[ZendTo] Re: AD authentication

Jules Jules at ZendTo.com
Wed Jul 21 21:14:59 BST 2010



On 21/07/2010 20:57, Brad Beckenhauer wrote:
> I just installed ZendTo/Centos-64 3.56-2 using the vm.
> IMAP authentication works for my test account but I need to switch to 
> AD authentication for my internal clients.
> I installed the openldap-client on the vm (yum install 
> openldap-client) so I could use the utility for debugging.
> I can run the ldap-search command and it returns a Success using the 
> below command line.
> # ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x 
> -D"cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org" -W 
> "sAMAccountName=test"
> Note that my Administrator is not in the same context as my user named 
> 'test'.
> from: preferences.php
>  //'authenticator' => 'IMAP',
>   'authenticator'             => 'AD',
>   'authLDAPAdmins'            => array('test','admin2','admin3'),
>   'authLDAPBaseDN1'           => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>   'authLDAPServers1'          => array('MyADServer1','MyADServer2'),
>   'authLDAPAccountSuffix1'    => '@yyy.org',
>   'authLDAPUseSSL1'           => false,
>   'authLDAPBindUser1'         => 
> 'cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org',
>   'authLDAPBindPass1'         => 'Secret Password for the above user 
> is entered here',
> restart apache
> service httpd restart
> try to login on the webpage and I get two errors:
> LDAP Error Check User: Unable to connect to any of the LDAP servers; 
> could not authenticate user.
That means exactly what it says. It couldn't ldap_bind() to any of the AD 
servers. The code is fairly simple to read, it's in 
NSSADAuthenticator.php in the validate function. I very much doubt your 
authLDAPBindUser1 is correct or usable. I don't think it supports the 
LDAPBindUser1 being in a totally different place from the other users. 
Create a user in the same place that has no permissions other than being 
able to read the directory, in the same place as everything else. It 
certainly does not need to be, and *shouldn't* be, an administrator, it 
should be able to do nothing other than read the AD. Then it should 
work. All you can put in authLDAPBindUser1 is a username, not a complete 
AD path.

If you need to be able to do that, then I suggest you tweak 
NSSADAuthenticator.php so that it supports this.

What it does is this:
@ldap_bind($ldapConn,$this->_ldapBindUser,$this->_ldapBindPass)

So it takes the connection to the LDAP/AD server, with just a username 
and password. If that bind operation works, then it can proceed. If that 
fails, then you get the error you are seeing.

Have you tried just setting
'authLDAPBindUser1'         => 'Administrator',
in your preferences.php?
I still most definitely advise against using any sort of Administrator 
account for this, as that will probably have far more privileges than it needs.

You might even find that anonymous binds are allowed, they are in quite 
a lot of networks.

Hope that helps a bit,
Jules.
> Authentication Error The username or password was incorrect.
> beating my head on this and looking for a pointer on what I'm doing wrong.
> I won't be able to work on this again until next Monday.
> thanks
> Brad
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zendto.com
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>    

Jules

-- 
Julian Field MEng CITP CEng
www.ZendTo.com

Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
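The probe below is an added example, not ZendTo code and not part of either message above. It performs the step the reply describes, `ldap_bind()` with a bind user and password against each configured server in turn, stopping at the first server that accepts the bind, and then looks one account up by sAMAccountName below the base DN. Everything it assumes is mine rather than the page's: that the bind identity is the bare username with the account suffix appended (whether ZendTo's own validate function does that is not stated above), the placeholder server names, suffix, and a read-only account called `zendto-reader`, and a password taken from an environment variable.

```php
<?php
// Added example (not ZendTo's NSSADAuthenticator.php): probe the bind step
// described in the reply, once per configured server, then search for a user.
// Assumption: bind identity = username . suffix (UPN form). All names below
// are placeholders copied from the quoted preferences.php or invented here.

$servers  = ['MyADServer1', 'MyADServer2'];          // authLDAPServers1
$suffix   = '@yyy.org';                              // authLDAPAccountSuffix1
$baseDN   = 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org';   // authLDAPBaseDN1
$bindUser = 'zendto-reader';                         // placeholder: read-only account, not Administrator
$bindPass = getenv('ZENDTO_BIND_PASS') ?: '';        // keep the secret out of the script
$useSSL   = false;                                   // authLDAPUseSSL1

// Try each server in turn; return the bound connection, or null if none accepted the bind.
function bindToFirstServer(array $servers, string $user, string $pass, string $suffix, bool $ssl)
{
    // An empty password turns a simple bind into an *unauthenticated* bind
    // (RFC 4513 section 5.1.2), which some directories accept; never let a
    // missing password silently "succeed" as anonymous.
    if ($pass === '') {
        fwrite(STDERR, "refusing to bind with an empty password\n");
        return null;
    }
    foreach ($servers as $server) {
        $uri  = ($ssl ? 'ldaps://' : 'ldap://') . $server;
        $conn = ldap_connect($uri);
        if ($conn === false) {
            fwrite(STDERR, "$uri: malformed LDAP URI\n");
            continue;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);      // AD returns referrals that break searches
        ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

        // ldap_connect() is lazy; the TCP connect and any failure surface here.
        if (@ldap_bind($conn, $user . $suffix, $pass)) {
            return $conn;
        }
        fwrite(STDERR, sprintf("%s: bind as %s failed: %s (errno %d)\n",
            $server, $user . $suffix, ldap_error($conn), ldap_errno($conn)));
    }
    return null;   // the "Unable to connect to any of the LDAP servers" case
}

// Report whether a server accepts anonymous binds (the reply notes many networks allow them).
function anonymousBindAllowed(string $server, bool $ssl): bool
{
    $conn = ldap_connect(($ssl ? 'ldaps://' : 'ldap://') . $server);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);
    return (bool) @ldap_bind($conn);                 // no DN, no password
}

// Look one account up by sAMAccountName; return its DN or null.
function findUserDN($conn, string $baseDN, string $sam): ?string
{
    // Escape the value so a username cannot change the filter's meaning.
    $filter = '(sAMAccountName=' . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . ')';
    $res = @ldap_search($conn, $baseDN, $filter, ['dn']);
    if ($res === false) {
        fwrite(STDERR, 'search failed: ' . ldap_error($conn) . "\n");
        return null;
    }
    $entries = ldap_get_entries($conn, $res);
    return ($entries['count'] ?? 0) > 0 ? $entries[0]['dn'] : null;
}

$conn = bindToFirstServer($servers, $bindUser, $bindPass, $suffix, $useSSL);
if ($conn === null) {
    foreach ($servers as $server) {
        printf("%s anonymous bind: %s\n", $server,
            anonymousBindAllowed($server, $useSSL) ? 'allowed' : 'refused');
    }
    exit(1);
}
$dn = findUserDN($conn, $baseDN, 'test');
echo $dn === null ? "user 'test' not found under $baseDN\n" : "found: $dn\n";
ldap_unbind($conn);
```

Run it as `ZENDTO_BIND_PASS='...' php probe.php` from the ZendTo host so it sees the same network path Apache does. If the bind fails with the bare username plus suffix but the `ldapsearch -D "cn=...,dc=..."` form quoted above works, that reproduces the point made in the reply; to test the full-DN form with this script, put the DN in `$bindUser` and set `$suffix` to an empty string. The exact error text and errno printed per server is the detail the web page's "Unable to connect" message hides.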
