<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
My top immediate guess would be to try removing the ":3268" from the
names of your AD servers in authLDAPServers1.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
<div class="moz-cite-prefix">On 01/11/2018 12:01, Igor David wrote:<br>
</div>
<blockquote type="cite"
cite="mid:WM!6e7661617da42a80a4e7d353ef9c357bd0044c09a3a83b2a90737c3a2eb51ff5deb46f35178f82859448c37465f4e6497b6a88f6cb1199f95991eff4b3b35239d60a6979779c3ebcde7e351c77aada6d!@mx.jul.es">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Hi All,</div>
<div><br>
</div>
<div>We have been using ZendTo actively with AD authentication and it has worked well for a few years.</div>
<div><br>
</div>
<div>However, we are installing a new ZendTo system on an AWS EC2 instance (trying the Ubuntu 18.4, Amazon Linux 2018.03 and RedHat 7.5 distros) which we can't get to work with AD authentication.</div>
<div><br>
</div>
<div>This is our existing
preferences.php (OURDOMAIN,
USERNAME and PASSWORD are
replaced):</div>
<div><br>
</div>
<div><b> 'authenticator'
=> 'AD',<br>
'authLDAPBaseDN1'
=> 'DC=OURDOMAIN,DC=com',<br>
'authLDAPServers1'
=>
array('AD_SERVER1:3268','AD_SERVER2:3268'),<br>
'authLDAPAccountSuffix1'
=> '@OURDOMAIN.com',<br>
'authLDAPUseSSL1'
=> false,<br>
'authLDAPBindUser1'
=> 'USERNAME',<br>
'authLDAPBindPass1'
=> 'PASSWORD',<br>
'authLDAPOrganization1'
=> 'OUR ORGANIZATION',<br>
'authLDAPBaseDN2'
=>
'DC=soton,DC=ac,DC=uk',<br>
'authLDAPServers2'
=> array(),<br>
'authLDAPAccountSuffix2'
=> '@soton.ac.uk',<br>
'authLDAPUseSSL2'
=> false,<br>
'authLDAPBindUser2'
=> 'SecretUsername2',<br>
'authLDAPBindPass2'
=> 'SecretPassword2',<br>
'authLDAPOrganization2'
=> 'University of
Southampton',</b></div>
<div><br>
</div>
<div><br>
</div>
<div>In that case, we can't connect and get an error on the ZendTo front-end page:<br>
</div>
<div><br>
</div>
<div><i>LDAP Error<br>
Check User: Unable to
connect to any of the
authentication servers;
could not authenticate user.
Please notify the system
administrator.<br>
Authentication Error<br>
The username or password
was incorrect.</i></div>
<div><br>
</div>
<div>Apache error:</div>
<div><br>
</div>
<div><i>[Thu Nov 01
11:28:32.666278 2018]
[php7:warn] [pid 1397]
[client 10.254.48.252:58828]
PHP Warning:
ldap_connect(): Could not
create session handle: Bad
parameter to an ldap routine
in
/opt/zendto/lib/NSSADAuthenticator.php
on line 527</i></div>
<div><br>
</div>
<div>Zendto log:</div>
<div><br>
</div>
<div><i>2018-11-01 11:28:32
10.254.48.252 [ZendTo]:
Warning: authorization
failed for USERNAME</i></div>
<div><br>
</div>
<div><br>
</div>
<div>We have also tried removing the ports from the server names, like this:<br>
</div>
<div><br>
</div>
<div>
<div> <b>'authenticator'
=> 'AD',<br>
'authLDAPBaseDN1'
=>
'DC=OURDOMAIN,DC=com',<br>
'authLDAPServers1'
=>
array('AD_SERVER1','AD_SERVER2'),<br>
'authLDAPAccountSuffix1'
=> '@OURDOMAIN.com',<br>
'authLDAPUseSSL1'
=> false,<br>
'authLDAPBindUser1'
=> 'USERNAME',<br>
'authLDAPBindPass1'
=> 'PASSWORD',<br>
'authLDAPOrganization1'
=> 'OUR ORGANIZATION',<br>
'authLDAPBaseDN2'
=>
'DC=soton,DC=ac,DC=uk',<br>
