[ZendTo] Re: AD/LDAP Authentication Help
Jules
Jules at Zend.To
Wed Mar 9 13:25:49 GMT 2011
On 08/03/2011 23:34, Craig Chambers wrote:
> Hello,
>
> I am having issues getting LDAP/AD authentication to work. I have read
> the archives and they all mention using ldapsearch to test your
> settings but I am not sure exactly how the ldapsearch strings match
> the fields in the preferences.php file.
>
> If I run the following ldapsearch, which seems to be the shortest
> string that will return the expected results, (items in brackets are
> of course substituted with valid information) :
>
> ~$ ldapsearch -w <mypassword> -D LDAP@<domain>.local -H
> ldap://<server ip> -b
> "ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=<domain>,dc=local"
> sAMAccountName
>
>
> I get a list of the users in the AllowedUsers OU so it looks like I
> can query the LDAP server. However when I try and translate this to
> the preferences.php file I get:
>
> LDAP Error: Unable to connect to any of the LDAP servers; could
> not authenticate user.
> Authentication Error: The username or password was incorrect.
>
The "-D" you are passing in with the "-w" doesn't authenticate
correctly. Why do you need to specify the @<domain>.local, surely just
"LDAP" should work as the rest should be taken by default.
>
>
> I currently have both LDAP and AD active in the preference.php file to
> see if I could get either to work which is why I assume I am getting
> two error messages.
That will definitely break it. You must only have 1 "authenticator =
....." line uncommented, otherwise the first one will probably get
overridden by the later ones.
Leave all the settings in the LDAP section commented out, for starters.
Try this set for the AD ones:
'authenticator' => 'AD',
'authLDAPBaseDN1' =>
'ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=<domain>,dc=local',
'authLDAPServers1' => array('<server ip>'),
'authLDAPAccountSuffix1' => '',
'authLDAPUseSSL1' => false,
'authLDAPBindUser1' => 'LDAP@<domain>.local',
'authLDAPBindPass1' => '<mypassword>',
'authLDAPOrganization1' => '<your organisation name>',
'authLDAPBaseDN2' => '',
'authLDAPServers2' => array(),
'authLDAPAccountSuffix2' => '',
'authLDAPUseSSL2' => false,
'authLDAPBindUser2' => '',
'authLDAPBindPass2' => '',
'authLDAPOrganization2' => '',
If you want to restrict it to certain "allowed users", then instead of
putting it in the authLDAPBaseDN1, use the settings immediately below it
like this:
// If both of these are set, then only users who are members of the given
// role/group can log in to ZendTo.
'authLDAPMemberKey' => 'memberOf',
'authLDAPMemberRole' =>
'cn=AllowedUsers,OU=Users,OU=MyBusiness,dc=<domain>,dc=local',
and hence just add your users to the group "Allowed Users" within the
OU=Users subtree. So let any user authenticate, just only allow the
users in that you want. They should get a more sensible error message
then too.
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
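Craig's question was how the ldapsearch arguments line up with the preferences.php fields. As an added example (not ZendTo's code, nor from either poster), the script below takes the AD settings from the reply, with the same placeholder values as the thread, and builds the equivalent ldapsearch command plus the memberOf filter the group restriction implies, escaping the login name as RFC 4515 requires so a typed-in name cannot change the filter.

```python
import shlex

# Constructed sample mirroring the 'AD' block in the reply. Per the reply,
# the group restriction goes in authLDAPMemberRole, so the base DN is the
# Users OU rather than the AllowedUsers OU. Angle-bracket values are placeholders.
PREFS = {
    "authLDAPServers1": ["<server ip>"],
    "authLDAPBaseDN1": "ou=Users,ou=MyBusiness,dc=<domain>,dc=local",
    "authLDAPBindUser1": "LDAP@<domain>.local",
    "authLDAPBindPass1": "<mypassword>",
    "authLDAPUseSSL1": False,
    "authLDAPMemberKey": "memberOf",
    "authLDAPMemberRole": "cn=AllowedUsers,OU=Users,OU=MyBusiness,dc=<domain>,dc=local",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (\\ * ( ) NUL -> \\xx)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def member_filter(prefs: dict, username: str) -> str:
    """Filter for one account; also requires group membership when the
    authLDAPMemberKey/authLDAPMemberRole pair is set."""
    user = escape_filter_value(username)
    key, role = prefs.get("authLDAPMemberKey"), prefs.get("authLDAPMemberRole")
    if key and role:
        return "(&(sAMAccountName=%s)(%s=%s))" % (user, key, escape_filter_value(role))
    return "(sAMAccountName=%s)" % user


def ldapsearch_argv(prefs: dict, username: str) -> list:
    """argv for an ldapsearch that binds and searches the way the settings say.
    -x forces a simple bind, which is what PHP's ldap_bind with a DN and
    password performs; the URL scheme follows authLDAPUseSSL1."""
    scheme = "ldaps" if prefs.get("authLDAPUseSSL1") else "ldap"
    return ["ldapsearch", "-x",
            "-H", "%s://%s" % (scheme, prefs["authLDAPServers1"][0]),
            "-D", prefs["authLDAPBindUser1"], "-w", prefs["authLDAPBindPass1"],
            "-b", prefs["authLDAPBaseDN1"],
            member_filter(prefs, username), "sAMAccountName", "memberOf"]


if __name__ == "__main__":
    # Print a shell-safe command line to paste into a terminal for testing.
    print(" ".join(shlex.quote(a) for a in ldapsearch_argv(PREFS, "craig")))
```

A search that returns the user with the group DN in memberOf confirms the bind user, base DN and group DN before they go into preferences.php; an empty result with no bind error points at the group or base DN rather than the credentials.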