[ZendTo] Re: {Disarmed} Re: LDAP

Brad Beckenhauer bbecken at aafp.org
Tue Aug 3 17:50:35 BST 2010


I updated the code and ran two tests:
 
With authLDAPUseSSL = true 
LDAP Error 
Unable to connect to any of the LDAP servers; could not authenticate user. 
Authentication Error 
The username or password was incorrect.

Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /opt/zendto/lib/NSSLDAPAuthenticator.php on line 201
 
 
With authLDAPUseSSL = false
Authentication Error 
The username or password was incorrect.

 
Ok, kicking myself... I've not done the SSL key setup in this VM, does it matter?  If so, I'll try after lunch.
 

>>> On 8/3/2010 at 11:31 AM, in message <4C58446E.3000705 at ZendTo.com>, Jules <Jules at zendto.com> wrote:

What they do in the LDAP authenticator is use TLS if authLDAPUseSSL is TRUE.
In the AD version, they use LDAPS (i.e. LDAP over SSL) if authLDAPUseSSL is TRUE.

I would be interested to hear if the LDAP+TLS approach works.
Their original code used TLS regardless of whether you set the option or not.
It now only does TLS if you ask it to.

So please try the attached code instead of the last version I sent you.

Jules.

On 03/08/2010 17:08, Brad Beckenhauer wrote: 

Ok I get the following warning when connecting using your new code.
 
Line 199 points to an ldap_start_tls code block that appears twice in the library.

        if ( ldap_start_tls($ldapConn) ) {

I've tried setting authLDAPUseSSL to both true and false; both fail.  I'm not sure if it is honoring the false setting yet.
 
I currently authenticate to my LDAP server using HTTP, so I know it works (my ldap server is SLES 10 running edirectory).
 
Here is the relevant line from my Apache conf file connecting on port 389 that works. (IP's and ou's are munged)
 
AuthLDAPUrl "ldap://191.168.19.13:389/ou=Admin,o=TEST?uid"
 
my preferences.php line looks like:
 
'authLDAPBaseDN'           => 'ou=Admin,o=TEST',
 
I'll try to work on this later this afternoon.
 
thanks
Brad

>>> On 8/3/2010 at 9:57 AM, in message <4C582E73.7090101 at ZendTo.com>, Jules <Jules at zendto.com> wrote:



On 03/08/2010 15:48, Brad Beckenhauer wrote:

> Hi Jules,
>
> I noticed that there is an authenticator /lib/NSSLDAPAuthenticator.php but the preferences.php file does not have a corresponding section on implementing it.

I've never had an LDAP server to test it against. If you fancy contributing the section, then that would be much appreciated!

> I have access to SLES servers that support OpenLDAP and thought I'd give it a whirl instead of the AD or IMAP authenticators.
>
> The NSSADAuthenticator.php has a section on how to implement it in the preferences.php file but the NSSLDAPAuthenticator.php does not have an example.

It should be much the same as the AD one, as that uses LDAP anyway.

> I'm going to "try" configuring the LDAP Auth in the preferences.php as I have a SLES system I can authenticate against.
>
> I'm "guessing" that the preferences file needs something like the below to work:
>
>   //
>   // Settings for the LDAP authenticator.
>   //
>   //  "authLDAPServers"     Array of hostnames to try binding to
>   //  "authLDAPBaseDN"      Base distinguished name for search/bind
>   //  "authLDAPAdmins"      Cheap way to grant admin privs to users; an
>   //                        array of uname's
>   'authenticator' => 'LDAP',
>   'authLDAPServers'          => array('192.168.1.1','192.168.1.2'),
>   'authLDAPBaseDN'           => 'ou=users,o=domain',
>   'authLDAPUseSSL'           => false,              <<<<<  option does not appear to be currently supported in v3.59

That looks good. If you gunzip the attached file and drop it on top of your /opt/zendto/lib/NSSLDAPAuthenticator.php file, then you should get the "authLDAPUseSSL" option you want.

> Can the LDAP library be tweaked to allow the use of the authLDAPUseSSL option in the preferences file? (If my humble interpretation that it is not currently implemented is correct).

Done, see above.

If it works, please let me know and I'll put it in the next release.
Jules

-- 
Julian Field MEng CITP CEng
www.ZendTo.com
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
Jules

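Worked example, added here and not ZendTo's own code, of the two connection styles Jules describes: STARTTLS on ldap://host:389, which is what the LDAP authenticator does when authLDAPUseSSL is true, and LDAPS on ldaps://host:636, which is what the AD authenticator does. The point it makes is the one behind Brad's warning: when TLS was asked for and ldap_start_tls() fails (typically because the client has no CA trust configured yet), the code must not go on to bind in clear. It also rejects empty passwords, since an empty password turns ldap_bind() into an anonymous bind, and escapes the username before putting it in a filter. The $mode strings, function names, error texts, the sample host and credentials are assumptions made for this example; the user lookup is an anonymous search like the AuthLDAPUrl quoted in the thread, so the directory must permit it.

```php
<?php
// Added example (not ZendTo's code): connect to a directory the way the two
// authenticators in the thread do, then bind as the user. $mode is an
// assumption made for this example: 'starttls' = ldap:// + ldap_start_tls()
// (NSSLDAPAuthenticator with authLDAPUseSSL true), 'ldaps' = ldaps:// on 636
// (the AD authenticator), 'plain' = no TLS at all.
declare(strict_types=1);

/**
 * Open a connection to the first reachable server and secure it as requested.
 * Returns the LDAP link, or null with the reason in $error. It never falls
 * back to a cleartext session when TLS was requested.
 */
function ldapSecureConnect(array $servers, string $mode, ?string &$error)
{
    foreach ($servers as $host) {
        $uri  = ($mode === 'ldaps') ? "ldaps://$host:636" : "ldap://$host:389";
        $conn = @ldap_connect($uri);            // only parses the URI, no network I/O yet
        if ($conn === false) {
            $error = "bad LDAP URI: $uri";
            continue;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

        if ($mode === 'starttls') {
            // This is the call that produced "Unable to start TLS: Connect error"
            // in the thread. libldap must trust the server certificate; it takes
            // TLS_CACERT from its ldap.conf (/etc/openldap/ldap.conf on SLES).
            if (!@ldap_start_tls($conn)) {
                $error = "STARTTLS to $host failed: " . ldap_error($conn);
                ldap_unbind($conn);
                continue;                       // try the next server; never bind in clear
            }
        }
        return $conn;
    }
    $error = $error ?? 'no LDAP servers configured';
    return null;
}

/**
 * Authenticate $username: find its entry under the base DN by uid with an
 * anonymous search, then bind with that DN and the supplied password.
 * Returns true only when the bind itself succeeds.
 */
function ldapAuthenticateUser(array $prefs, string $username, string $password, ?string &$error): bool
{
    if ($password === '') {                     // empty password => anonymous bind, which "succeeds"
        $error = 'empty password refused';
        return false;
    }
    $mode = !empty($prefs['authLDAPUseSSL']) ? 'starttls' : 'plain';
    $conn = ldapSecureConnect($prefs['authLDAPServers'], $mode, $error);
    if ($conn === null) {
        return false;
    }
    // Escape the username so it cannot change the shape of the filter (PHP >= 5.6).
    $filter  = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = @ldap_search($conn, $prefs['authLDAPBaseDN'], $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        $error = 'user not found or ambiguous';
        ldap_unbind($conn);
        return false;
    }
    $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
    if (!$ok) {
        $error = 'bind failed: ' . ldap_error($conn);
    }
    ldap_unbind($conn);
    return $ok;
}

// Constructed sample preferences in the shape Brad posted; host, DN and
// credentials are placeholders, not values from the thread.
$prefs = [
    'authLDAPServers' => ['ldap.example.test'],
    'authLDAPBaseDN'  => 'ou=Admin,o=TEST',
    'authLDAPUseSSL'  => true,
];
$error = null;
$ok = ldapAuthenticateUser($prefs, 'jdoe', 'example-password', $error);
echo $ok ? "authenticated\n" : "failed: $error\n";
```

With authLDAPUseSSL true and no CA certificate configured for libldap, this prints "failed: STARTTLS to ... failed: Connect error" instead of the generic "username or password was incorrect" in the thread, which makes the missing trust setup visible without weakening the connection.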


