[ZendTo] Re: LDAP
Jules
Jules at ZendTo.com
Wed Aug 4 14:10:32 BST 2010
On 03/08/2010 22:01, Brad Beckenhauer wrote:
> Hi Julian,
> I've tested the LDAP authenticator and it is "working" using the last
> NSSLDAPAuthenticator.php file you sent to me. During testing I
> managed to lock my account several times and did not know it until I
> examined the zendto.log (I wasted an hour figuring that out).
> My configuration:
> Running the ZendTo version 3.59-1 64-bit CentOS Virtual Machine
> <http://www.zendto.com/files/ZendTo-CentOS-x64-3.55-3.zip> from the
> download page.
> LDAP: The authLDAPServers I tested were both Netware 6.5 and SLES
> 10sp2. I could not get the SSL=true to work (the issue could be on
> my end).
> Suggestions:
> 1) How about an email_admin setting in the preferences.php file that
> notifies the administrator when an account is locked?
It would only be able to email the admin every time someone tries to
login to a locked account, for the reason described below.
> 2) When an account is locked, add a comment to the zendto.log file
> stating the account is "locked" rather than wait until the next login
> attempt.
Bit difficult that one. When it gets a login attempt, it counts the
number of successive failure attempts in the login log table. It doesn't
lock out a user as such, it merely works out that the user should be
locked out when a login attempt happens. Much safer that way, as there's
no "user locked out" flag that could somehow not be set when it should
be. It's all dependent on what it finds in the login log table instead.
> 3) the bin/README does not list the unlockuser utility.
Good point. Will fix that.
> 4) Food for thought: perhaps rather than create separate utilities
> (adduser, deleteuser, listusers, setpassword), combine them into one
> utility, i.e. user.php:
> user.php add john password email@address.com 'john doe' 'organization'
> user.php delete john
> user.php unlock john
> user.php unlock all
> user.php listusers
> user.php setpasswd john new_password
Possible, but it doesn't make a whole load of difference.
> 5) perhaps allow the admin to unlock a user via the webpage rather
> than have to do it at the command line?
Yes, good idea. Will try to work on that.
> 6) In the preferences.php add the following to enable LDAP.
> Example 1: Search LDAP using only one LDAPServer and from the top of
> the 'O'.
> //
> // Settings for the LDAP authenticator.
> //
> // "authLDAPServers" Array of hostnames to try binding to
> // "authLDAPBaseDN" Base distinguished name for search/bind
> // "authLDAPAdmins" Cheap way to grant admin privs to users; an
> // array of uname's
> // "authLDAPUseSSL" connect using SSL/TLS. [ true|false ]
> 'authenticator' => 'LDAP',
> 'authLDAPServers' => array('192.168.1.1'),
> 'authLDAPBaseDN' => 'o=level1',
> 'authLDAPAdmins' => array('admin1','admin2','admin3'),
> 'authLDAPUseSSL' => false,
> Example 2: Search LDAP using two LDAPServers and using an OU=.
> //
> // Settings for the LDAP authenticator.
> //
> // "authLDAPServers" Array of hostnames to try binding to
> // "authLDAPBaseDN" Base distinguished name for search/bind
> // "authLDAPAdmins" Cheap way to grant admin privs to users; an
> // array of uname's
> // "authLDAPUseSSL" connect using SSL/TLS. [ true|false ]
> 'authenticator' => 'LDAP',
> 'authLDAPServers' => array('192.168.1.1','192.168.1.2'),
> 'authLDAPBaseDN' => 'ou=level1,o=level2',
> 'authLDAPAdmins' => array('admin1','admin2','admin3'),
> 'authLDAPUseSSL' => false,
Thanks for that.
> Note: authLDAPUseSSL = false works. I could not get it to work with
> a 'true' setting, but that may only be a fault on my systems.
That's purely down to the configuration of your systems.
> Note: On authLDAPServers, I tested with both one and two configured
> servers, both work, even if the first one listed does not respond to
> the bind.
> FYI: If the authLDAPBaseDN is set high in the tree (i.e. o=top), then
> LDAP does search down to lower levels looking for matches. Some
> organizations may want to exclude some lower ou's. I did not test if
> the BaseDN could contain multiple search ou's.
Again that depends on the permissions of the username you give it to
search with. Only LDAP trees that user has permission to access would be
searched. It's all down to your LDAP server configuration.
> Perhaps something like the emailDomainRegexp would work to include only
> specific ou's below the o? (I've not looked at it myself.)
> 7) In the comments of the NSSLDAPAuthenticator.php please
> add comments to make it look more like the comments section in the
> NSSADAuthenticator.php file. Sample below:
> Example for preferences.php:
> 'authenticator' => 'LDAP',
> 'authLDAPServers' => array('192.168.1.1','192.168.1.2'),
> 'authLDAPBaseDN' => 'ou=users,o=domain',
> // or 'authLDAPBaseDN' => 'o=domain',
> 'authLDAPUseSSL' => false,
Yes, I've already added something very like that.
>
> 8) THANK YOU JULIAN!
No worries :-)
Always good to make the software better for everyone.
Many thanks for all your comments and suggestions.
Jules
--
Julian Field MEng CITP CEng
www.ZendTo.com
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
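An added illustration (not ZendTo's code) of the stateless lockout evaluation Jules describes in his reply to point 2: nothing sets a "locked" flag; each login attempt counts the successive failures in the login log table and decides then. The table schema, the sqlite3 stand-in and the threshold of 5 are assumptions for this example; the notify flag shows why an admin email could only fire when someone tries to log in to an already-locked account.

```python
import sqlite3
from typing import Tuple

# Assumed threshold; the real ZendTo value is not stated in the thread.
MAX_SUCCESSIVE_FAILURES = 5


def open_login_log() -> sqlite3.Connection:
    """In-memory stand-in for the login log table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE loginlog (id INTEGER PRIMARY KEY, username TEXT, "
        "success INTEGER, ts TEXT)"
    )
    return conn


def record_attempt(conn: sqlite3.Connection, username: str,
                   success: bool, ts: str) -> None:
    """Append one login attempt; this is the only state the check relies on."""
    conn.execute(
        "INSERT INTO loginlog (username, success, ts) VALUES (?, ?, ?)",
        (username, int(success), ts),
    )


def successive_failures(conn: sqlite3.Connection, username: str) -> int:
    """Count failures since the most recent success (newest row first)."""
    rows = conn.execute(
        "SELECT success FROM loginlog WHERE username = ? ORDER BY id DESC",
        (username,),
    ).fetchall()
    count = 0
    for (success,) in rows:
        if success:
            break  # a success ends the run of failures
        count += 1
    return count


def is_locked_out(conn: sqlite3.Connection, username: str) -> bool:
    """Derived at check time from the log; no flag can be left unset."""
    return successive_failures(conn, username) >= MAX_SUCCESSIVE_FAILURES


def attempt_login(conn: sqlite3.Connection, username: str,
                  password_ok: bool, ts: str) -> Tuple[bool, bool]:
    """Return (granted, notify_admin); a locked account fails regardless."""
    if is_locked_out(conn, username):
        record_attempt(conn, username, False, ts)
        return False, True  # only moment an admin notification is possible
    record_attempt(conn, username, password_ok, ts)
    return password_ok, False
```

Because the decision is recomputed from the log on every attempt, "unlocking" amounts to changing what the log contains, which is why the lockout cannot be announced before the next login.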