[ZendTo] LDAP authentication

Ken Etter KLE at msktd.com
Thu May 21 19:14:18 BST 2020


Not at all.  If it will save someone else some time, please do.  I'm no
SSL expert, but I am trying to get a bit smarter on it.

Sorry, but I haven't had a chance to look at the betas.  I am currently
running 5.23-3.  My hands are a bit full this week.

Thanks for all your efforts though.  We do like ZendTo.
Ken
>>> Jules <Jules at Zend.To> 5/21/2020 2:08 PM >>>
Ken,

Mind if I add your steps to the troubleshooting section for LDAP/AD?
Cheers,
Jules.
P.S. Have you tried the latest betas? I fixed a bad Installer bug today
too, that affects CentOS/RedHat-based systems. And there's a slight
revision to the zendto-saml package too.
On 21/05/2020 18:52, Ken Etter via ZendTo wrote:


Scott,
After much trial and error, I figured it out for my system. I assume
from your statement that you are using AD. I use eDirectory so I use the
straight LDAP settings in ZendTo. I also have ZendTo running on SLES 15.
Exact commands will be different for you since you use AD and possibly a
different linux distro for ZendTo. But here are my steps in case it
helps...

1. Retrieve the CA and server certs from my LDAP server in pem format.
2. Copy them into a folder on my ZendTo server and combine them into a
single pem file.
3. Edit ldap.conf so the "TLS_CACERT" variable points to my combined
pem file.
4. Use ldapsearch on my ZendTo server to verify that I can connect to
my LDAP server over port 636.
5. Edit the ZendTo preferences.php file so the URL for the LDAP server
uses the format ldaps://<server_name_or_ip>.
6. Restart the ZendTo web server.
7. Verify that logins work.

Hope that helps. If you have questions, let me know.
Ken
>>> Scott Silva via ZendTo <zendto at zend.to> 5/20/2020 1:01 PM >>>
I never got it working on my system… If I can’t get it working I will
probably have to drop the software when Windows forces the change…
From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Ken Etter via
ZendTo
Sent: Wednesday, May 20, 2020 9:24 AM
To: Jules Field <jules at zend.to>; ZendTo List <zendto at zend.to>
Cc: Ken Etter <KLE at msktd.com>
Subject: Re: [ZendTo] LDAP authentication
Jules,
Is there anything special required to get LDAP working with SSL? I
tried setting 'authLDAPUseSSL' to true, rebooted and logins fail. I then
tried adding the port number (after a colon) to the address in
'authLDAPServers' and rebooted and logins still fail. If I use an ldap
browser to connect, it works although it does complain about the
certificate. Do I need to import the certificate for ZendTo to be able
to connect? If so, do you have any directions for this?

Thanks!
Ken
>>> Jules <Jules at Zend.To> 5/20/2020 8:59 AM >>>
I always forget about it too!
And I wrote it :-(
On 20/05/2020 13:48, Ken Etter wrote:


Thanks Jules! I completely forgot about that feature. That explains
it.
Ken
>>> Jules <Jules at Zend.To> 5/20/2020 4:54 AM >>>
Ken, 
ZendTo actively locks out (for 24 hours) users who have failed too many
login attempts in a day.
This protects against hackers using your ZendTo to attempt to find
passwords by brute force.
There are 2 ways of seeing who is currently locked out, and to manually
unlock them immediately:
1. The web interface for an Admin user (it's one of the red buttons).
2. But if you can't get to that, then run /opt/zendto/bin/unlockuser
and it will show its command-line usage. You should just be able to run
sudo /opt/zendto/bin/unlockuser -a 
to unlock every temporarily-locked account.
Hope that helps,
Jules.
On 19/05/2020 22:28, Ken Etter via ZendTo wrote:


And now it is working again. Since a trace on my ldap server showed I
wasn't even getting a query from ZendTo, I decided to see what my
firewall was seeing. ZendTo is installed in my DMZ. I log into the
firewall and do a couple of logins to ZendTo with other accounts and
watch what shows up in the firewall. Then I try my login again and it
works and shows up in the firewall as expected. I had changed nothing, I
just logged into the firewall to see the activity. Frustrating not
knowing why, but things are working again. I assume the firewall between
the DMZ and the rest of the network was the issue, but I have no idea
how or why since it just started working.
My apologies for all the clutter on the mailing list.
Ken
>>> Ken Etter 5/19/2020 4:48 PM >>>
I have other software that also does LDAP authentication and my account
works fine there. A trace on my LDAP server shows the login happening as
expected. So it is as if ZendTo thinks my account is not an LDAP account
and is trying to authenticate elsewhere and failing.

Ken
>>> Ken Etter 5/19/2020 4:41 PM >>>
Doing some more digging into this and not making much progress. I was
working on moving ZendTo ldap authentication from port 389 to port 636
(SSL). Something wasn't working right, but now my account is locked out
of ZendTo. Doing a trace from my LDAP server shows that I don't even get
a request from ZendTo. ZendTo is working for all accounts except mine.
Is there anything at all within ZendTo that might give me a clue as to
what is going on?


Ken Etter, System Administrator
Architectural Group
260.432.9337 | msktd.com
_______________________________________________ ZendTo mailing list
ZendTo at zend.to http://jul.es/mailman/listinfo/zendto  
Jules  --  Julian Field MEng CEng CITP MBCS MIEEE MACM  'Teach a man to
reason, and he will think for a lifetime.' - Phil Plait  www.Zend.To
Twitter: @JulesFM 
 
Jules  --  Julian Field MEng CEng CITP MBCS MIEEE MACM  The current UK
shipping forecast: Shannon, Rockall: South backing southwest 5 to 7,
occasionally gale 8 later in Shannon. Moderate or rough. Rain, showers
later. Good, occasionally poor.  www.Zend.To Twitter: @JulesFM 


Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM 'Learn from
yesterday, live for today, look to tomorrow, rest this afternoon.' -
Charles M Schulz www.Zend.To Twitter: @JulesFM
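The LDAPS preflight that Ken's seven steps amount to, written out as an added example; this is not ZendTo code and not from any message in the thread. It assumes POSIX sh, with openssl and ldapsearch (OpenLDAP client tools) installed only for the optional live check; the file paths, hostname and search base are placeholders supplied by the caller, and the sample PEM files in the usage note are constructed.

```shell
#!/bin/sh
# ldaps_preflight.sh -- added example, not part of ZendTo.
# Checks the pieces Ken's steps rely on before editing preferences.php:
#   combine CA + server certs into one PEM bundle (step 2),
#   confirm ldap.conf's TLS_CACERT points at it (step 3),
#   prove the TLS handshake and an ldapsearch over 636 work (step 4),
#   and normalise the server entry to the ldaps://host form (step 5).
# Hostnames are assumed to be plain names or IPv4 addresses (no [IPv6]:port).

# Count PEM certificate blocks in a file (prints the number, never fails).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Concatenate PEM files into one bundle and print how many certs it holds.
#   combine_pem /etc/ssl/ldap-bundle.pem ca.pem server.pem
combine_pem() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
    done
    count_certs "$out"
}

# A usable bundle has at least one cert and every BEGIN has its END;
# a truncated copy/paste (common when certs are pulled from a GUI) fails here.
check_bundle() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Print the TLS_CACERT path configured in an ldap.conf (empty if unset).
tls_cacert_from_conf() {
    awk '$1 == "TLS_CACERT" { print $2; exit }' "$1"
}

# Turn "host", "host:636" or "ldap://host" into "ldaps://host", the form the
# thread found to work for authLDAPServers. The port is dropped on purpose:
# ldaps:// already implies 636.
ldaps_url() {
    h=$1
    h=${h#ldaps://}
    h=${h#ldap://}
    h=${h%%:*}
    printf 'ldaps://%s\n' "$h"
}

# Live check (needs network, openssl and ldapsearch; not run by default):
# 1. TLS handshake to :636 validated against the bundle, failing on any
#    verification error rather than just printing a warning.
# 2. A base-scope search over ldaps://, forcing the client library to use
#    the same bundle, so a working ldapsearch means ZendTo can work too.
live_check() {
    host=$1; bundle=$2; base=$3
    openssl s_client -connect "$host:636" -CAfile "$bundle" \
        -verify_return_error </dev/null >/dev/null 2>&1 || return 1
    LDAPTLS_CACERT="$bundle" ldapsearch -H "$(ldaps_url "$host")" \
        -x -b "$base" -s base '(objectClass=*)' >/dev/null 2>&1
}

# Set LDAPS_PREFLIGHT_LIVE=1 and pass: bundle.pem ldap.conf host base
if [ -n "${LDAPS_PREFLIGHT_LIVE:-}" ]; then
    bundle=$1; conf=$2; host=$3; base=$4
    check_bundle "$bundle" || { echo "bundle $bundle is not valid PEM"; exit 1; }
    [ "$(tls_cacert_from_conf "$conf")" = "$bundle" ] \
        || { echo "TLS_CACERT in $conf does not point at $bundle"; exit 1; }
    live_check "$host" "$bundle" "$base" || { echo "LDAPS check failed"; exit 1; }
    echo "ok: use $(ldaps_url "$host") in authLDAPServers"
fi
```

The offline functions are what you would run first: a bundle that fails `check_bundle` or an ldap.conf whose `TLS_CACERT` points elsewhere explains most "it works in my LDAP browser but not from the server" cases before any network debugging. The live check deliberately uses the same bundle for both the raw TLS handshake and ldapsearch, so a failure isolates to either the chain (openssl fails) or LDAP itself (only ldapsearch fails).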