[ZendTo] Re: AD authentication

Jules Jules at ZendTo.com
Thu Jul 22 10:31:04 BST 2010



On 22/07/2010 00:08, Brad Beckenhauer wrote:
> On 7/21/2010 at 4:25 PM, in message <4C471F700200006800059BD9 at smtp.aafp.org>,
> "Brad Beckenhauer" <bbecken at aafp.org> wrote:
>
>> On 7/21/2010 at 3:14 PM, in message <4C475543.2050203 at ZendTo.com>, Jules
>> <Jules at zendto.com> wrote:
>>
>>> On 21/07/2010 20:57, Brad Beckenhauer wrote:
>>>> I just installed ZendTo/Centos-64 3.56-2 using the vm.
>>>> IMAP authentication works for my test account but I need to switch to
>>>> AD authentication for my internal clients.
>>>> I installed the openldap-client on the vm (yum install
>>>> openldap-client) so I could use the utility for debugging.
>>>> I can run the ldap-search command and it returns a Success using the
>>>> below command line.
>>>> # ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x
>>>> -D"cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org" -W
>>>> "sAMAccountName=test"
>>>> Note that my Administrator is not in the same context as my user named
>>>> 'test'.
>>>> from: preferences.php
>>>>   //'authenticator' =>  'IMAP',
>>>>    'authenticator'             =>  'AD',
>>>>    'authLDAPAdmins'            =>  array('test','admin2','admin3'),
>>>>    'authLDAPBaseDN1'           =>  'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>>>>    'authLDAPServers1'          =>  array('MyADServer1','MyADServer2'),
>>>>    'authLDAPAccountSuffix1'    =>  '@yyy.org',
>>>>    'authLDAPUseSSL1'           =>  false,
>>>>    'authLDAPBindUser1'         =>  'cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org',
>>>>    'authLDAPBindPass1'         =>  'Secret Password for the above user is entered here',
>>
>> I only used the Administrator account for testing while I was doing a proof
>> of concept for management.  I'll go ahead and create a zendto user account.
>>
>> Ok, I created a new user account 'zendto' (not a domain administrator) in
>> the same context as my user account.
>>
>> 'authenticator'             =>  'AD',
>> 'authLDAPAdmins'            =>  array('test','admin2','admin3'),
>> 'authLDAPBaseDN1'           =>  'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>> 'authLDAPServers1'          =>  array('MyADServer1','MyADServer2'),
>> 'authLDAPAccountSuffix1'    =>  '@yyy.org',
>> 'authLDAPUseSSL1'           =>  false,
>> 'authLDAPBindUser1'         =>  'zendto',
>> 'authLDAPBindPass1'         =>  'Secret Password for the above zendto user is entered here',
>>
>> restart apache
>>
>> When I run:
>> ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x
>> -D"cn=zendto,ou=ZendToUsers,dc=xxx,dc=yyy,dc=org" -W "sAMAccountName=zendto"
>>
>> The end of ldapsearch returns the below as well as the zendto user:
>>
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>> I'll keep playing with it.
>> Suggestions are welcome.
>>
>> thanks
>> Brad
>>
>>>> restart apache
>>>> service httpd restart
>>>> try to login on the webpage and I get two errors:
>>>> LDAP Error Check User: Unable to connect to any of the LDAP servers;
>>>> could not authenticate user.
>>> That means exactly what it says. It couldn't ldap_bind() to any of the AD
>>> servers. The code is fairly simple to read, it's in
>>> NSSADAuthenticator.php in the validate function. I very much doubt your
>>> authLDAPBindUser1 is correct or usable. I don't think it supports the
>>> LDAPBindUser1 being in a totally different place from the other users.
>>> Create a user in the same place that has no permissions other than being
>>> able to read the directory, in the same place as everything else. It
>>> certainly does not need to be, and *shouldn't* be, an administrator, it
>>> should be able to do nothing other than read the AD. Then it should
>>> work. All you can put in authLDAPBindUser1 is a username, not a complete
>>> AD path.
>>>
>>> If you need to be able to do that, then I suggest you tweak
>>> NSSADAuthenticator.php so that it supports this.
>>>
>>> What it does is this:
>>> @ldap_bind($ldapConn,$this->_ldapBindUser,$this->_ldapBindPass)
>>>
>
> Ok, my PHP is pretty weak but I've been looking at the ldap_bind statements in NSSADAuthenticator.php.
>
> What I found interesting was the comment above the ldap_bind statement "start TLS". I checked my preferences and authLDAPUseSSL1 was set to false. So it should connect to my AD server without TLS if I understand the preferences correctly.
I didn't write much of this code, and yes that comment is rubbish.
> On a whim, I tried to connect to my AD server (using ldapsearch) with TLS and it would not connect, so I'll ask the AD server guys about that next week.
>
> I tried to find the @ldap_bind code to see if the bind was actually binding using TLS ( and ignoring the authLDAPUseSSL1 statement ) or if just the comment was misleading, but I could not find that section (I'll leave that to the experts).
The comment is indeed misleading, and has now gone.
> So because the webpage told me to "Check User", I've been focusing on my AD USER thinking that it was misconfigured/bad,  when it's also possible that the AD server does not have TLS working.
>
> Perhaps consider tweaking the code to let the admin know that the problem may not only be the AD USER, but that a TLS/LDAP connection could not be made, therefore the AD user could not be validated/authenticated.
If it connects to the LDAP server but could not bind, it now reports an 
error back to the user including the LDAP error message which will 
hopefully help you diagnose why it couldn't bind.

If it cannot connect to the LDAP server at all, it just quietly fails 
and tries the next one in the list.

This will all be in the next release, which will be out soon.

Cheers,
Jules.

> I apologize if some of the terminology above is incorrect.
>
>
> Have a good week. I've enjoyed working on this and I'll continue next week.
>
> Brad
>
>
>>> So it takes the connection to the LDAP/AD server, with just a username
>>> and password. If that bind operation works, then it can proceed. If that
>>> fails, then you get the error you are seeing.
>>>
>>> Have you tried just setting
>>> 'authLDAPBindUser1'         =>  'Administrator',
>>> in your preferences.php?
>> yes - did not work
>>
>>> I still most definitely advise against using any sort of Administrator
>>> account for this, that will probably have far more privileges than it needs.
>>>
>>> You might even find that anonymous binds are allowed, they are in quite
>>> a lot of networks.
>>>
>>> Hope that helps a bit,
>>> Jules.
>>>> Authentication Error The username or password was incorrect.
>>>> beating my head on this and looking for a pointer on what I'm doing wrong.
>>>> I won't be able to work on this again until next Monday.
>>>> thanks
>>>> Brad
>>>>
>>>>
>>>> _______________________________________________
>>>> ZendTo mailing list
>>>> ZendTo at zendto.com
>>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>>
>>> Jules

Jules

-- 
Julian Field MEng CITP CEng
www.ZendTo.com

Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
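The service-bind and fail-over behaviour discussed in this thread (username-only bind user, quiet skip of unreachable servers, LDAP error text reported when a reachable server rejects the bind), written out as an added example that is not ZendTo's own NSSADAuthenticator.php; the function and variable names are assumptions, and the hosts, suffix and password are the thread's placeholders:

```php
<?php
// Added illustration, not ZendTo's NSSADAuthenticator.php: a service bind that
// walks the authLDAPServers1 list, binds with a plain username plus the account
// suffix, silently skips unreachable servers and reports any other bind failure
// with the server's LDAP error text. Function and variable names are assumptions.

function adServiceBind(array $servers, string $bindUser, string $bindPass,
                       string $suffix, bool $useTls, array &$errors) {
    foreach ($servers as $server) {
        // ldap_connect() only parses the URI; the TCP connection is made on the
        // first operation, so an unreachable host only shows up at bind time.
        $conn = @ldap_connect("ldap://$server");
        if ($conn === false) {
            continue;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD returns referrals; do not chase them

        if ($useTls && !@ldap_start_tls($conn)) {
            // authLDAPUseSSL1 asked for TLS and the server refused it: record why and move on
            $errors[] = "$server: StartTLS failed: " . ldap_error($conn);
            continue;
        }

        // The bind user is a username only, never a full DN; AD accepts the
        // user@domain (UPN) form built from username + authLDAPAccountSuffix1.
        $bindId = (strpos($bindUser, '@') === false) ? $bindUser . $suffix : $bindUser;
        if (@ldap_bind($conn, $bindId, $bindPass)) {
            return $conn; // bound as the read-only service account; ready to search users
        }

        if (ldap_errno($conn) === -1) {
            // LDAP_SERVER_DOWN: this server could not be reached, quietly try the next one
            continue;
        }
        // Connected but the bind was rejected (bad password, disabled account, ...):
        // surface the server's own reason so the admin can diagnose it.
        $errors[] = "$server: bind as $bindId failed: " . ldap_error($conn);
    }
    return false;
}

// Constructed sample matching the thread's preferences.php; the hosts are placeholders.
$errors = [];
$conn = adServiceBind(['MyADServer1', 'MyADServer2'], 'zendto', 'placeholder-password',
                      '@yyy.org', false, $errors);
if ($conn === false) {
    echo $errors ? implode(PHP_EOL, $errors) : 'no AD server reachable', PHP_EOL;
}
```

With placeholder hosts both binds fail with LDAP_SERVER_DOWN and are skipped quietly, which is exactly the "Unable to connect to any of the LDAP servers" case; a wrong password on a reachable server instead lands in $errors with the server's reason.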
