[ZendTo] Re: AD/LDAP Authentication Help

Jules Jules at Zend.To
Tue Mar 29 09:24:40 BST 2011 

And this Google search "+php +ldaps bind microsoft +sbs" seems to have 
produced quite a few useful documents that I would recommend reading.

Don't forget you can use a web browser as a connection tester, you just 
have to ask it to connect to the LDAPS port number instead of its 
default (80) and if you get a page not found or similar then the SSL 
negotiation worked. Sometimes useful.

On 28/03/2011 23:17, Craig Chambers wrote:
> First let me apologize for the length of this email. When I get into 
> situations like this I find it is best to be as detailed as possible 
> as it is usually some assumption or unsaid detail that turns out to be 
> the solution.
>
> Second, I think I am having other, more fundamental issues than just 
> certificate/AD authentication errors since I can't seem to add new 
> users using the included scripts. Here is the message I get when I try 
> to add a user with the adduser.php script:
>
>     ~$ sudo /opt/zendto/bin/adduser.php
>     /opt/zendto/bin/preferences.php 'MyAdmin' '<password>' '<email
>     address>' 'Administrator' '<organization>'
>
>     PHP Warning: include(/opt/zendto/bin/preferences.php): failed to
>     open stream: No such file or directory in
>     /opt/zendto/bin/adduser.php on line 28
>     PHP Warning: include(): Failed opening
>     '/opt/zendto/bin/preferences.php' for inclusion
>     (include_path='.:/usr/share/php:/usr/share/pear') in
>     /opt/zendto/bin/adduser.php on line 28
>     PHP Notice: Use of undefined constant NSSDROPBOX_LIB_DIR - assumed
>     'NSSDROPBOX_LIB_DIR' in /opt/zendto/bin/adduser.php on line 29
>     PHP Warning: require_once(NSSDROPBOX_LIB_DIRSmartyconf.php):
>     failed to open stream: No such file or directory in
>     /opt/zendto/bin/adduser.php on line 29
>     PHP Fatal error: require_once(): Failed opening required
>     'NSSDROPBOX_LIB_DIRSmartyconf.php'
>     (include_path='.:/usr/share/php:/usr/share/pear') in
>     /opt/zendto/bin/adduser.php on line 29
>
> Is this permissions related? I assume I need to use sudo because I get 
> the usage message when trying to add users without and lots of 
> permission errors when using the listusers script.
>
> Finally let me address the certificate issue.
>
>     /"If your AD doesn't have a proper certificate, then you will have
>     all sorts of nasty problems making things work. You really need a
>     proper SSL certificate."/
>
> Let me start of by saying that the LDAP server I am authenticating to 
> is SBS 2008. As with most SBS boxes, this server has an internal name 
> of server.domain.local but also can be reached externally from 
> remote.externaldomain.com. For those reading this who may not know, 
> SBS creates several certificates when it is set up. First it creates a 
> self signed root certificate for all other certificates issued by that 
> server. The certificate name is DOMAIN-SERVER-CA. It also creates 
> an  Alternative Name Certificate (sometimes called SAN or 
> UC) certificate whose trusted root is DOMAIN-SERVER-CA. with a 
> cn=remote.externaldomain.com but that includes server.doamin.local as 
> an alternative name. This is the certificate that the domain uses for 
> LDAP and AD encryption and authentication.
>
> To create a publicly trusted certificate you can run a wizard (which 
> when talking to MS SBS support, highly recommends using) which will 
> allow you to create a certificate that is signed by a trusted third 
> party (verisign, equifax, etc). The only issue with this public 
> certificate is that it is a simple SSL web certificate made to 
> validate remote.externaldomain.com and is NOT an Alternate Name 
> Certificate. MS support has confirmed that this certificate is only 
> used for email and Remote Web Workplace access. It is not and cannot 
> be used for LDAP authentication. MS Active Directory support has told 
> me that the certificate used for LDAP validation MUST include the 
> server name (I.e. SERVER.domain.local and NOT 
> remote.externaldomain.com) This leaves an SBS server with three 
> supported certificate options:
>
>    1. Use the DOAMIN-SERVER-CA self-signed cert for authentication and
>       put a copy of its public key in the Ubuntu servers list of
>       trusted certificates (can't get that to work)
>    2. Obtain an Alternative Name Certificate (expensive relative to
>       the simple web certificate. Possible to do would prefer a
>       cheaper alternative)
