[ZendTo] Re: LDAP

Brad Beckenhauer bbecken at aafp.org
Tue Aug 3 22:01:16 BST 2010


Hi Julian,
 
I've tested the LDAP authenticator and it is "working" using the last NSSLDAPAuthenticator.php file you sent to me. During testing I managed to lock my account several times and did not know it until I examined the zendto.log (I wasted an hour figuring that out).
 
My configuration:
Running the ZendTo version 3.59-1 64-bit CentOS Virtual Machine ( http://www.zendto.com/files/ZendTo-CentOS-x64-3.55-3.zip ) from the download page.
LDAP: The authLDAPServers I tested were both Netware 6.5 and SLES 10sp2. I could not get the SSL=true to work (the issue could be on my end).
 
Suggestions:
1) How about an email_admin setting in the preferences. file that notifies the administrator when an account is locked?
 
2) When an account is locked, add a comment to the zendto.log file stating the account is "locked" rather than wait until the next login attempt.
 
3) the bin/README does not list the unlockuser utility.   
 
4) food for thought: perhaps rather than create separate utilities (adduser, deleteuser, listusers, setpassword), combine them into one utility
 
ie  user.php
 
user.php add john password email@address.com 'john doe' 'organization'
user.php delete john
user.php unlock john
user.php unlock all
user.php listusers
user.php setpasswd john new_password
 
 
5) perhaps allow the admin to unlock a user via the webpage rather than have to do it at the command line?
 
6)  in the preferences.php  add the following to enable LDAP
 
Example 1: Search LDAP using only one LDAPServer and from the top of the 'O'.
  //
  // Settings for the LDAP authenticator.
  //
  //  "authLDAPServers"     Array of hostnames to try binding to
  //  "authLDAPBaseDN"      Base distinguished name for search/bind
  //  "authLDAPAdmins"      Cheap way to grant admin privs to users; an
  //                                   array of uname's
  //  "authLDAPUseSSL"      connect using SSL/TLS.  [ true|false ]
 
  'authenticator'            => 'LDAP',
  'authLDAPServers'          => array('192.168.1.1'),
  'authLDAPBaseDN'           => 'o=level1',
  'authLDAPAdmins'           => array('admin1','admin2','admin3'),
  'authLDAPUseSSL'           => false,

Example 2: Search LDAP using two LDAPServers and using an OU=.
  //
  // Settings for the LDAP authenticator.
  //
  //  "authLDAPServers"     Array of hostnames to try binding to
  //  "authLDAPBaseDN"      Base distinguished name for search/bind
  //  "authLDAPAdmins"      Cheap way to grant admin privs to users; an
  //                                   array of uname's
  //  "authLDAPUseSSL"      connect using SSL/TLS.  [ true|false ]
 
  'authenticator'            => 'LDAP',
  'authLDAPServers'          => array('192.168.1.1','192.168.1.2'),
  'authLDAPBaseDN'           => 'ou=level1,o=level2',
  'authLDAPAdmins'           => array('admin1','admin2','admin3'),
  'authLDAPUseSSL'           => false,

Note: authLDAPUseSSL = false works. I could not get it to work with a 'true' setting, but that may only be a fault on my systems.
Note: On authLDAPServers, I tested with both one and two configured servers, both work, even if the first one listed does not respond to the bind.
FYI: If the authLDAPServers is set high in the tree (ie: o=top), then LDAP does search down to lower levels looking for matches. Some organizations may want to exclude some lower ou's. I did not test if the BaseDN could contain multiple search ou's.
 
Perhaps something like the emailDomainRegexp would work to include only specific ou's below the o? (I've not looked at it myself).
 
7) In the comments of the NSSLDAPAuthenticator.php  please add comments to make it look more like the comments section in the NSSADAuthenticator.php file.  Sample below:
 
Example for preferences.php:
 
    'authenticator'       => 'LDAP',
    'authLDAPServers'     => array('192.168.1.1','192.168.1.2'),
    'authLDAPBaseDN'      => 'ou=users,o=domain',
     // or       'authLDAPBaseDN'      => 'o=domain',
    'authLDAPUseSSL'      => false,

8)  THANK YOU JULIAN!
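
The FYI under suggestion 6 notes that a search base set high in the tree also matches users in lower OUs that a site may want to exclude. One way to enforce that after the search, as an added example that is not part of the original message or of ZendTo's code: compare the DN the search returned against an allow-list of subtrees, parsing the DN rather than matching string suffixes. The function names, the allow-list and the sample DNs are hypothetical.

```php
<?php
// Added example, not ZendTo code: names, allow-list and sample DNs are hypothetical.
// Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes), then
// normalise each one. Assumes case-insensitive matching of types and values.
function splitDn(string $dn): array {
    $rdns = [];
    $cur = '';
    for ($i = 0, $len = strlen($dn); $i < $len; $i++) {
        $c = $dn[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $cur .= $c . $dn[++$i];          // keep the escaped character with its backslash
        } elseif ($c === ',') {
            $rdns[] = $cur;                  // unescaped comma ends this RDN
            $cur = '';
        } else {
            $cur .= $c;
        }
    }
    $rdns[] = $cur;
    return array_map(function ($rdn) {
        [$type, $value] = array_pad(explode('=', $rdn, 2), 2, '');
        return strtolower(trim($type) . '=' . ltrim($value));
    }, $rdns);
}

// True only if $dn sits strictly below one of the allowed subtrees.
function dnUnderAllowedBase(string $dn, array $allowedBases): bool {
    $rdns = splitDn($dn);
    foreach ($allowedBases as $base) {
        $baseRdns = splitDn($base);
        $n = count($baseRdns);
        if (count($rdns) > $n && array_slice($rdns, -$n) === $baseRdns) {
            return true;
        }
    }
    return false;
}

// Constructed sample: search base o=level2, but only two OUs may log in.
$allowed = ['ou=staff,o=level2', 'ou=level1,o=level2'];
$found = [
    'cn=john,ou=staff,o=level2',          // allowed
    'cn=mary,OU=Level1, O=Level2',        // allowed (case and spacing differ)
    'cn=temp,ou=contractors,o=level2',    // rejected: OU not on the list
    'cn=odd\,ou=staff,o=level2',          // rejected: escaped comma, entry is directly under o=level2
];
foreach ($found as $dn) {
    echo (dnUnderAllowedBase($dn, $allowed) ? 'allow  ' : 'reject ') . $dn . PHP_EOL;
}
```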
 
 