[ZendTo] Re: AD authentication - Solved
Brad Beckenhauer
bbecken at aafp.org
Tue Jul 27 18:41:14 BST 2010
Top-posting.
I did a fresh install of 3.57-2/Centos-64 from the ISO this morning.
I've been working on resolving my AD authentication issue all morning only to figure out that the problem is not with Zendto or the configuration in the preferences file.
The problem I was having authenticating against the AD tree was because the User Accounts in the tree were populated/created by an Identity Management Driver (IDM) and the driver apparently is not populating some field/attribute for the user account in the AD forest that Zendto needs ( Arggg!!).
I kinda stumbled into this when I tried logging in as the user defined as the 'authLDAPBindUser1' and it worked. So I manually created a test AD account and found that I could login as that user as well. So now our Microsoft guys need to figure out what is not populating...
One tool I found useful for debugging was the ldapsearch utility ( yum install openldap-clients ).
Enhancement request: When you get logged in and select the "drop-off" button, the next screen has a dialog box for your name and the Organization. Please consider increasing the size of the box for companies with LONG names ( American Academy of Family Physicians ).
Thanks All
Brad
>>> On 7/22/2010 at 4:31 AM, in message <4C480FD8.3090207 at ZendTo.com>, Jules
<Jules at zendto.com> wrote:
>
> On 22/07/2010 00:08, Brad Beckenhauer wrote:
>>
>>>>> On 7/21/2010 at 4:25 PM, in message<4C471F700200006800059BD9 at smtp.aafp.org>,
>>>>>
>> "Brad Beckenhauer"<bbecken at aafp.org> wrote:
>>
>>
>>>
>>>>>> On 7/21/2010 at 3:14 PM, in message<4C475543.2050203 at ZendTo.com>, Jules
>>>>>>
>>> <Jules at zendto.com> wrote:
>>>
>>>
>>>> On 21/07/2010 20:57, Brad Beckenhauer wrote:
>>>>
>>>>> I just installed ZendTo/Centos-64 3.56-2 using the vm.
>>>>> IMAP authentication works for my test account but I need to switch to
>>>>> AD authentication for my internal clients.
>>>>> I installed the openldap-client on the vm (yum install
>>>>> openldap-client ) so I could use the utility for debugging.
>>>>> I can run the ldap-search command and it returns a Success using the
>>>>> below command line.
>>>>> # ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x
>>>>> -D"cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org" -W
>>>>> "sAMAccountName=test"
>>>>> Note that my Administrator is not in the same context as my user named
>>>>> 'test'.
>>>>> from: preferences.php
>>>>> //'authenticator' => 'IMAP',
>>>>> 'authenticator' => 'AD',
>>>>> 'authLDAPAdmins' => array('test','admin2','admin3'),
>>>>> 'authLDAPBaseDN1' => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>>>>> 'authLDAPServers1' => array('MyADServer1','MyADServer2'),
>>>>> 'authLDAPAccountSuffix1' => '@yyy.org',
>>>>> 'authLDAPUseSSL1' => false,
>>>>> 'authLDAPBindUser1' => 'cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org',
>>>>> 'authLDAPBindPass1' => 'Secret Password for the above user is entered here',
>>>
>>> I only used the Administrator account for testing while I was doing a proof of
>>> concept for management. I'll go ahead and create a zendto user account.
>>>
>>> Ok, I created a new user account 'zendto' ( not a domain administrator) in
>>> the same context as my user account.
>>>
>>> 'authenticator' => 'AD',
>>> 'authLDAPAdmins' => array('test','admin2','admin3'),
>>> 'authLDAPBaseDN1' => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>>> 'authLDAPServers1' => array('MyADServer1','MyADServer2'),
>>> 'authLDAPAccountSuffix1' => '@yyy.org',
>>> 'authLDAPUseSSL1' => false,
>>> 'authLDAPBindUser1' => 'zendto',
>>> 'authLDAPBindPass1' => 'Secret Password for the above zendto user is entered here',
>>>
>>> restart apache
>>>
>>> When I run:
>>> ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x
>>> -D"cn=zendto,ou=ZendToUsers,dc=xxx,dc=yyy,dc=org" -W "sAMAccountName=zendto"
>>>
>>> The end of ldapsearch returns the below as well as the zendto user:
>>>
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>>
>>> I'll keep playing with it.
>>> Suggestions are welcome.
>>>
>>> thanks
>>> Brad
>>>
>>>
>>>>> restart apache
>>>>> service httpd restart
>>>>> try to login on the webpage and I get two errors:
>>>>> LDAP Error Check User: Unable to connect to any of the LDAP servers;
>>>>> could not authenticate user.
>>>>>
>>>> That means exactly what it says. It couldn't ldap_bind() to any of the AD
>>>> servers. The code is fairly simple to read, it's in
>>>> NSSADAuthenticator.php in the validate function. I very much doubt your
>>>> authLDAPBindUser1 is correct or usable. I don't think it supports the
>>>> LDAPBindUser1 being in a totally different place from the other users.
>>>> Create a user in the same place that has no permissions other than being
>>>> able to read the directory, in the same place as everything else. It
>>>> certainly does not need to be, and *shouldn't* be, an administrator, it
>>>> should be able to do nothing other than read the AD. Then it should
>>>> work. All you can put in authLDAPBindUser1 is a username, not a complete
>>>> AD path.
>>>>
>>>> If you need to be able to do that, then I suggest you tweak
>>>> NSSADAuthenticator.php so that it supports this.
>>>>
>>>> What it does is this:
>>>> @ldap_bind($ldapConn,$this->_ldapBindUser,$this->_ldapBindPass)
>>>>
>>>>
>>
>> Ok, my PHP is pretty weak but I've been looking at the ldap_bind statements
>> in NSSADAuthenticator.php.
>>
>> What I found interesting was the comment above the ldap_bind statement
>> "start TLS". I checked my preferences and authLDAPUseSSL1 was set to false.
>> So it should connect to my AD server without TLS if I understand the
>> preferences correctly.
>>
> I didn't write much of this code, and yes that comment is rubbish.
>> On a whim, I tried to connect to my AD server (using ldapsearch) with TLS
>> and it would not connect, so I'll ask the AD server guys about that next
>> week.
>>
>> I tried to find the @ldap_bind code to see if the bind was actually binding
>> using TLS ( and ignoring the authLDAPUseSSL1 statement ) or if just the
>> comment was misleading, but I could not find that section (I'll leave that to
>> the experts).
>>
> The comment is indeed misleading, and has now gone.
>> So because the webpage told me to "Check User", I've been focusing on my AD
>> USER thinking that it was misconfigured/bad, when it's also possible that
>> the AD server does not have TLS working.
>>
>> Perhaps consider tweaking the code to let the admin know that the problem
>> may not only be the AD USER, but that a TLS/LDAP connection could not be
>> made, therefore the AD user could not be validated/authenticated.
>>
> If it connects to the LDAP server but could not bind, it now reports an
> error back to the user including the LDAP error message which will
> hopefully help you diagnose why it couldn't bind.
>
> If it cannot connect to the LDAP server at all, it just quietly fails
> and tries the next one in the list.
>
> This will all be in the next release, which will be out soon.
>
> Cheers,
> Jules.
>
>> I apologize if some of the terminology above is incorrect.
>>
>>
>> Have a good week. I've enjoyed working on this and I'll continue next
>> week.
>>
>> Brad
>>
>>
>>
>>>> So it takes the connection to the LDAP/AD server, with just a username
>>>> and password. If that bind operation works, then it can proceed. If that
>>>> fails, then you get the error you are seeing.
>>>>
>>>> Have you tried just setting
>>>> 'authLDAPBindUser1' => 'Administrator',
>>>> in your preferences.php?
>>>>
>>> yes - did not work
>>>
>>>
>>>> I still most definitely advise against using any sort of Administrator
>>>> account for this, that will probably have far more privileges than it needs.
>>>>
>>>> You might even find that anonymous binds are allowed, they are in quite
>>>> a lot of networks.
>>>>
>>>> Hope that helps a bit,
>>>> Jules.
>>>>
>>>>> Authentication Error The username or password was incorrect.
>>>>> I'm beating my head on this and looking for a pointer on what I'm doing wrong.
>>>>> I won't be able to work on this again until next Monday.
>>>>> thanks
>>>>> Brad
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> ZendTo mailing list
>>>>> ZendTo at zendto.com
>>>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>>>
>>>>>
>>>> Jules
>>>>
>>>
>>
>
> Jules
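As an added diagnostic, not code from this thread or from ZendTo's own NSSADAuthenticator.php, the PHP below walks the flow Jules describes: bind with a low-privilege service account given as a plain username, look the user up by sAMAccountName under the base DN, then bind as that user, reporting ldap_error() at each step so a connection or bind failure is not read as "bad user". It uses the preferences.php keys from the thread; the server names, base DN, passwords and the list of attributes it inspects are placeholders and assumptions.

```php
<?php
// Added diagnostic script, not ZendTo's NSSADAuthenticator.php. It walks the
// flow the thread describes: bind with a read-only service account, find the
// user by sAMAccountName under the base DN, then bind as that user, and it
// reports ldap_error() at each step so a server/bind problem is not read as
// "bad user". Keys are the preferences.php ones; values are placeholders.
$prefs = array(
  'authLDAPServers1'       => array('MyADServer1', 'MyADServer2'),
  'authLDAPBaseDN1'        => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
  'authLDAPAccountSuffix1' => '@yyy.org',
  'authLDAPUseSSL1'        => false,
  'authLDAPBindUser1'      => 'zendto',   // plain username, not a full DN
  'authLDAPBindPass1'      => 'SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER',
);
function adCheckUser(array $p, $username, $password) {
  $attrs = array('samaccountname', 'userprincipalname', 'mail', 'displayname'); // assumed list
  $log = array();
  foreach ($p['authLDAPServers1'] as $server) {
    $c = ldap_connect("ldap://$server");   // lazy: a dead host surfaces at bind time
    ldap_set_option($c, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($c, LDAP_OPT_REFERRALS, 0);   // AD referrals break searches
    if ($p['authLDAPUseSSL1'] && !@ldap_start_tls($c)) {
      $log[] = "$server: StartTLS failed: " . ldap_error($c); continue;
    }
    // Service-account bind; AD accepts user@suffix as the bind name.
    $bindName = $p['authLDAPBindUser1'] . $p['authLDAPAccountSuffix1'];
    if (!@ldap_bind($c, $bindName, $p['authLDAPBindPass1'])) {
      $log[] = "$server: service bind failed: " . ldap_error($c); continue;
    }
    $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $r = @ldap_search($c, $p['authLDAPBaseDN1'], $filter, $attrs);
    $e = $r ? ldap_get_entries($c, $r) : false;
    if (!$e || $e['count'] == 0) {
      return array(false, "$server: no entry for '$username' under base DN: " . ldap_error($c), $log);
    }
    // List which attributes the entry really carries, so an account created by
    // a provisioning tool can be compared with a hand-made one that works.
    $have = array();
    foreach ($attrs as $a) {
      $have[$a] = isset($e[0][$a]) ? $e[0][$a][0] : '(missing)';
    }
    $ok = @ldap_bind($c, $e[0]['dn'], $password);   // bind as the user by DN
    $msg = $ok ? 'authenticated' : 'user bind failed: ' . ldap_error($c);
    ldap_unbind($c);
    return array($ok, $msg, $have);
  }
  return array(false, 'could not bind to any LDAP server', $log);
}
list($ok, $msg, $detail) = adCheckUser($prefs, 'test', 'USER-PASSWORD-PLACEHOLDER');
echo ($ok ? 'OK' : 'FAIL') . ": $msg\n"; print_r($detail);
```

Running it once against a hand-created account and once against a provisioned one shows which attributes differ between the two entries.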