[ZendTo] Re: AD Authentication

Scott B. Anderson sbanderson at impromed.com
Wed Jun 6 14:45:10 BST 2012


Thanks for the assistance using the ldapsearch command to test, I finally think I can get away from using local authentication.  That said, I'm not sure what to set authLDAPBindDn and authLDAPOrganization to.  The example shows o= and a uid= parameter, but my basedn is actually like 'CN=Firstname MI Lastname,OU=MyOu,OU=MyParentOU,DC=mydomain,DC=mydomainsuffix'.   The only place I see an o= attribute is my LegacyExchangeDN, but that contains an o=, ou=, and two cn= attributes (and won't work for my final target user, which won't have a legacyExchangeDN property set).
In addition, I'm not sure which AD property authLDAPOrganization should be set to.  I tried the distinguished name of the domain (which is 'DC=mydomain,DC=mydomainsuffix') and I tried the dc attribute, which is just 'mydomain'.  I might already have this correct, as when I set my authLDAPBindDN to my user basedn it hangs for a long time (2 minutes) then comes back and says 'Authentication Error, the username or password was incorrect.'  I know I typed it correctly and it works in the previous ldapsearch command.

Thanks in advance for any additional assistance you can provide, it is appreciated.

Scott Anderson

-----Original Message-----
From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Jules
Sent: Wednesday, June 06, 2012 3:20 AM
To: ZendTo Users
Subject: [ZendTo] Re: AD Authentication



On 01/06/2012 21:03, Kevin Miller wrote:
> Having a bit of trouble with AD authentication.
>
> Our AD domain is cbj.local (strictly internal) while our publicly viewable internet and email domain is ci.juneau.ak.us.
> Server is centos 6, mysql backend, named zendto.ci.juneau.ak.us
>
> When I fire up the web page I get error notices at the top of the page and corresponding messages in /var/log/http/error.log:
>
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 42
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 48
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: authLDAPAdmins in /opt/zendto/lib/NSSADAuthenticator.php on line 83
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: authLDAPMemberKey in /opt/zendto/lib/NSSADAuthenticator.php on line 104
> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index: authLDAPMemberRole in /opt/zendto/lib/NSSADAuthenticator.php on line 105
They're harmless. Alter your PHP settings so that it doesn't log errors on notices.
>
> What am I doing wrong there - what's missing?
Nothing.
>
> When I try to log in, the following is displayed on the web page:
> -----------------------------------------------------------
> Connected to city-dc1.cbj.local but could not bind, it said
>       Invalid credentials
> Connected to city-dc2.cbj.local but could not bind, it said
>       Invalid credentials
>       LDAP Error
> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
>       LDAP Error
> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
>       LDAP Error
> Check User: Unable to connect to any of the LDAP servers; could not authenticate user.
>       Authentication Error
> The username or password was incorrect.
> -----------------------------------------------------------
>
> The username and password specified in authLDAPBindUser1 and authLDAPBindPass1 are valid.  I've logged into the domain using them.
In which case you aren't binding correctly to your AD servers. A good way to get these settings right if you're not sure is to play with the "ldapsearch" command until you get it to connect and give you the right information.

ldapsearch -x -LLL -E pr=200/noprompt -h AD-SERVER-NAME-HERE -D 'USERNAME-HERE' -w 'PASSWORD-HERE' -b 'BASEDN-HERE' -s sub '(sAMAccountName=*)' cn mail memberOf

Once you get everything right (obviously do all the "-HERE" substitutions) it will spit out the username, email address and memberships of every user. Then you know the server name, username, password and BaseDN to set in preferences.php.

sAMAccountName should be the username, not the full name. If it is, then your AD is seriously screwed.

>
> Do I need to install samba and winbind to use AD authentication?  It doesn't seem to be mentioned in the instructions anywhere so I haven't.
No you don't need Samba or winbind at all, it will happily talk straight to AD servers.

Jules

--
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
  I see it shining plain,
  The happy highways where I went,
  And cannot come again.' - A.E. Housman

_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
...

-- 
ImproMed LLC
--
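The ldapsearch test Jules recommends is useful for one reason the ZendTo error page in the thread hides: when an Active Directory simple bind fails, ldapsearch prints AD's "additional info" line, whose "data NNN" sub-code says whether the bind identity was not found, the password was wrong, the account is disabled or locked, and so on. The script below is an added example (not ZendTo code and not posted by anyone on this list): a wrapper that performs a minimal bind test and decodes that sub-code. Server name, bind identity, password and base DN are caller-supplied placeholders; the sample error texts are constructed for the offline demo and the DSID values in them are not from any real server. Note that AD accepts the simple-bind identity as the full distinguishedName, as a userPrincipalName (user@domain) or as DOMAIN\user, which sidesteps quoting a long "CN=Firstname MI Lastname,OU=..." DN.

```shell
#!/bin/sh
# Added example, not code from ZendTo or from anyone on this thread: a wrapper
# around the ldapsearch bind test suggested above, plus a decoder for the
# "data NNN" sub-code Active Directory appends to "Invalid credentials (49)".
# Server, bind identity, password and base DN come from the caller; the
# sample error texts at the bottom are constructed for the offline demo.

# Translate ldapsearch's stderr into the reason AD actually gave.  The
# sub-codes (525, 52e, 530, ...) are the values AD places after
# "AcceptSecurityContext error, data"; ldapsearch prints them as
# "additional info", detail the ZendTo error page above does not show.
decode_ad_bind_error() {
    out="$1"
    case "$out" in
        *"Invalid credentials"*) ;;   # fall through to sub-code decoding
        *"Can't contact LDAP server"*)
            echo "network: cannot reach server (check host, port 389/636, firewall)"
            return 0 ;;
        *)  echo "unknown: $out"
            return 0 ;;
    esac
    sub=$(printf '%s\n' "$out" \
          | sed -n 's/.*AcceptSecurityContext error, data \([0-9A-Fa-f]*\).*/\1/p' \
          | head -n 1 | tr 'A-Z' 'a-z')
    case "$sub" in
        525) echo "525: user not found (bind DN/UPN does not exist)" ;;
        52e) echo "52e: bad password for an existing user" ;;
        530) echo "530: logon not permitted at this time" ;;
        531) echo "531: logon not permitted from this workstation" ;;
        532) echo "532: password expired" ;;
        533) echo "533: account disabled" ;;
        701) echo "701: account expired" ;;
        773) echo "773: user must reset password before logging on" ;;
        775) echo "775: account locked out" ;;
        "")  echo "49: invalid credentials (no AD sub-code in the response)" ;;
        *)   echo "$sub: unrecognised AD sub-code" ;;
    esac
}

# Live bind check.  AD accepts a simple-bind identity as the full
# distinguishedName, as a userPrincipalName (user@domain) or as DOMAIN\user.
# A base-scope search returning no attributes ("1.1") proves both the bind
# and the base DN without dumping the directory.  Returns 0 on success, 1
# with the decoded reason on failure.  Needs a reachable AD server, so the
# offline demo below does not call it.
ad_bind_test() {
    server="$1"; who="$2"; pass="$3"; base="$4"
    err=$(ldapsearch -x -LLL -h "$server" -D "$who" -w "$pass" -b "$base" \
              -s base '(objectClass=*)' 1.1 2>&1 >/dev/null)
    if [ $? -eq 0 ]; then
        echo "bind OK as $who against $server (base DN $base accepted)"
        return 0
    fi
    echo "bind FAILED as $who against $server: $(decode_ad_bind_error "$err")"
    return 1
}

# Constructed sample outputs in the shape ldapsearch prints for an AD bind
# failure (the DSID values are placeholders, not from any real server).
SAMPLE_52E='ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'
SAMPLE_525='ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 525, v1db1'
SAMPLE_NET="ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

if [ "$#" -eq 4 ]; then
    # usage: ./adbind.sh dc1.example.local user@example.local 'pw' 'DC=example,DC=local'
    ad_bind_test "$@"
else
    for s in "$SAMPLE_52E" "$SAMPLE_525" "$SAMPLE_NET"; do
        decode_ad_bind_error "$s"
    done
fi
```

Two caveats when running this against a real domain controller: `-x` is a simple bind, so over plain port 389 the password crosses the wire in clear text; use `-H ldaps://host` or add `-Z` for StartTLS (recent OpenLDAP releases accept only the `-H` URI form, not `-h`). And `-w` exposes the password in the process list; `-W` (prompt) or `-y passwordfile` is safer on a shared host.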