[ZendTo] Re: AD authentication - Solved
Jules
Jules at ZendTo.com
Tue Jul 27 19:46:22 BST 2010
On 27/07/2010 18:41, Brad Beckenhauer wrote:
> Top -posting.
>
> I did a fresh install of 3.57-2/Centos-64 from the ISO this morning.
>
> I've been working on resolving my AD authentication issue all morning only to figure out that the problem is not with Zendto or the configuration in the preferences file.
>
> The problem I was having authenticating against the AD tree was because the User Accounts in the tree where populated/created by an Identity Management Driver (IDM) and the driver apparently is not populating some field/attribute for the user account in the AD forest that Zendto needs ( Arggg!!).
>
The attributes it uses are all very common ones that should be present
in any AD forest. They are
mail
cn
displayName
I have just found that cn is only ever used once, and in a place where
displayName will work perfectly well, so I have removed cn. So the only
attributes it uses are mail and displayName, both of which should always
be present.
> I kinda stumbled into this when I tried logging in as the user defined as the 'authLDAPBindUser1' and it worked. So I manually created a test AD account and found that I could login as that user as well. So now our Microsoft guys need to figure out what is not populating...
>
> One tool I found useful for debugging was the ldapsearch utility ( yum install openldap-clients ),
>
>
> Enhancement request: When you get logged in and select the "drop-off" button, the next screen has a dialog box for your name and the Organization. Please consider increasing the size of the box for companies with LONG names ( American Academy of Family Physicians ).
>
You can change that in /opt/zendto/templates/verify.tpl (line 52, it
says "30" currently). Those template files are where the user interface
is defined, and you can change anything in here to change how the ZendTo
site looks to your users. Any changes you make sure will not be
overwritten by future upgrades of ZendTo if you are using the RPM.
However, I have just changed the default length of all 3 fields to be 45
characters instead of 30. This will be in the next release.
Jules.
> Thanks All
>
> Brad
>
>
>>>> On 7/22/2010 at 4:31 AM, in message<4C480FD8.3090207 at ZendTo.com>, Jules
>>>>
> <Jules at zendto.com> wrote:
>
>
>> On 22/07/2010 00:08, Brad Beckenhauer wrote:
>>
>>>
>>>
>>>>>> On 7/21/2010 at 4:25 PM, in message<4C471F700200006800059BD9 at smtp.aafp.org>,
>>>>>>
>>>>>>
>>> "Brad Beckenhauer"<bbecken at aafp.org> wrote:
>>>
>>>
>>>
>>>>
>>>>
>>>>>>> On 7/21/2010 at 3:14 PM, in message<4C475543.2050203 at ZendTo.com>, Jules
>>>>>>>
>>>>>>>
>>>> <Jules at zendto.com> wrote:
>>>>
>>>>
>>>>
>>>>> On 21/07/2010 20:57, Brad Beckenhauer wrote:
>>>>>
>>>>>
>>>>>> I just installed ZendTo/Centos-64 3.56-2 using the vm.
>>>>>> IMAP authentication works for my test account but I need to switch to
>>>>>> AD authentication for my internal clients.
>>>>>> I installed the openldap-client on the vm (yum install
>>>>>> openldap-client ) so I could use the utility for debugging.
>>>>>> I can run the ldap-search command and it returns a Success using the
>>>>>> below command line.
>>>>>> # ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x
>>>>>> -D"cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org" -W
>>>>>> "sAMAccountName=test"
>>>>>> Note that my Administrator is not in the same context as my user named
>>>>>> 'test'.
>>>>>> from: preferences.php
>>>>>> //'authenticator' => 'IMAP',
>>>>>> 'authenticator' => 'AD',
>>>>>> 'authLDAPAdmins' => array('test','admin2','admin3'),
>>>>>> 'authLDAPBaseDN1' => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>>>>>> 'authLDAPServers1' => array('MyADServer1','MyADServer2'),
>>>>>> 'authLDAPAccountSuffix1' => '@yyy.org'<mailto:%27 at yyy.org%27>,
>>>>>> 'authLDAPUseSSL1' => false,
>>>>>> 'authLDAPBindUser1' =>
>>>>>>
>>>>>>
>>>> 'cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org',
>>>>
>>>>
>>>>>> 'authLDAPBindPass1' => 'Secret Password for the above user is
>>>>>>
>>>>>>
>>>> entered here',
>>>>
>>>> I only used the Administrator account for testing while I was doing proof
>>>> concept for management. I'll go ahead and create a zendto user account.
>>>>
>>>> Ok, I created a new user account 'zendto' ( not an domain administrator) in
>>>> the same context as my user account.
>>>>
>>>> 'authenticator' => 'AD',
>>>> 'authLDAPAdmins' => array('test','admin2','admin3'),
>>>> 'authLDAPBaseDN1' => 'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',
>>>> 'authLDAPServers1' => array('MyADServer1','MyADServer2'),
>>>> 'authLDAPAccountSuffix1' => '@yyy.org'<mailto:%27 at yyy.org%27>,
>>>> 'authLDAPUseSSL1' => false,
>>>> 'authLDAPBindUser1' => 'zendto',
>>>> 'authLDAPBindPass1' => 'Secret Password for the above zendto user is
>>>> entered here',
>>>>
>>>> restart apache
>>>>
>>>> When I run:
>>>> ldapsearch -h MyADServer1 -b ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x
>>>> -D"cn=zendto,ou=ZendToUsers,dc=xxx,dc=yyy,dc=org" -W "sAMAccountName=zendto"
>>>>
>>>> The end of ldapsearch returns the below as well as the zendto user.:
>>>>
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>>
>>>> I'll keep playing with it.
