[ZendTo] Re: AD Authentication

Jules Jules at Zend.To
Wed Jun 6 09:19:56 BST 2012



On 01/06/2012 21:03, Kevin Miller wrote:
> Having a bit of trouble with AD authentication.
>
> Our AD domain is cbj.local (strictly internal) while our publicly viewable internet and email domain is ci.juneau.ak.us.
> Server is centos 6, mysql backend, named zendto.ci.juneau.ak.us
>
> When I fire up the web page I get error notices at the top of the page and corresponding messages in /var/log/http/error.log:
>
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 42
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 48
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: authLDAPAdmins in /opt/zendto/lib/NSSADAuthenticator.php on line 83
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: authLDAPMemberKey in /opt/zendto/lib/NSSADAuthenticator.php on line 104
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: authLDAPMemberRole in /opt/zendto/lib/NSSADAuthenticator.php on line 105
They're harmless. Alter your PHP settings so that it doesn't log errors 
on notices.
>
> What am I doing wrong there - what's missing?
Nothing.
>
> When I try to log in, the following is displayed on the web page:
> -----------------------------------------------------------
> Connected to city-dc1.cbj.local but could not bind, it said
> 	Invalid credentials
> Connected to city-dc2.cbj.local but could not bind, it said
> 	Invalid credentials
>   	LDAP Error
> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
> 	LDAP Error
> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
>   	LDAP Error
> Check User: Unable to connect to any of the LDAP servers; could not authenticate user.
>   	Authentication Error
> The username or password was incorrect.
> -----------------------------------------------------------
>
> The username and password specified in authLDAPBindUser1 and authLDAPBindPass1 are valid.  I've logged into the domain using them.
In which case you aren't binding correctly to your AD servers. A good 
way to get these settings right if you're not sure is to play with the 
"ldapsearch" command until you get it to connect and give you the right 
information.

ldapsearch -x -LLL -E pr=200/noprompt -h AD-SERVER-NAME-HERE \
    -D 'USERNAME-HERE' -w 'PASSWORD-HERE' -b 'BASEDN-HERE' -s sub \
    '(sAMAccountName=*)' cn mail memberOf

Once you get everything right (obviously do all the "-HERE" 
substitutions) it will spit out the username, email address and 
memberships of every user. Then you know the server name, username, 
password and BaseDN to set in preferences.php.

sAMAccountName should be the username, not the full name. If it is, then 
your AD is seriously screwed.

>
> Do I need to install samba and winbind to use AD authentication?  It doesn't seem to be mentioned in the instructions anywhere so I haven't.
No you don't need Samba or winbind at all, it will happily talk straight 
to AD servers.

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
  I see it shining plain,
  The happy highways where I went,
  And cannot come again.' - A. E. Housman
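The ldapsearch test above checks the settings from the command line; the script below performs the same bind-then-search from PHP's ldap extension, which is what an AD-backed PHP login ultimately does. It is an added example, not ZendTo's code or its NSSADAuthenticator: the server names, bind account, password and base DN are placeholders (or environment variables) you substitute, and the attribute list matches the ldapsearch command in the thread. On an "Invalid credentials" failure it also decodes the AD-specific "data" sub-code from the server's diagnostic message, which separates a wrong password from a wrong bind identity, a disabled account or a lockout.

```php
<?php
// Stand-alone AD bind/search check (added example, not ZendTo code).
// Usage: AD_SERVERS=dc1,dc2 AD_BIND_USER=... AD_BIND_PASS=... AD_BASE_DN=... php ad-bind-check.php 'someuser'
// All default values below are placeholders to be replaced.
$servers  = explode(',', getenv('AD_SERVERS')  ?: 'dc1.example.local,dc2.example.local');
$bindUser = getenv('AD_BIND_USER') ?: 'svc-zendto@example.local'; // UPN, DOMAIN\user or full DN all work for an AD simple bind
$bindPass = getenv('AD_BIND_PASS') ?: 'BIND-PASSWORD-HERE';
$baseDn   = getenv('AD_BASE_DN')   ?: 'DC=example,DC=local';
$lookup   = $argv[1] ?? 'someuser';                               // sAMAccountName (the login name, not the full name)

// Hex "data" codes Active Directory appends to the diagnostic message of a
// failed bind (LDAP result 49). They are AD-specific, not part of LDAP itself.
$adSubcodes = [
    '525' => 'user not found',      '52e' => 'wrong password',
    '530' => 'logon hours restriction', '532' => 'password expired',
    '533' => 'account disabled',    '701' => 'account expired',
    '773' => 'must reset password', '775' => 'account locked out',
];

// Build a readable reason for a failed bind from errno, error text and AD sub-code.
function explainBindFailure($ds, array $adSubcodes): string {
    $text = ldap_errno($ds) . ': ' . ldap_error($ds);
    $diag = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    if (is_string($diag) && preg_match('/data ([0-9a-f]+)/i', $diag, $m)) {
        $code = strtolower($m[1]);
        $text .= ' (AD data ' . $code . ': ' . ($adSubcodes[$code] ?? 'unknown sub-code') . ')';
    }
    return $text;
}

foreach ($servers as $server) {
    $server = trim($server);
    echo "== $server\n";
    // ldap_connect only prepares the handle; connection errors surface at bind time.
    $ds = ldap_connect("ldap://$server");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD hands out referrals that break whole-domain searches
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast on an unreachable DC

    if (!@ldap_bind($ds, $bindUser, $bindPass)) {
        echo "bind as $bindUser failed: " . explainBindFailure($ds, $adSubcodes) . "\n";
        ldap_unbind($ds);
        continue;                                       // try the next server, as the login code would
    }
    echo "bind OK\n";

    // Same attributes the ldapsearch command requests; the filter value is escaped
    // so a stray '*' or ')' in the lookup name cannot change the query.
    $filter = '(sAMAccountName=' . ldap_escape($lookup, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_search($ds, $baseDn, $filter, ['cn', 'mail', 'memberOf']);
    if ($sr === false) {
        echo "search under $baseDn failed: " . ldap_errno($ds) . ': ' . ldap_error($ds) . "\n";
        ldap_unbind($ds);
        continue;
    }

    $entries = ldap_get_entries($ds, $sr);              // attribute names come back lower-cased
    echo "matched {$entries['count']} entry/entries for $filter\n";
    for ($i = 0; $i < $entries['count']; $i++) {
        $e = $entries[$i];
        echo '  dn:       ' . $e['dn'] . "\n";
        echo '  cn:       ' . ($e['cn'][0] ?? '') . "\n";
        echo '  mail:     ' . ($e['mail'][0] ?? '') . "\n";
        $groups = $e['memberof'] ?? ['count' => 0];
        for ($g = 0; $g < $groups['count']; $g++) {
            echo '  memberOf: ' . $groups[$g] . "\n";
        }
    }
    ldap_unbind($ds);
    break;                                              // one working server is enough for the check
}
```

A bind that fails on every server with data 52e means the bind account's password is wrong; 525 means the identity in the bind string was not recognised at all, which is the usual result when a bare sAMAccountName is given where AD expects a UPN (user@cbj.local), DOMAIN\user or a full DN. The search step then confirms the base DN: a successful bind followed by zero matches for a known user points at the base DN or the attribute, not the credentials. For anything beyond a one-off diagnosis, use ldaps:// or call ldap_start_tls() before ldap_bind(), since a simple bind otherwise sends the password in clear text.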


