[ZendTo] Re: AD/LDAP Authentication Help

Jules Jules at Zend.To
Fri Mar 18 08:48:15 GMT 2011



On 17/03/2011 22:38, Craig Chambers wrote:
> Hi Jules,
>
> Unfortunately, that didn't seem to work. Still getting "Authentication 
> Error: The username or password was incorrect." I am wondering if it 
> is something more fundamental that is the problem. It appears that via 
> SSL, TLS does not work because my AD server's certificate isn't trusted 
> even though I tried to add it to the trusted list. But I am not sure 
> if that matters since I have SSL set to false. When set to false does 
> it use Kerberos for authentication or does it just send authentication 
> credentials in the clear?
If SSL is set to false it works exactly as it would normally, it just 
sends everything in the clear.
If your AD doesn't have a proper certificate, then you will have all 
sorts of nasty problems making things work. You really need a proper SSL 
certificate.
>
> I also tried setting up users manually using the user management php 
> scripts but when I try and run:
>
>     ~$ sudo /opt/zendto/bin/listusers.php /opt/zendto/config/preferences.php
>
>
> I get the following message:
>
>     PHP Notice:  Undefined index: HTTPS in
>     /opt/zendto/lib/NSSDropbox.php on line 40
>     PHP Notice:  Undefined index: SERVER_NAME in
>     /opt/zendto/lib/NSSDropbox.php on line 40
>     PHP Notice:  Undefined index: REQUEST_URI in
>     /opt/zendto/lib/NSSDropbox.php on line 40
>
They are just "Notices" as it says, and they have no effect on the 
execution of the code. You need to set the "error_reporting" option 
correctly in your php.ini to stop these appearing.

> At this point I have spent about a solid week trying to figure this 
> out and am about to throw in the towel as this is obviously above my 
> (admittedly limited) abilities. I would like to have this running for our 
> office however, so I am willing; if anyone has any other ideas or can 
> help further I am all ears. In fact at this point, depending on the 
> cost, I would be willing to pay someone to help me set this up. I can 
> even set up a new VM with ssh and/or VNC credentials so that we are 
> sure my mucking about hasn't created more problems than were there 
> originally.
I will happily help you out. Without using SSL for your AD, the 
credentials will still be encrypted from the end user to the ZendTo 
server, they will just be plaintext from the ZendTo server to the AD 
server. That may or may not be a problem for you. Clearly you have 
something amiss with your AD's SSL certificate, so I would advise trying 
to get it working without SSL first, to prove that everything else is right.

Also, I don't like the "LDAP at yourdomain.local" as the username, surely 
just "ldap" should work okay as the user.

Jules.

>
> Let me know,
>
> - Craig
>
>
> From: Jules <Jules at zend.to <mailto:Jules at zend.to>>
> Organization: ZendTo
> Reply-To: ZendTo Users <zendto at zend.to <mailto:zendto at zend.to>>
> Date: Wed, 09 Mar 2011 13:25:49 +0000
> To: ZendTo Users <zendto at zend.to <mailto:zendto at zend.to>>
> Subject: [ZendTo] Re: AD/LDAP Authentication Help
>
>
>
> On 08/03/2011 23:34, Craig Chambers wrote:
>> Hello,
>>
>> I am having issues getting LDAP/AD authentication to work. I have 
>> read the archives and they all mention using ldapsearch to test your 
>> settings but I am not sure exactly how the ldapsearch strings match 
>> the fields in the preferences.php file.
>>
>> If I run the following ldapsearch, which seems to be the shortest 
>> string that will return the expected results, (items in brackets are 
>> of course substituted with valid information) :
>>
>>     ~$ ldapsearch -w <mypassword> -D LDAP@<domain>.local -H ldap://<server ip> -b "ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=<domain>,dc=local" sAMAccountName
>>
>>
>>  I get a list of the users in the AllowedUsers OU so it looks like I 
>> can query the LDAP server. However when I try and translate this to 
>> the preferences.php file I get:
>>
>>     LDAP Error: Unable to connect to any of the LDAP servers; could not authenticate user.
>>     Authentication Error: The username or password was incorrect.
>>
> The "-D" you are passing in with the "-w" doesn't authenticate 
> correctly. Why do you need to specify the @<domain>.local, surely just 
> "LDAP" should work as the rest should be taken by default.
>>
>>
>> I currently have both LDAP and AD active in the preference.php file 
>> to see if I could get either to work which is why I assume I am 
>> getting two error messages.
> That will definitely break it. You must only have 1 "authenticator = 
> ....." line uncommented, otherwise the first one will probably get 
> overridden by the later ones.
>
> Leave all the settings in the LDAP section commented out, for starters.
>
> Try this set for the AD ones:
>
>   'authenticator'          => 'AD',
>   'authLDAPBaseDN1'        => 'ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=<domain>,dc=local',
>   'authLDAPServers1'       => array('<server ip>'),
>   'authLDAPAccountSuffix1' => '',
>   'authLDAPUseSSL1'        => false,
>   'authLDAPBindUser1'      => 'LDAP@<domain>.local',
>   'authLDAPBindPass1'      => '<mypassword>',
>   'authLDAPOrganization1'  => '<your organisation name>',
>   'authLDAPBaseDN2'        => '',
>   'authLDAPServers2'       => array(),
>   'authLDAPAccountSuffix2' => '',
>   'authLDAPUseSSL2'        => false,
>   'authLDAPBindUser2'      => '',
>   'authLDAPBindPass2'      => '',
>   'authLDAPOrganization2'  => '',
>
> If you want to restrict it to certain "allowed users", then instead of 
> putting it in the authLDAPBaseDN1, use the settings immediately below 
> it like this:
>
>   // If both of these are set, then only users who are members of the given
>   // role/group can log in to ZendTo.
>   'authLDAPMemberKey'      => 'memberOf',
>   'authLDAPMemberRole'     => 'cn=AllowedUsers,OU=Users,OU=MyBusiness,dc=<domain>,dc=local',
>
> and hence just add your users to the group "Allowed Users" within the 
> OU=Users subtree. So let any user authenticate, just only allow the 
> users in that you want. They should get a more sensible error message 
> then too.
> Jules
>
> -- 
> Julian Field MEng CITP CEng
> www.Zend.To
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'All programs have a desire to be useful' - Tron, 1982
> _______________________________________________ ZendTo mailing list 
> ZendTo at zend.to <mailto:ZendTo at zend.to> 
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982
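The thread never pins down which of the authenticator's steps is actually failing, nor how the preferences.php keys line up with ldapsearch flags. The script below is an added diagnostic written for this page; it is not ZendTo code and does not call into ZendTo. It uses only PHP's ldap extension and performs, one at a time, the steps an AD authenticator has to perform: connect, bind as the service account, look the user up by sAMAccountName, check the memberOf restriction, then bind as the user with the password being tested. Each step carries its ldapsearch equivalent as a comment. The server, base DN, bind account and group DN are the placeholders from the thread; `caCertFile` is an assumed extra setting for this script, not a ZendTo preference; and the `objectClass=user` clause in the filter is this script's choice.

```php
<?php
// ad_auth_check.php: added diagnostic, not part of ZendTo. Walks the steps an
// AD authenticator performs, one at a time, and stops at the first one that fails.
// Needs PHP >= 7.1 with ext/ldap.  Usage: php ad_auth_check.php <sAMAccountName> <password>

// Constructed placeholder values mirroring the preferences.php keys from the thread.
$cfg = [
    'authLDAPServers1'   => ['<server ip>'],
    'authLDAPUseSSL1'    => false,   // false: ldap://389, every password crosses the wire in clear text
    'authLDAPBaseDN1'    => 'ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=<domain>,dc=local',
    'authLDAPBindUser1'  => 'LDAP@<domain>.local',   // AD accepts a UPN as the simple-bind name
    'authLDAPBindPass1'  => '<mypassword>',
    'authLDAPMemberKey'  => 'memberOf',              // leave MemberRole as '' to skip the group check
    'authLDAPMemberRole' => 'cn=AllowedUsers,OU=Users,OU=MyBusiness,dc=<domain>,dc=local',
    'caCertFile'         => '',   // assumed extra setting (not a ZendTo preference): PEM of the CA that issued the DC's certificate
];

function fail(string $step, $conn = null): void
{
    $detail = $conn ? ' (' . ldap_error($conn) . ')' : '';
    fwrite(STDERR, "FAILED at step: $step$detail\n");
    exit(1);
}

$user = $argv[1] ?? '';
$password = $argv[2] ?? '';
if ($user === '' || $password === '') {
    // An empty password is an unauthenticated bind, which AD answers with success;
    // a login form that forwarded it would let anyone in. Refuse it up front.
    fwrite(STDERR, "usage: php ad_auth_check.php <sAMAccountName> <password>\n");
    exit(2);
}

// Step 1: connect.  ldapsearch equivalent: -H ldap://<server ip>  (or -H ldaps://<server ip>)
$scheme = $cfg['authLDAPUseSSL1'] ? 'ldaps' : 'ldap';
$port = $cfg['authLDAPUseSSL1'] ? 636 : 389;
if ($cfg['authLDAPUseSSL1'] && $cfg['caCertFile'] !== '') {
    // Trust the DC's issuing CA explicitly rather than disabling verification:
    // LDAP_OPT_X_TLS_REQUIRE_CERT => LDAP_OPT_X_TLS_NEVER would accept any certificate
    // and leave LDAPS no stronger than plaintext against an on-path attacker.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cfg['caCertFile']);
}
$conn = false;
foreach ($cfg['authLDAPServers1'] as $host) {
    $conn = ldap_connect("$scheme://$host:$port");
    if ($conn) {
        break;
    }
}
if (!$conn) {
    fail('connect');
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // AD returns referrals; chasing them breaks searches

// Step 2: bind as the service account.  ldapsearch: -D 'LDAP@<domain>.local' -w '<mypassword>'
// With SSL on, a certificate-trust problem surfaces here, not at ldap_connect().
if (!@ldap_bind($conn, $cfg['authLDAPBindUser1'], $cfg['authLDAPBindPass1'])) {
    fail('service-account bind', $conn);
}

// Step 3: find the user.  ldapsearch: -b '<base DN>' '(sAMAccountName=<user>)' dn memberOf
// ldap_escape() stops a username such as '*)(objectClass=*' from rewriting the filter.
$filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
$res = @ldap_search($conn, $cfg['authLDAPBaseDN1'], $filter, ['dn', $cfg['authLDAPMemberKey']]);
if (!$res) {
    fail('user search', $conn);
}
$entries = ldap_get_entries($conn, $res);
if ($entries['count'] !== 1) {
    fail("user lookup: expected exactly 1 entry, got {$entries['count']}");
}
$userDn = $entries[0]['dn'];

// Step 4: group restriction.  ldap_get_entries() lower-cases attribute names, and LDAP DNs
// compare case-insensitively (the thread mixes 'OU=' and 'ou='), so normalise both sides.
if ($cfg['authLDAPMemberRole'] !== '') {
    $key = strtolower($cfg['authLDAPMemberKey']);
    $groups = [];
    for ($i = 0; $i < ($entries[0][$key]['count'] ?? 0); $i++) {
        $groups[] = strtolower($entries[0][$key][$i]);
    }
    if (!in_array(strtolower($cfg['authLDAPMemberRole']), $groups, true)) {
        fail("group check: $userDn is not a direct member of {$cfg['authLDAPMemberRole']}");
    }
}

// Step 5: prove the password by binding as the user.
// ldapsearch: -D '<user DN>' -w '<password>' -b '<user DN>' -s base
if (!@ldap_bind($conn, $userDn, $password)) {
    fail('user password bind', $conn);
}
echo "OK: $userDn authenticated\n";
ldap_unbind($conn);
```

Run it on the ZendTo host as `php ad_auth_check.php jdoe 'secret'` with the same values you have in preferences.php; the step it stops at is the one to fix. Two caveats a practitioner will want: memberOf lists direct memberships only, so a user who is in AllowedUsers via a nested group fails step 4 unless the search is changed to the AD matching-rule form `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`; and with `authLDAPUseSSL1` false, the service-account password and every user's password travel in clear text between this host and the domain controller, exactly as Jules describes, so use that setting to isolate the fault and then return to LDAPS with the DC's CA in `caCertFile` (or the system trust store) rather than leaving it off.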
