[ZendTo] Re: AD authentication

Brad Beckenhauer bbecken at aafp.org
Wed Jul 21 22:25:20 BST 2010



>>> On 7/21/2010 at 3:14 PM, in message <4C475543.2050203 at ZendTo.com>, Jules
<Jules at zendto.com> wrote:

> 
> On 21/07/2010 20:57, Brad Beckenhauer wrote:
>> I just installed ZendTo/Centos-64 3.56-2 using the vm.
>> IMAP authentication works for my test account but I need to switch to 
>> AD authentication for my internal clients.
>> I installed the openldap-client on the vm (yum install 
>> openldap-client) so I could use the utility for debugging.
>> I can run the ldap-search command and it returns a Success using the 
>> below command line.
>> # ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x 
>> -D"cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org" -W 
>> "sAMAccountName=test"
>> Note that my Administrator is not in the same context as my user named 
>> 'test'.
>> from: preferences.php
>>  //'authenticator' => 'IMAP',
>>   'authenticator'             => 'AD',
>>   'authLDAPAdmins'            => array('test','admin2','admin3'),
>>   'authLDAPBaseDN1'           => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>>   'authLDAPServers1'          => array('MyADServer1','MyADServer2'),
>>   'authLDAPAccountSuffix1'    => '@yyy.org',
>>   'authLDAPUseSSL1'           => false,
>>   'authLDAPBindUser1'         => 'cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org',
>>   'authLDAPBindPass1'         => 'Secret Password for the above user is entered here',

I only used the Administrator account for testing while I was doing a proof of concept for management.  I'll go ahead and create a zendto user account.

Ok, I created a new user account 'zendto' (not a domain administrator) in the same context as my user account.

'authenticator'             => 'AD',
'authLDAPAdmins'            => array('test','admin2','admin3'),
'authLDAPBaseDN1'           => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
'authLDAPServers1'          => array('MyADServer1','MyADServer2'),
'authLDAPAccountSuffix1'    => '@yyy.org',
'authLDAPUseSSL1'           => false,
'authLDAPBindUser1'         => 'zendto',
'authLDAPBindPass1'         => 'Secret Password for the above zendto user is entered here',

restart apache

When I run:
ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x -D"cn=zendto,ou=ZendToUsers,dc=xxx,dc=yyy,dc=org" -W "sAMAccountName=zendto"

The end of ldapsearch returns the below, as well as the zendto user:


# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


I'll keep playing with it.
Suggestions are welcome.

thanks
Brad

>> restart apache
>> service httpd restart
>> try to login on the webpage and I get two errors:
>> LDAP Error Check User: Unable to connect to any of the LDAP servers; 
>> could not authenticate user.
> That means exactly what it says. It couldn't ldap_bind() to any of the AD 
> servers. The code is fairly simple to read, it's in 
> NSSADAuthenticator.php in the validate function. I very much doubt your 
> authLDAPBindUser1 is correct or usable. I don't think it supports the 
> LDAPBindUser1 being in a totally different place from the other users. 
> Create a user in the same place that has no permissions other than being 
> able to read the directory, in the same place as everything else. It 
> certainly does not need to be, and *shouldn't* be, an administrator, it 
> should be able to do nothing other than read the AD. Then it should 
> work. All you can put in authLDAPBindUser1 is a username, not a complete 
> AD path.
> 
> If you need to be able to do that, then I suggest you tweak 
> NSSADAuthenticator.php so that it supports this.
> 
> What it does is this:
> @ldap_bind($ldapConn,$this->_ldapBindUser,$this->_ldapBindPass)
> 
> So it takes the connection to the LDAP/AD server, with just a username 
> and password. If that bind operation works, then it can proceed. If that 
> fails, then you get the error you are seeing.
> 
> Have you tried just setting
> 'authLDAPBindUser1'         => 'Administrator',
> in your preferences.php?

yes - did not work

> I still most definitely advise against using any sort of Administrator 
> account for this, that will probably have far more privileges than it needs.
> 
> You might even find that anonymous binds are allowed, they are in quite 
> a lot of networks.
> 
> Hope that helps a bit,
> Jules.
>> Authentication Error The username or password was incorrect.
>> beating my head on this and looking for a pointer on what I'm doing wrong.
>> I won't be able to work on this again until next Monday.
>> thanks
>> Brad
>>
>>
> 
> Jules
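The bind-then-lookup flow Jules describes (service-account bind with a plain username plus the account suffix, then a read of the base DN), written out as a stand-alone diagnostic. This is an added example, not code from ZendTo or from either poster; the server names, base DN, suffix, 'zendto' bind user and 'test' user are the placeholders from the thread, and the search step after the bind is an assumed continuation, not a claim about what NSSADAuthenticator.php does.

```php
<?php
// Constructed diagnostic for the ZendTo AD settings discussed above (assumed values).
$servers  = ['MyADServer1', 'MyADServer2'];           // authLDAPServers1
$suffix   = '@yyy.org';                               // authLDAPAccountSuffix1
$baseDN   = 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org';    // authLDAPBaseDN1
$bindUser = 'zendto';                                 // a username, not a full DN
$bindPass = getenv('ZENDTO_BIND_PASS') ?: '';         // keep the secret out of the file
$useSSL   = false;                                    // authLDAPUseSSL1
$testUser = 'test';                                   // the account that will log in

// Tries each server in turn and reports which step fails; returns one line per server.
function adCheck(array $servers, string $suffix, string $baseDN, string $bindUser,
                 string $bindPass, bool $useSSL, string $testUser): array
{
    $report = [];
    foreach ($servers as $host) {
        // ldap_connect() only parses the URL; the TCP connection is made at bind time.
        $conn = ldap_connect(($useSSL ? 'ldaps://' : 'ldap://') . $host);
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires LDAPv3
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);          // AD returns referrals
        ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

        // Step 1: bind as the read-only service account, "user@suffix" as the identity.
        // Failing here on every server is the "Unable to connect to any of the LDAP
        // servers" case from the thread.
        if (!@ldap_bind($conn, $bindUser . $suffix, $bindPass)) {
            $report[] = "$host: service bind as {$bindUser}{$suffix} failed: " . ldap_error($conn);
            continue;
        }

        // Step 2 (assumed): look the logging-in user up under the base DN with a
        // filter-escaped sAMAccountName, so a typed-in name cannot alter the filter.
        $filter = '(sAMAccountName=' . ldap_escape($testUser, '', LDAP_ESCAPE_FILTER) . ')';
        $res    = @ldap_search($conn, $baseDN, $filter, ['dn']);
        $count  = $res ? ldap_count_entries($conn, $res) : 0;
        $report[] = $count === 1
            ? "$host: bind OK, user $testUser found under $baseDN"
            : "$host: bind OK, but $testUser not found under $baseDN (" . ldap_error($conn) . ')';
        ldap_unbind($conn);
    }
    return $report;
}

foreach (adCheck($servers, $suffix, $baseDN, $bindUser, $bindPass, $useSSL, $testUser) as $line) {
    echo $line, PHP_EOL;
}
```

Run it from the ZendTo host with ZENDTO_BIND_PASS set in the environment; a bind failure on every server points at the service account or suffix, a successful bind with no match points at the base DN.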


