[ZendTo] Re: AD Authentication
Scott B. Anderson
sbanderson at impromed.com
Wed Jun 6 20:06:50 BST 2012
On 06/06/2012 14:45, Scott B. Anderson wrote:
> Thanks for the assistance using the ldapsearch command to test, I finally think I can get away from using local authentication. That said, I'm not sure what to set authLDAPBindDn and authLDAPOrganization to. The example shows o= and a uid= parameter, but my basedn is actually like 'CN=Firstname MI Lastname,OU=MyOu,OU=MyParentOU,DC=mydomain,DC=mydomainsuffix'
You should probably use a BaseDN of
ou=MyOU,OU=MyParentOU,DC=mydomain,DC=mydomainsuffix
and it should find users in there.
> The only place I see an o= attribute
Where did you see that? It's not in the example settings I ship in preferences.php. There's no "uid=" either. Not a clue where you saw them. The settings you should be aiming for are these:
    'authLDAPBaseDN1'        => 'OU=users,DC=ecs,DC=soton,DC=ac,DC=uk',
    'authLDAPServers1'       => array('ad1.ecs.soton.ac.uk', 'ad2.ecs.soton.ac.uk'),
    'authLDAPAccountSuffix1' => '@ecs.soton.ac.uk',
    'authLDAPUseSSL1'        => false,
    'authLDAPBindUser1'      => 'SecretUsername1',
    'authLDAPBindPass1'      => 'SecretPassword1',
    'authLDAPOrganization1'  => 'ECS, University of Southampton',
The LDAPOrganization1 is just a nice version of the name of your company or organisation. It's what is put in by default as the Organisation name when a user creates a new drop-off.
> is my LegacyExchangeDN but that contains an o=, ou=, and two cn=
> attributes (and won't work for my final target user, which won't have
> a legacyexchangedn property set)
That's nothing to do with it.
> In addition, I'm not sure which AD property authLDAPOrganization should be set to.
It's not a property, it's just the name of your organisation.
> I tried the distinguished name of the domain (which is 'DC=mydomain,DC=mydomainsuffix') and I tried the dc attribute, which is just 'mydomain'. I might already have this correct, as when I set my authLDAPBindDN to my user basedn it hangs for a long time (2 minutes) then comes back and says 'Authentication Error, the username or password was incorrect.' I know I typed it correctly and it works in the previous ldapsearch command.
>
> Thanks in advance for any additional assistance you can provide, it is appreciated.
>
> Scott Anderson
>
> -----Original Message-----
> From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf
> Of Jules
> Sent: Wednesday, June 06, 2012 3:20 AM
> To: ZendTo Users
> Subject: [ZendTo] Re: AD Authentication
>
>
>
> On 01/06/2012 21:03, Kevin Miller wrote:
>> Having a bit of trouble with AD authentication.
>>
>> Our AD domain is cbj.local (strictly internal) while our publically viewable internet and email domain is ci.juneau.ak.us.
>> Server is centos 6, mysql backend, named zendto.ci.juneau.ak.us
>>
>> When I fire up the web page I get error notices at the top of the page and corresponding messages in /var/log/http/error.log:
>>
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice: Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 42
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice: Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 48
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice: Undefined index: authLDAPAdmins in /opt/zendto/lib/NSSADAuthenticator.php on line 83
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice: Undefined index: authLDAPMemberKey in /opt/zendto/lib/NSSADAuthenticator.php on line 104
>> [Fri Jun 01 11:02:19 2012] [error] [client 199.58.55.10] PHP Notice: Undefined index: authLDAPMemberRole in /opt/zendto/lib/NSSADAuthenticator.php on line 105
> They're harmless. Alter your PHP settings so that it doesn't log errors on notices.
>> What am I doing wrong there - what's missing?
> Nothing.
>> When I try to log in, the following is displayed on the web page:
>> -----------------------------------------------------------
>> Connected to city-dc1.cbj.local but could not bind, it said
>> Invalid credentials
>> Connected to city-dc2.cbj.local but could not bind, it said
>> Invalid credentials
>> LDAP Error
>> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
>> LDAP Error
>> Check User: Unable to connect to any of the authentication servers; could not authenticate user.
>> LDAP Error
>> Check User: Unable to connect to any of the LDAP servers; could not authenticate user.
>> Authentication Error
>> The username or password was incorrect.
>> -----------------------------------------------------------
>>
>> The username and password specified in authLDAPBindUser1 and authLDAPBindPass1 are valid. I've logged into the domain using them.
> In which case you aren't binding correctly to your AD servers. A good way to get these settings right if you're not sure is to play with the "ldapsearch" command until you get it to connect and give you the right information.
>
> ldapsearch -x -LLL -E pr=200/noprompt -h AD-SERVER-NAME-HERE \
>     -D 'USERNAME-HERE' -w 'PASSWORD-HERE' -b 'BASEDN-HERE' -s sub \
>     '(sAMAccountName=*)' cn mail memberOf
>
> Once you get everything right (obviously do all the "-HERE" substitutions) it will spit out the username, email address and memberships of every user. Then you know the server name, username, password and BaseDN to set in preferences.php.
>
> sAMAccountName should be the username, not the full name. If it is, then your AD is seriously screwed.
>
>> Do I need to install samba and winbind to use AD authentication? It doesn't seem to be mentioned in the instructions anywhere so I haven't.
> No you don't need Samba or winbind at all, it will happily talk straight to AD servers.
>
> Jules
>
> --
>
...
>
Jules
--
Thanks tons. It works perfectly now. My mistake was that I was trying to use LDAP auth instead of AD auth. When you pointed out which directives I should be using, I had an epiphany.
Scott
...
--
ImproMed LLC
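The thread above boils down to three mechanical steps: derive authLDAPBaseDN and authLDAPAccountSuffix from one known user DN, prove the bind and base with ldapsearch, and read the memberOf values the search returns. The script below is an added example that does those steps offline; it is not ZendTo's code and not something either poster wrote. Everything it names (example.test, ad1.example.test, the sample LDIF, the "ZendTo Admins" group, the svc bind account) is constructed for illustration. It differs from Jules's command in two deliberate ways: it passes the server as an ldaps:// URI with -H, and it uses -W so the bind password is prompted for instead of sitting in the process list via -w.

```python
# Added example (not ZendTo's code and not from the thread): an offline helper that
# applies the advice above. Every name here (example.test, ad1.example.test, the
# sample LDIF and the "ZendTo Admins" group) is constructed for illustration.
import base64
import shlex

def split_dn(dn):
    """RFC 4514 DN -> [(attr, value)], attr lower-cased, backslash escapes kept."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char: keep both chars
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def normalise_dn(dn):
    """Canonical form for comparison: AD matches DNs case-insensitively."""
    return ",".join(f"{a}={v.lower()}" for a, v in split_dn(dn))

def search_base_for(user_dn):
    """Jules's advice: drop the leading CN RDN of one user's DN and use the
    containing OU path as authLDAPBaseDN, so a subtree search finds the users."""
    pairs = split_dn(user_dn)
    if pairs[0][0] != "cn":
        raise ValueError("expected a user DN starting with CN=")
    return ",".join(f"{a.upper()}={v}" for a, v in pairs[1:])

def account_suffix_for(user_dn):
    """The DC components give the UPN suffix for authLDAPAccountSuffix."""
    return "@" + ".".join(v for a, v in split_dn(user_dn) if a == "dc")

def ldapsearch_cmd(server, bind_user, base_dn, ldaps=True):
    """The probe command from the thread, with an ldaps:// URI (-H) and -W so the
    bind password is prompted for rather than shown in the process list."""
    uri = ("ldaps://" if ldaps else "ldap://") + server
    return shlex.join(["ldapsearch", "-x", "-LLL", "-E", "pr=200/noprompt", "-H", uri,
                       "-D", bind_user, "-W", "-b", base_dn, "-s", "sub",
                       "(sAMAccountName=*)", "cn", "mail", "memberOf"])

def parse_ldif(text):
    """`ldapsearch -LLL` output -> one {attr: [values]} dict per entry. Unfolds
    wrapped lines (leading space), keeps repeated attributes, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                # comment lines carry no attribute
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def members_of(entries, group_dn):
    """Mail addresses of entries whose memberOf lists group_dn (case-insensitive)."""
    wanted = normalise_dn(group_dn)
    return [e["mail"][0] for e in entries
            if any(normalise_dn(m) == wanted for m in e.get("memberOf", []))]

# Constructed sample of what the probe command prints; not real directory data.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=users,DC=example,DC=test
cn: Alice Example
mail: alice@example.test
memberOf: CN=ZendTo Admins,OU=groups,DC=example,DC=test
memberOf: CN=Staff,OU=groups,DC=example,DC=test

dn: CN=Bob Example,OU=users,DC=example,DC=test
cn:: Qm9iIEV4YW1wbGU=
mail: bob@example.test
memberOf: CN=Staff,OU=groups,DC=exam
 ple,DC=test
"""
```

Run it with the DN from the question and it yields authLDAPBaseDN 'OU=MyOu,OU=MyParentOU,DC=mydomain,DC=mydomainsuffix' and suffix '@mydomain.mydomainsuffix'; AD accepts that user@suffix form as the simple-bind name, which is what authLDAPAccountSuffix appends to the bind user and to whoever logs in. Two caveats a practitioner should keep in mind with the settings above: with 'authLDAPUseSSL1' => false the simple bind sends the service account's password in clear over port 389, so either enable SSL or confine that traffic to a trusted network; and DN comparisons (for example when matching memberOf against an admin group) must be case-insensitive, as normalise_dn does, or users will silently fail to match.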