[ZendTo] LDAP authentication

Der PCFreak mailinglists at pcfreak.de
Tue Jun 2 07:14:29 BST 2020


Hi,

I recently also went the LDAPS way on CentOS 7. The way described at 
https://zend.to/activedirectory.php did not work for me, especially the 
part about where to put
the certificate of the CA and the modifications to ldap.conf - but it 
was very easy to get it working.

We use Microsoft Active Directory here and the Domain Controllers (which 
I authenticate against) have a certificate created by our internal, 
active-directory-integrated CA.

The Windows admins told me to use port 636 with ldaps to connect and 
gave me the public certificate of the CA that issued the DCs' certificates.

So the only thing (for CentOS 7) I had to do was to copy the CA's public 
certificate to /etc/pki/ca-trust/source/anchors/ and then execute the 
command update-ca-trust, which
imported the certificate into the trusted CA database.

After that everything worked fine and I could verify the connection 
using ldapsearch.

One should ensure that you *connect to the DCs using their FQDN* 
because their certificate usually contains only the FQDN as certificate 
subject. So I *added the DCs with their IP and FQDN to the CentOS
/etc/hosts file* and replaced IPs with FQDNs in the ZendTo config and 
set 'authLDAPUseSSL' => true, . - All works fine now here.

For troubleshooting, you should first do a generic connection test to 
your AD domain controllers with openssl like this:

openssl s_client -connect fqdn.of.dc:636 -showcerts < /dev/null

This should show the certificate of the DC and a "Verify return code: 0 
(ok)". Then use ldapsearch to check the certificate chain (assuming you 
have already copied the CA and run update-ca-trust).

My ldapsearch command to check everything looked like this:

dc="fqdn.of.your.dc" port=636 user="ldapuser@ldapdomain.tld" \
pass="ldapuserpassword" searchbase="DC=sub,DC=domain,DC=tld" ldapsearch \
-x -LLL -E pr=200/noprompt -H ldaps://${dc}:${port} -D "${user}" -w \
"${pass}" -b "${searchbase}" dn cn mail memberOf

After ldapsearch succeeded, ZendTo worked fine, too.

*I did not have to change any defaults in /etc/openldap/ldap.conf to get 
it working on CentOS 7!*

Greets

Peter

On 19/05/2020 22:41, Ken Etter via ZendTo wrote:

> Doing some more digging into this and not making much progress.  I was 
> working on moving ZendTo ldap authentication from port 389 to port 636 
> (SSL).  Something wasn't working right, but now my account is locked 
> out of ZendTo.  Doing a trace from my LDAP server shows that I don't 
> even get a request from ZendTo.  ZendTo is working for all accounts 
> except mine.  Is there anything at all within ZendTo that might give 
> me a clue as to what is going on?
>
> *Ken Etter*, System Administrator
> Architectural Group
> 260.432.9337|msktd.com <http://msktd.com/>
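The CentOS 7 LDAPS checks from Peter's message above (trust the internal CA, verify the DC's chain with openssl, then bind with ldapsearch over the DC's FQDN), collected into shell functions as an added example that is not part of the original post or of ZendTo. DC_FQDN, CA_CERT, BIND_USER, BIND_PASS and SEARCH_BASE are placeholders to override in the environment.

```shell
#!/bin/sh
# Added example, not from the original post or from ZendTo.
# All values below are placeholders; override them via the environment.
CA_CERT="${CA_CERT:-/root/internal-ca.crt}"      # PEM public cert of the AD-integrated CA
DC_FQDN="${DC_FQDN:-dc01.sub.domain.tld}"         # must match the name in the DC's certificate
LDAP_PORT="${LDAP_PORT:-636}"
BIND_USER="${BIND_USER:-ldapuser@ldapdomain.tld}"
BIND_PASS="${BIND_PASS:-changeme}"
SEARCH_BASE="${SEARCH_BASE:-DC=sub,DC=domain,DC=tld}"

# 1. Add the CA to the system trust store that both openssl and libldap read on CentOS 7.
install_ca() {
  cp "$1" /etc/pki/ca-trust/source/anchors/ && update-ca-trust
}

# Reject a bare IPv4 literal: the DC cert carries the FQDN, so an IP fails hostname checks.
is_fqdn() {
  case "$1" in
    *[!0-9.]*) case "$1" in *.*) return 0 ;; esac ;;
  esac
  return 1
}

# Pull the numeric "Verify return code" out of openssl s_client output (0 means chain OK).
verify_code() {
  sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# 2. Generic TLS test against the DC on the LDAPS port; prints the verify code.
tls_check() {
  openssl s_client -connect "$1:$LDAP_PORT" -showcerts </dev/null 2>/dev/null | verify_code
}

ldaps_uri() { printf 'ldaps://%s:%s\n' "$1" "$2"; }

# 3. Authenticated bind and search over LDAPS, mirroring the ldapsearch call in the post.
ldap_check() {
  ldapsearch -x -LLL -E pr=200/noprompt -H "$(ldaps_uri "$DC_FQDN" "$LDAP_PORT")" \
    -D "$BIND_USER" -w "$BIND_PASS" -b "$SEARCH_BASE" dn cn mail memberOf
}

# Run the three steps in order and stop at the first failure.
run_all() {
  is_fqdn "$DC_FQDN" || { echo "DC_FQDN must be a hostname, not an IP" >&2; return 1; }
  install_ca "$CA_CERT" || return 1
  [ "$(tls_check "$DC_FQDN")" = "0" ] || { echo "TLS chain verification failed" >&2; return 1; }
  ldap_check
}
```

Call `run_all` as root on the ZendTo host; a non-zero verify code from `tls_check` means the CA was not imported, while a good TLS result followed by a failing `ldap_check` points at the bind DN, password or a hostname mismatch.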
