[ZendTo] LDAP authentication

Ann Hilburn ahilburn at chathamsd.org
Wed May 20 23:42:37 BST 2020


I am not sure how I came to be on this mailing list. I don't have any input
to this. If possible, please remove me from future emails.
Thanks

On Wed, May 20, 2020 at 5:12 PM Ken Etter via ZendTo <zendto at zend.to> wrote:

> I found an issue with the openldap config, so ldapsearch isn't working
> yet.  I'll have to work on it some more later.
> Ken
> >>> Ken Etter 5/20/2020 5:36 PM >>>
> Jules,
> I'm not running AD, but I do want to get SSL working with my LDAP server.
> I configured everything and tested with ldapsearch from my ZendTo server
> and ldapsearch works.  The command line I am using to test is:
>
> ldapsearch -H ldaps://server_ip_address:636 -x -D "<my_user_name>"
> -w <my_password> -b "<my_searchbase>" -s sub -a always "(objectClass=User)"
> cn
>
> That returns the correct info.  I modified the LDAP section trying both of
> these:
>
> 'authLDAPServers'       => array('ldaps://<server_ip_address>:636'),
> 'authLDAPServers'       => array('ldaps://<server_ip_address>'),
>
> Both work as long as 'authLDAPUseSSL' is set to false.  But as soon as I
> set 'authLDAPUseSSL' equal to true and restart apache, ZendTo complains
> that it cannot connect.
>
> Any suggestions?
> Ken
> >>> Jules <Jules at Zend.To> 5/20/2020 1:12 PM >>>
> Ken,
>
> You almost certainly want to do the change that will be needed for Active
> Directory in the Autumn (the Fall).
> Basically you leave the UseSSL settings set to false, but change the
> server hostname by putting "ldaps://" on the front of it.
> If it is complaining about the certificate, then I guess you are using a
> locally-signed cert on your LDAPS server(s). In which case, take a look at
> the troubleshooting guide linked from the 2nd paragraph of
> https://zend.to/activedirectory.php
> Also, that page talks about what you need in preferences.php and your
> ldap.conf. Both the LDAP and AD authenticators use the same library, as
> querying AD is basically the same as LDAP just with the odd minor
> modification to the code.
> Cheers,
> Jules.
> On 20/05/2020 17:23, Ken Etter wrote:
>
> Jules,
> Is there anything special required to get LDAP working with SSL? I tried
> setting 'authLDAPUseSSL' to true, rebooted and logins fail. I then tried
> adding the port number (after a colon) to the address in 'authLDAPServers'
> and rebooted and logins still fail. If I use an ldap browser to connect, it
> works although it does complain about the certificate. Do I need to import
> the certificate for ZendTo to be able to connect? If so, do you have any
> directions for this?
>
> Thanks!
> Ken
> >>> Jules <Jules at Zend.To> <Jules at Zend.To> 5/20/2020 8:59 AM >>>
> I always forget about it too!
>
> And I wrote it :-(
> On 20/05/2020 13:48, Ken Etter wrote:
>
> Thanks Jules! I completely forgot about that feature. That explains it.
>
> Ken
> >>> Jules <Jules at Zend.To> <Jules at Zend.To> 5/20/2020 4:54 AM >>>
> Ken,
>
> ZendTo actively locks out (for 24 hours) users who have failed too many
> login attempts in a day.
> This protects against hackers using your ZendTo to attempt to find
> passwords by brute force.
> There are 2 ways of seeing who is currently locked out, and to manually
> unlock them immediately:
> 1. The web interface for an Admin user (it's one of the red buttons).
> 2. But if you can't get to that, then run /opt/zendto/bin/unlockuser and
> it will show its command-line usage. You should just be able to run
> sudo /opt/zendto/bin/unlockuser -a
>
> to unlock every temporarily-locked account.
> Hope that helps,
> Jules.
> On 19/05/2020 22:28, Ken Etter via ZendTo wrote:
>
> And now it is working again. Since a trace on my ldap server showed I
> wasn't even getting a query from ZendTo, I decided to see what my firewall
> was seeing. ZendTo is installed in my DMZ. I log into the firewall and do a
> couple of logins to ZendTo with other accounts and watch what shows up in
> the firewall. Then I try my login again and it works and shows up in the
> firewall as expected. I had changed nothing, I just logged into the
> firewall to see the activity. Frustrating not knowing why, but things are
> working again. I assume the firewall between the DMZ and the rest of the
> network was the issue, but I have no idea how or why since it just started
> working.
>
> My apologies for all the clutter on the mailing list.
>
> Ken
> >>> Ken Etter 5/19/2020 4:48 PM >>>
> I have other software that also does LDAP authentication and my account
> works fine there. A trace on my LDAP server shows the login happening as
> expected. So it is as if ZendTo thinks my account is not an LDAP account
> and is trying to authenticate elsewhere and failing.
>
> Ken
> >>> Ken Etter 5/19/2020 4:41 PM >>>
> Doing some more digging into this and not making much progress. I was
> working on moving ZendTo ldap authentication from port 389 to port 636
> (SSL). Something wasn't working right, but now my account is locked out of
> ZendTo. Doing a trace from my LDAP server shows that I don't even get a
> request from ZendTo. ZendTo is working for all accounts except mine. Is
> there anything at all within ZendTo that might give me a clue as to what is
> going on?
>
> *Ken Etter*, System Administrator
> Architectural Group
> 260.432.9337 | msktd.com
>
>
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
>
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> 'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
> www.Zend.To
> Twitter: @JulesFM
>
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> The current UK shipping forecast:
> Shannon, Rockall: South backing southwest 5 to 7, occasionally gale 8 later in
> Shannon. Moderate or rough. Rain, showers later. Good, occasionally poor.
> www.Zend.To
> Twitter: @JulesFM
>
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> 'One of the deep secrets of life is that all that is really worth
>  doing is what we do for others.' - Lewis Carroll
> www.Zend.To
> Twitter: @JulesFM
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
>


-- 
Ann Hilburn, SPED Director
Chatham School District
907-723-2829
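The LDAPS troubleshooting steps quoted above (test with ldapsearch, point the client at the ldaps:// URL, then sort out trust for a locally signed certificate) gathered into one diagnostic script. This is an added example, not ZendTo's code and not anything Ken or Jules posted: it assumes the OpenLDAP client tools and openssl are installed, and the server URL, bind DN, search base and CA file are hypothetical arguments supplied by the caller. It verifies the server's certificate chain against the CA file with openssl first, then runs Ken's ldapsearch with LDAPTLS_CACERT set (the environment-variable equivalent of TLS_CACERT in ldap.conf) instead of turning verification off, and prompts for the password rather than passing it with -w where it would land in shell history and `ps` output.

```shell
#!/bin/sh
# Added example, not part of ZendTo. Assumes ldapsearch (OpenLDAP) and openssl
# are on PATH; URL, bind DN, base DN and CA file are caller-supplied.

# ldap_url_host URL -> host part of ldap://host[:port][/...] or ldaps://...
# (bracketed IPv6 literals are not handled)
ldap_url_host() {
    hostport=${1#*://}          # strip the scheme
    hostport=${hostport%%/*}    # drop any DN/path component
    printf '%s\n' "${hostport%%:*}"
}

# ldap_url_port URL -> explicit port, else libldap's default:
# 636 for ldaps://, 389 for ldap://
ldap_url_port() {
    hostport=${1#*://}
    hostport=${hostport%%/*}
    case $hostport in
        *:*) printf '%s\n' "${hostport##*:}" ;;
        *)   case $1 in
                 ldaps://*) echo 636 ;;
                 *)         echo 389 ;;
             esac ;;
    esac
}

# ldap_url_scheme URL -> ldap or ldaps
ldap_url_scheme() { printf '%s\n' "${1%%://*}"; }

# check_ldaps_cert URL CAFILE: verify the chain the way libldap will when
# TLS_CACERT points at CAFILE; -verify_return_error makes a failed
# verification abort the handshake and exit non-zero instead of just warning.
check_ldaps_cert() {
    host=$(ldap_url_host "$1"); port=$(ldap_url_port "$1")
    if ! chain=$(openssl s_client -connect "$host:$port" -servername "$host" \
                 -CAfile "$2" -verify_return_error </dev/null 2>/dev/null); then
        echo "certificate for $host:$port does not verify against $2" >&2
        return 1
    fi
    # show who signed it: a locally signed cert has a non-public issuer
    printf '%s\n' "$chain" | openssl x509 -noout -subject -issuer -dates
}

# bind_test URL BINDDN BASE CAFILE: Ken's ldapsearch, with the CA supplied
# via LDAPTLS_CACERT and the password read from a prompt (-W).
bind_test() {
    LDAPTLS_CACERT=$4 ldapsearch -H "$1" -x -D "$2" -W -b "$3" \
        -s sub -a always '(objectClass=User)' cn
}

if [ $# -eq 4 ]; then
    [ "$(ldap_url_scheme "$1")" = ldaps ] || echo "warning: $1 is not ldaps://, bind will be in clear" >&2
    check_ldaps_cert "$1" "$4" && bind_test "$@"
elif [ $# -ne 0 ]; then
    echo "usage: $0 ldaps://host[:port] binddn basedn cafile" >&2
    exit 2
fi
```

Run it as `./ldaps-check.sh ldaps://ldap.example.org cn=binduser,dc=example,dc=org dc=example,dc=org /etc/ssl/certs/local-ca.pem`. If the openssl step fails but the bind works once verification is disabled, the problem is trust, not connectivity, and the fix is the TLS_CACERT entry in ldap.conf rather than 'authLDAPUseSSL'. The port helper also shows why Ken's two 'authLDAPServers' forms behave identically: an ldaps:// URL with no port is already port 636.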
