[ZendTo] Re: Is there any way to have more than 2 realms to authenticate with in AD on Zendto?

Duncan, Brian M. brian.duncan at kattenlaw.com
Wed Dec 9 02:13:39 GMT 2015


Thanks for the information!

BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com


From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Kevin Miller
Sent: Monday, November 30, 2015 12:39 PM
To: 'ZendTo Users'
Subject: [ZendTo] Re: Is there any way to have more than 2 realms to authenticate with in AD on Zendto?

I had the same question a couple of years ago. Naz Snidanko provided the answer, which I've copied/pasted below. In a nutshell, you just need to add an appropriate number of stanzas to the file mentioned. I have three AD domains authenticating, so I only needed to add one more.

Hi Kevin,

We have it in place already, for 5 domains. You need to adjust the config and the functions in the lib\NSSADAuthenticator.php file.
There is a nicer way of doing it, but this is the simplest way without rewriting too much code.

  public function __construct(
    $prefs, $db
  )
  {
    if ( $prefs['authLDAPAdmins'] && (! $prefs['authAdmins']) ) {
      $prefs['authAdmins'] = $prefs['authLDAPAdmins'];
    }
    parent::__construct($prefs, $db);

    // Realm 1 settings, read from the numbered authLDAP*1 preferences
    $this->_ldapServers1       = $prefs['authLDAPServers1'];
    $this->_ldapBase1          = $prefs['authLDAPBaseDN1'];
    $this->_ldapAccountSuffix1 = $prefs['authLDAPAccountSuffix1'];
    $this->_ldapUseSSL1        = $prefs['authLDAPUseSSL1'];
    $this->_ldapBindUser1      = $prefs['authLDAPBindUser1'];
    $this->_ldapBindPass1      = $prefs['authLDAPBindPass1'];
    $this->_ldapOrg1           = $prefs['authLDAPOrganization1'];

    // Realm 2 settings
    $this->_ldapServers2       = $prefs['authLDAPServers2'];
    $this->_ldapBase2          = $prefs['authLDAPBaseDN2'];
    $this->_ldapAccountSuffix2 = $prefs['authLDAPAccountSuffix2'];
    $this->_ldapUseSSL2        = $prefs['authLDAPUseSSL2'];
    $this->_ldapBindUser2      = $prefs['authLDAPBindUser2'];
    $this->_ldapBindPass2      = $prefs['authLDAPBindPass2'];
    $this->_ldapOrg2           = $prefs['authLDAPOrganization2'];

    // CUSTOM CODE STARTS HERE
    // Created by Naz Snidanko Oct 02, 2012
    // One stanza per additional realm, following the same pattern as realms 1 and 2

    // Realm 3 settings
    $this->_ldapServers3       = $prefs['authLDAPServers3'];
    $this->_ldapBase3          = $prefs['authLDAPBaseDN3'];
    $this->_ldapAccountSuffix3 = $prefs['authLDAPAccountSuffix3'];
    $this->_ldapUseSSL3        = $prefs['authLDAPUseSSL3'];
    $this->_ldapBindUser3      = $prefs['authLDAPBindUser3'];
    $this->_ldapBindPass3      = $prefs['authLDAPBindPass3'];
    $this->_ldapOrg3           = $prefs['authLDAPOrganization3'];

    // Realm 4 settings
    $this->_ldapServers4       = $prefs['authLDAPServers4'];
    $this->_ldapBase4          = $prefs['authLDAPBaseDN4'];
    $this->_ldapAccountSuffix4 = $prefs['authLDAPAccountSuffix4'];
    $this->_ldapUseSSL4        = $prefs['authLDAPUseSSL4'];
    $this->_ldapBindUser4      = $prefs['authLDAPBindUser4'];
    $this->_ldapBindPass4      = $prefs['authLDAPBindPass4'];
    $this->_ldapOrg4           = $prefs['authLDAPOrganization4'];

    // Realm 5 settings
    $this->_ldapServers5       = $prefs['authLDAPServers5'];
    $this->_ldapBase5          = $prefs['authLDAPBaseDN5'];
    $this->_ldapAccountSuffix5 = $prefs['authLDAPAccountSuffix5'];
    $this->_ldapUseSSL5        = $prefs['authLDAPUseSSL5'];
    $this->_ldapBindUser5      = $prefs['authLDAPBindUser5'];
    $this->_ldapBindPass5      = $prefs['authLDAPBindPass5'];
    $this->_ldapOrg5           = $prefs['authLDAPOrganization5'];

    // CUSTOM CODE ENDS HERE

    $this->_ldapMemberKey  = strtolower($prefs['authLDAPMemberKey']);
    $this->_ldapMemberRole = strtolower($prefs['authLDAPMemberRole']);
  }


  public function validUsername(
    $uname,
    &$response
  )
  {
    $result = FALSE;

    // Tryvalid() reads the un-numbered _ldap* fields, so each realm's settings
    // are copied into them in turn. It returns -70 when no server in the realm
    // could be reached and -69 when the realm answered but rejected the user;
    // any other result is a successful lookup.

    // Realm 1
    $this->_ldapServers       = $this->_ldapServers1;
    $this->_ldapUseSSL        = $this->_ldapUseSSL1;
    $this->_ldapBindUser      = $this->_ldapBindUser1;
    $this->_ldapBindPass      = $this->_ldapBindPass1;
    $this->_ldapBase          = $this->_ldapBase1;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix1;
    $this->_ldapOrg           = $this->_ldapOrg1;

    $result = $this->Tryvalid($uname, $response);
    if ($result !== -70 && $result !== -69) {
      return TRUE;
    }

    // Bail out quietly if there isn't a 2nd AD forest
    if (empty($this->_ldapServers2)) {
      return FALSE;
    }
    // Realm 2
    $this->_ldapServers       = $this->_ldapServers2;
    $this->_ldapUseSSL        = $this->_ldapUseSSL2;
    $this->_ldapBindUser      = $this->_ldapBindUser2;
    $this->_ldapBindPass      = $this->_ldapBindPass2;
    $this->_ldapBase          = $this->_ldapBase2;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix2;
    $this->_ldapOrg           = $this->_ldapOrg2;

    $result = $this->Tryvalid($uname, $response);
    if ($result !== -70 && $result !== -69) {
      return TRUE;
    }

    // CUSTOM CODE STARTS HERE
    // Created by Naz Snidanko Oct 02, 2012

    // Bail out quietly if there isn't a 3rd AD forest
    if (empty($this->_ldapServers3)) {
      return FALSE;
    }
    // Realm 3
    $this->_ldapServers       = $this->_ldapServers3;
    $this->_ldapUseSSL        = $this->_ldapUseSSL3;
    $this->_ldapBindUser      = $this->_ldapBindUser3;
    $this->_ldapBindPass      = $this->_ldapBindPass3;
    $this->_ldapBase          = $this->_ldapBase3;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix3;
    $this->_ldapOrg           = $this->_ldapOrg3;

    $result = $this->Tryvalid($uname, $response);
    if ($result !== -70 && $result !== -69) {
      return TRUE;
    }

    // Bail out quietly if there isn't a 4th AD forest
    if (empty($this->_ldapServers4)) {
      return FALSE;
    }
    // Realm 4
    $this->_ldapServers       = $this->_ldapServers4;
    $this->_ldapUseSSL        = $this->_ldapUseSSL4;
    $this->_ldapBindUser      = $this->_ldapBindUser4;
    $this->_ldapBindPass      = $this->_ldapBindPass4;
    $this->_ldapBase          = $this->_ldapBase4;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix4;
    $this->_ldapOrg           = $this->_ldapOrg4;

    $result = $this->Tryvalid($uname, $response);
    if ($result !== -70 && $result !== -69) {
      return TRUE;
    }

    // Bail out quietly if there isn't a 5th AD forest
    if (empty($this->_ldapServers5)) {
      return FALSE;
    }
    // Realm 5 (last one, so this is where failures are reported)
    $this->_ldapServers       = $this->_ldapServers5;
    $this->_ldapUseSSL        = $this->_ldapUseSSL5;
    $this->_ldapBindUser      = $this->_ldapBindUser5;
    $this->_ldapBindPass      = $this->_ldapBindPass5;
    $this->_ldapBase          = $this->_ldapBase5;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix5;
    $this->_ldapOrg           = $this->_ldapOrg5;

    $result = $this->Tryvalid($uname, $response);
    if ($result === -70) {
      NSSError('Check User: Unable to connect to any of the LDAP servers; could not authenticate user.', 'LDAP Error');
      return FALSE;
    } else if ($result === -69) {
      // NSSError('Check User: Incorrect username or password.','LDAP Error');
      return FALSE;
    }
    // return $result;
    return TRUE;
  }

  public function authenticate(
    &$uname,
    $password,
    &$response
  )
  {
    $result = FALSE;

    // The username should not be their email address.
    // So remove everything after any @ sign.
    // And remove any domain name on the front, separated by \
    // Passed by reference so should change what is stored in the calling code.
    $uname = preg_replace('/@.*$/', '', $uname);
    $uname = preg_replace('/^.*\\\/', '', $uname);

    // Same realm-by-realm fall-through as validUsername(), but with
    // Tryauthenticate(). Note that, unlike validUsername(), there is no check
    // for an unconfigured realm here; with fewer than five realms the later
    // attempts run against empty server lists.

    // Realm 1
    $this->_ldapServers       = $this->_ldapServers1;
    $this->_ldapUseSSL        = $this->_ldapUseSSL1;
    $this->_ldapBindUser      = $this->_ldapBindUser1;
    $this->_ldapBindPass      = $this->_ldapBindPass1;
    $this->_ldapBase          = $this->_ldapBase1;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix1;
    $this->_ldapOrg           = $this->_ldapOrg1;

    $result = $this->Tryauthenticate($uname, $password, $response);
    if ($result !== -69 && $result !== -70) {
      return TRUE;
    }

    // Realm 2
    $this->_ldapServers       = $this->_ldapServers2;
    $this->_ldapUseSSL        = $this->_ldapUseSSL2;
    $this->_ldapBindUser      = $this->_ldapBindUser2;
    $this->_ldapBindPass      = $this->_ldapBindPass2;
    $this->_ldapBase          = $this->_ldapBase2;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix2;
    $this->_ldapOrg           = $this->_ldapOrg2;

    $result = $this->Tryauthenticate($uname, $password, $response);
    if ($result !== -69 && $result !== -70) {
      return TRUE;
    }

    // Realm 3
    $this->_ldapServers       = $this->_ldapServers3;
    $this->_ldapUseSSL        = $this->_ldapUseSSL3;
    $this->_ldapBindUser      = $this->_ldapBindUser3;
    $this->_ldapBindPass      = $this->_ldapBindPass3;
    $this->_ldapBase          = $this->_ldapBase3;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix3;
    $this->_ldapOrg           = $this->_ldapOrg3;

    $result = $this->Tryauthenticate($uname, $password, $response);
    if ($result !== -69 && $result !== -70) {
      return TRUE;
    }

    // Realm 4
    $this->_ldapServers       = $this->_ldapServers4;
    $this->_ldapUseSSL        = $this->_ldapUseSSL4;
    $this->_ldapBindUser      = $this->_ldapBindUser4;
    $this->_ldapBindPass      = $this->_ldapBindPass4;
    $this->_ldapBase          = $this->_ldapBase4;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix4;
    $this->_ldapOrg           = $this->_ldapOrg4;

    $result = $this->Tryauthenticate($uname, $password, $response);
    if ($result !== -69 && $result !== -70) {
      return TRUE;
    }

    // Realm 5 (last one, so this is where failures are reported)
    $this->_ldapServers       = $this->_ldapServers5;
    $this->_ldapUseSSL        = $this->_ldapUseSSL5;
    $this->_ldapBindUser      = $this->_ldapBindUser5;
    $this->_ldapBindPass      = $this->_ldapBindPass5;
    $this->_ldapBase          = $this->_ldapBase5;
    $this->_ldapAccountSuffix = $this->_ldapAccountSuffix5;
    $this->_ldapOrg           = $this->_ldapOrg5;

    $result = $this->Tryauthenticate($uname, $password, $response);
    if ($result === -70) {
      // Failed because we couldn't connect to any auth servers
      NSSError('Check User: Unable to connect to any of the LDAP servers; could not authenticate user.', 'LDAP Error');
      return FALSE;
    } else if ($result === -69) {
      // Failed because the user failed authentication tests
      // NSSError('Check User: Incorrect username or password.','LDAP Error');
      return FALSE;
    }
    return TRUE;
  }


...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357
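
Kevin's reply above copies one stanza per realm; as an added example (not ZendTo's own code and not Naz Snidanko's), here is the same fall-through written once as a loop, so that a further realm is only another authLDAPServers6 / authLDAPBaseDN6 stanza in the ZendTo preferences file. It assumes the $prefs keys and the Tryvalid()/Tryauthenticate() result codes shown in the message (-70 no server reachable, -69 rejected) and PHP 7 or later; _realms, REALM_KEYS and the helper methods are my names.

```php
// Added example, not ZendTo's or Naz's code: the N-realm fall-through written
// once as a loop (PHP 7+). Assumes the $prefs keys, Tryvalid(), Tryauthenticate()
// and their -70 (unreachable) / -69 (rejected) codes shown above; _realms,
// REALM_KEYS and the helper methods are my own names.
// preferences key suffix => NSSADAuthenticator _ldap* field suffix
const REALM_KEYS = ['Servers' => 'Servers', 'BaseDN' => 'Base', 'AccountSuffix' => 'AccountSuffix',
  'UseSSL' => 'UseSSL', 'BindUser' => 'BindUser', 'BindPass' => 'BindPass', 'Organization' => 'Org'];

// In __construct(), after parent::__construct($prefs, $db):
//     $this->_realms = $this->_loadRealms($prefs);
// Stops at the first N with no authLDAPServersN, so a new realm is a new
// stanza in the preferences file and nothing else.
private function _loadRealms(array $prefs): array
{
  $realms = [];
  for ($n = 1; !empty($prefs["authLDAPServers$n"]); $n++) {
    $realm = [];
    foreach (self::REALM_KEYS as $pref => $field) {
      $realm[$field] = $prefs["authLDAP$pref$n"] ?? '';
    }
    $realms[] = $realm;
  }
  return $realms;
}

// Run $attempt against each realm in turn. Anything but -70/-69 is success;
// -69 means the realm answered and rejected the user, so move on. The LDAP
// error is raised only if every realm returned -70.
private function _tryEachRealm(callable $attempt): bool
{
  $anyReachable = FALSE;
  foreach ($this->_realms as $realm) {
    foreach ($realm as $field => $value) {   // select this realm
      $this->{"_ldap$field"} = $value;
    }
    $result = $attempt();
    if ($result !== -70 && $result !== -69) {
      return TRUE;
    }
    $anyReachable = $anyReachable || ($result === -69);
  }
  if (!$anyReachable) {
    NSSError('Check User: Unable to connect to any of the LDAP servers; could not authenticate user.', 'LDAP Error');
  }
  return FALSE;
}

public function validUsername($uname, &$response)
{
  return $this->_tryEachRealm(function () use ($uname, &$response) {
    return $this->Tryvalid($uname, $response);
  });
}
```

authenticate() becomes the same call with Tryauthenticate($uname, $password, $response) after its existing username stripping. Because that stripping drops the domain prefix, the same bare username is offered to every realm in order, so keep the realm order deliberate when an account name exists in more than one forest.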

From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Duncan, Brian M.
Sent: Monday, November 30, 2015 5:52 AM
To: 'zendto at zend.to'
Subject: [ZendTo] Is there any way to have more than 2 realms to authenticate with in AD on Zendto?

We are using zendto to successfully authenticate users in 2 different realms in LDAP.

For example:

'authenticator'    => 'AD',
'authLDAPBaseDN1'  => 'DC=us,DC=test,DC=com',
'authLDAPServers1' => array('192.168.5.11','192.168.5.10'),

'authLDAPBaseDN2'  => 'DC=eu,DC=test,DC=com',
'authLDAPServers2' => array('192.168.5.11','192.168.5.10'),

We would like to be able to authenticate AD users in yet another realm called AP (ap.test.com).

Can I just create 'authLDAPBaseDN3' etc.. and add the 3rd realm?  Or is Zendto hardcoded to only be able to support up to 2 realms?


'authLDAPBaseDN3'  => 'DC=ap,DC=test,DC=com',
'authLDAPServers3' => array('192.168.5.11','192.168.5.10'),
Etc.

Thanks



BRIAN M. DUNCAN
Data Security Administrator
Katten Muchin Rosenman LLP
525 W. Monroe Street / Chicago, IL 60661-3693
p / (312) 577-8045 f / (312) 577-4490
brian.duncan at kattenlaw.com / www.kattenlaw.com




