[ZendTo] Re: AD authentication

Brad Beckenhauer bbecken at aafp.org
Thu Jul 22 00:08:37 BST 2010


>>> On 7/21/2010 at 4:25 PM, in message <4C471F700200006800059BD9 at smtp.aafp.org>,
"Brad Beckenhauer" <bbecken at aafp.org> wrote:

> 
>>>> On 7/21/2010 at 3:14 PM, in message <4C475543.2050203 at ZendTo.com>, Jules
> <Jules at zendto.com> wrote:
> 
>> 
>> On 21/07/2010 20:57, Brad Beckenhauer wrote:
>>> I just installed ZendTo/Centos-64 3.56-2 using the VM.
>>> IMAP authentication works for my test account but I need to switch to 
>>> AD authentication for my internal clients.
>>> I installed the openldap-client on the VM (yum install 
>>> openldap-client) so I could use the utility for debugging.
>>> I can run the ldap-search command and it returns a Success using the 
>>> below command line.
>>> # ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x -D"cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org" -W "sAMAccountName=test"
>>> Note that my Administrator is not in the same context as my user named 
>>> 'test'.
>>> from: preferences.php
>>>  //'authenticator' => 'IMAP',
>>>   'authenticator'             => 'AD',
>>>   'authLDAPAdmins'            => array('test','admin2','admin3'),
>>>   'authLDAPBaseDN1'           => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>>>   'authLDAPServers1'          => array('MyADServer1','MyADServer2'),
>>>   'authLDAPAccountSuffix1'    => '@yyy.org',
>>>   'authLDAPUseSSL1'           => false,
>>>   'authLDAPBindUser1'         => 'cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org',
>>>   'authLDAPBindPass1'         => 'Secret Password for the above user is entered here',
> 
> I only used the Administrator account for testing while I was doing a proof 
> of concept for management.  I'll go ahead and create a zendto user account.
> 
> Ok, I created a new user account 'zendto' (not a domain administrator) in 
> the same context as my user account.
> 
> 'authenticator'             => 'AD',
> 'authLDAPAdmins'            => array('test','admin2','admin3'),
> 'authLDAPBaseDN1'           => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
> 'authLDAPServers1'          => array('MyADServer1','MyADServer2'),
> 'authLDAPAccountSuffix1'    => '@yyy.org',
> 'authLDAPUseSSL1'           => false,
> 'authLDAPBindUser1'         => 'zendto',
> 'authLDAPBindPass1'         => 'Secret Password for the above zendto user is entered here',
> 
> restart apache
> 
> When I run:
> ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x -D"cn=zendto,ou=ZendToUsers,dc=xxx,dc=yyy,dc=org" -W "sAMAccountName=zendto"
> 
> The end of the ldapsearch output returns the below, as well as the zendto user:
> 
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> 
> I'll keep playing with it.
> Suggestions are welcome.
> 
> thanks
> Brad
> 
>>> restart apache
>>> service httpd restart
>>> try to login on the webpage and I get two errors:
>>> LDAP Error Check User: Unable to connect to any of the LDAP servers; 
>>> could not authenticate user.
>> That means exactly what it says. It couldn't ldap_bind() to any of the AD 
>> servers. The code is fairly simple to read, it's in 
>> NSSADAuthenticator.php in the validate function. I very much doubt your 
>> authLDAPBindUser1 is correct or usable. I don't think it supports the 
>> LDAPBindUser1 being in a totally different place from the other users. 
>> Create a user in the same place that has no permissions other than being 
>> able to read the directory, in the same place as everything else. It 
>> certainly does not need to be, and *shouldn't* be, an administrator, it 
>> should be able to do nothing other than read the AD. Then it should 
>> work. All you can put in authLDAPBindUser1 is a username, not a complete 
>> AD path.
>> 
>> If you need to be able to do that, then I suggest you tweak 
>> NSSADAuthenticator.php so that it supports this.
>> 
>> What it does is this:
>> @ldap_bind($ldapConn,$this->_ldapBindUser,$this->_ldapBindPass)
>> 


Ok, my PHP is pretty weak but I've been looking at the ldap_bind statements in NSSADAuthenticator.php.

What I found interesting was the comment above the ldap_bind statement, "start TLS". I checked my preferences and authLDAPUseSSL1 was set to false. So it should connect to my AD server without TLS, if I understand the preferences correctly.

On a whim, I tried to connect to my AD server (using ldapsearch) with TLS and it would not connect, so I'll ask the AD server guys about that next week.

I tried to find the @ldap_bind code to see if the bind was actually binding using TLS (and ignoring the authLDAPUseSSL1 statement) or if just the comment was misleading, but I could not find that section (I'll leave that to the experts).

So because the webpage told me to "Check User", I've been focusing on my AD user, thinking that it was misconfigured/bad, when it's also possible that the AD server does not have TLS working.

Perhaps consider tweaking the code to let the admin know that the problem may not only be the AD user, but that a TLS/LDAP connection could not be made, and therefore the AD user could not be validated/authenticated.

I apologize if some of the terminology above is incorrect.


Have a good week. I've enjoyed working on this and I'll continue next week.

Brad


>> So it takes the connection to the LDAP/AD server, with just a username 
>> and password. If that bind operation works, then it can proceed. If that 
>> fails, then you get the error you are seeing.
>> 
>> Have you tried just setting
>> 'authLDAPBindUser1'         => 'Administrator',
>> in your preferences.php?
> 
> yes - did not work
> 
>> I still most definitely advise against using any sort of Administrator 
>> account for this, that will probably have far more privileges than it needs.
>> 
>> You might even find that anonymous binds are allowed, they are in quite 
>> a lot of networks.
>> 
>> Hope that helps a bit,
>> Jules.
>>> Authentication Error The username or password was incorrect.
>>> beating my head on this and looking for a pointer on what I'm doing wrong.
>>> I won't be able to work on this again until next Monday.
>>> thanks
>>> Brad
>>>
>>>
>>> _______________________________________________
>>> ZendTo mailing list
>>> ZendTo at zendto.com 
>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto 
>>>    
>> 
>> Jules
> 
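The diagnostic Brad asks for at the end of his message (tell the admin whether the TLS/LDAP connection failed or the bind account was rejected) is easy to reproduce in a small standalone script. What follows is an added example written for this page; it is not code from ZendTo or from NSSADAuthenticator.php. It walks the same sequence the thread describes (connect, optional StartTLS, simple bind with a plain username and password) and reports which step failed. The server names, the '@yyy.org' suffix and the 'zendto' account are the placeholders from the thread; presenting the plain username to AD in UPN form (user@suffix) is an assumption about how authLDAPBindUser1 ends up in the bind, and the ZENDTO_BIND_PASS environment variable is invented here so the secret stays out of the file.

```php
<?php
// Added diagnostic example, not ZendTo's own authenticator code.
// Reproduces connect -> optional StartTLS -> simple bind and says which step failed.

// Assumed settings, mirroring the preferences.php keys quoted in the thread.
$servers       = ['MyADServer1', 'MyADServer2'];   // placeholder hostnames from the thread
$accountSuffix = '@yyy.org';                       // authLDAPAccountSuffix1
$useTLS        = false;                            // authLDAPUseSSL1 (false = cleartext bind on 389)
$bindUser      = 'zendto';                         // a plain username, not a DN
$bindPass      = getenv('ZENDTO_BIND_PASS') ?: ''; // assumed env var; keeps the secret out of the script

function ldapDetail($conn): string
{
    // AD puts a "data 52e" (bad password) / "data 525" (no such user) code in the diagnostic message,
    // which is the part that distinguishes "wrong credentials" from "could not reach the server".
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return sprintf('errno %d: %s%s', ldap_errno($conn), ldap_error($conn), $diag !== '' ? " ({$diag})" : '');
}

function tryBind(string $host, string $user, string $suffix, string $pass, bool $useTLS): array
{
    // ldap_connect() only parses the URI; no socket is opened until the first operation.
    $conn = ldap_connect("ldap://{$host}:389");
    if ($conn === false) {
        return ['ok' => false, 'step' => 'connect', 'msg' => 'invalid LDAP URI'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // AD returns referrals; chasing them breaks binds
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast on an unreachable server

    if ($useTLS && !@ldap_start_tls($conn)) {
        // Step 1 failure: TLS could not be negotiated (no cert on the DC, untrusted CA, port closed...).
        // Without this separate check the caller only ever sees a generic bind failure.
        return ['ok' => false, 'step' => 'starttls', 'msg' => ldapDetail($conn)];
    }

    // Step 2: simple bind. Assumption: AD accepts the UPN form user@suffix for the plain username.
    // A failure here is either "server unreachable" (errno -1) or "credentials/account rejected" (errno 49).
    if (!@ldap_bind($conn, $user . $suffix, $pass)) {
        return ['ok' => false, 'step' => 'bind', 'msg' => ldapDetail($conn)];
    }
    ldap_unbind($conn);
    return ['ok' => true, 'step' => 'bind', 'msg' => 'success'];
}

// Try each configured server in order, the way a list of authLDAPServers1 would be walked.
foreach ($servers as $host) {
    $r = tryBind($host, $bindUser, $accountSuffix, $bindPass, $useTLS);
    printf("%-12s %-9s %s\n", $host, $r['step'], $r['msg']);
    if ($r['ok']) {
        break;
    }
}
```

Run it as `ZENDTO_BIND_PASS='...' php ldap-bind-check.php` from the ZendTo VM. A line reading `bind errno -1: Can't contact LDAP server` means no LDAP connection at all (firewall, wrong hostname, port 389 closed), `starttls` with a TLS error means the DC is reachable but StartTLS is not working (usually a missing or untrusted certificate, which is what Brad saw from ldapsearch), and `bind errno 49: Invalid credentials` with a `data 52e` or `data 525` code means the server was reached and it is the account or password that is wrong. Two caveats worth keeping in mind: with authLDAPUseSSL1 set to false the simple bind sends the bind account's password in cleartext on port 389, so StartTLS (ldap_start_tls) or LDAPS (an ldaps:// URI on 636) should be the goal once the bind itself works; and from the shell the same two checks are `ldapsearch -ZZ ...` (StartTLS, fail if it cannot be negotiated) and `ldapsearch -H ldaps://MyADServer1 ...`, with the DC's issuing CA configured via TLS_CACERT in ldap.conf.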