>>>> Suggestions are welcome.
>>>>
>>>> thanks
>>>> Brad
>>>>
>>>>
>>>>
>>>>>> restart apache
>>>>>> service httpd restart
>>>>>> try to login on the webpage and I get two errors:
>>>>>> LDAP Error Check User: Unable to connect to any of the LDAP servers;
>>>>>> could not authenticate user.
>>>>>>
>>>>>>
>>>>> That mean exactly what it says. It couldn't ldap_bind() to any of the AD
>>>>> servers. The code is fairly simple to read, it's in
>>>>> NSSADAuthenticator.php in the validate function. I very much doubt your
>>>>> authLDAPBindUser1 is correct or usable. I don't think it supports the
>>>>> LDAPBindUser1 being in a totally different place from the other users.
>>>>> Create a user in the same place that has no permissions other than being
>>>>> able to read the directory, in the same place as everything else. It
>>>>> certainly does not need to be, and *shouldn't* be, an administrator, it
>>>>> should be able to do nothing other than read the AD. Then it should
>>>>> work. All you can put in authLDAPBindUser1 is a username, not a complete
>>>>> AD path.
>>>>>
>>>>> If you need to be able to do that, then I suggest you tweak
>>>>> NSSADAuthenticator.php so that it supports this.
>>>>>
>>>>> What it does is this:
>>>>> @ldap_bind($ldapConn,$this->_ldapBindUser,$this->_ldapBindPass)
>>>>>
>>>>>
>>>>>
>>> Ok, my PHP is pretty weak but I've been looking at the ldap_bind statements
>>>
>> in NSSADAuthenticator.php.
>>
>>> What I found interesting was the comment above the ldap_bind statement
>>>
>> "start TLS", I checked my preferences and authLDAPUseSSL1 was set to false.
>> So it should connect to my AD server without TLS if I understand the
>> preferences correctly.
>>
>>>
>>>
>> I didn't write much of this code, and yes that comment is rubbish.
>>
>>> On an whim, I tried to connect to my AD server (using ldapsearch) with TLS
>>>
>> and it would not connect, so I'll ask the AD server guys about that next
>> week.
>>
>>> I tried to find the @ldap_bind code to see if the bind was actually binding
>>>
>> using TLS ( and ignoring the authLDAPUseSSL1 statement ) or if just the
>> comment was misleading, but I could not find that section (I'll leave that to
>> the experts).
>>
>>>
>>>
>> The comment is indeed misleading, and has now gone.
>>
>>> So because the webpage told me to "Check User", I've been focusing on my AD
>>>
>> USER thinking that it was misconfigured/bad, when it's also possible that
>> the AD server does not have TLS working.
>>
>>> Perhaps consider tweaking the code to let the admin know that the problem
>>>
>> may not only be the AD USER, but that a TLS /LDAP connection could not be
>> made, therefore the AD user could not be validated/authenticated.
>>
>>>
>>>
>> If it connects to the LDAP server but could not bind, it now reports an
>> error back to the user including the LDAP error message which will
>> hopefully help you diagnose why it couldn't bind.
>>
>> If it cannot connect to the LDAP server at all, it just quietly fails
>> and tries the next one in the list.
>>
>> This will all be in the next release, which will be out soon.
>>
>> Cheers,
>> Jules.
>>
>>
>>> I apologize if some of the terminology above is incorrect.
>>>
>>>
>>> have a good week, I've enjoyed working on this and I'll continue next
>>>
>> week.
>>
>>> Brad
>>>
>>>
>>>
>>>
>>>>> So it takes the connection to the LDAP/AD server, with just a username
>>>>> and password. If that bind operation works, then it can proceed. If that
>>>>> fails, then you get the error you are seeing.
>>>>>
>>>>> Have you tried just setting
>>>>> 'authLDAPBindUser1' => 'Administrator',
>>>>> in your preferences.php?
>>>>>
>>>>>
>>>> yes - did not work
>>>>
>>>>
>>>>
>>>>> I still most definitely advise against using any sort of Administrator
>>>>> account for this, that will probably have far more privileges than it needs.
>>>>>
>>>>> You might even find that anonymous binds are allowed, they are in quite
>>>>> a lot of networks.
>>>>>
>>>>> Hope that helps a bit,
>>>>> Jules.
>>>>>
>>>>>
>>>>>> Authentication Error The username or password was incorrect.
>>>>>> beating my head on this and looking for a pointer on what I'm doing wrong.
>>>>>> I won't be able to work on this again until next Monday.
>>>>>> thanks
>>>>>> Brad
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> ZendTo mailing list
>>>>>> ZendTo at zendto.com
>>>>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>>>>
>>>>>>
>>>>>>
>>>>> Jules
>>>>>
>>>>>
>>>> _______________________________________________
>>>> ZendTo mailing list
>>>> ZendTo at zendto.com
>>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>>
>>>>
>>> _______________________________________________
>>> ZendTo mailing list
>>> ZendTo at zendto.com
>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>
>>>
>> Jules
>>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zendto.com
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
Jules
--
Julian Field MEng CITP CEng
www.ZendTo.com
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
More information about the ZendTo
mailing list