[ZendTo] MS LDAPs

Glenn Noel glenn.noel at gmail.com
Fri Feb 14 19:54:55 GMT 2020


Thank you Scott,

I was able to complete your instructions but mine is still a no-go.  I have
verified that my Zend server is trying to connect over port 636, but I'm
still getting errors.  I will continue plugging away at this on Monday.

I'm glad you were able to get yours up and running.

Have a good weekend.

Glenn

On Fri, Feb 14, 2020 at 12:23 PM Scott Silva via ZendTo <zendto at zend.to>
wrote:

> OK… I think I figured this out…
>
> Run:  openssl s_client -connect your-AD-server-here.example.com:636
> (fixed to your AD server)
>
> In the results you will see a full key in base 64
>
> Copy all from the -----BEGIN CERTIFICATE----- to the -----END CERTIFICATE-----
> including those lines and paste to the end of whichever cert your
> TLS_CACERT points to
>
> Don't overwrite, paste to the end and save.
> Now try and see if it authenticates...
>
> Works in mine
>
>
>
>
>
> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Glenn Noel via ZendTo
> Sent: Thursday, February 13, 2020 2:24 PM
> To: ZendTo Users <zendto at zend.to>
> Cc: Glenn Noel <glenn.noel at gmail.com>
> Subject: Re: [ZendTo] MS LDAPs
>
> Hi All,  I'm still struggling with LDAPS.  In Jules' previous email there
> is a mention of:
>
> "If you are using some sort of a self-signed or locally-signed certificate
> on your AD server(s), then you will need to add your local root CA public
> cert to the TLS_CACERT file, or else the ZendTo server won't be able to
> verify the cert it gets from the AD server. But if you are using a "normal"
> externally-signed commercial cert, it should work fine."
>
> I am in this situation of using a cert created by my internal Domain CA.
> The steps I have taken:
> 1.) Exported the public key/cert for Client Authentication, Server
> Authentication from my Windows Domain Controller in DER encoded binary
> X.509(.CER) format
> 2.) copied this .CER to /etc/ssl/certs
> 3.) in /etc/ldap/ldap.conf I added:
>     TLS_CACERT /etc/ssl/certs/my-exported-ldaps-cert.cer
> This line sits under the original line of:
>     TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>
> It was a shot in the dark and I successfully predicted that it would not
> work.  However I am stuck.  If anyone has a good step-by-step to help me
> out I would appreciate it immensely.
>
> If the recommended method is to purchase a 3rd party cert please let me
> know - I will try that next (although I might need some assistance with
> that process too).
>
> Thank you,
>
> Glenn
>
>
> On Wed, Feb 12, 2020 at 10:24 AM Jules Field via ZendTo <zendto at zend.to>
> wrote:
> Scott,
>
> I have just done a CentOS 7 install of the latest ZendTo beta from
> scratch, including using SELinux.
>
> I set the preferences.php settings to
>
>     authLDAPServers1 => array('ldaps://our-AD-server.soton.ac.uk'),
>     authLDAPBaseDN1 => 'DC=soton,DC=ac,DC=uk',
>     authLDAPAccountSuffix1 => '@soton.ac.uk',
>     authLDAPUseSSL1 => false,
>     authLDAPUseTLS1 => false,
>
> and it just worked immediately. I didn't have to install any other
> packages at all.
>
> Our AD servers are listening on 636/tcp (the TCP port for ldaps according
> to /etc/services).
>
> I have already tested the same thing on Ubuntu 18.04 and it worked first
> time there too.
>
> If you are using some sort of a self-signed or locally-signed certificate
> on your AD server(s), then you will need to add your local root CA public
> cert to the TLS_CACERT file, or else the ZendTo server won't be able to
> verify the cert it gets from the AD server. But if you are using a "normal"
> externally-signed commercial cert, it should work fine.
>
> On 10/02/2020 18:39, Scott Silva via ZendTo wrote:
> In my case I know the ports are open because I have a Linux based spam
> filter that is able to auth secured.
>
>
> -----Original Message-----
> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Guy Bertrand via
> ZendTo
> Sent: Monday, February 10, 2020 10:37 AM
> To: <zendto at zend.to>
> Cc: Guy Bertrand <Guy.Bertrand at exelaonline.com>
> Subject: [ZendTo] MS LDAPs
>
> Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk to
> the domain controller.  Don't forget to check things between your ZendTo
> server and the domain controller:
> - the outgoing firewall config on the ZendTo server
> - the firewall on the DC (is port 636 open?)
> - routing
> - any intermediate firewall rules
>
> Quick test: open a command prompt (CMD on Windows, any shell on *nix).
> This will try to "telnet" to that port.
> C:\> telnet "ip of your DC" 636
> If a blank screen appears then the port is open, and the test is
> successful.
> If you receive a connecting... message or an error message then something
> is blocking that port.
>
> Guy Bertrand, M.Ing
> Directeur informatique / IT Manager
> EXELA TECHNOLOGIES
> b: +1.514.392.4999 | m: +1.514.265.9754
> 1155, boulevard Robert-Bourassa, suite 500 | Montréal (Québec) CANADA H3B
> 3A7 http://www.ExelaTech.com | EXELA LinkedIn
>
>
> _______________________________________________
> ZendTo mailing list
> mailto:ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
>
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> 'A good programmer is someone who always looks both ways
>  before crossing a one-way street.' - Doug Linder
>
> http://www.Zend.To
> Twitter: @JulesFM
>
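Added example, not code from ZendTo or from any of the posters above: a small POSIX shell script that does what Jules and Scott describe and shows where Glenn's attempt goes wrong. It converts a Windows "DER encoded binary X.509 (.CER)" export to PEM (the bundle named by TLS_CACERT is PEM, so a raw .cer appended to it, or named on a second TLS_CACERT line, is not read), appends the root CA to the bundle without duplicating it, and then runs the same check libldap will perform, `openssl verify` of the DC certificate against that bundle, before ldap.conf is touched. The function names, the host `dc01.example.com` and the throw-away PKI built by `make_test_pki` are constructed for this example; in real use the DER file is your Domain CA export, the bundle is the file your ldap.conf TLS_CACERT points to, and `show_dc_chain` is the `openssl s_client` step from Scott's mail.

```shell
#!/bin/sh
# Added example for the LDAPS trust problem in the thread (not code from ZendTo
# or any poster). Needs only openssl (1.1.1 or 3.x); runs fully offline.
set -eu

# Windows exports "DER encoded binary X.509 (.CER)"; OpenLDAP's TLS_CACERT
# bundle is PEM, so a DER file has to be converted before it is appended.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Number of PEM certificates in a bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Exit 0 if the bundle already holds the given PEM cert, matched by SHA-256
# fingerprint rather than by text so re-wrapped copies still match.
bundle_has_cert() {
    [ -f "$2" ] || return 1
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")}' "$2"
    found=1
    for f in "$tmp"/c*.pem; do
        [ -f "$f" ] || continue
        if [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256)" = "$want" ]; then
            found=0
            break
        fi
    done
    rm -rf "$tmp"
    return $found
}

# Append a PEM cert to the bundle (Scott's "don't overwrite, paste to the end"),
# but only once. Returns 0 if appended, 1 if it was already there.
append_ca_cert() {
    if bundle_has_cert "$1" "$2"; then
        return 1
    fi
    # Make sure the existing last line is newline-terminated before appending.
    if [ -s "$2" ] && [ -n "$(tail -c 1 "$2")" ]; then
        echo >> "$2"
    fi
    cat "$1" >> "$2"
}

# Does the server certificate chain to a CA in the bundle? This is the check
# libldap performs on connect to ldaps://, so run it before editing ldap.conf.
verify_against_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# What Scott ran: dump the PEM certificates the DC presents on 636/tcp, in the
# order sent (server cert first). Not executed offline; "$1" is your DC's name.
show_dc_chain() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Constructed stand-in for "a cert created by my internal Domain CA": a throw-away
# root CA, a DC certificate it signed, the CA exported as DER the way Windows does
# it, and an unrelated self-signed cert standing in for ca-certificates.crt.
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=Example Domain Root CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj '/CN=dc01.example.com' \
        -keyout "$d/dc.key" -out "$d/dc.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/dc.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -out "$d/dc.pem" 2>/dev/null
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.cer"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=Unrelated Public CA' \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Walk-through on the constructed PKI; the same steps apply to a real export.
main() {
    d=$(mktemp -d)
    make_test_pki "$d"
    der_to_pem "$d/ca.cer" "$d/ca-root.pem"
    cp "$d/other.pem" "$d/bundle.pem"      # pretend this is ca-certificates.crt
    append_ca_cert "$d/ca-root.pem" "$d/bundle.pem" && echo "root CA appended"
    verify_against_bundle "$d/dc.pem" "$d/bundle.pem" && echo "DC certificate verifies"
    rm -rf "$d"
}
main
```

Two things the walk-through makes visible that the thread only hints at: `openssl verify` against the raw `.cer` fails outright, because a DER file is not a PEM bundle, and ldap.conf's TLS_CACERT names a single file, so the root CA has to live inside that one bundle rather than on a second TLS_CACERT line. Appending the root CA (what Jules recommends) is preferable to appending the DC's own leaf certificate from `s_client` output, since the leaf is reissued far more often than the CA and the bundle would have to be edited at every renewal.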