[ZendTo] News — Microsoft enforcing LDAPS for AD servers
Jules Field
Jules at Zend.To
Wed Feb 12 15:18:37 GMT 2020
Karl,
Given that it was a could-not-connect-at-all issue, then it's most
likely either
a) incoming firewall on the AD server not listening on the correct LDAPS
ports (636/tcp IIRC),
or
b) the SSL/TLS handshake between the ZendTo server and the AD Server is
failing. This is most often caused by people using locally-signed certs
on their AD servers, at which point the ZendTo server will need to be
given a copy of the Root CA cert for your locally-signed certs. Just
like you would need to give it to a web browser in order to avoid the
errors when you browse to a website which is signed with a
locally-signed cert.
A good command to test the SSL/TLS handshake from your ZendTo server is
this:
openssl s_client -connect your-AD-server-here.example.com:636
That should print out all sorts of nice looking things and not any error
messages. When it's stopped outputting, just Ctrl-C it.
Cheers,
Jules.
On 10/02/2020 17:47, Karl Bundy via ZendTo wrote:
> I also am running RedHat7/CentOS7 and having the same issue. Nothing seems to output any helpful logs to help troubleshoot the source of the issue (cert issue, missing packages, etc.) Any suggestions would be appreciated!
>
> Thanks,
>
> Karl Bundy
>
> -----Original Message-----
> From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Scott Silva via ZendTo
> Sent: Monday, February 10, 2020 10:38 AM
> To: 'ZendTo Users' <zendto at zend.to>
> Cc: Scott Silva <ssilva at sgvwater.com>
> Subject: Re: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
>
> Running on Redhat 7
>
> Made changes to /etc/openldap/ldap.conf
> Made changes to preferences.php
> Get login error
> LDAP Error
> Check User: Unable to connect to any of the authentication servers; could not authenticate user. Please notify the system administrator.
> Authentication Error
> The username or password was incorrect.
> Found I did not have gnutls installed, and thought it might be required. Not sure how else to test...
> Maybe a list of packages that might be required?
>
>
>
> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Jules via ZendTo
> Sent: Saturday, February 8, 2020 9:29 AM
> To: ZendTo Users <zendto at zend.to>
> Cc: Jules <Jules at Zend.To>
> Subject: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
>
> Microsoft are about to enforce the use of LDAPS (removing unencrypted LDAP) when checking user credentials against an AD server.
>
> This needs a couple of minor changes to your ZendTo server.
>
> I have written up some simple instructions here
> https://zend.to/activedirectory.php
> which certainly appear to work for me.
>
> I strongly advise you make the changes and test the resulting service before Microsoft release the patch that enforces the need for this. It should cause no harm except to improve the security of communications between ZendTo and your AD server.
>
> Any comments / problems / questions, please do let me know straightaway!
>
> Cheers,
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> The current UK shipping forecast:
> Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6.
> Slight or moderate, occasionally rough in south. Rain. Good, occasionally poor.
>
> http://www.Zend.To
> Twitter: @JulesFM
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'A good programmer is someone who always looks both ways
before crossing a one-way street.' - Doug Linder
www.Zend.To
Twitter: @JulesFM
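To turn the openssl s_client one-liner from the message above into a repeatable check that tells the two failure modes apart (port not reachable versus TLS handshake failing on an untrusted, locally-signed AD certificate), here is an added example; it is not part of the original thread or of ZendTo itself. The host name and CA file path are placeholders, and the -CAfile option is standard openssl.

```shell
#!/bin/sh
# Added example (not from the original thread): classify the outcome of an
# LDAPS handshake test against an AD server on 636/tcp.

# classify_handshake reads openssl s_client output on stdin and prints one
# word: ok, bad-ca, refused, or unknown.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo ok
    elif printf '%s\n' "$out" | grep -Eq 'Verify return code: (19|20|21) '; then
        # 19 = self-signed cert in chain, 20 = unable to get local issuer,
        # 21 = unable to verify the first certificate: the AD server's cert
        # is signed by a CA this machine does not trust, so the Root CA cert
        # has to be supplied (see test_ldaps below) or installed system-wide.
        echo bad-ca
    elif printf '%s\n' "$out" | grep -Eq 'connect:errno|Connection refused'; then
        # Nothing listening on 636/tcp, or a firewall on the AD server is
        # blocking the port: no TLS handshake ever happened.
        echo refused
    else
        echo unknown
    fi
}

# test_ldaps runs the handshake against HOST:636, optionally trusting the
# Root CA in CAFILE, and prints the classification. Reading from /dev/null
# makes s_client exit after the handshake instead of waiting for Ctrl-C.
test_ldaps() {
    host=$1
    cafile=${2:-}
    if [ -n "$cafile" ]; then
        openssl s_client -connect "$host:636" -CAfile "$cafile" </dev/null 2>&1 \
            | classify_handshake
    else
        openssl s_client -connect "$host:636" </dev/null 2>&1 | classify_handshake
    fi
}

# Usage (placeholder host and CA path):
#   test_ldaps your-AD-server-here.example.com /path/to/your-root-ca.pem
```

If the result is bad-ca without -CAfile but ok with it, the fix is the one described above: give the ZendTo server a copy of the Root CA cert for the locally-signed AD certificate.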