[ZendTo] Re: AD authentication
Brad Beckenhauer
bbecken at aafp.org
Wed Jul 21 22:25:20 BST 2010
>>> On 7/21/2010 at 3:14 PM, in message <4C475543.2050203 at ZendTo.com>, Jules
<Jules at zendto.com> wrote:
>
> On 21/07/2010 20:57, Brad Beckenhauer wrote:
>> I just installed ZendTo/Centos-64 3.56-2 using the vm.
>> IMAP authentication works for my test account but I need to switch to
>> AD authentication for my internal clients.
>> I installed the openldap-client on the vm (yum install
>> openldap-client ) so I could use the utility for debugging.
>> I can run the ldap-search command and it returns a Success using the
>> below command line.
>> # ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x
>> -D"cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org" -W
>> "sAMAccountName=test"
>> Note that my Administrator is not in the same context as my user named
>> 'test'.
>> from: preferences.php
>> //'authenticator' => 'IMAP',
>> 'authenticator' => 'AD',
>> 'authLDAPAdmins' => array('test','admin2','admin3'),
>> 'authLDAPBaseDN1' => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>> 'authLDAPServers1' => array('MyADServer1','MyADServer2'),
>> 'authLDAPAccountSuffix1' => '@yyy.org',
>> 'authLDAPUseSSL1' => false,
>> 'authLDAPBindUser1' => 'cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org',
>> 'authLDAPBindPass1' => 'Secret Password for the above user is entered here',
I only used the Administrator account for testing while I was doing a proof of concept for management. I'll go ahead and create a zendto user account.
Ok, I created a new user account 'zendto' (not a domain administrator) in the same context as my user account.
'authenticator' => 'AD',
'authLDAPAdmins' => array('test','admin2','admin3'),
'authLDAPBaseDN1' => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
'authLDAPServers1' => array('MyADServer1','MyADServer2'),
'authLDAPAccountSuffix1' => '@yyy.org',
'authLDAPUseSSL1' => false,
'authLDAPBindUser1' => 'zendto',
'authLDAPBindPass1' => 'Secret Password for the above zendto user is entered here',
restart apache
When I run:
ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x -D"cn=zendto,ou=ZendToUsers,dc=xxx,dc=yyy,dc=org" -W "sAMAccountName=zendto"
The end of ldapsearch returns the below as well as the zendto user:
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I'll keep playing with it.
Suggestions are welcome.
thanks
Brad
>> restart apache
>> service httpd restart
>> try to login on the webpage and I get two errors:
>> LDAP Error Check User: Unable to connect to any of the LDAP servers;
>> could not authenticate user.
> That means exactly what it says. It couldn't ldap_bind() to any of the AD
> servers. The code is fairly simple to read; it's in
> NSSADAuthenticator.php in the validate function. I very much doubt your
> authLDAPBindUser1 is correct or usable. I don't think it supports the
> LDAPBindUser1 being in a totally different place from the other users.
> Create a user in the same place that has no permissions other than being
> able to read the directory, in the same place as everything else. It
> certainly does not need to be, and *shouldn't* be, an administrator, it
> should be able to do nothing other than read the AD. Then it should
> work. All you can put in authLDAPBindUser1 is a username, not a complete
> AD path.
>
> If you need to be able to do that, then I suggest you tweak
> NSSADAuthenticator.php so that it supports this.
>
> What it does is this:
> @ldap_bind($ldapConn,$this->_ldapBindUser,$this->_ldapBindPass)
>
> So it takes the connection to the LDAP/AD server, with just a username
> and password. If that bind operation works, then it can proceed. If that
> fails, then you get the error you are seeing.
>
> Have you tried just setting
> 'authLDAPBindUser1' => 'Administrator',
> in your preferences.php?
yes - did not work
> I still most definitely advise against using any sort of Administrator
> account for this, that will probably have far more privileges than it needs.
>
> You might even find that anonymous binds are allowed, they are in quite
> a lot of networks.
>
> Hope that helps a bit,
> Jules.
>> Authentication Error The username or password was incorrect.
>> beating my head on this and looking for a pointer on what I'm doing wrong.
>> I won't be able to work on this again until next Monday.
>> thanks
>> Brad
>>
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zendto.com
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>
>
> Jules
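An added illustration of the bind-then-search flow Jules describes, written for this thread and not taken from ZendTo's NSSADAuthenticator.php: the service account is a bare username joined to authLDAPAccountSuffix1 (UPN form, the reason a full DN is not accepted), holds read-only rights, and the user's own password is checked by a second bind. Server names, base DN, key names and the $cfg array are placeholders mirroring the preferences.php keys quoted above.

```php
<?php
// Added example, not ZendTo's NSSADAuthenticator.php; keys mirror the thread's preferences.php, values are placeholders.
$cfg = [
    'authLDAPServers1'       => ['MyADServer1', 'MyADServer2'],
    'authLDAPBaseDN1'        => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
    'authLDAPAccountSuffix1' => '@yyy.org',
    'authLDAPBindUser1'      => 'zendto', // bare username of a read-only account, not a DN
    'authLDAPBindPass1'      => 'placeholder-service-account-password',
    'authLDAPUseSSL1'        => false,
];

// Bind as the service account on the first reachable server; null if none accepts the bind.
function adServiceBind(array $cfg)
{
    $bindId = $cfg['authLDAPBindUser1'] . $cfg['authLDAPAccountSuffix1']; // zendto@yyy.org (UPN form)
    foreach ($cfg['authLDAPServers1'] as $server) {
        $conn = ldap_connect(($cfg['authLDAPUseSSL1'] ? 'ldaps://' : 'ldap://') . $server);
        if ($conn === false) {
            continue;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise break the search
        if (@ldap_bind($conn, $bindId, $cfg['authLDAPBindPass1'])) {
            return $conn;
        }
        error_log("bind as $bindId to $server failed: " . ldap_error($conn));
    }
    return null; // corresponds to "Unable to connect to any of the LDAP servers"
}

// Look the user up under the base DN, then re-bind with the user's own password.
function adValidateUser(array $cfg, string $username, string $password): bool
{
    if ($password === '') {
        return false; // AD treats an empty password as an unauthenticated bind; never let it "succeed"
    }
    $conn = adServiceBind($cfg);
    if ($conn === null) {
        return false;
    }
    $filter  = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($conn, $cfg['authLDAPBaseDN1'], $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false; // unknown (or ambiguous) account
    }
    $ok = @ldap_bind($conn, $username . $cfg['authLDAPAccountSuffix1'], $password);
    ldap_unbind($conn);
    return $ok;
}
```

Running ldapsearch with `-D zendto@yyy.org -W` against the same server is the quickest way to confirm that the UPN form of the service account binds before touching preferences.php.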