[ZendTo] Issue with ZendTo AD authentication
Jules Field
Jules at Zend.To
Thu Nov 1 12:10:48 GMT 2018
My top immediate guess would be to try removing the ":3268" from the
names of your AD servers in authLDAPServers1.
Cheers,
Jules.
On 01/11/2018 12:01, Igor David wrote:
> Hi All,
>
> We are using ZendTo actively with AD authentication and it has worked well
> for a few years.
>
> However, we are installing a new ZendTo system on an AWS EC2 instance
> (trying with Ubuntu 18.4, Amazon Linux 2018.03 and RedHat 7.5 distros)
> which we can't get to work with AD authentication.
>
> This is our existing preferences.php (OURDOMAIN, USERNAME and PASSWORD
> are replaced):
>
> 'authenticator' => 'AD',
> 'authLDAPBaseDN1' => 'DC=OURDOMAIN,DC=com',
> 'authLDAPServers1' => array('AD_SERVER1:3268','AD_SERVER2:3268'),
> 'authLDAPAccountSuffix1' => '@OURDOMAIN.com',
> 'authLDAPUseSSL1' => false,
> 'authLDAPBindUser1' => 'USERNAME',
> 'authLDAPBindPass1' => 'PASSWORD',
> 'authLDAPOrganization1' => 'OUR ORGANIZATION',
> 'authLDAPBaseDN2' => 'DC=soton,DC=ac,DC=uk',
> 'authLDAPServers2' => array(),
> 'authLDAPAccountSuffix2' => '@soton.ac.uk',
> 'authLDAPUseSSL2' => false,
> 'authLDAPBindUser2' => 'SecretUsername2',
> 'authLDAPBindPass2' => 'SecretPassword2',
> 'authLDAPOrganization2' => 'University of Southampton',
>
>
> in that case, we can't connect and are getting an error on ZendTo
> front-end page:
>
> LDAP Error
> Check User: Unable to connect to any of the authentication
> servers; could not authenticate user. Please notify the system
> administrator.
> Authentication Error
> The username or password was incorrect.
>
> Apache error:
>
> [Thu Nov 01 11:28:32.666278 2018] [php7:warn] [pid 1397] [client
> 10.254.48.252:58828] PHP Warning:
> ldap_connect(): Could not create session handle: Bad parameter to an
> ldap routine in /opt/zendto/lib/NSSADAuthenticator.php on line 527
>
> Zendto log:
>
> 2018-11-01 11:28:32 10.254.48.252 [ZendTo]: Warning: authorization
> failed for USERNAME
>
>
> We have also tried removing the ports from the server names, like this:
>
> 'authenticator' => 'AD',
> 'authLDAPBaseDN1' => 'DC=OURDOMAIN,DC=com',
> 'authLDAPServers1' => array('AD_SERVER1','AD_SERVER2'),
> 'authLDAPAccountSuffix1' => '@OURDOMAIN.com',
> 'authLDAPUseSSL1' => false,
> 'authLDAPBindUser1' => 'USERNAME',
> 'authLDAPBindPass1' => 'PASSWORD',
> 'authLDAPOrganization1' => 'OUR ORGANIZATION',
> 'authLDAPBaseDN2' => 'DC=soton,DC=ac,DC=uk',
> 'authLDAPServers2' => array(),
> 'authLDAPAccountSuffix2' => '@soton.ac.uk',
> 'authLDAPUseSSL2' => false,
> 'authLDAPBindUser2' => 'SecretUsername2',
> 'authLDAPBindPass2' => 'SecretPassword2',
> 'authLDAPOrganization2' => 'University of Southampton',
>
>
> then we got just the following error on the ZendTo web page:
>
>
> Authentication Error
>
> The username or password was incorrect.
>
>
> and no errors in Apache; ZendTo log:
>
> 2018-11-01 11:32:56 10.254.48.252 [ZendTo]: Warning: authorization
> failed for USERNAME
>
>
>
>
> We have tried it also like this:
>
> 'authenticator' => 'AD',
> 'authLDAPBaseDN1' => 'DC=OURDOMAIN,DC=com',
> 'authLDAPServers1' => array('AD_SERVER1:3268','AD_SERVER2:3268'),
> 'authLDAPAccountSuffix1' => '@OURDOMAIN.com',
> 'authLDAPUseSSL1' => false,
> 'authLDAPBindUser1' => 'USERNAME',
> 'authLDAPBindPass1' => 'PASSWORD',
> 'authLDAPBaseOrganization1' => 'OUR ORGANIZATION',
> 'authLDAPBaseDN2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPServers2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPAccountSuffix2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPUseSSL2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPBindUser2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPBindPass2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPBaseOrganization2' => '', // Leave blank if not using a 2nd forest.
>
> It throws a message on the ZendTo front-end page but keeps users marked as
> logged in:
>
> LDAP Error
>
> Check User: Unable to connect to any of the authentication servers;
> could not authenticate user. Please notify the system administrator.
>
>
>
> Apache error:
>
> [Thu Nov 01 11:12:11.381516 2018] [php7:warn] [pid 903] [client
> 10.254.48.252:58118] PHP Warning:
> ldap_connect(): Could not create session handle: Bad parameter to an
> ldap routine in /opt/zendto/lib/NSSADAuthenticator.php on line 527
>
> ZendTo log:
>
> 2018-11-01 11:13:56 10.254.48.252 [ZendTo]: Info: authorization
> succeeded for USERNAME
> 2018-11-01 11:13:56 10.254.48.252 [ZendTo]: Info: user authentication
> verified user as 'USERNAME'
>
>
> Also, when we change the AD servers like this (servers without :3268 at the
> end):
>
> 'authenticator' => 'AD',
> 'authLDAPBaseDN1' => 'DC=OURDOMAIN,DC=com',
> 'authLDAPServers1' => array('AD_SERVER1','AD_SERVER2'),
> 'authLDAPAccountSuffix1' => '@OURDOMAIN.com',
> 'authLDAPUseSSL1' => false,
> 'authLDAPBindUser1' => 'USERNAME',
> 'authLDAPBindPass1' => 'PASSWORD',
> 'authLDAPBaseOrganization1' => 'OUR ORGANIZATION',
> 'authLDAPBaseDN2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPServers2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPAccountSuffix2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPUseSSL2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPBindUser2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPBindPass2' => '', // Leave blank if not using a 2nd forest.
> 'authLDAPBaseOrganization2' => '', // Leave blank if not using a 2nd forest.
>
>
>
> then ANYONE can log in and there is no ZendTo front-end or Apache error.
>
> This is zendto.log in that case:
>
> 2018-11-01 11:18:17 10.254.48.252 [ZendTo]: Info: authorization
> succeeded for USERNAME
> 2018-11-01 11:18:17 10.254.48.252 [ZendTo]: Info: user authentication
> verified user as USERNAME
>
>
> When we try like this:
>
> 'authenticator' => 'AD',
> 'authLDAPBaseDN1' => array('DC=OURDOMAIN,DC=com'),
> 'authLDAPServers1' => array('AD_SERVER:3268'),
> 'authLDAPAccountSuffix1' => '@OURDOMAIN.com',
> 'authLDAPUseSSL1' => false,
> 'authLDAPBindUser1' => 'USERNAME',
> 'authLDAPBindPass1' => 'PASSWORD',
> 'authLDAPOrganization1' => 'OUR ORGANIZATION',
>
> Then ANYONE can log in, but with this error on the ZendTo front-end page:
>
>
> LDAP Error
>
> Check User: Unable to connect to any of the authentication servers;
> could not authenticate user. Please notify the system administrator.
>
>
> Apache error:
>
> [Thu Nov 01 11:49:21.846106 2018] [php7:warn] [pid 1397] [client
> 10.254.48.252:59694] PHP Warning:
> ldap_connect(): Could not create session handle: Bad parameter to an
> ldap routine in /opt/zendto/lib/NSSADAuthenticator.php on line 527
>
> zendto.log:
>
> 2018-11-01 11:49:21 10.254.48.252 [ZendTo]: Info: authorization
> succeeded for USERNAME
> 2018-11-01 11:49:21 10.254.48.252 [ZendTo]: Info: user authentication
> verified user as 'USERNAME'
>
>
> If we try it like this (without :3268 for the server):
>
> 'authenticator' => 'AD',
> 'authLDAPBaseDN1' => array('DC=OURDOMAIN,DC=com'),
> 'authLDAPServers1' => array('AD_SERVER:'),
> 'authLDAPAccountSuffix1' => '@OURDOMAIN.com',
> 'authLDAPUseSSL1' => false,
> 'authLDAPBindUser1' => 'USERNAME',
> 'authLDAPBindPass1' => 'PASSWORD',
> 'authLDAPOrganization1' => 'OUR ORGANIZATION',
>
> then ANYONE can log in, with no error on the ZendTo front-end page and no
> Apache error; zendto log:
>
> 2018-11-01 11:55:17 10.254.48.252 [ZendTo]: Info: user authentication
> verified user as 'USERNAME'
>
>
> We have checked https://zend.to/activedirectory.php and I can query
> LDAP with the command:
>
> ldapsearch -x -LLL -E pr=200/noprompt -h AD_SERVER1:3268 -D
> 'USERNAME' -w 'PASSWORD' -b 'DC=OURDOMAIN,DC=com' -s sub
> '(sAMAccountName=*)' cn mail memberOf
>
>
> Our software versions:
>
> PHP: 7.2.10
> Apache: 2.4.6
> Zendto: Version 5.15-1
>
> Has anyone had the same issue? Is there any solution, or does anyone have a
> configuration example for AD authentication?
>
> Thanks in advance!
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'In Flanders fields the poppies blow
Between the crosses, row on row,
That mark our place: and in the sky
The larks still bravely singing fly
Scarce heard amid the guns below.
We are the dead: Short days ago,
We lived, felt dawn, saw sunset glow,
Loved and were loved: and now we lie
In Flanders fields!
Take up our quarrel with the foe
To you, from failing hands, we throw
The torch: be yours to hold it high
If ye break faith with us who die,
We shall not sleep, though poppies grow
In Flanders fields.' Lieutenant Colonel John McCrae
Composed at the battlefront on May 3, 1915
during the second battle of Ypres, Belgium
www.Zend.To
Twitter: @JulesFM
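The following is an added example written for this page in Python; it is not ZendTo's code and nothing in the thread confirms it. It makes the two failure modes in the thread concrete: a server entry that already carries a port being handed to a function that appends one itself, and a misconfigured server list that ends in "anyone can log in" instead of "nobody can". php_style_ldap_url() mirrors my reading of how PHP's ldap_connect() composes "ldap://host:port" from a bare hostname and a port argument (check this against your PHP version); under that reading 'AD_SERVER1:3268' becomes 'ldap://AD_SERVER1:3268:389', which is the kind of URL that produces "Bad parameter to an ldap routine". The "host[:port]" grammar, the default ports, the example hostnames (dc1.example.com etc.) and the fake connect/bind callables are all assumptions so that it runs offline.

```python
"""Added example, not ZendTo code: validate an authLDAPServersN list before
it reaches ldap_connect(), and run a fail-closed authentication loop.

Assumptions not taken from the thread: the "host[:port]" entry grammar, the
default ports 389/636, php_style_ldap_url() (my reading of PHP's ext/ldap),
and the fake directory used to run this offline."""
from typing import List, Sequence, Tuple
from urllib.parse import urlsplit

LDAP_PORT, LDAPS_PORT = 389, 636      # plain directory ports
GC_PORT, GC_SSL_PORT = 3268, 3269     # Active Directory global catalog ports


def php_style_ldap_url(host: str, port: int) -> str:
    """Mimic ldap_connect($host, $port) for a host without a scheme: the URL
    'ldap://host:port' is composed from both arguments, so a host that
    already ends in ':3268' gets a second port appended.  (Assumed behaviour.)"""
    if "://" in host:
        return host
    return f"ldap://{host}:{port}"


def is_valid_ldap_url(url: str) -> bool:
    """True only for ldap(s)://host[:port] with at most one numeric port."""
    parts = urlsplit(url)
    try:
        parts.port          # raises ValueError for '3268:389' or ':389'
    except ValueError:
        return False
    return parts.scheme in ("ldap", "ldaps") and bool(parts.hostname)


def parse_server(entry: str, use_ssl: bool) -> Tuple[str, int]:
    """'host' -> (host, default port); 'host:3268' -> (host, 3268).
    Rejects '' and 'host:' (both appear in the thread's configurations).
    Bracketed IPv6 literals are not handled."""
    if not isinstance(entry, str) or not entry.strip():
        raise ValueError(f"empty server entry: {entry!r}")
    entry = entry.strip()
    host, sep, port = entry.rpartition(":")
    if not sep:
        return entry, (LDAPS_PORT if use_ssl else LDAP_PORT)
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"malformed server entry: {entry!r}")
    return host, int(port)


def server_urls(servers: Sequence[str], use_ssl: bool) -> List[str]:
    """authLDAPServersN must be a non-empty array.  A bare '' (used in the
    thread for the unused second forest) is rejected, not silently iterated."""
    if not isinstance(servers, (list, tuple)) or not servers:
        raise ValueError("authLDAPServers must be a non-empty array of host[:port]")
    scheme = "ldaps" if use_ssl else "ldap"
    urls = [f"{scheme}://{h}:{p}" for h, p in (parse_server(s, use_ssl) for s in servers)]
    bad = [u for u in urls if not is_valid_ldap_url(u)]
    if bad:
        raise ValueError(f"invalid LDAP URL(s): {bad}")
    return urls


def authenticate(servers, use_ssl, username, password, connect, bind) -> bool:
    """Fail closed: True only after a successful bind.  Configuration errors,
    unreachable servers and bind errors all yield False and never fall
    through to 'logged in'."""
    # An empty password would be an unauthenticated (anonymous) simple bind,
    # which Active Directory accepts by default, so refuse it before binding.
    if not username or not password:
        return False
    try:
        urls = server_urls(servers, use_ssl)
    except ValueError:
        return False
    for url in urls:
        try:
            conn = connect(url)
        except OSError:
            continue                    # unreachable: try the next replica
        try:
            # The first reachable server decides; a rejected password is not
            # retried against every replica (that only multiplies failed logons).
            return bool(bind(conn, username, password))
        except OSError:
            continue
    return False                        # nothing reachable: deny


# Constructed offline stand-in for the directory (not a real AD).
FAKE_ACCOUNTS = {"alice@example.com": "correct horse battery"}
FAKE_REACHABLE = {"ldap://dc1.example.com:3268", "ldap://dc2.example.com:389"}


def fake_connect(url: str) -> str:
    if url not in FAKE_REACHABLE:
        raise OSError(f"cannot reach {url}")
    return url


def fake_bind(conn, username: str, password: str) -> bool:
    return FAKE_ACCOUNTS.get(username) == password


def demo() -> dict:
    """Outcome of each configuration shape the thread tried, on the fake directory."""
    def a(servers, user, pw):
        return authenticate(servers, False, user, pw, fake_connect, fake_bind)
    user, pw = "alice@example.com", "correct horse battery"
    return {
        "good config, right password": a(["dc1.example.com:3268"], user, pw),
        "good config, wrong password": a(["dc1.example.com:3268"], user, "nope"),
        "failover to second DC": a(["dc9.example.com", "dc2.example.com"], user, pw),
        "servers given as ''": a("", user, pw),
        "entry 'host:' with no port": a(["dc1.example.com:"], user, pw),
        "empty password": a(["dc1.example.com:3268"], user, ""),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30s} -> {'allowed' if ok else 'denied'}")
    url = php_style_ldap_url("AD_SERVER1:3268", LDAP_PORT)
    print(url, "valid" if is_valid_ldap_url(url) else "invalid")
```

The design point is that every branch other than "bind succeeded" returns False; a loop that only sets a flag on failure, or that treats an empty or non-array server list as "no servers to check", is what turns a configuration typo into an open door. Run it without arguments to see the table of allowed/denied outcomes.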