
Checking for       Daemon-Generic (any)       ok: found v0.85
Checking for             mod_perl (v1.999022) not found
Checking for     Apache-SizeLimit (v0.96)     not found
Checking for        File-MimeInfo (any)       ok: found v0.28
Checking for           IO-stringy (any)       ok: found v2.111
Checking for      Cache-Memcached (any)       ok: found v1.30
Checking for  File-Copy-Recursive (any)       ok: found v0.38
Checking for           File-Which (any)       ok: found v1.22
Checking for              mod_env (any)       ok
Checking for          mod_expires (any)       ok
Checking for          mod_headers (any)       ok
Checking for          mod_rewrite (any)       ok
Checking for          mod_version (any)       ok
***********************************************************************
* OPTIONAL MODULES                                                    *
***********************************************************************
* Certain Perl modules are not required by Bugzilla, but by           *
* installing the latest version you gain access to additional         *
* features.                                                           *
*                                                                     *
* The optional modules you do not have installed are listed below,    *
* with the name of the feature they enable. Below that table are the  *
* commands to install each module.                                    *
***********************************************************************
*      MODULE NAME * ENABLES FEATURE(S)                               *
***********************************************************************
*    Encode-Detect * Automatic charset detection for text attachments *
*         mod_perl * mod_perl                                         *
* Apache-SizeLimit * mod_perl                                         *
***********************************************************************
COMMANDS TO INSTALL OPTIONAL MODULES:

  Encode-Detect: /usr/bin/perl install-module.pl Encode::Detect
       mod_perl: /usr/bin/perl install-module.pl mod_perl2
Apache-SizeLimit: /usr/bin/perl install-module.pl Apache2::SizeLimit


To attempt an automatic install of every required and optional module
with one command, do:

  /usr/bin/perl install-module.pl --all


Re: Bugzilla authentication through LDAPS and SSL certificates

bugzilla.user3
In reply to this post by bugzilla.user3

> Did you already try Wireshark or such to have a look at the exact
> communication, who sends what where when? Does your server(/LDAPS)
> really require client authentication using certificates?
>
> Did you try debugging already according the following docs?
>
> http://search.cpan.org/~sullr/IO-Socket-SSL-2.054/lib/IO/Socket/SSL.pod#Common_Problems_with_SSL
>

Thank you for this documentation. I haven't tried this yet.

I may try to investigate as described in this page, depending on how much more time I'm allowed to spend on this issue.

Thanks Thorsten, and best regards.
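The two suggestions in this thread, passing clientcert/clientkey to Net::LDAP and tracing the handshake as the IO::Socket::SSL "Common Problems" section describes, can be combined into one stand-alone check outside Bugzilla. The script below is an added example, not Bugzilla's or Net::LDAP's own code: it opens the ldaps:// connection with an explicit CA file and an optional client certificate, binds with the Bugzilla bind DN, and runs the same uid lookup Bugzilla does, reporting which step fails. The server name, DNs, file paths and the sample login name are assumptions taken from the original post; the bind password is read from the environment.

```perl
#!/usr/bin/perl
# Added diagnostic, not Bugzilla's or Net::LDAP's own code: open an ldaps://
# connection with an explicit CA file and (optionally) a client certificate,
# bind, and run the same uid lookup Bugzilla does, reporting which step fails.
# Server, DNs, file paths and the sample login name are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use IO::Socket::SSL;

my $server  = 'ldaps://servername';                    # assumed
my $base_dn = 'o=xxx';                                 # from the Bugzilla params
my $bind_dn = 'CN=xxx,OU=Users,OU=xxx,OU=Apps,O=xxx';  # from the Bugzilla params
my $bind_pw = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";
my $ca_file = '/etc/openldap/certs/xxxCA.crt';         # assumed path to the CA cert

# Only needed if AD really demands a client certificate; make the hash empty
# otherwise. Paths are assumptions (the files the original post copied).
my %client_cert = (
    clientcert => '/etc/openldap/certs/servername.cer',
    clientkey  => '/etc/openldap/certs/servername.key',
);

# Full handshake trace from IO::Socket::SSL on STDERR (0 silent .. 3 verbose),
# the approach the IO::Socket::SSL "Common Problems" section recommends.
$IO::Socket::SSL::DEBUG = 3;

# verify => 'require' keeps server-certificate checking on. The work-around
# tried in the thread, verify => 'none', only switches that check off; it does
# not make Net::LDAP present a client certificate, which is what clientcert
# and clientkey are for.
my $ldap = Net::LDAP->new(
    $server,
    verify  => 'require',
    cafile  => $ca_file,
    timeout => 10,
    %client_cert,
) or die "Could not connect to $server: $@\n";   # $@ holds the TLS/TCP reason

# For ldaps:// the underlying socket is an IO::Socket::SSL object.
print "TLS up; server certificate subject: ",
      $ldap->socket->peer_certificate('subject'), "\n";

my $bind = $ldap->bind($bind_dn, password => $bind_pw);
die "Bind as $bind_dn failed: ", $bind->error, "\n" if $bind->code;
print "Bind OK\n";

# Same lookup Bugzilla::Auth::Verify::LDAP performs (uid attribute), with the
# login name escaped so that it cannot alter the filter.
my $login  = @ARGV ? $ARGV[0] : 'someuser';          # assumed sample login
my $filter = '(uid=' . escape_filter_value($login) . ')';
my $search = $ldap->search(base => $base_dn, scope => 'sub',
                           filter => $filter, attrs => ['dn']);
die "Search failed: ", $search->error, "\n" if $search->code;
printf "%d entr%s found for %s\n",
       $search->count, ($search->count == 1 ? 'y' : 'ies'), $login;
print "  ", $_->dn, "\n" for $search->entries;

$ldap->unbind;
```

Run it as `LDAP_BIND_PW=... perl ldaps-check.pl someuser` (file name assumed). A failure in Net::LDAP->new with a TLS error in the trace points at the certificate layer (CA not trusted, or AD rejecting the client certificate); a successful connect followed by a bind error points at the bind DN or password instead, which is the distinction the original post was trying to make. The same cafile, clientcert and clientkey options can then be carried over into the Net::LDAP call in Bugzilla::Auth::Verify::LDAP instead of verify => 'none'.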