[ZendTo] LDAP authentication

Massimo Forni Massimo.Forni at turboden.it
Thu May 21 06:13:37 BST 2020


You subscribed to it and like every mailing list you have the link in the footer to control your subscription…


From: ZendTo <zendto-bounces at zend.to> On Behalf Of Ann Hilburn via ZendTo
Sent: Thursday 21 May 2020 00:43
To: ZendTo Users <zendto at zend.to>
Cc: Ann Hilburn <ahilburn at chathamsd.org>
Subject: Re: [ZendTo] LDAP authentication

I am not sure how I came to be on this mailing list. I don't have any input to this. If possible, please remove me from future emails.
Thanks

On Wed, May 20, 2020 at 5:12 PM Ken Etter via ZendTo <zendto at zend.to> wrote:
I found an issue with the openldap config, so ldapsearch isn't working yet.  I'll have to work on it some more later.
Ken
>>> Ken Etter 5/20/2020 5:36 PM >>>
Jules,
I'm not running AD, but I do want to get SSL working with my LDAP server.  I configured everything and tested with ldapsearch from my ZendTo server and ldapsearch works.  The command line I am using to test is:

ldapsearch -H ldaps://server_ip_address:636 -x -D "<my_user_name>" -w <my_password> -b "<my_searchbase>" -s sub -a always "(objectClass=User)" cn

That returns the correct info.  I modified the LDAP section trying both of these:

'authLDAPServers'       => array('ldaps://<server_ip_address>:636'),
'authLDAPServers'       => array('ldaps://<server_ip_address>'),

Both work as long as 'authLDAPUseSSL' is set to false. But as soon as I set 'authLDAPUseSSL' equal to true and restart apache, ZendTo complains that it cannot connect.

Any suggestions?
Ken
>>> Jules <Jules at Zend.To> 5/20/2020 1:12 PM >>>
Ken,

You almost certainly want to do the change that will be needed for Active Directory in the Autumn (the Fall).
Basically you leave the UseSSL settings set to false, but change the server hostname by putting "ldaps://" on the front of it.
If it is complaining about the certificate, then I guess you are using a locally-signed cert on your LDAPS server(s). In which case, take a look at the troubleshooting guide linked from the 2nd paragraph of
https://zend.to/activedirectory.php
Also, that page talks about what you need in preferences.php and your ldap.conf. Both the LDAP and AD authenticators use the same library, as querying AD is basically the same as LDAP just with the odd minor modification to the code.
Cheers,
Jules.
On 20/05/2020 17:23, Ken Etter wrote:
Jules,
Is there anything special required to get LDAP working with SSL? I tried setting 'authLDAPUseSSL' to true, rebooted and logins fail. I then tried adding the port number (after a colon) to the address in 'authLDAPServers' and rebooted and logins still fail. If I use an ldap browser to connect, it works although it does complain about the certificate. Do I need to import the certificate for ZendTo to be able to connect? If so, do you have any directions for this?

Thanks!
Ken
>>> Jules <Jules at Zend.To> 5/20/2020 8:59 AM >>>
I always forget about it too!

And I wrote it :-(
On 20/05/2020 13:48, Ken Etter wrote:
Thanks Jules! I completely forgot about that feature. That explains it.

Ken
>>> Jules <Jules at Zend.To> 5/20/2020 4:54 AM >>>
Ken,

ZendTo actively locks out (for 24 hours) users who have failed too many login attempts in a day.
This protects against hackers using your ZendTo to attempt to find passwords by brute force.
There are 2 ways of seeing who is currently locked out, and to manually unlock them immediately:
1. The web interface for an Admin user (it's one of the red buttons).
2. But if you can't get to that, then run /opt/zendto/bin/unlockuser and it will show its command-line usage. You should just be able to run
sudo /opt/zendto/bin/unlockuser -a

to unlock every temporarily-locked account.
Hope that helps,
Jules.
On 19/05/2020 22:28, Ken Etter via ZendTo wrote:
And now it is working again. Since a trace on my ldap server showed I wasn't even getting a query from ZendTo, I decided to see what my firewall was seeing. ZendTo is installed in my DMZ. I log into the firewall and do a couple of logins to ZendTo with other accounts and watch what shows up in the firewall. Then I try my login again and it works and shows up in the firewall as expected. I had changed nothing, I just logged into the firewall to see the activity. Frustrating not knowing why, but things are working again. I assume the firewall between the DMZ and the rest of the network was the issue, but I have no idea how or why since it just started working.

My apologies for all the clutter on the mailing list.

Ken
>>> Ken Etter 5/19/2020 4:48 PM >>>
I have other software that also does LDAP authentication and my account works fine there. A trace on my LDAP server shows the login happening as expected. So it is as if ZendTo thinks my account is not an LDAP account and is trying to authenticate elsewhere and failing.

Ken
>>> Ken Etter 5/19/2020 4:41 PM >>>
Doing some more digging into this and not making much progress. I was working on moving ZendTo ldap authentication from port 389 to port 636 (SSL). Something wasn't working right, but now my account is locked out of ZendTo. Doing a trace from my LDAP server shows that I don't even get a request from ZendTo. ZendTo is working for all accounts except mine. Is there anything at all within ZendTo that might give me a clue as to what is going on?

Ken Etter, System Administrator
Architectural Group
260.432.9337 | msktd.com

_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://jul.es/mailman/listinfo/zendto


Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

'Teach a man to reason, and he will think for a lifetime.' - Phil Plait

www.Zend.To
Twitter: @JulesFM


Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

The current UK shipping forecast:
Shannon, Rockall: South backing southwest 5 to 7, occasionally gale 8 later in
Shannon. Moderate or rough. Rain, showers later. Good, occasionally poor.

www.Zend.To
Twitter: @JulesFM


Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

'One of the deep secrets of life is that all that is really worth
 doing is what we do for others.' - Lewis Carroll

www.Zend.To
Twitter: @JulesFM


--
Ann Hilburn, SPED Director
Chatham School District
907-723-2829

--

Massimo Forni
ICT Infrastructure Manager

Mobile: +393474110278

________________________________

Turboden S.p.A. I via Cernaia 10 I 25124 Brescia I Italy
t. +39 030 3552001 I f. +39 030 3552011
www.turboden.com


Confidentiality notice: this message, together with its attachments, may contain strictly confidential and/or legally privileged information and it is destined solely to the intended addressee(s), who only may use it under his/their responsibility. Opinions, conclusions and other information contained in this message, that do not relate to the official business of this firm, shall be considered as not given or endorsed by it. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Any use, disclosure, copying or distribution of the contents of this communication by a not-intended recipient or in violation of the purposes of this communication is strictly prohibited and may be unlawful.
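The working setup the thread arrives at is an 'authLDAPServers' entry with "ldaps://" on the front and 'authLDAPUseSSL' left false, with Jules pointing at a locally-signed certificate as the likely reason ZendTo complains, and Ken's own trace showing that at one point no query left the DMZ at all. The script below is an added example, not ZendTo's code and not anything posted in this thread: it parses a server entry in that format, performs only the TLS part of an LDAPS connection while verifying the server certificate against a CA bundle the way a client library would before binding, and classifies a failure as an untrusted certificate, a timeout (what a firewall silently dropping DMZ-to-LAN traffic looks like), a refused connection or a DNS problem. The host names and the CA file path are constructed placeholders.

```python
"""LDAPS reachability and certificate-trust check.

Added example, not ZendTo's code. It mirrors the fix the thread settles on:
keep 'authLDAPUseSSL' false and put "ldaps://" on the front of the server
entry, then make sure the CA that signed the LDAP server's certificate is
trusted on the ZendTo host. Host names and paths below are constructed.
"""
import socket
import ssl
from urllib.parse import urlsplit

# Default ports for the two URL schemes an 'authLDAPServers' entry can use.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_server_entry(entry):
    """Split an entry such as 'ldaps://host:636' into (scheme, host, port).

    A bare host name is treated as plain ldap on 389, which is exactly what
    the 'ldaps://' prefix recommended in the thread is there to change.
    """
    if "://" not in entry:
        entry = "ldap://" + entry
    parts = urlsplit(entry)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme in %r" % entry)
    if not parts.hostname:
        raise ValueError("no host name in %r" % entry)
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def classify_failure(exc):
    """Map the exception from a failed connect to the cause an admin must fix.

    Order matters: SSLCertVerificationError is a subclass of SSLError, and
    all of the socket errors below are subclasses of OSError.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted-certificate"  # locally-signed cert: install its CA in the trust store
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"   # e.g. a plain-LDAP port answered, or protocol mismatch
    if isinstance(exc, socket.timeout):
        return "timeout"                # a firewall silently dropping DMZ-to-LAN traffic
    if isinstance(exc, ConnectionRefusedError):
        return "refused"                # host reachable but nothing listening on that port
    if isinstance(exc, socket.gaierror):
        return "dns"                    # name does not resolve from this host
    if isinstance(exc, OSError):
        return "network"                # no route, host unreachable and similar
    return "unknown"


def check_ldaps(entry, ca_file=None, timeout=5.0):
    """Do the TLS part of an LDAPS connection and nothing more.

    The server certificate is verified against ca_file, or the system trust
    store when ca_file is None, which is the same check a client library
    performs before any bind. Returns (ok, detail); no LDAP operation is sent.
    """
    scheme, host, port = parse_server_entry(entry)
    if scheme != "ldaps":
        return False, "entry %r is plain ldap; prefix it with ldaps:// for TLS" % entry
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, "%s to %s:%d, certificate valid until %s" % (
                    tls.version(), host, port, cert.get("notAfter"))
    except Exception as exc:  # deliberately broad: every failure is classified
        return False, "%s: %s" % (classify_failure(exc), exc)


if __name__ == "__main__":
    # Constructed values: replace with the real server entry and, for a
    # locally-signed certificate, the path to the issuing CA's certificate
    # (for example ca_file="/etc/ssl/certs/internal-ca.pem").
    for entry in ("ldap.example.internal", "ldaps://ldap.example.internal:636"):
        ok, detail = check_ldaps(entry, ca_file=None)
        print("%-40s %s %s" % (entry, "OK  " if ok else "FAIL", detail))
```

Run it on the ZendTo host itself rather than from a workstation: Ken's symptom was a query that never reached the LDAP server, and only a check from inside the DMZ sees the same firewall path ZendTo uses. An "untrusted-certificate" result with ca_file=None but success with the internal CA's file means the fix is in the trust store (the ldap.conf side of the troubleshooting guide), not in preferences.php.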
