[ZendTo] Re: AD Authentication

Jules Jules at Zend.To
Wed Jun 6 15:33:35 BST 2012 


On 06/06/2012 14:45, Scott B. Anderson wrote:
> Thanks for the assistance using the ldapsearch command to test, I finally think I can get away from using local authentication.  That said, I'm not sure what to set authLDAPBindDn  and authLDAPOrganization to.  The example shows o= and a uid= parameter, but my basedn is actually like 'CN=Firstname MI Lastname,OU=MyOu,OU=MyParentOU,DC=mydomain,DC=mydomainsuffix'
You should probably use a BaseDN of
     ou=MyOU,OU=MyParentOU,DC=mydomain,DC=mydomainsuffix
and it should find users in there.
>   .   The only place I see an o= attribute
Where did you see that? It's not in the example settings I ship in 
preferences.php. There's no "uid=" either. Not a clue where you saw 
them. The settings you should be aiming for are these:
   'authLDAPBaseDN1'           => 
'OU=users,DC=ecs,DC=soton,DC=ac,DC=uk',  'authLDAPServers1'          => 
array('ad1.ecs.soton.ac.uk','ad2.ecs.soton.ac.u
k'),
   'authLDAPAccountSuffix1'    => '@ecs.soton.ac.uk',
   'authLDAPUseSSL1'           => false,
   'authLDAPBindUser1'         => 'SecretUsername1',
   'authLDAPBindPass1'         => 'SecretPassword1',
   'authLDAPOrganization1'     => 'ECS, University of Southampton',

The LDAPOrganization1 is just a nice version of the name of your company 
or organisation. It's what is put in by default as the Organisation name 
when a user creates a new drop-off.

>   is my LegacyExchangeDN but that contains and o= , ou=, and two cn= attributes (and won't work for my final target user, which won't have a legacyexchangedn property set)
That's nothing to do with it.
> In addition, I'm not sure which AD property authLDAPOrganization should be set to.
It's not a property, it's just the name of your organisation.
>    I tried  distinguished name of the domain, (which is 'DC=mydomain,DC=mydomainsuffix'  and I tried the dc attribute which is just 'mydomain' .  I might already have this correct, as when I set my authLDAPBindDN to my user basedn it hangs for a long time (2 minutes) then comes back and says 'Authentication Error, the username or password was incorrect.  I know I typed it correctly and it works in the previous ldapsearch command.
>
> Thanks in advance for any additional assistance you can provide, it is appreciated.
>
> Scott Anderson
>
> -----Original Message-----
> From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Jules
> Sent: Wednesday, June 06, 2012 3:20 AM
> To: ZendTo Users
> Subject: [ZendTo] Re: AD Authentication
>
>
>
> On 01/06/2012 21:03, Kevin Miller wrote:
>> Having a bit of trouble with AD authentication.
>>
>> Our AD domain is cbj.local (strictly internal) while our publically viewable internet and email domain is ci.juneau.ak.us.
>> Server is centos 6, mysql backend, named zendto.ci.juneau.ak.us
>>
>> When I fire up the web page I get error notices at the top of the page and corresponding messages in /var/log/http/error.log:
>>
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:
>> Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 42
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:
>> Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 48
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice:
>> Undefined index: authLDAPAdmins in
>> /opt/zendto/lib/NSSADAuthenticator.php on line 83 [Fri Jun 01 11:02:19
>> 2012] [error] [client 199.58.55.10] PHP Notice:  Undefined index:
>> authLDAPMemberKey in /opt/zendto/lib/NSSADAuthenticator.php on line
>> 104 [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP
>> Notice:  Undefined index: authLDAPMemberRole in
>> /opt/zendto/lib/NSSADAuthenticator.php on line 105
> They're harmless. Alter your PHP settings so that it doesn't log errors on notices.
>> What am I doing wrong there - what's missing?
> Nothing.
>> When I try to log in, the following is displayed on the web page:
>> -----------------------------------------------------------
>> Connected to city-dc1.cbj.local but could not bind, it said
>>        Invalid credentials
>> Connected to city-dc2.cbj.local but could not bind, it said
>>        Invalid credentials
>>        LDAP Error
>> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
>>        LDAP Error
>> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
>>        LDAP Error
>> Check User: Unable to connect to any of the LDAP servers; could not authenticate user.
>>        Authentication Error
>> The username or password was incorrect.
>> -----------------------------------------------------------
>>
>> The username and password specified in authLDAPBindUser1 and authLDAPBindPass1 are valid.  I've logged into the domain using them.
> In which case you aren't binding correctly to your AD servers. A good way to get these settings right if you're not sure is to play with the "ldapsearch" command until you get it to connect and give you the right information.
>
> ldapsearch -x -LLL -E pr=200/noprompt -h AD-SERVER-NAME-HERE -D 'USERNAME-HERE' -w 'PASSWORD-HERE' -b 'BASEDN-HERE' -s sub '(sAMAccountName=*)' cn mail memberOf
>
> Once you get everything right (obviously do all the "-HERE"
> substitutions) it will spit out the username, email address and memberships of every user. Then you know the server name, username, password and BaseDN to set it preferences.php.
>
> sAMAccountName should be the username, not the full name. If it is, then your AD is seriously screwed.
>
>> Do I need to install samba and winbind to use AD authentication?  It doesn't seem to be mentioned in the instructions anywhere so I haven't.
> No you don't need Samba or winbind at all, it will happily talk straight to AD servers.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.Zend.To
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011 'All programs have a desire to be useful' - Tron, 1982 'That is the land of lost content,
>    I see it shining plain,
>    The happy highways where I went,
>    And cannot come again.' - A.E. Houseman
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> ...
>

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
  I see it shining plain,
  The happy highways where I went,
  And cannot come again.' - A.E. Houseman

More information about the ZendTo mailing list