From Jules at Zend.To Sat Feb 8 17:28:40 2020 From: Jules at Zend.To (Jules) Date: Sat, 8 Feb 2020 17:28:40 +0000 Subject: [ZendTo] =?utf-8?q?News_=E2=80=94_Microsoft_enforcing_LDAPS_for_?= =?utf-8?q?AD_servers?= Message-ID: <6aa1cb37-037b-4d3d-dc85-f31821bd46b9@Zend.To> Microsoft are about to enforce the use of LDAPS (removing unencrypted LDAP) when checking user credentials against an AD server. This needs a couple of minor changes to your ZendTo server. I have written up some simple instructions here https://zend.to/activedirectory.php which certainly appear to work for me. I strongly advise you make the changes and test the resulting service before Microsoft release the patch that enforces the need for this. It should cause no harm except to improve the security of communications between ZendTo and your AD server. Any comments / problems / questions, please do let me know straightaway! Cheers, Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM The current UK shipping forecast: Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6. Slight or moderate, occasionally rough in south. Rain. Good, occasionally poor. www.Zend.To Twitter: @JulesFM -------------- next part -------------- An HTML attachment was scrubbed... URL: From Massimo.Forni at turboden.it Sat Feb 8 19:29:36 2020 From: Massimo.Forni at turboden.it (Massimo Forni) Date: Sat, 8 Feb 2020 19:29:36 +0000 Subject: [ZendTo] =?utf-8?q?News_=E2=80=94_Microsoft_enforcing_LDAPS_for_?= =?utf-8?q?AD_servers?= In-Reply-To: References: <6aa1cb37-037b-4d3d-dc85-f31821bd46b9@Zend.To>, Message-ID: Hi and thank you! Can you point us to the Micros documentation about this change? Thank you! Sent from my iPhone On 8 Feb 2020, at 18:29, Jules via ZendTo wrote: ? Microsoft are about to enforce the use of LDAPS (removing unencrypted LDAP) when checking user credentials against an AD server. This needs a couple of minor changes to your ZendTo server. 
I have written up some simple instructions here https://zend.to/activedirectory.php which certainly appear to work for me. I strongly advise you make the changes and test the resulting service before Microsoft release the patch that enforces the need for this. It should cause no harm except to improve the security of communications between ZendTo and your AD server. Any comments / problems / questions, please do let me know straightaway! Cheers, Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM The current UK shipping forecast: Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6. Slight or moderate, occasionally rough in south. Rain. Good, occasionally poor. www.Zend.To Twitter: @JulesFM _______________________________________________ ZendTo mailing list ZendTo at zend.to https://urldefense.com/v3/__http://jul.es/mailman/listinfo/zendto__;!!BYEqwblc0Q!g2Ry8YNF8kfZYTQxAwMj0X6zJcTdMv0IFXlZsAtwL29y5tzumtz3IhDZQ0Za8FRRR3RmEg$ -- Massimo Forni ICT Infrastructure Manager Mobile: +393474110278 ________________________________ Turboden S.p.A. I via Cernaia 10 I 25124 Brescia I Italy t. +39 030 3552001 I f. +39 030 3552011 www.turboden.com Confidentiality notice: this message, together with its attachments, may contain strictly confidential and/or legally privileged information and it is destined solely to the intended addressee(s), who only may use it under his/their responsibility. Opinions, conclusions and other information contained in this message, that do not relate to the official business of this firm, shall be considered as not given or endorsed by it. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Any use, disclosure, copying or distribution of the contents of this communication by a not-intended recipient or in violation of the purposes of this communication is strictly prohibited and may be unlawful. 
-------------- next part -------------- An HTML attachment was scrubbed... URL: From chris.venter1 at gmail.com Sat Feb 8 20:51:41 2020 From: chris.venter1 at gmail.com (Chris Venter) Date: Sat, 8 Feb 2020 20:51:41 +0000 Subject: [ZendTo] =?utf-8?q?News_=E2=80=94_Microsoft_enforcing_LDAPS_for_?= =?utf-8?q?AD_servers?= In-Reply-To: References: <6aa1cb37-037b-4d3d-dc85-f31821bd46b9@Zend.To> Message-ID: Hi Try the below links https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 Hope this helps Chris On Sat, 8 Feb 2020 at 19:30, Massimo Forni via ZendTo wrote: > Hi and thank you! > Can you point us to the Micros documentation about this change? > Thank you! > > Sent from my iPhone > > On 8 Feb 2020, at 18:29, Jules via ZendTo wrote: > > ? Microsoft are about to enforce the use of LDAPS (removing unencrypted > LDAP) when checking user credentials against an AD server. > > This needs a couple of minor changes to your ZendTo server. > > I have written up some simple instructions here > https://zend.to/activedirectory.php > > which certainly appear to work for me. > > I strongly advise you make the changes and test the resulting service > before Microsoft release the patch that enforces the need for this. It > should cause no harm except to improve the security of communications > between ZendTo and your AD server. > > Any comments / problems / questions, please do let me know straightaway! > > Cheers, > > Jules > > -- > Julian Field MEng CEng CITP MBCS MIEEE MACM > > The current UK shipping forecast: > Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6. > Slight or moderate, occasionally rough in south. Rain. Good, occasionally > poor. 
> www.Zend.To > Twitter: @JulesFM > > _______________________________________________ > ZendTo mailing list > ZendTo at zend.to > > https://urldefense.com/v3/__http://jul.es/mailman/listinfo/zendto__;!!BYEqwblc0Q!g2Ry8YNF8kfZYTQxAwMj0X6zJcTdMv0IFXlZsAtwL29y5tzumtz3IhDZQ0Za8FRRR3RmEg$ > > -- > > *Massimo Forni* > ICT Infrastructure Manager > > Mobile: +393474110278 > ------------------------------ > > *Turboden S.p.A.* *I* via Cernaia 10 *I* 25124 Brescia *I* Italy > t. +39 030 3552001 *I* f. +39 030 3552011 > www.turboden.com > > > *Confidentiality notice*: this message, together with its attachments, > may contain strictly confidential and/or legally privileged information and > it is destined solely to the intended addressee(s), who only may use it > under his/their responsibility. Opinions, conclusions and other information > contained in this message, that do not relate to the official business of > this firm, shall be considered as not given or endorsed by it. If you have > received this communication in error, please notify us immediately by > responding to this email and then delete it from your system. Any use, > disclosure, copying or distribution of the contents of this communication > by a not-intended recipient or in violation of the purposes of this > communication is strictly prohibited and may be unlawful. > _______________________________________________ > ZendTo mailing list > ZendTo at zend.to > http://jul.es/mailman/listinfo/zendto > -------------- next part -------------- An HTML attachment was scrubbed... URL: From glenn.noel at gmail.com Mon Feb 10 14:40:05 2020 From: glenn.noel at gmail.com (Glenn Noel) Date: Mon, 10 Feb 2020 09:40:05 -0500 Subject: [ZendTo] =?utf-8?q?News_=E2=80=94_Microsoft_enforcing_LDAPS_for_?= =?utf-8?q?AD_servers?= In-Reply-To: References: <6aa1cb37-037b-4d3d-dc85-f31821bd46b9@Zend.To> Message-ID: Hi Jules, I'm just trying the changes now. 
The instructions state to add the following to preferences.php: 'authLDAPServers1' => array('ldaps://your-AD-server-here.example.com'), 'authLDAPUseSSL1' => false, 'authLDAPUseTLS1' => false, When I try this, the two forward slashes in the * 'ldaps://your-AD-server-here.example.com '* comment out the *your-AD-server-hear.example.com * I've tried different iterations, but so far no luck. Any advice, as always is much appreciated. Glenn On Sat, Feb 8, 2020 at 12:29 PM Jules via ZendTo wrote: > Microsoft are about to enforce the use of LDAPS (removing unencrypted > LDAP) when checking user credentials against an AD server. > > This needs a couple of minor changes to your ZendTo server. > > I have written up some simple instructions here > https://zend.to/activedirectory.php > which certainly appear to work for me. > > I strongly advise you make the changes and test the resulting service > before Microsoft release the patch that enforces the need for this. It > should cause no harm except to improve the security of communications > between ZendTo and your AD server. > > Any comments / problems / questions, please do let me know straightaway! > > Cheers, > > Jules > > -- > Julian Field MEng CEng CITP MBCS MIEEE MACM > > The current UK shipping forecast: > Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6. > Slight or moderate, occasionally rough in south. Rain. Good, occasionally > poor. > www.Zend.To > Twitter: @JulesFM > > _______________________________________________ > ZendTo mailing list > ZendTo at zend.to > http://jul.es/mailman/listinfo/zendto > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From Jules at Zend.To Mon Feb 10 15:46:40 2020 From: Jules at Zend.To (Jules Field) Date: Mon, 10 Feb 2020 15:46:40 +0000 Subject: [ZendTo] =?utf-8?q?News_=E2=80=94_Microsoft_enforcing_LDAPS_for_?= =?utf-8?q?AD_servers?= In-Reply-To: References: Message-ID: <5833FC05-F907-4137-A61E-4F56C0D6AC83@Zend.To> But they?re in quotes, so won?t act as comment characters. If what you really mean is that the colour syntax highlighting in your text editor gets it wrong, then just ignore the colouring or turn it off. Text editors don?t actually completely parse your text to produce the colours (that would be a huge job), they just have a bunch of fairly simple rules. -- Jules Sent via a stabby glass thing. All comments you find inappropriate are entirely the fault of autocorrect. Honest. > On 10 Feb 2020, at 2:48 pm, Glenn Noel wrote: > > ? > Hi Jules, > > I'm just trying the changes now. The instructions state to add the following to preferences.php: > > 'authLDAPServers1' => array('ldaps://your-AD-server-here.example.com'), > 'authLDAPUseSSL1' => false, > 'authLDAPUseTLS1' => false, > > When I try this, the two forward slashes in the 'ldaps://your-AD-server-here.example.com' comment out the your-AD-server-hear.example.com > > I've tried different iterations, but so far no luck. > > Any advice, as always is much appreciated. > > Glenn > > >> On Sat, Feb 8, 2020 at 12:29 PM Jules via ZendTo wrote: >> Microsoft are about to enforce the use of LDAPS (removing unencrypted LDAP) when checking user credentials against an AD server. >> >> This needs a couple of minor changes to your ZendTo server. >> >> I have written up some simple instructions here >> https://zend.to/activedirectory.php >> which certainly appear to work for me. >> >> I strongly advise you make the changes and test the resulting service before Microsoft release the patch that enforces the need for this. It should cause no harm except to improve the security of communications between ZendTo and your AD server. 
>> >> Any comments / problems / questions, please do let me know straightaway! >> >> Cheers, >> Jules >> >> -- >> Julian Field MEng CEng CITP MBCS MIEEE MACM >> >> The current UK shipping forecast: >> Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6. >> Slight or moderate, occasionally rough in south. Rain. Good, occasionally >> poor. >> >> www.Zend.To >> Twitter: @JulesFM >> _______________________________________________ >> ZendTo mailing list >> ZendTo at zend.to >> http://jul.es/mailman/listinfo/zendto -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssilva at sgvwater.com Mon Feb 10 17:37:47 2020 From: ssilva at sgvwater.com (Scott Silva) Date: Mon, 10 Feb 2020 17:37:47 +0000 Subject: [ZendTo] =?utf-8?q?News_=E2=80=94_Microsoft_enforcing_LDAPS_for_?= =?utf-8?q?AD_servers?= In-Reply-To: References: <6aa1cb37-037b-4d3d-dc85-f31821bd46b9@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE114@FONEXCH01.sgvwc.local> Message-ID: Running on Redhat 7 Made changes to /etc/openldap/ldap.conf Made changes to preferences.php Get login error LDAP Error Check User: Unable to connect to any of the authentication servers; could not authenticate user. Please notify the system administrator. Authentication Error The username or password was incorrect. Found I did not have gnutls installed, and thought it might be required. Not sure how else to test... Maybe a list of packages that might be required? From: ZendTo On Behalf Of Jules via ZendTo Sent: Saturday, February 8, 2020 9:29 AM To: ZendTo Users Cc: Jules Subject: [ZendTo] News ? Microsoft enforcing LDAPS for AD servers Microsoft are about to enforce the use of LDAPS (removing unencrypted LDAP) when checking user credentials against an AD server. This needs a couple of minor changes to your ZendTo server. I have written up some simple instructions here ??? https://zend.to/activedirectory.php which certainly appear to work for me. 
I strongly advise you make the changes and test the resulting service before Microsoft release the patch that enforces the need for this. It should cause no harm except to improve the security of communications between ZendTo and your AD server. Any comments / problems / questions, please do let me know straightaway! Cheers, Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM The current UK shipping forecast: Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6. Slight or moderate, occasionally rough in south. Rain. Good, occasionally poor. http://www.Zend.To Twitter: @JulesFM From karl.bundy at aldentorch.com Mon Feb 10 17:47:27 2020 From: karl.bundy at aldentorch.com (Karl Bundy) Date: Mon, 10 Feb 2020 17:47:27 +0000 Subject: [ZendTo] =?utf-8?q?News_=E2=80=94_Microsoft_enforcing_LDAPS_for_?= =?utf-8?q?AD_servers?= In-Reply-To: References: <6aa1cb37-037b-4d3d-dc85-f31821bd46b9@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE114@FONEXCH01.sgvwc.local> Message-ID: I also am running RedHat7/CentOS7 and having the same issue. Nothing seems to output any helpful logs to help troubleshoot the source of the issue (cert issue, missing packages, etc.) Any suggestions would be appreciated! Thanks, Karl Bundy -----Original Message----- From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Scott Silva via ZendTo Sent: Monday, February 10, 2020 10:38 AM To: 'ZendTo Users' Cc: Scott Silva Subject: Re: [ZendTo] News ? Microsoft enforcing LDAPS for AD servers Running on Redhat 7 Made changes to /etc/openldap/ldap.conf Made changes to preferences.php Get login error LDAP Error Check User: Unable to connect to any of the authentication servers; could not authenticate user. Please notify the system administrator. Authentication Error The username or password was incorrect. Found I did not have gnutls installed, and thought it might be required. Not sure how else to test... Maybe a list of packages that might be required? 
From: ZendTo On Behalf Of Jules via ZendTo Sent: Saturday, February 8, 2020 9:29 AM To: ZendTo Users Cc: Jules Subject: [ZendTo] News ? Microsoft enforcing LDAPS for AD servers Microsoft are about to enforce the use of LDAPS (removing unencrypted LDAP) when checking user credentials against an AD server. This needs a couple of minor changes to your ZendTo server. I have written up some simple instructions here ??? https://zend.to/activedirectory.php which certainly appear to work for me. I strongly advise you make the changes and test the resulting service before Microsoft release the patch that enforces the need for this. It should cause no harm except to improve the security of communications between ZendTo and your AD server. Any comments / problems / questions, please do let me know straightaway! Cheers, Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM The current UK shipping forecast: Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6. Slight or moderate, occasionally rough in south. Rain. Good, occasionally poor. http://www.Zend.To Twitter: @JulesFM _______________________________________________ ZendTo mailing list ZendTo at zend.to http://jul.es/mailman/listinfo/zendto From Guy.Bertrand at exelaonline.com Mon Feb 10 18:36:35 2020 From: Guy.Bertrand at exelaonline.com (Guy Bertrand) Date: Mon, 10 Feb 2020 18:36:35 +0000 Subject: [ZendTo] MS LDAPs References: <3b98cb5708d24a44a1db365e91db106e@exelaonline.com> Message-ID: Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk to the domain controller. Don't forget to check things between your ZendTo server and the domain controller: - the outgoing firewall config on the ZendTo server - the firewall on the DC (is port 636 open?) - routing - any intermediate firewall rules Quick test: open a command prompt (CMD on Windows, any shell on *nix). This will try to "telnet" to that port. 
C:\> telnet "ip of your DC" 636 If a blank screen appears then the port is open, and the test is successful. If you receive a connecting... message or an error message then something is blocking that port. Guy Bertrand, M.Ing Directeur informatique / IT Manager EXELA TECHNOLOGIES b: +1.514.392.4999 | m: +1.514.265.9754 1155, boulevard Robert-Bourassa, suite 500 | Montr?al (Qu?bec) CANADA H3B 3A7 www.ExelaTech.com | EXELA LinkedIn ________________________________ Attention : le pr?sent message et toutes les pi?ces jointes sont confidentiels et ?tablis ? l'attention exclusive du ou des destinataire(s) indiqu?(s). Toute autre diffusion ou utilisation non autoris?e est interdite. Si vous recevez ce message par erreur, veuillez imm?diatement en avertir l'exp?diteur par e-mail en retour, d?truire le message et vous abstenir de toute r?f?rence aux informations qui y figurent afin d'?viter les sanctions attach?es ? la divulgation et ? l'utilisation d'informations confidentielles. Les messages ?lectroniques sont susceptibles d'alt?ration. Exela Technologies et ses filiales d?clinent toute responsabilit? en cas d'alt?ration ou de falsification du pr?sent message. ________________________________ Please consider the environment before printing or forwarding this email. If you do print this email, please recycle the paper. This email message may contain confidential, proprietary and/or privileged information. It is intended only for the use of the intended recipient(s). If you have received it in error, please immediately advise the sender by reply email and then delete this email message. Any disclosure, copying, distribution or use of the information contained in this email message to or by anyone other than the intended recipient is strictly prohibited. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Exela Technologies, Inc. or its subsidiaries. 
This email does not constitute an agreement to conduct transactions by electronic means and does not create any legally binding contract or enforceable obligation against Exela in the absence of a fully signed written agreement. From ssilva at sgvwater.com Mon Feb 10 18:39:52 2020 From: ssilva at sgvwater.com (Scott Silva) Date: Mon, 10 Feb 2020 18:39:52 +0000 Subject: [ZendTo] MS LDAPs In-Reply-To: References: <3b98cb5708d24a44a1db365e91db106e@exelaonline.com> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE1C9@FONEXCH01.sgvwc.local> Message-ID: In my case I know the ports are open because I have a Linux based spam filter that is able to auth secured. -----Original Message----- From: ZendTo On Behalf Of Guy Bertrand via ZendTo Sent: Monday, February 10, 2020 10:37 AM To: zendto at zend.to Cc: Guy Bertrand Subject: [ZendTo] MS LDAPs Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk to the domain controller. Don't forget to check things between your ZendTo server and the domain controller: - the outgoing firewall config on the ZendTo server - the firewall on the DC (is port 636 open?) - routing - any intermediate firewall rules Quick test: open a command prompt (CMD on Windows, any shell on *nix). This will try to "telnet" to that port. C:\> telnet "ip of your DC" 636 If a blank screen appears then the port is open, and the test is successful. If you receive a connecting... message or an error message then something is blocking that port. Guy Bertrand, M.Ing Directeur informatique / IT Manager EXELA TECHNOLOGIES b: +1.514.392.4999 | m: +1.514.265.9754 1155, boulevard Robert-Bourassa, suite 500 | Montr?al (Qu?bec) CANADA H3B 3A7 www.ExelaTech.com | EXELA LinkedIn ________________________________ Attention : le pr?sent message et toutes les pi?ces jointes sont confidentiels et ?tablis ? l'attention exclusive du ou des destinataire(s) indiqu?(s). Toute autre diffusion ou utilisation non autoris?e est interdite. 
Si vous recevez ce message par erreur, veuillez imm?diatement en avertir l'exp?diteur par e-mail en retour, d?truire le message et vous abstenir de toute r?f?rence aux informations qui y figurent afin d'?viter les sanctions attach?es ? la divulgation et ? l'utilisation d'informations confidentielles. Les messages ?lectroniques sont susceptibles d'alt?ration. Exela Technologies et ses filiales d?clinent toute responsabilit? en cas d'alt?ration ou de falsification du pr?sent message. ________________________________ Please consider the environment before printing or forwarding this email. If you do print this email, please recycle the paper. This email message may contain confidential, proprietary and/or privileged information. It is intended only for the use of the intended recipient(s). If you have received it in error, please immediately advise the sender by reply email and then delete this email message. Any disclosure, copying, distribution or use of the information contained in this email message to or by anyone other than the intended recipient is strictly prohibited. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Exela Technologies, Inc. or its subsidiaries. This email does not constitute an agreement to conduct transactions by electronic means and does not create any legally binding contract or enforceable obligation against Exela in the absence of a fully signed written agreement. _______________________________________________ ZendTo mailing list ZendTo at zend.to http://jul.es/mailman/listinfo/zendto From downloadmalware at gmail.com Tue Feb 11 15:41:48 2020 From: downloadmalware at gmail.com (Ionescu Gigel) Date: Tue, 11 Feb 2020 17:41:48 +0200 Subject: [ZendTo] Fill in organization from AD attribute References: Message-ID: Hello, I want to fill in the organization field automatically from AD. 
I would like to know how the authLDAPOrganization option really works and if my understanding is right. I read some old posts from the time this option was introduced, but I still don't get it. As far as I see what I put in that option that will be the default text for internal authenticated users. >From the lib/NSSLDAPAuthenticator.php code in $attributeNames array I see you are trying to get some "organization" attribute. Actually, this will be always empty as AD stores the name of the company in "company" attribute, so few lines down if (!@$response['organization']) does not make any sense. Can someone enlight me, please? As I said, my goal would be to have the organization from AD if authLDAPOrganization is empty or if I set the AD attribute where I store the name of the organization. Regards, -------------- next part -------------- An HTML attachment was scrubbed... URL: From Jules at Zend.To Wed Feb 12 15:06:01 2020 From: Jules at Zend.To (Jules Field) Date: Wed, 12 Feb 2020 15:06:01 +0000 Subject: [ZendTo] MS LDAPs In-Reply-To: References: <3b98cb5708d24a44a1db365e91db106e@exelaonline.com> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE1C9@FONEXCH01.sgvwc.local> Message-ID: <09997bfa-4721-692d-55f3-90103403c07a@Zend.To> Scott, I have just done a CentOS 7 install of the latest ZendTo beta from scratch, including using SELinux. I set the preferences.php settings to ??? authLDAPServers1 => array('ldaps://our-AD-server.soton.ac.uk'), ??? authLDAPBaseDN1 => 'DC=soton,DC=ac,DC=uk', ??? authLDAPAccountSuffix1 => '@soton.ac.uk', ??? authLDAPUseSSL1 => false, ??? authLDAPUseTLS1 => false, and it just worked immediately. I didn't have to install any other packages at all. Our AD servers are listening on 636/tcp (the TCP port for ldaps according to /etc/services). I have already tested the same thing on Ubuntu 18.04 and it worked first time there too. 
If you are using some sort of a self-signed or locally-signed certificate on your AD server(s), then you will need to add your local root CA public cert to the TLS_CACERT file, or else the ZendTo server won't be able to verify the cert it gets from the AD server. But if you are using a "normal" externally-signed commercial cert, it should work fine. On 10/02/2020 18:39, Scott Silva via ZendTo wrote: > In my case I know the ports are open because I have a Linux based spam filter that is able to auth secured. > > > -----Original Message----- > From: ZendTo On Behalf Of Guy Bertrand via ZendTo > Sent: Monday, February 10, 2020 10:37 AM > To: zendto at zend.to > Cc: Guy Bertrand > Subject: [ZendTo] MS LDAPs > > Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk to the domain controller. Don't forget to check things between your ZendTo server and the domain controller: > - the outgoing firewall config on the ZendTo server > - the firewall on the DC (is port 636 open?) > - routing > - any intermediate firewall rules > > Quick test: open a command prompt (CMD on Windows, any shell on *nix). This will try to "telnet" to that port. > C:\> telnet "ip of your DC" 636 > If a blank screen appears then the port is open, and the test is successful. > If you receive a connecting... message or an error message then something is blocking that port. > > Guy Bertrand, M.Ing > Directeur informatique / IT Manager > EXELA TECHNOLOGIES > b: +1.514.392.4999 | m: +1.514.265.9754 > 1155, boulevard Robert-Bourassa, suite 500 | Montr?al (Qu?bec) CANADA H3B 3A7 www.ExelaTech.com | EXELA LinkedIn > > > ________________________________ > Attention : le pr?sent message et toutes les pi?ces jointes sont confidentiels et ?tablis ? l'attention exclusive du ou des destinataire(s) indiqu?(s). Toute autre diffusion ou utilisation non autoris?e est interdite. 
Si vous recevez ce message par erreur, veuillez imm?diatement en avertir l'exp?diteur par e-mail en retour, d?truire le message et vous abstenir de toute r?f?rence aux informations qui y figurent afin d'?viter les sanctions attach?es ? la divulgation et ? l'utilisation d'informations confidentielles. Les messages ?lectroniques sont susceptibles d'alt?ration. Exela Technologies et ses filiales d?clinent toute responsabilit? en cas d'alt?ration ou de falsification du pr?sent message. > ________________________________ > Please consider the environment before printing or forwarding this email. If you do print this email, please recycle the paper. > > This email message may contain confidential, proprietary and/or privileged information. It is intended only for the use of the intended recipient(s). If you have received it in error, please immediately advise the sender by reply email and then delete this email message. Any disclosure, copying, distribution or use of the information contained in this email message to or by anyone other than the intended recipient is strictly prohibited. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Exela Technologies, Inc. or its subsidiaries. > > This email does not constitute an agreement to conduct transactions by electronic means and does not create any legally binding contract or enforceable obligation against Exela in the absence of a fully signed written agreement. > > _______________________________________________ > ZendTo mailing list > ZendTo at zend.to > http://jul.es/mailman/listinfo/zendto > > _______________________________________________ > ZendTo mailing list > ZendTo at zend.to > http://jul.es/mailman/listinfo/zendto Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM 'A good programmer is someone who always looks both ways before crossing a one-way street.' 
- Doug Linder
www.Zend.To
Twitter: @JulesFM

From Jules at Zend.To  Wed Feb 12 15:18:37 2020
From: Jules at Zend.To (Jules Field)
Date: Wed, 12 Feb 2020 15:18:37 +0000
Subject: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
In-Reply-To:
References: <6aa1cb37-037b-4d3d-dc85-f31821bd46b9@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE114@FONEXCH01.sgvwc.local>
Message-ID: <767493cc-1050-a182-efb5-f278748b2555@Zend.To>

Karl,

Given that it was a could-not-connect-at-all issue, then it's most likely either
a) incoming firewall on the AD server not listening on the correct LDAPS ports (636/tcp IIRC),
or
b) the SSL/TLS handshake between the ZendTo server and the AD Server is failing. This is most often caused by people using locally-signed certs on their AD servers, at which point the ZendTo server will need to be given a copy of the Root CA cert for your locally-signed certs. Just like you would need to give it to a web browser in order to avoid the errors when you browse to a website which is signed with a locally-signed cert.

A good command to test the SSL/TLS handshake from your ZendTo server is this:

    openssl s_client -connect your-AD-server-here.example.com:636

That should print out all sorts of nice looking things and not any error messages. When it's stopped outputting, just Ctrl-C it.

Cheers,
Jules.

On 10/02/2020 17:47, Karl Bundy via ZendTo wrote:
> I also am running RedHat7/CentOS7 and having the same issue. Nothing seems to output any helpful logs to help troubleshoot the source of the issue (cert issue, missing packages, etc.) Any suggestions would be appreciated!
>
> Thanks,
>
> Karl Bundy
>
> -----Original Message-----
> From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Scott Silva via ZendTo
> Sent: Monday, February 10, 2020 10:38 AM
> To: 'ZendTo Users'
> Cc: Scott Silva
> Subject: Re: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
>
> Running on Redhat 7
>
> Made changes to /etc/openldap/ldap.conf
> Made changes to preferences.php
> Get login error
>     LDAP Error
>     Check User: Unable to connect to any of the authentication servers; could not authenticate user. Please notify the system administrator.
>     Authentication Error
>     The username or password was incorrect.
> Found I did not have gnutls installed, and thought it might be required. Not sure how else to test...
> Maybe a list of packages that might be required?
>
> [...]

Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM
www.Zend.To
Twitter: @JulesFM

From glenn.noel at gmail.com  Thu Feb 13 21:18:48 2020
From: glenn.noel at gmail.com (Glenn Noel)
Date: Thu, 13 Feb 2020 16:18:48 -0500
Subject: [ZendTo] MS LDAPs
In-Reply-To:
References: <3b98cb5708d24a44a1db365e91db106e@exelaonline.com> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE1C9@FONEXCH01.sgvwc.local> <09997bfa-4721-692d-55f3-90103403c07a@Zend.To>
Message-ID:

Hi All,

I'm still struggling with LDAPS. In Jules' previous email there is a mention of:

"If you are using some sort of a self-signed or locally-signed certificate on your AD server(s), then you will need to add your local root CA public cert to the TLS_CACERT file, or else the ZendTo server won't be able to verify the cert it gets from the AD server. But if you are using a "normal" externally-signed commercial cert, it should work fine."

I am in this situation of using a cert created by my internal Domain CA. The steps I have taken:

1.) Exported the public key/cert for Client Authentication, Server Authentication from my Windows Domain Controller in DER encoded binary X.509 (.CER) format
2.) copied this .CER to /etc/ssl/certs
3.) in /etc/ldap/ldap.conf I added:

    TLS_CACERT /etc/ssl/certs/my-exported-ldaps-cert.cer

This line sits under the original line of

    TLS_CACERT /etc/ssl/certs/ca-certificates.crt

It was a shot in the dark and I successfully predicted that it would not work. However I am stuck.
If anyone has a good step-by-step to help me out I would appreciate it immensely. If the recommended method is to purchase a 3rd party cert please let me know - I will try that next (although I might need some assistance with that process too).

Thank you,
Glenn

On Wed, Feb 12, 2020 at 10:24 AM Jules Field via ZendTo wrote:
> Scott,
>
> I have just done a CentOS 7 install of the latest ZendTo beta from scratch, including using SELinux.
>
> I set the preferences.php settings to
>
>     authLDAPServers1 => array('ldaps://our-AD-server.soton.ac.uk'),
>     authLDAPBaseDN1 => 'DC=soton,DC=ac,DC=uk',
>     authLDAPAccountSuffix1 => '@soton.ac.uk',
>     authLDAPUseSSL1 => false,
>     authLDAPUseTLS1 => false,
>
> and it just worked immediately. I didn't have to install any other packages at all.
>
> Our AD servers are listening on 636/tcp (the TCP port for ldaps according to /etc/services).
>
> I have already tested the same thing on Ubuntu 18.04 and it worked first time there too.
>
> If you are using some sort of a self-signed or locally-signed certificate on your AD server(s), then you will need to add your local root CA public cert to the TLS_CACERT file, or else the ZendTo server won't be able to verify the cert it gets from the AD server. But if you are using a "normal" externally-signed commercial cert, it should work fine.
>
> On 10/02/2020 18:39, Scott Silva via ZendTo wrote:
> In my case I know the ports are open because I have a Linux based spam filter that is able to auth secured.
>
> -----Original Message-----
> From: ZendTo On Behalf Of Guy Bertrand via ZendTo
> Sent: Monday, February 10, 2020 10:37 AM
> To: zendto at zend.to
> Cc: Guy Bertrand
> Subject: [ZendTo] MS LDAPs
>
> Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk to the domain controller. Don't forget to check things between your ZendTo server and the domain controller:
> - the outgoing firewall config on the ZendTo server
> - the firewall on the DC (is port 636 open?)
> - routing
> - any intermediate firewall rules
>
> Quick test: open a command prompt (CMD on Windows, any shell on *nix). This will try to "telnet" to that port.
>     C:\> telnet "ip of your DC" 636
> If a blank screen appears then the port is open, and the test is successful.
> If you receive a connecting... message or an error message then something is blocking that port.
>
> Guy Bertrand, M.Ing
> Directeur informatique / IT Manager
> EXELA TECHNOLOGIES
> b: +1.514.392.4999 | m: +1.514.265.9754
> 1155, boulevard Robert-Bourassa, suite 500 | Montréal (Québec) CANADA H3B 3A7
> www.ExelaTech.com | EXELA LinkedIn
>
> ________________________________
> Attention: this message and all attachments are confidential and intended exclusively for the addressee(s) indicated. Any other distribution or unauthorised use is prohibited. If you receive this message in error, please notify the sender immediately by return e-mail, destroy the message and refrain from any reference to the information it contains, in order to avoid the penalties attached to the disclosure and use of confidential information. Electronic messages are liable to alteration. Exela Technologies and its subsidiaries decline all responsibility in the event of alteration or falsification of this message.
> ________________________________
> Please consider the environment before printing or forwarding this email. If you do print this email, please recycle the paper.
>
> This email message may contain confidential, proprietary and/or privileged information. It is intended only for the use of the intended recipient(s). If you have received it in error, please immediately advise the sender by reply email and then delete this email message. Any disclosure, copying, distribution or use of the information contained in this email message to or by anyone other than the intended recipient is strictly prohibited. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Exela Technologies, Inc. or its subsidiaries.
>
> This email does not constitute an agreement to conduct transactions by electronic means and does not create any legally binding contract or enforceable obligation against Exela in the absence of a fully signed written agreement.

From ssilva at sgvwater.com  Thu Feb 13 22:38:26 2020
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu, 13 Feb 2020 22:38:26 +0000
Subject: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
In-Reply-To:
References: <6aa1cb37-037b-4d3d-dc85-f31821bd46b9@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE114@FONEXCH01.sgvwc.local> <767493cc-1050-a182-efb5-f278748b2555@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAB4470@FONEXCH01.sgvwc.local>
Message-ID:

Ran openssl s_client -connect your-AD-server-here.example.com:636 (fixing actual name)
On my spamfilter linux box that DOES work I see a bunch of root certificates loaded on the system...
I wonder if that is one of the issues it doesn't seem to work on the CentOS Zendto box
The working system is Debian I believe...
> [...]

From ssilva at sgvwater.com  Thu Feb 13 23:13:32 2020
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu, 13 Feb 2020 23:13:32 +0000
Subject: [ZendTo] MS LDAPs
In-Reply-To:
References: <3b98cb5708d24a44a1db365e91db106e@exelaonline.com> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE1C9@FONEXCH01.sgvwc.local> <09997bfa-4721-692d-55f3-90103403c07a@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAB449E@FONEXCH01.sgvwc.local>
Message-ID:

I also just tried this, but replaced the line for the cert path since all docs I read said you could only have one.. Still no joy in mudville tonight...

From: ZendTo On Behalf Of Glenn Noel via ZendTo
Sent: Thursday, February 13, 2020 2:24 PM
To: ZendTo Users
Cc: Glenn Noel
Subject: Re: [ZendTo] MS LDAPs

> [...]
From maxsec at gmail.com  Fri Feb 14 08:06:59 2020
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri, 14 Feb 2020 08:06:59 +0000
Subject: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
In-Reply-To:
References: <6aa1cb37-037b-4d3d-dc85-f31821bd46b9@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE114@FONEXCH01.sgvwc.local> <767493cc-1050-a182-efb5-f278748b2555@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAB4470@FONEXCH01.sgvwc.local>
Message-ID:

Fyi looks like MS have pushed this back to second 1/2 of year
https://isc.sans.edu/forums/diary/Authmageddon+deferred+but+not+averted+Microsoft+LDAP+Changes+now+slated+for+Q3Q4+2020/25800/

Martin

On Thu, 13 Feb 2020 at 22:38, Scott Silva via ZendTo wrote:
> Ran openssl s_client -connect your-AD-server-here.example.com:636 (fixing actual name)
> On my spamfilter linux box that DOES work I see a bunch of root certificates loaded on the system...
> [...]

--
Martin Hepworth, CISSP
Oxford, UK

From ssilva at sgvwater.com  Fri Feb 14 16:42:02 2020
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri, 14 Feb 2020 16:42:02 +0000
Subject: [ZendTo] MS LDAPs
In-Reply-To:
References: <3b98cb5708d24a44a1db365e91db106e@exelaonline.com> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE1C9@FONEXCH01.sgvwc.local> <09997bfa-4721-692d-55f3-90103403c07a@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAB5CC5@FONEXCH01.sgvwc.local>
Message-ID:

My new try... Saw my ca-cert bundle was in base 64, so I exported my root cert in base 64 and pasted it at the end of all the other certs in the file... Still no go...

From: ZendTo On Behalf Of Glenn Noel via ZendTo
Sent: Thursday, February 13, 2020 2:24 PM
To: ZendTo Users
Cc: Glenn Noel
Subject: Re: [ZendTo] MS LDAPs

> [...]
I am in this situation of using a cert created by my internal Domain CA. The steps I have taken: 1.) Exported the public key/cert for Client Authentication, Server Authentication from my Windows Domain Controller in DER encoded binary X.509(.CER) format 2.) copied this .CER to /etc/ssl/certs 3.) in /etc/ldap/ldap.conf I added: TLS_CACERT /etc/ssl/certs/my-exported-ldaps-cert.cer This line sits under the original line of TLS_CACERT /etc/ssl/certs/ca-certificates.crt It was a shot in the dark and I successfully predicted that it would not work. However I am stuck. If anyone has a good step-by-step to help me out I would appreciate it immensely. If the recommended method is to purchase a 3rd party cert please let me know - I will try that next (although I might need some assistance with that process too). Thank you, Glenn On Wed, Feb 12, 2020 at 10:24 AM Jules Field via ZendTo > wrote: Scott, I have just done a CentOS 7 install of the latest ZendTo beta from scratch, including using SELinux. I set the preferences.php settings to authLDAPServers1 => array('ldaps://our-AD-server.soton.ac.uk'), authLDAPBaseDN1 => 'DC=soton,DC=ac,DC=uk', authLDAPAccountSuffix1 => '@soton.ac.uk', authLDAPUseSSL1 => false, authLDAPUseTLS1 => false, and it just worked immediately. I didn't have to install any other packages at all. Our AD servers are listening on 636/tcp (the TCP port for ldaps according to /etc/services). I have already tested the same thing on Ubuntu 18.04 and it worked first time there too. If you are using some sort of a self-signed or locally-signed certificate on your AD server(s), then you will need to add your local root CA public cert to the TLS_CACERT file, or else the ZendTo server won't be able to verify the cert it gets from the AD server. But if you are using a "normal" externally-signed commercial cert, it should work fine. 
On 10/02/2020 18:39, Scott Silva via ZendTo wrote: In my case I know the ports are open because I have a Linux based spam filter that is able to auth secured. -----Original Message----- From: ZendTo On Behalf Of Guy Bertrand via ZendTo Sent: Monday, February 10, 2020 10:37 AM To: zendto at zend.to Cc: Guy Bertrand Subject: [ZendTo] MS LDAPs Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk to the domain controller. Don't forget to check things between your ZendTo server and the domain controller: - the outgoing firewall config on the ZendTo server - the firewall on the DC (is port 636 open?) - routing - any intermediate firewall rules Quick test: open a command prompt (CMD on Windows, any shell on *nix). This will try to "telnet" to that port. C:\> telnet "ip of your DC" 636 If a blank screen appears then the port is open, and the test is successful. If you receive a connecting... message or an error message then something is blocking that port. Guy Bertrand, M.Ing Directeur informatique / IT Manager EXELA TECHNOLOGIES b: +1.514.392.4999 | m: +1.514.265.9754 1155, boulevard Robert-Bourassa, suite 500 | Montr?al (Qu?bec) CANADA H3B 3A7 www.ExelaTech.com | EXELA LinkedIn ________________________________ Attention : le pr?sent message et toutes les pi?ces jointes sont confidentiels et ?tablis ? l'attention exclusive du ou des destinataire(s) indiqu?(s). Toute autre diffusion ou utilisation non autoris?e est interdite. Si vous recevez ce message par erreur, veuillez imm?diatement en avertir l'exp?diteur par e-mail en retour, d?truire le message et vous abstenir de toute r?f?rence aux informations qui y figurent afin d'?viter les sanctions attach?es ? la divulgation et ? l'utilisation d'informations confidentielles. Les messages ?lectroniques sont susceptibles d'alt?ration. Exela Technologies et ses filiales d?clinent toute responsabilit? en cas d'alt?ration ou de falsification du pr?sent message. 
________________________________ Please consider the environment before printing or forwarding this email. If you do print this email, please recycle the paper. This email message may contain confidential, proprietary and/or privileged information. It is intended only for the use of the intended recipient(s). If you have received it in error, please immediately advise the sender by reply email and then delete this email message. Any disclosure, copying, distribution or use of the information contained in this email message to or by anyone other than the intended recipient is strictly prohibited. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Exela Technologies, Inc. or its subsidiaries. This email does not constitute an agreement to conduct transactions by electronic means and does not create any legally binding contract or enforceable obligation against Exela in the absence of a fully signed written agreement. _______________________________________________ ZendTo mailing list ZendTo at zend.to http://jul.es/mailman/listinfo/zendto _______________________________________________ ZendTo mailing list ZendTo at zend.to http://jul.es/mailman/listinfo/zendto Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM 'A good programmer is someone who always looks both ways before crossing a one-way street.' - Doug Linder www.Zend.To Twitter: @JulesFM _______________________________________________ ZendTo mailing list ZendTo at zend.to http://jul.es/mailman/listinfo/zendto -------------- next part -------------- An HTML attachment was scrubbed... 
From ssilva at sgvwater.com Fri Feb 14 16:54:25 2020
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri, 14 Feb 2020 16:54:25 +0000
Subject: [ZendTo] MS LDAPs

OK... I think I figured this out...

Run openssl s_client -connect your-AD-server-here.example.com:636 (fixed to your AD server)

In the results you will see a full key in base 64

Copy all from the ----BEGIN Certificate --- to the ---END CERTIFICATE--- including those lines and paste to the end of whichever cert your TLS_CACERT points to

Don't overwrite, paste to the end and save.
Now try and see if it authenticates...

Works in mine

From: ZendTo On Behalf Of Glenn Noel via ZendTo
Sent: Thursday, February 13, 2020 2:24 PM
To: ZendTo Users
Cc: Glenn Noel
Subject: Re: [ZendTo] MS LDAPs

Hi All, I'm still struggling with LDAPS. In Jules' previous email there is a mention of:

"If you are using some sort of a self-signed or locally-signed certificate on your AD server(s), then you will need to add your local root CA public cert to the TLS_CACERT file, or else the ZendTo server won't be able to verify the cert it gets from the AD server. But if you are using a "normal" externally-signed commercial cert, it should work fine."

I am in this situation of using a cert created by my internal Domain CA. The steps I have taken:
1.) Exported the public key/cert for Client Authentication, Server Authentication from my Windows Domain Controller in DER encoded binary X.509 (.CER) format
2.) copied this .CER to /etc/ssl/certs
3.) in /etc/ldap/ldap.conf I added:
TLS_CACERT /etc/ssl/certs/my-exported-ldaps-cert.cer
This line sits under the original line of
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

It was a shot in the dark and I successfully predicted that it would not work. However I am stuck. If anyone has a good step-by-step to help me out I would appreciate it immensely.

If the recommended method is to purchase a 3rd party cert please let me know - I will try that next (although I might need some assistance with that process too).

Thank you,

Glenn

On Wed, Feb 12, 2020 at 10:24 AM Jules Field via ZendTo wrote:

Scott,

I have just done a CentOS 7 install of the latest ZendTo beta from scratch, including using SELinux.

I set the preferences.php settings to

    authLDAPServers1 => array('ldaps://our-AD-server.soton.ac.uk'),
    authLDAPBaseDN1 => 'DC=soton,DC=ac,DC=uk',
    authLDAPAccountSuffix1 => '@soton.ac.uk',
    authLDAPUseSSL1 => false,
    authLDAPUseTLS1 => false,

and it just worked immediately. I didn't have to install any other packages at all.

Our AD servers are listening on 636/tcp (the TCP port for ldaps according to /etc/services).

I have already tested the same thing on Ubuntu 18.04 and it worked first time there too.

If you are using some sort of a self-signed or locally-signed certificate on your AD server(s), then you will need to add your local root CA public cert to the TLS_CACERT file, or else the ZendTo server won't be able to verify the cert it gets from the AD server. But if you are using a "normal" externally-signed commercial cert, it should work fine.

On 10/02/2020 18:39, Scott Silva via ZendTo wrote:

In my case I know the ports are open because I have a Linux based spam filter that is able to auth secured.

-----Original Message-----
From: ZendTo On Behalf Of Guy Bertrand via ZendTo
Sent: Monday, February 10, 2020 10:37 AM
To: zendto at zend.to
Cc: Guy Bertrand
Subject: [ZendTo] MS LDAPs

Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk to the domain controller.
Don't forget to check things between your ZendTo server and the domain controller:
- the outgoing firewall config on the ZendTo server
- the firewall on the DC (is port 636 open?)
- routing
- any intermediate firewall rules

Quick test: open a command prompt (CMD on Windows, any shell on *nix). This will try to "telnet" to that port.
C:\> telnet "ip of your DC" 636
If a blank screen appears then the port is open, and the test is successful.
If you receive a connecting... message or an error message then something is blocking that port.

Guy Bertrand, M.Ing
Directeur informatique / IT Manager
EXELA TECHNOLOGIES
b: +1.514.392.4999 | m: +1.514.265.9754
1155, boulevard Robert-Bourassa, suite 500 | Montréal (Québec) CANADA H3B 3A7
http://www.ExelaTech.com | EXELA LinkedIn

________________________________
Attention: this message and all attachments are confidential and intended exclusively for the named addressee(s). Any other distribution or unauthorised use is prohibited. If you receive this message in error, please immediately notify the sender by return e-mail, destroy the message and refrain from any reference to the information it contains, so as to avoid the penalties attached to the disclosure and use of confidential information. Electronic messages are liable to alteration. Exela Technologies and its subsidiaries decline all responsibility in the event of alteration or falsification of this message.

_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://jul.es/mailman/listinfo/zendto

Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

'A good programmer is someone who always looks both ways
before crossing a one-way street.' - Doug Linder

http://www.Zend.To
Twitter: @JulesFM

From ssilva at sgvwater.com Fri Feb 14 16:58:06 2020
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri, 14 Feb 2020 16:58:06 +0000
Subject: [ZendTo] MS LDAPs

Disregard... After reloading browser it isn't working... Might have been cached credentials or a cookie

From: ZendTo On Behalf Of Glenn Noel via ZendTo
Sent: Thursday, February 13, 2020 2:24 PM
To: ZendTo Users
Cc: Glenn Noel
Subject: Re: [ZendTo] MS LDAPs

Hi All, I'm still struggling with LDAPS.
[...]

_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://jul.es/mailman/listinfo/zendto

From glenn.noel at gmail.com Fri Feb 14 19:54:55 2020
From: glenn.noel at gmail.com (Glenn Noel)
Date: Fri, 14 Feb 2020 14:54:55 -0500
Subject: [ZendTo] MS LDAPs

Thank you Scott,

I was able to complete your instructions but mine is still a no-go. I have verified that my Zend server is trying to connect over port 636, but I'm still getting errors. I will continue plugging away at this on Monday. I'm glad you were able to get yours up and running. Have a good weekend.

Glenn

On Fri, Feb 14, 2020 at 12:23 PM Scott Silva via ZendTo wrote:
> OK... I think I figured this out...
>
> Run openssl s_client -connect your-AD-server-here.example.com:636
> (fixed to your AD server)
>
> In the results you will see a full key in base 64
>
> Copy all from the ----BEGIN Certificate --- to the ---END CERTIFICATE---
> including those lines and paste to the end of whichever cert your
> TLS_CACERT points to
>
> Don't overwrite, paste to the end and save.
> Now try and see if it authenticates...
>
> Works in mine
> [...]
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://jul.es/mailman/listinfo/zendto

From KLE at msktd.com Fri Feb 14 20:36:00 2020
From: KLE at msktd.com (Ken Etter)
Date: Fri, 14 Feb 2020 15:36:00 -0500
Subject: [ZendTo] Enhancement Request - Download Waiver

Jules,

I had a request from a company owner here where I work. He had downloaded a file from another company we are working with. I'm not sure what software that company uses, but it had a waiver that he had to accept prior to downloading the files. How hard would that be to implement? I think it would need the following:

* Configuration option so the administrator could enforce waiver on downloads: all (on), none (off), or user-defined.
* If admin selects user-defined, then the user doing the drop-off would have the option to turn the waiver on or off for their drop-off. (Outside users sending to our employees would not have this option - it would only be for file transfers initiated by our employees).
* A method for the administrator to define the waiver text (hopefully with some formatting capabilities).
* An acceptance checkbox that the recipient must check before they can download files (preferably the text here is also administrator defined).
* And it might be good to also log this acceptance.

I thought I would copy the list in case anyone thinks this would be useful or has some suggestions for additional configuration needs. Thoughts? Thanks!

Ken Etter, System Administrator
Architectural Group
260.432.9337 | msktd.com

From zend.to at neilzone.co.uk Fri Feb 14 20:47:54 2020
From: zend.to at neilzone.co.uk (zend.to at neilzone.co.uk)
Date: Fri, 14 Feb 2020 20:47:54 +0000
Subject: [ZendTo] Enhancement Request - Download Waiver

> On 14 Feb 2020, at 20:36, Ken Etter via ZendTo wrote:
>
> it had a waiver that he had to accept prior to downloading the files

Does it need some sort of reporting capability, to confirm that the user has agreed to the waiver?

Or would it work if you just put the waiver text in the automated "drop off notification" email, with words to the effect of "By clicking the download link, you agree to [this statement]"?

Best wishes

Neil
__________
From KLE at msktd.com Fri Feb 14 21:28:49 2020
From: KLE at msktd.com (Ken Etter)
Date: Fri, 14 Feb 2020 16:28:49 -0500
Subject: [ZendTo] Enhancement Request - Download Waiver

The concern with just putting the waiver in the email is that someone could easily ignore or skip over it. By putting it on the page where you pick up the files and requiring someone to check the box first means they have to acknowledge it before getting the files.

Ken

>>> Neil via ZendTo 2/14/2020 3:47 PM >>>
[...]

From zend.to at neilzone.co.uk Fri Feb 14 21:41:13 2020
From: zend.to at neilzone.co.uk (zend.to at neilzone.co.uk)
Date: Fri, 14 Feb 2020 21:41:13 +0000
Subject: [ZendTo] Enhancement Request - Download Waiver

> On 14 Feb 2020, at 21:36, Ken Etter wrote:
>
> I think they are wanting something more along the lines of a legally binding statement. But that is why I mentioned logging the acceptance.

But if the recipient does not check the box, they are not permitted to download the files, which might make it a moot point.

If text in the email won't suffice, then I think it's a neat feature to have.

Neil
__________

From Jules at Zend.To Thu Feb 20 19:30:29 2020
From: Jules at Zend.To (Jules)
Date: Thu, 20 Feb 2020 19:30:29 +0000
Subject: [ZendTo] Enhancement Request - Download Waiver
Message-ID: <89774b88-7665-4c26-8193-4ff30286c7b3@Zend.To>

Folks,

This is written and appears to be working. You can put any HTML in the waiver, and it's properly multi-lingual. You can choose to let the users turn it on/off per-new-dropoff, or you can disable it or enforce it system-wide in preferences.php. It's currently disabled by default. Look for "waiver" in preferences.php and you'll find the settings.

There's one outstanding question on a different feature that I need to double-check with the site that requested it. After that, I'll get another beta out to you folks.

Cheers,
Jules.

On 14/02/2020 8:36 pm, Ken Etter wrote:
> Jules,
> I had a request from a company owner here where I work. [...]
Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

www.Zend.To
Twitter: @JulesFM

From Jules at Zend.To Fri Feb 21 09:27:24 2020
From: Jules at Zend.To (Jules)
Date: Fri, 21 Feb 2020 09:27:24 +0000
Subject: [ZendTo] Fill in organization from AD attribute
Message-ID: <82e49b73-6277-1190-d5d2-0892b378de3a@Zend.To>

Ionescu,

If you are using AD, you should be using the AD authenticator and not the LDAP authenticator. They are not quite the same thing.

As for the "organization" versus "company" attributes, if the organization attribute is empty, the company attribute is copied into it. That means the rest of ZendTo can continue to call it 'organization' without worrying about Microsoft's naming conventions.

If the LDAP attributes for a user include the "company" attribute, that will be used as the "organization" in ZendTo. If there is no "company" attribute, then the preferences.php setting "authLDAPOrganization1" (for the first forest searched) is used instead.

Hopefully that explains things a bit better.

Cheers,
Jules.

On 11/02/2020 3:41 pm, Ionescu Gigel via ZendTo wrote:
> Hello,
> I want to fill in the organization field automatically from AD.
> I would like to know how the authLDAPOrganization option really works
> and if my understanding is right.
> I read some old posts from the time this option was introduced, but I
> still don't get it. As far as I see, what I put in that option will
> be the default text for internal authenticated users.
>
> From the lib/NSSLDAPAuthenticator.php code in the $attributeNames array I
> see you are trying to get some "organization" attribute. Actually,
> this will always be empty as AD stores the name of the company in the
> "company" attribute, so a few lines down
> if (!@$response['organization']) does not make any sense.
>
> Can someone enlighten me, please?
> As I said, my goal would be to have the organization from AD if
> authLDAPOrganization is empty, or if I set the AD attribute where I
> store the name of the organization.
>
> Regards,

Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

www.Zend.To
Twitter: @JulesFM

From Jules at Zend.To Fri Feb 21 11:32:51 2020
From: Jules at Zend.To (Jules)
Date: Fri, 21 Feb 2020 11:32:51 +0000
Subject: [ZendTo] New beta 5.22-3 released

Hi folks!

I have been hard at work, and have implemented the "terms and conditions waiver" that some people have been asking for. To test it out (once you've upgraded to the latest beta), you'll see an extra checkbox in the "New Drop-off" form. Tick that, send a drop-off, then go and retrieve it using the link in the email it sent you (log out of ZendTo first so you get the proper recipient's experience). You should now see some text you have to agree to, before it will show you any download links or buttons.

In preferences.php, you can easily disable this feature or mandate its use for everyone.
Search preferences.php for the word "waiver" and you'll find the 2 settings along with an explanation of exactly what they do and how they interact. The internaldomains.conf file can now contain specific email addresses in addition to just domain names. So if you just want a few people @gmail.com to be considered "internal users" instead of everyone with a GMail account, you can now do that. I've also fixed some outstanding bugs. Download the beta as usual via https://zend.to/beta.php. Please can you test this out and let me know how you get on? Thanks! Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM www.Zend.To Twitter: @JulesFM -------------- next part -------------- An HTML attachment was scrubbed... URL: From downloadmalware at gmail.com Tue Feb 25 07:04:32 2020 From: downloadmalware at gmail.com (Ionescu Gigel) Date: Tue, 25 Feb 2020 09:04:32 +0200 Subject: [ZendTo] Fill in organization from AD attribute In-Reply-To: References: <82e49b73-6277-1190-d5d2-0892b378de3a@Zend.To> Message-ID: Hello, Thanks for the answer Jules, I changed auth to AD and now is better, things are working as expected. I would not like to let people change this attribute in the UI, setting the html attribute "disabled" to this field would work? Regards, Bogdan ?n vin., 21 feb. 2020 la 11:27, Jules a scris: > Ionescu, > > If you are using AD, you should be using the AD authenticator and not the > LDAP authenticator. They are not quite the same thing. > > As for the "organization" versus "company" attributes, if the organization > attribute is empty, the company attribute is copied into it. That means the > rest of ZendTo can continue to call it 'organization' without worrying > about Microsoft's naming conventions. > > If the LDAP attributes for a user include the "company" attribute, that > will be used as the "organization" in ZendTo. If there is no "company" > attribute, then the preferences.php setting "authLDAPOrganization1" (for > the first forest searched) is used instead. 
>
> Hopefully that explains things a bit better.
>
> Cheers,
> Jules.
>
>
> On 11/02/2020 3:41 pm, Ionescu Gigel via ZendTo wrote:
>
> Hello,
> I want to fill in the organization field automatically from AD.
> I would like to know how the authLDAPOrganization option really works and
> if my understanding is right.
> I read some old posts from the time this option was introduced, but I
> still don't get it. As far as I see, what I put in that option will be
> the default text for internal authenticated users.
>
> From the lib/NSSLDAPAuthenticator.php code in the $attributeNames array I see
> you are trying to get some "organization" attribute. Actually, this will
> always be empty as AD stores the name of the company in the "company" attribute,
> so a few lines down if (!@$response['organization']) does not make any sense.
>
> Can someone enlighten me, please?
> As I said, my goal would be to have the organization from AD if
> authLDAPOrganization is empty, or if I set the AD attribute where I store
> the name of the organization.
>
> Regards,
>
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> www.Zend.To
> Twitter: @JulesFM
>

From Jules at Zend.To Tue Feb 25 09:55:50 2020
From: Jules at Zend.To (Jules Field)
Date: Tue, 25 Feb 2020 09:55:50 +0000
Subject: [ZendTo] Fill in organization from AD attribute
In-Reply-To:
References: <82e49b73-6277-1190-d5d2-0892b378de3a@Zend.To>
Message-ID: <7ac9ea0b-cfcb-8056-0f9e-5a48decfd296@Zend.To>

There's a setting

    'requestSenderOrgIsEditable' => TRUE,

which, if set to FALSE, stops users from editing that field when sending a request for a drop-off.

Otherwise, on text boxes, adding "readonly" is better than using "disabled" in my opinion.

Cheers,
Jules.
On 25/02/2020 07:04, Ionescu Gigel wrote:
> Hello,
> Thanks for the answer Jules. I changed auth to AD and now it is better;
> things are working as expected.
> I would not like to let people change this attribute in the UI.
> Would setting the HTML attribute "disabled" on this field work?
> Regards,
> Bogdan
>
> On Fri, 21 Feb 2020 at 11:27, Jules wrote:
>
> Ionescu,
>
> If you are using AD, you should be using the AD authenticator and
> not the LDAP authenticator. They are not quite the same thing.
>
> As for the "organization" versus "company" attributes, if the
> organization attribute is empty, the company attribute is copied
> into it. That means the rest of ZendTo can continue to call it
> 'organization' without worrying about Microsoft's naming conventions.
>
> If the LDAP attributes for a user include the "company" attribute,
> that will be used as the "organization" in ZendTo. If there is no
> "company" attribute, then the preferences.php setting
> "authLDAPOrganization1" (for the first forest searched) is used
> instead.
>
> Hopefully that explains things a bit better.
>
> Cheers,
> Jules.
>
>
> On 11/02/2020 3:41 pm, Ionescu Gigel via ZendTo wrote:
>> Hello,
>> I want to fill in the organization field automatically from AD.
>> I would like to know how the authLDAPOrganization option really
>> works and if my understanding is right.
>> I read some old posts from the time this option was introduced,
>> but I still don't get it. As far as I see, what I put in that
>> option will be the default text for internal authenticated
>> users.
>>
>> From the lib/NSSLDAPAuthenticator.php code in the $attributeNames
>> array I see you are trying to get some "organization" attribute.
>> Actually, this will always be empty as AD stores the name of the
>> company in the "company" attribute, so a few lines down if
>> (!@$response['organization']) does not make any sense.
>>
>> Can someone enlighten me, please?
>> As I said, my goal would be to have the organization from AD if
>> authLDAPOrganization is empty, or if I set the AD attribute where
>> I store the name of the organization.
>>
>> Regards,
>>
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
>
> www.Zend.To
> Twitter: @JulesFM
>

Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

The current UK shipping forecast: Tyne, Dogger: East or southeast, veering west 6 to gale 8, occasionally severe gale 9 for a time. Moderate or rough, occasionally very rough in Dogger. Rain, then wintry showers. Moderate or poor, occasionally good later.

www.Zend.To
Twitter: @JulesFM

From glenn.noel at gmail.com Fri Feb 28 19:07:48 2020
From: glenn.noel at gmail.com (Glenn Noel)
Date: Fri, 28 Feb 2020 14:07:48 -0500
Subject: [ZendTo] MS LDAPs
In-Reply-To:
References: <3b98cb5708d24a44a1db365e91db106e@exelaonline.com> <54D3F6A07E3F2A4AAD4CBA73922025F42EAAE1C9@FONEXCH01.sgvwc.local> <09997bfa-4721-692d-55f3-90103403c07a@Zend.To> <54D3F6A07E3F2A4AAD4CBA73922025F42EAB5CFD@FONEXCH01.sgvwc.local>
Message-ID:

[Fixed]

Hello fellow Zendto users. I wanted to follow up on this recent thread and to thank Scott once again. His instructions are sound.

When I first attempted the command that Scott provided:

    openssl s_client -connect your-AD-server-here.example.com:636

I received a cert in the output, but it was not the correct certificate for my network, so I was still unable to connect via LDAPS. I worked with Microsoft Support and even they had a difficult time determining which of my certs was actually performing the client authentication.

To resolve, MS support assisted me by:

- Created a duplicate Kerberos Authentication Template and imported it into the Personal Certificate store.
  We named the template "ldapoverssl" for easy identification (this was done because we didn't know which other cert to export and none were marked "exportable").
- On a client computer ran the following command to create a trace-file:
  netsh trace start capture=yes scenario=netconnection tracefile=c:\SSLtraffic
- On the client computer ran ldp.exe and went through the steps to test an LDAPS bind over 636, then stopped the trace.
- Used Microsoft Network Monitor 3.4 to view the trace-file. Using this trace-file we were able to track down the handshake between my client and the LDAP server. We could then find the serial number of the certificate used for LDAPS. This confirmed that the new ldapoverssl template/certificate was the one being used for LDAPS connections.
- I then re-ran the command that Scott provided:
  openssl s_client -connect your-AD-server-here.example.com:636
  and found that the output was different from what I had before.
- Imported the new cert output into /etc/ssl/certs/ca-certificates.crt, tweaked preferences.php to the LDAPS settings and restarted Apache... SUCCESS!

I am still very much a novice with Linux, Apache, Zend and apparently Microsoft Certificates, so I hope my notes make a little bit of sense.

Thank you everyone for your assistance with this. I learned a lot.

Glenn

On Fri, Feb 14, 2020 at 2:55 PM Glenn Noel via ZendTo wrote:

> Thank you Scott,
>
> I was able to complete your instructions but mine is still a no-go. I
> have verified that my Zend server is trying to connect over port 636, but
> I'm still getting errors. I will continue plugging away at this on
> Monday.
>
> I'm glad you were able to get yours up and running.
>
> Have a good weekend.
>
> Glenn
>
> On Fri, Feb 14, 2020 at 12:23 PM Scott Silva via ZendTo
> wrote:
>
>> OK... I think I figured this out...
>>
>> Run openssl s_client -connect your-AD-server-here.example.com:636
>> (fixed to your AD server)
>>
>> In the results you will see a full key in base 64
>>
>> Copy all from the ----BEGIN Certificate --- to the ---END CERTIFICATE---
>> including those lines and paste to the end of whichever cert your
>> TLS_CACERT points to
>>
>> Don't overwrite, paste to the end and save.
>> Now try and see if it authenticates...
>>
>> Works in mine
>>
>>
>> From: ZendTo On Behalf Of Glenn Noel via ZendTo
>> Sent: Thursday, February 13, 2020 2:24 PM
>> To: ZendTo Users
>> Cc: Glenn Noel
>> Subject: Re: [ZendTo] MS LDAPs
>>
>> Hi All, I'm still struggling with LDAPS. In Jules' previous email there
>> is a mention of:
>>
>> "If you are using some sort of a self-signed or locally-signed
>> certificate on your AD server(s), then you will need to add your local root
>> CA public cert to the TLS_CACERT file, or else the ZendTo server won't be
>> able to verify the cert it gets from the AD server. But if you are using a
>> "normal" externally-signed commercial cert, it should work fine."
>>
>> I am in this situation of using a cert created by my internal Domain CA.
>> The steps I have taken:
>> 1.) Exported the public key/cert for Client Authentication, Server
>> Authentication from my Windows Domain Controller in DER encoded binary
>> X.509 (.CER) format
>> 2.) Copied this .CER to /etc/ssl/certs
>> 3.) In /etc/ldap/ldap.conf I added:
>>     TLS_CACERT /etc/ssl/certs/my-exported-ldaps-cert.cer
>> This line sits under the original line of
>>     TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>>
>> It was a shot in the dark and I successfully predicted that it would not
>> work. However, I am stuck. If anyone has a good step-by-step to help me
>> out I would appreciate it immensely.
>>
>> If the recommended method is to purchase a 3rd party cert please let me
>> know - I will try that next (although I might need some assistance with
>> that process too).
>>
>> Thank you,
>>
>> Glenn
>>
>>
>> On Wed, Feb 12, 2020 at 10:24 AM Jules Field via ZendTo <zendto at zend.to> wrote:
>> Scott,
>>
>> I have just done a CentOS 7 install of the latest ZendTo beta from
>> scratch, including using SELinux.
>>
>> I set the preferences.php settings to
>>
>>     authLDAPServers1 => array('ldaps://our-AD-server.soton.ac.uk'),
>>     authLDAPBaseDN1 => 'DC=soton,DC=ac,DC=uk',
>>     authLDAPAccountSuffix1 => '@soton.ac.uk',
>>     authLDAPUseSSL1 => false,
>>     authLDAPUseTLS1 => false,
>>
>> and it just worked immediately. I didn't have to install any other
>> packages at all.
>>
>> Our AD servers are listening on 636/tcp (the TCP port for ldaps according
>> to /etc/services).
>>
>> I have already tested the same thing on Ubuntu 18.04 and it worked first
>> time there too.
>>
>> If you are using some sort of a self-signed or locally-signed certificate
>> on your AD server(s), then you will need to add your local root CA public
>> cert to the TLS_CACERT file, or else the ZendTo server won't be able to
>> verify the cert it gets from the AD server. But if you are using a "normal"
>> externally-signed commercial cert, it should work fine.
>>
>> On 10/02/2020 18:39, Scott Silva via ZendTo wrote:
>> In my case I know the ports are open because I have a Linux based spam
>> filter that is able to auth secured.
>>
>>
>> -----Original Message-----
>> From: ZendTo mailto:zendto-bounces at zend.to On Behalf Of Guy Bertrand via
>> ZendTo
>> Sent: Monday, February 10, 2020 10:37 AM
>> To: mailto:zendto at zend.to
>> Cc: Guy Bertrand mailto:Guy.Bertrand at exelaonline.com
>> Subject: [ZendTo] MS LDAPs
>>
>> Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk
>> to the domain controller. Don't forget to check things between your ZendTo
>> server and the domain controller:
>> - the outgoing firewall config on the ZendTo server
>> - the firewall on the DC (is port 636 open?)
>> - routing
>> - any intermediate firewall rules
>>
>> Quick test: open a command prompt (CMD on Windows, any shell on *nix).
>> This will try to "telnet" to that port.
>>     C:\> telnet "ip of your DC" 636
>> If a blank screen appears then the port is open, and the test is
>> successful.
>> If you receive a connecting... message or an error message then something
>> is blocking that port.
>>
>> Guy Bertrand, M.Ing
>> Directeur informatique / IT Manager
>> EXELA TECHNOLOGIES
>> b: +1.514.392.4999 | m: +1.514.265.9754
>> 1155, boulevard Robert-Bourassa, suite 500 | Montréal (Québec) CANADA H3B
>> 3A7 http://www.ExelaTech.com | EXELA LinkedIn
>>
>>
>> Jules
>>
>> --
>> Julian Field MEng CEng CITP MBCS MIEEE MACM
>>
>> 'A good programmer is someone who always looks both ways
>> before crossing a one-way street.' - Doug Linder
>>
>> http://www.Zend.To
>> Twitter: @JulesFM
>>
>
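As an added example (it is not code from ZendTo or from anyone in the thread), the shell script below does in one pass what the thread above did by hand: it fetches the chain the domain controller presents on port 636, prints each certificate's subject, issuer, serial number (the value Glenn matched in the network trace) and expiry, and then verifies the leaf against a CA file with hostname checking. The point it makes is the one Jules raised: appending the server's leaf certificate to the TLS_CACERT file, as Scott and Glenn did, works until that certificate is renewed, whereas trusting the issuing CA's certificate survives renewal, and the verify step tells you which of the two you currently have. It assumes openssl, awk and sed are installed; the default CA path /etc/ssl/certs/ca-certificates.crt is the one mentioned in the thread, and the host is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not ZendTo's own code: inspect what an AD domain controller
# presents on its LDAPS port and verify it against a CA file, the check the
# thread above did by hand with "openssl s_client". Assumes openssl, awk and
# sed are installed; host, port and CA file come from the command line.

# Fetch the certificate chain presented on host:port and save only the PEM
# blocks to $3. stdin is /dev/null so s_client exits as soon as the handshake
# is done; SNI is sent so a DC with several names picks the matching cert.
fetch_ldaps_chain() {
  host="$1"; port="$2"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
      </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$out"
}

# Split a PEM bundle into one file per certificate (cert01.pem is the leaf,
# the rest are the intermediates the server sent). Text outside the
# BEGIN/END markers is ignored. Prints the number of certificates found.
split_pem_chain() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
    inside                        { print >f }
    /-----END CERTIFICATE-----/   { inside = 0; close(f) }
    END                           { print n + 0 }
  ' "$bundle"
}

# Print subject, issuer, serial and expiry of every certificate in the chain.
# The issuer line tells you which CA certificate (not which leaf) belongs in
# the TLS_CACERT file.
describe_certs() {
  for f in "$1"/cert*.pem; do
    [ -e "$f" ] || continue
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer -serial -enddate
  done
}

# Verify the leaf against the CA file, treating the other certificates from
# the chain as untrusted intermediates, and check that the name matches the
# host used in ZendTo's ldaps:// URL.
verify_leaf() {
  dir="$1"; cafile="$2"; host="$3"
  set --
  for f in "$dir"/cert*.pem; do
    case "$f" in */cert01.pem) ;; *) set -- "$@" -untrusted "$f" ;; esac
  done
  openssl verify -CAfile "$cafile" -verify_hostname "$host" "$@" "$dir/cert01.pem"
}

# End-to-end check:
#   ldaps_check dc.example.com [636] [/etc/ssl/certs/ca-certificates.crt]
ldaps_check() {
  host="$1"; port="${2:-636}"; cafile="${3:-/etc/ssl/certs/ca-certificates.crt}"
  work=$(mktemp -d)
  fetch_ldaps_chain "$host" "$port" "$work/chain.pem"
  n=$(split_pem_chain "$work/chain.pem" "$work/certs")
  if [ "$n" -eq 0 ]; then
    echo "no certificate received from $host:$port (port closed, or LDAPS not enabled on the DC?)" >&2
    return 1
  fi
  echo "$host:$port presented $n certificate(s)"
  describe_certs "$work/certs"
  verify_leaf "$work/certs" "$cafile" "$host"
}

# Run the check only when a host is given on the command line.
case "${1:-}" in
  "") ;;
  *) ldaps_check "$@" ;;
esac
```

Run it on the ZendTo host as `sh ldaps_check.sh your-AD-server.example.com`. If the verify step reports `unable to get local issuer certificate`, the issuer printed by the describe step is the CA whose certificate belongs in the TLS_CACERT file; if it reports a hostname mismatch, the name in the ldaps:// URL in preferences.php has to match a name in the certificate rather than the DC's IP address.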