>    3. Use the self-signed remote.domain.com certificate and have the
>       zendto server ignore trust errors, which would allow encryption
>       but in theory would expose you to a man in the middle attack.
>       (Not sure if this is possible)
>
>
> The first and third options are the least expensive except and 
> therefore preferable. I have tried installing the certificate on the 
> Ubuntu server in several places but the SERVER-DOMAIN-CA certificate 
> is still read as untrusted by gnutls-cli. I am not sure if this is a 
> gnutls error or a certificate problem. Maybe it doesn't matter since 
> the handshake is occurring internally and if encryption is occurring 
> anyway (not sure if it is or not). For now, a man-in --the-middle 
> attack on my internal network isn't a big concern.
>
> After playing around with the ldp.exe utility and ldapsearch here is a 
> list of what works and doesn't. I am including the ldp.exe list 
> because that at least lets us know what is working from a windows 
> perspective.
>
> ===LDP.EXE===
> Connecting to the server <server.domain.local> *with* SSL (port 636) = 
> works (SSL over 389 does not work but that isn't surprising)
> Supported SASL Mechanisms are listed as: GSSAPI; GSS-SPNEGO; EXTERNAL; 
> DIGEST-MD5;
>
> *Start TLS* = failed (I assume this is because am already connected to 
> the server via SSL)
>
>     *Bind Simple* with DOMAIN\LDAP or LDAP at domain.local
>     <mailto:LDAP at domain.local> and < LDAP password> = Authenticated as
>     DOMAIN\LDAP
>     *
>     *
>     *Bind Simple* using only LDAP and <password> (no domain) = Failed,
>     Invalid Credentials
>     *
>     *
>     *Bind Simple with no credentials* = Authenticated as NT
>     Authority\Anonymous Login
>
>     *Bind with credentials* USER:LDAP PASSWORD:<password>
>     DOMAIN:domain = Authenticated as DOMAIN\LDAP
>     *B**ind Advanced (DIGEST)* with USER:LDAP PASSWORD:<password>
>     DOMAIN:domain = Failed Server error: 8009030C: LdapErr:
>     DSID-0C0904D1, comment: AcceptSecurityContext error, data 52e,
>     v1772Error 0x8009030C The logon attempt failed
>     *
>     *
>     *B**ind Advanced (SASL) *= Failed. Error <7>: ldap_bind_s()
>     failed: Authentication Method Not Supported.
>
> Connecting to the server <server.domain.local> *without* SSL (port 
> 389) = works same result as above
>
> *Start TLS* = worksldap_start_tls_s(ld, &retValue, result, SvrCtrls, 
> ClntCtrls) result <0>
> All the bind results are the same
>
> ===GNUTLS===
> Running "gnutls-cli --print-cert -p 636 server.domain.local" from the 
> Ubuntu box I get:
>
>     - Successfully sent 0 certificate(s) to server.
>     - Server has requested a certificate.
>     - Certificate type: X.509
>      - Got a certificate list of 1 certificates.
>      - Certificate[0] info:
>       - subject `CN=remote.externaldomain.com', issuer
>     `CN=domain-SERVER-CA', RSA key 2048 bits, signed using RSA-SHA
>
>     -----BEGIN CERTIFICATE-----
>     <Certificate key>
>     -----END CERTIFICATE-----
>
>     - The hostname in the certificate matches 'server.domain.local'.
>     - Peer's certificate issuer is unknown
>     - Peer's certificate is NOT trusted
>     - Version: TLS1.0
>     - Key Exchange: RSA
>     - Cipher: AES-128-CBC
>     - MAC: SHA1
>     - Compression: NULL
>     - Handshake was completed
>
>     - Simple Client Mode:
>
> ===LDAPSEARCH===
> And finally some different ldapsearch results:
>
>     ~$ ldapsearch -D LDAP -H ldaps://server.domain.local -b
>     "ou=Users,,dc=doamin,dc=local" sAMAccountName
>     ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
>     ldapsearch -w <password> -D LDAP at domain.local -H
>     ldap://server.domain.local -b "ou=Users,dc=domain,dc=local"
>     sAMAccountName
>     WORKS! Lists users.
>
>     ~$ ldapsearch -w
>     X0YnUm7NVHjdGJK0ncSOkAlmmyPHYN15X6oPWOtrvhu1aGEMCm -D LDAPQuery -H
>     ldap://thor.henryv.local -b
>     "ou=SBSUsers,ou=Users,ou=MyBusiness,dc=henryv,dc=local" sAMAccountName
>     ldap_bind: Invalid credentials (49)
>     additional info: 80090308: LdapErr: DSID-0C0903AA, comment:
>     AcceptSecurityContext error, data 525, v1772
>     (I assume this is related to the ldp.exe error using simple bind
>     with no @domain.local)
>
>
> If you want ssh or vnc access to the server please contact me outside 
> the mailing list for login credentials.
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110329/22ea216b/attachment-0001.html

More information about the ZendTo mailing list