[ZendTo] News — Microsoft enforcing LDAPS for AD servers

Scott Silva ssilva at sgvwater.com
Thu Feb 13 22:38:26 GMT 2020


Ran openssl s_client -connect your-AD-server-here.example.com:636 (fixing actual name)
On my spamfilter linux box that DOES work I see a bunch of root certificates loaded on the system...
I wonder if that is one of the issues it doesn't seem to work on the CentOS Zendto box
The working system is Debian I believe...



From: ZendTo <zendto-bounces at zend.to> On Behalf Of Jules Field via ZendTo
Sent: Wednesday, February 12, 2020 7:24 AM
To: ZendTo Users <zendto at zend.to>
Cc: Jules Field <Jules at Zend.To>
Subject: Re: [ZendTo] News — Microsoft enforcing LDAPS for AD servers

Karl,

Given that it was a could-not-connect-at-all issue, then it's most likely either
a) incoming firewall on the AD server not listening on the correct LDAPS ports (636/tcp IIRC),
or
b) the SSL/TLS handshake between the ZendTo server and the AD Server is failing. This is most often caused by people using locally-signed certs on their AD servers, at which point the ZendTo server will need to be given a copy of the Root CA cert for your locally-signed certs. Just like you would need to give it to a web browser in order to avoid the errors when you browse to a website which is signed with a locally-signed cert.

A good command to test the SSL/TLS handshake from your ZendTo server is this:

    openssl s_client -connect your-AD-server-here.example.com:636

That should print out all sorts of nice looking things and not any error messages. When it's stopped outputting, just Ctrl-C it.

Cheers,
Jules.
On 10/02/2020 17:47, Karl Bundy via ZendTo wrote:
I also am running RedHat7/CentOS7 and having the same issue. Nothing seems to output any helpful logs to help troubleshoot the source of the issue (cert issue, missing packages, etc.) Any suggestions would be appreciated!

Thanks,

Karl Bundy

-----Original Message-----
From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Scott Silva via ZendTo
Sent: Monday, February 10, 2020 10:38 AM
To: 'ZendTo Users' <zendto at zend.to>
Cc: Scott Silva <ssilva at sgvwater.com>
Subject: Re: [ZendTo] News — Microsoft enforcing LDAPS for AD servers

Running on Redhat 7

Made changes to /etc/openldap/ldap.conf
Made changes to preferences.php
Get login error
	LDAP Error
	Check User: Unable to connect to any of the authentication servers; could not authenticate user. Please notify the system administrator.
	Authentication Error
	The username or password was incorrect.
Found I did not have gnutls installed, and thought it might be required. Not sure how else to test...
Maybe a list of packages that might be required?



From: ZendTo <zendto-bounces at zend.to> On Behalf Of Jules via ZendTo
Sent: Saturday, February 8, 2020 9:29 AM
To: ZendTo Users <zendto at zend.to>
Cc: Jules <Jules at Zend.To>
Subject: [ZendTo] News — Microsoft enforcing LDAPS for AD servers

Microsoft are about to enforce the use of LDAPS (removing unencrypted LDAP) when checking user credentials against an AD server.

This needs a couple of minor changes to your ZendTo server.

I have written up some simple instructions here
    https://zend.to/activedirectory.php
which certainly appear to work for me.

I strongly advise you make the changes and test the resulting service before Microsoft release the patch that enforces the need for this. It should cause no harm except to improve the security of communications between ZendTo and your AD server.

Any comments / problems / questions, please do let me know straightaway!

Cheers,

Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

The current UK shipping forecast:
Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6.
Slight or moderate, occasionally rough in south. Rain. Good, occasionally poor.

http://www.Zend.To
Twitter: @JulesFM
_______________________________________________
ZendTo mailing list
mailto:ZendTo at zend.to
http://jul.es/mailman/listinfo/zendto


Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'A good programmer is someone who always looks both ways
 before crossing a one-way street.' - Doug Linder

http://www.Zend.To
Twitter: @JulesFM
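The two failure modes Jules describes, a blocked 636/tcp port and an AD certificate whose issuing CA the ZendTo box does not trust, can be told apart from what openssl s_client prints. The script below is an added example, not code from this thread or from the ZendTo project: it runs the same handshake test non-interactively and reduces the output to a one-word diagnosis. The host names, the CA-file argument and the embedded sample output are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not code from the ZendTo project or the list thread.
# Wraps the openssl s_client test from the thread so it returns without a
# Ctrl-C and turns its output into a one-word diagnosis. Host names and the
# CA-file path are assumptions; the sample output below is constructed.

# Read captured openssl s_client output on stdin and print one word:
#   ok               - handshake completed and the certificate chain verified
#   untrusted-issuer - handshake completed but the AD cert's issuer is not
#                      trusted: the "locally-signed cert" case, so the ZendTo
#                      server needs a copy of that Root CA cert
#   connect-failed   - no TCP connection at all (firewall / 636 not listening)
#   other            - anything else; read the raw output
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"Verify return code: 0 (ok)"*) echo ok ;;
        *"unable to get local issuer certificate"*|*"self signed certificate"*|*"unable to verify the first certificate"*)
            echo untrusted-issuer ;;
        *"Connection refused"*|*"Connection timed out"*|*"connect:errno="*)
            echo connect-failed ;;
        *) echo other ;;
    esac
}

# Run the handshake against HOST on 636/tcp (the LDAPS port named in the
# thread). The optional second argument is a PEM file holding the Root CA
# cert of the locally-signed AD certificate. "</dev/null" closes stdin so
# openssl exits on its own instead of waiting for a Ctrl-C.
check_ldaps() {
    host=$1
    if [ -n "$2" ]; then
        openssl s_client -connect "$host:636" -CAfile "$2" </dev/null 2>&1 | classify_s_client_output
    else
        openssl s_client -connect "$host:636" </dev/null 2>&1 | classify_s_client_output
    fi
}

# Constructed sample of what s_client prints when the issuer is not trusted,
# so the classifier can be exercised with no network access.
SAMPLE_UNTRUSTED='depth=0 CN = dc1.example.com
verify error:num=20:unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)'

if [ $# -gt 0 ]; then
    check_ldaps "$@"   # e.g. ./check_ldaps.sh dc1.example.com root-ca.pem
else
    printf '%s\n' "$SAMPLE_UNTRUSTED" | classify_s_client_output   # prints: untrusted-issuer
fi
```

If the result is "untrusted-issuer" without a CA file but "ok" once the Root CA PEM is passed as the second argument, the fix is the one from the thread: install that Root CA cert into the ZendTo server's trust store rather than disabling verification.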