[ZendTo] LDAP authentication
Jules
Jules at Zend.To
Thu May 21 19:08:43 BST 2020
Ken,
Mind if I add your steps to the troubleshooting section for LDAP/AD?
Cheers,
Jules.
P.S. Have you tried the latest betas? I fixed a bad Installer bug today
too, that affects CentOS/RedHat-based systems. And there's a slight
revision to the zendto-saml package too.
On 21/05/2020 18:52, Ken Etter via ZendTo wrote:
> Scott,
> After much trial and error, I figured it out for my system. I assume
> from your statement that you are using AD. I use eDirectory so I use
> the straight LDAP settings in ZendTo. I also have ZendTo running on
> SLES 15. Exact commands will be different for you since you use AD
> and possibly a different linux distro for ZendTo. But here are my
> steps in case it helps...
>
> 1. Retrieve the CA and server certs from my LDAP server in pem format.
> 2. Copy them into a folder on my ZendTo server and combine them into a
> single pem file.
> 3. Edit ldap.conf so the "TLS_CACERT" variable points to my combined
> pem file.
> 4. Use ldapsearch on my ZendTo server to verify that I can connect to
> my LDAP server over port 636.
> 5. Edit the ZendTo preferences.php file so the URL for the LDAP server
> uses the format ldaps://<server_name_or_ip>.
> 6. Restart the ZendTo web server.
> 7. Verify that logins work.
>
> Hope that helps. If you have questions, let me know.
> Ken
> >>> Scott Silva via ZendTo <zendto at zend.to> 5/20/2020 1:01 PM >>>
> I never got it working on my system… If I can’t get it working I will
> probably have to drop the software when Windows forces the change…
> From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Ken Etter via ZendTo
> Sent: Wednesday, May 20, 2020 9:24 AM
> To: Jules Field <jules at zend.to>; ZendTo List <zendto at zend.to>
> Cc: Ken Etter <KLE at msktd.com>
> Subject: Re: [ZendTo] LDAP authentication
> Jules,
> Is there anything special required to get LDAP working with SSL? I
> tried setting 'authLDAPUseSSL' to true, rebooted and logins fail. I
> then tried adding the port number (after a colon) to the address in
> 'authLDAPServers' and rebooted and logins still fail. If I use an
> ldap browser to connect, it works although it does complain about the
> certificate. Do I need to import the certificate for ZendTo to be
> able to connect? If so, do you have any directions for this?
>
> Thanks!
> Ken
> >>> Jules <Jules at Zend.To> 5/20/2020 8:59 AM >>>
> I always forget about it too!
> And I wrote it :-(
> On 20/05/2020 13:48, Ken Etter wrote:
>
> Thanks Jules! I completely forgot about that feature. That
> explains it.
> Ken
> >>> Jules <Jules at Zend.To> 5/20/2020 4:54 AM >>>
> Ken,
> ZendTo actively locks out (for 24 hours) users who have failed too
> many login attempts in a day.
> This protects against hackers using your ZendTo to attempt to find
> passwords by brute force.
> There are 2 ways of seeing who is currently locked out, and to
> manually unlock them immediately:
> 1. The web interface for an Admin user (it's one of the red buttons).
> 2. But if you can't get to that, then run
> /opt/zendto/bin/unlockuser and it will show its command-line
> usage. You should just be able to run
> sudo /opt/zendto/bin/unlockuser -a
> to unlock every temporarily-locked account.
> Hope that helps,
> Jules.
> On 19/05/2020 22:28, Ken Etter via ZendTo wrote:
>
> And now it is working again. Since a trace on my ldap server
> showed I wasn't even getting a query from ZendTo, I decided to
> see what my firewall was seeing. ZendTo is installed in my
> DMZ. I log into the firewall and do a couple of logins to
> ZendTo with other accounts and watch what shows up in the
> firewall. Then I try my login again and it works and shows up
> in the firewall as expected. I had changed nothing, I just
> logged into the firewall to see the activity. Frustrating not
> knowing why, but things are working again. I assume the
> firewall between the DMZ and the rest of the network was the
> issue, but I have no idea how or why since it just started
> working.
> My apologies for all the clutter on the mailing list.
> Ken
> >>> Ken Etter 5/19/2020 4:48 PM >>>
> I have other software that also does LDAP authentication and
> my account works fine there. A trace on my LDAP server shows
> the login happening as expected. So it is as if ZendTo thinks
> my account is not an LDAP account and is trying to
> authenticate elsewhere and failing.
>
> Ken
> >>> Ken Etter 5/19/2020 4:41 PM >>>
> Doing some more digging into this and not making much
> progress. I was working on moving ZendTo ldap authentication
> from port 389 to port 636 (SSL). Something wasn't working
> right, but now my account is locked out of ZendTo. Doing a
> trace from my LDAP server shows that I don't even get a
> request from ZendTo. ZendTo is working for all accounts except
> mine. Is there anything at all within ZendTo that might give
> me a clue as to what is going on?
>
>
> Ken Etter, System Administrator
> Architectural Group
> 260.432.9337 | msktd.com <http://msktd.com/>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
>
> Jules
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
> 'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
> www.Zend.To <http://www.Zend.To>
> Twitter: @JulesFM
>
> Jules
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
> The current UK shipping forecast:
> Shannon, Rockall: South backing southwest 5 to 7, occasionally gale 8 later in
> Shannon. Moderate or rough. Rain, showers later. Good, occasionally poor.
> www.Zend.To <http://www.Zend.To>
> Twitter: @JulesFM
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Learn from yesterday, live for today,
look to tomorrow, rest this afternoon.' - Charles M Schulz
www.Zend.To
Twitter: @JulesFM
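Ken's seven LDAPS steps, scripted as an added example; this is not ZendTo's own code and not something anyone on the thread posted. The directory host, the bundle location and the ldap.conf path are assumptions (override them from the environment); the network steps (fetching the chain with openssl, the ldapsearch check) only run with --run, while the file edits and the URL rewrite are plain shell functions that work offline. Two checks Ken's list does not mention are added: the bundle is counted to make sure it actually holds certificates, and a ldap.conf containing TLS_REQCERT never or allow is refused, since that is the shortcut that makes an LDAP browser's "certificate complaint" disappear by turning verification off.

```shell
#!/bin/sh
# Added example, not part of ZendTo: Ken's LDAPS steps as shell functions.
# Host, port and file locations below are assumptions; override via env.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"             # assumed directory host
LDAP_PORT="${LDAP_PORT:-636}"
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"      # SLES/RHEL; Debian: /etc/ldap/ldap.conf
BUNDLE="${BUNDLE:-/etc/openldap/certs/ldap-chain.pem}" # assumed bundle location

# Step 1: dump the PEM certs the server presents in its TLS handshake.
# This is trust-on-first-use: confirm the issuer fingerprint with whoever
# runs the CA before relying on it. Servers often omit the root, so the CA
# cert may have to be fetched separately, as Ken did.
fetch_server_chain() {   # fetch_server_chain HOST PORT  > chain.pem
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

count_certs() {          # count_certs FILE  -> number of PEM certs (0 if none)
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Step 2: concatenate CA and server certs into one bundle; print the count.
combine_pem() {          # combine_pem OUT IN...
    out=$1; shift
    cat "$@" > "$out"
    count_certs "$out"
}

# Step 3: point TLS_CACERT at the bundle, replacing any existing line and
# leaving everything else (BASE, URI, TLS_REQCERT, ...) untouched.
set_tls_cacert() {       # set_tls_cacert CONF BUNDLE
    conf=$1; bundle=$2
    tmp=$(mktemp)
    {
        if [ -f "$conf" ]; then
            grep -v -i '^[[:space:]]*TLS_CACERT[[:space:]]' "$conf" || true
        fi
        printf 'TLS_CACERT %s\n' "$bundle"
    } > "$tmp"
    cat "$tmp" > "$conf"   # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# 'TLS_REQCERT never' (or 'allow') makes the certificate warning go away by
# disabling verification, so anyone between the DMZ and the directory can
# impersonate it and collect every password ZendTo sends. Refuse it.
reqcert_is_safe() {      # reqcert_is_safe CONF  -> 0 unless never/allow is set
    ! grep -i -E '^[[:space:]]*TLS_REQCERT[[:space:]]+(never|allow)' "$1" >/dev/null 2>&1
}

# Step 4: prove the OpenLDAP client library (which PHP's ldap extension uses)
# completes a verified handshake on 636 before touching ZendTo at all.
# Add -D <binddn> -W if the directory refuses anonymous base queries.
verify_ldaps() {         # verify_ldaps HOST PORT BUNDLE
    LDAPTLS_CACERT=$3 ldapsearch -x -H "ldaps://$1:$2" -b '' -s base '(objectClass=*)' >/dev/null
}

# Step 5: the 'authLDAPServers' entry has to be an ldaps:// URL, not a bare
# host with ":636" appended (Ken found the latter does not work).
to_ldaps_url() {         # to_ldaps_url HOST | HOST:PORT | ldap://HOST | ldaps://HOST
    case $1 in
        ldaps://*) printf '%s\n' "$1" ;;
        ldap://*)  printf 'ldaps://%s\n' "${1#ldap://}" ;;
        *)         printf 'ldaps://%s\n' "$1" ;;
    esac
}

main() {
    chain=$(mktemp)
    fetch_server_chain "$LDAP_HOST" "$LDAP_PORT" > "$chain"
    n=$(combine_pem "$BUNDLE" "$chain")
    rm -f "$chain"
    [ "$n" -ge 1 ] || { echo "no certificates retrieved from $LDAP_HOST" >&2; exit 1; }
    set_tls_cacert "$LDAP_CONF" "$BUNDLE"
    reqcert_is_safe "$LDAP_CONF" || { echo "$LDAP_CONF disables verification (TLS_REQCERT); remove it" >&2; exit 1; }
    verify_ldaps "$LDAP_HOST" "$LDAP_PORT" "$BUNDLE"
    echo "put this in authLDAPServers: $(to_ldaps_url "$LDAP_HOST")"
    # Steps 6 and 7 stay manual: restart the web server so PHP rereads
    # ldap.conf (e.g. systemctl restart apache2 on SLES), then test a login.
}

# Network and root-only steps run only when invoked as: sh ldaps-setup.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

If verify_ldaps fails while an LDAP browser on a workstation succeeds, the usual cause is that the browser is trusting the server certificate ad hoc while the OpenLDAP client on the ZendTo box is (correctly) refusing an unknown issuer; the fix is the bundle, never TLS_REQCERT never.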