[ZendTo] Re: AD Authentication
Jules
Jules at Zend.To
Wed Jun 6 15:33:35 BST 2012
On 06/06/2012 14:45, Scott B. Anderson wrote:
> Thanks for the assistance using the ldapsearch command to test, I finally think I can get away from using local authentication. That said, I'm not sure what to set authLDAPBindDn and authLDAPOrganization to. The example shows o= and a uid= parameter, but my basedn is actually like 'CN=Firstname MI Lastname,OU=MyOu,OU=MyParentOU,DC=mydomain,DC=mydomainsuffix'
You should probably use a BaseDN of
ou=MyOU,OU=MyParentOU,DC=mydomain,DC=mydomainsuffix
and it should find users in there.
> . The only place I see an o= attribute
Where did you see that? It's not in the example settings I ship in
preferences.php. There's no "uid=" either. Not a clue where you saw
them. The settings you should be aiming for are these:
'authLDAPBaseDN1' =>
'OU=users,DC=ecs,DC=soton,DC=ac,DC=uk', 'authLDAPServers1' =>
array('ad1.ecs.soton.ac.uk','ad2.ecs.soton.ac.u
k'),
'authLDAPAccountSuffix1' => '@ecs.soton.ac.uk',
'authLDAPUseSSL1' => false,
'authLDAPBindUser1' => 'SecretUsername1',
'authLDAPBindPass1' => 'SecretPassword1',
'authLDAPOrganization1' => 'ECS, University of Southampton',
The LDAPOrganization1 is just a nice version of the name of your company
or organisation. It's what is put in by default as the Organisation name
when a user creates a new drop-off.
> is my LegacyExchangeDN but that contains and o= , ou=, and two cn= attributes (and won't work for my final target user, which won't have a legacyexchangedn property set)
That's nothing to do with it.
> In addition, I'm not sure which AD property authLDAPOrganization should be set to.
It's not a property, it's just the name of your organisation.
> I tried distinguished name of the domain, (which is 'DC=mydomain,DC=mydomainsuffix' and I tried the dc attribute which is just 'mydomain' . I might already have this correct, as when I set my authLDAPBindDN to my user basedn it hangs for a long time (2 minutes) then comes back and says 'Authentication Error, the username or password was incorrect. I know I typed it correctly and it works in the previous ldapsearch command.
>
> Thanks in advance for any additional assistance you can provide, it is appreciated.
>
> Scott Anderson
>
> -----Original Message-----
> From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Jules
> Sent: Wednesday, June 06, 2012 3:20 AM
> To: ZendTo Users
> Subject: [ZendTo] Re: AD Authentication
>
>
>
> On 01/06/2012 21:03, Kevin Miller wrote:
>> Having a bit of trouble with AD authentication.
>>
>> Our AD domain is cbj.local (strictly internal) while our publically viewable internet and email domain is ci.juneau.ak.us.
>> Server is centos 6, mysql backend, named zendto.ci.juneau.ak.us
>>
>> When I fire up the web page I get error notices at the top of the page and corresponding messages in /var/log/http/error.log:
>>
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:
>> Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 42
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:
>> Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 48
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:
>> Undefined index: authLDAPAdmins in
>> /opt/zendto/lib/NSSADAuthenticator.php on line 83 [Fri Jun 01 11:02:19
>> 2012] [error] [client 199.58.55.10] PHP Notice: Undefined index:
>> authLDAPMemberKey in /opt/zendto/lib/NSSADAuthenticator.php on line
>> 104 [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP
>> Notice: Undefined index: authLDAPMemberRole in
>> /opt/zendto/lib/NSSADAuthenticator.php on line 105
> They're harmless. Alter your PHP settings so that it doesn't log errors on notices.
>> What am I doing wrong there - what's missing?
> Nothing.
>> When I try to log in, the following is displayed on the web page:
>> -----------------------------------------------------------
>> Connected to city-dc1.cbj.local but could not bind, it said
>> Invalid credentials
>> Connected to city-dc2.cbj.local but could not bind, it said
>> Invalid credentials
>> LDAP Error
>> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
>> LDAP Error
>> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
>> LDAP Error
>> Check User: Unable to connect to any of the LDAP servers; could not authenticate user.
>> Authentication Error
>> The username or password was incorrect.
>> -----------------------------------------------------------
>>
>> The username and password specified in authLDAPBindUser1 and authLDAPBindPass1 are valid. I've logged into the domain using them.
> In which case you aren't binding correctly to your AD servers. A good way to get these settings right if you're not sure is to play with the "ldapsearch" command until you get it to connect and give you the right information.
>
> ldapsearch -x -LLL -E pr=200/noprompt -h AD-SERVER-NAME-HERE -D 'USERNAME-HERE' -w 'PASSWORD-HERE' -b 'BASEDN-HERE' -s sub '(sAMAccountName=*)' cn mail memberOf
>
> Once you get everything right (obviously do all the "-HERE"
> substitutions) it will spit out the username, email address and memberships of every user. Then you know the server name, username, password and BaseDN to set it preferences.php.
>
> sAMAccountName should be the username, not the full name. If it is, then your AD is seriously screwed.
>
>> Do I need to install samba and winbind to use AD authentication? It doesn't seem to be mentioned in the instructions anywhere so I haven't.
> No you don't need Samba or winbind at all, it will happily talk straight to AD servers.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.Zend.To
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011 'All programs have a desire to be useful' - Tron, 1982 'That is the land of lost content,
> I see it shining plain,
> The happy highways where I went,
> And cannot come again.' - A.E. Houseman
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> ...
>
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
I see it shining plain,
The happy highways where I went,
And cannot come again.' - A.E. Houseman
More information about the ZendTo
mailing list