'authLDAPServers2'
=> array(),<br>
'authLDAPAccountSuffix2'
=> '@soton.ac.uk',<br>
'authLDAPUseSSL2'
=> false,<br>
'authLDAPBindUser2'
=> 'SecretUsername2',<br>
'authLDAPBindPass2'
=> 'SecretPassword2',<br>
'authLDAPOrganization2'
=> 'University of
Southampton',</b></div>
<div><br>
</div>
</div>
<div><br>
</div>
<div>then we get just the following error on the ZendTo web page:</div>
<div><br>
</div>
<div>
<table class="gmail-UD_error"
width="50%">
<tbody>
<tr>
<td
class="gmail-UD_error_title"><br>
</td>
<td
class="gmail-UD_error_title"><i>Authentication
Error</i></td>
</tr>
<tr>
<td
class="gmail-UD_error_message"><br>
</td>
<td
class="gmail-UD_error_message"><i>The
username or password
was incorrect.</i></td>
</tr>
</tbody>
</table>
</div>
<div><br>
</div>
<div>and no errors in Apache; ZendTo log:</div>
<div><br>
</div>
<div><i>2018-11-01 11:32:56
10.254.48.252 [ZendTo]:
Warning: authorization
failed for USERNAME</i></div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>We have tried it also like
this:</div>
<div><br>
<b>'authenticator'
=> 'AD',<br>
'authLDAPBaseDN1'
=> 'DC=OURDOMAIN,DC=com',<br>
'authLDAPServers1'
=>
array('AD_SERVER1:3268','AD_SERVER2:3268'),<br>
'authLDAPAccountSuffix1'
=> '@OURDOMAIN.com',<br>
'authLDAPUseSSL1'
=> false,<br>
'authLDAPBindUser1'
=> 'USERNAME',<br>
'authLDAPBindPass1'
=> 'PASSWORD',<br>
'authLDAPBaseOrganization1'
=> 'OUR ORGANIZATION',<br>
'authLDAPBaseDN2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPServers2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPAccountSuffix2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPUseSSL2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPBindUser2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPBindPass2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPBaseOrganization2'
=> '',<br>
// Leave blank if not
using a 2nd forest. </b></div>
<div><br>
</div>
<div>It throws a message on the ZendTo front-end page but keeps users marked as logged in:</div>
<div><br>
</div>
<div>
<table class="gmail-UD_error"
width="50%">
<tbody>
<tr>
<td
class="gmail-UD_error_title">LDAP
Error</td>
</tr>
<tr>
<td
class="gmail-UD_error_message"><br>
</td>
<td
class="gmail-UD_error_message"><i>Check
User: Unable to
connect to any of
the authentication
servers; could not
authenticate user.
Please notify the
system
administrator.</i></td>
</tr>
</tbody>
</table>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Apache error:</div>
<div><i><br>
</i></div>
<div><i>[Thu Nov 01
11:12:11.381516 2018]
[php7:warn] [pid 903]
[client 10.254.48.252:58118]
PHP Warning:
ldap_connect(): Could not
create session handle: Bad
parameter to an ldap routine
in
/opt/zendto/lib/NSSADAuthenticator.php
on line 527</i></div>
<div><br>
</div>
<div>ZendTo log:</div>
<div><br>
</div>
<div><i>2018-11-01 11:13:56
10.254.48.252 [ZendTo]:
Info: authorization
succeeded for USERNAME<br>
2018-11-01 11:13:56
10.254.48.252 [ZendTo]:
Info: user authentication
verified user as 'USERNAME'</i><br>
<br>
</div>
<div><br>
</div>
<div>Also, when we change the AD servers like this (servers without :3268 at the end):</div>
<div><br>
</div>
<div><b>'authenticator'
=> 'AD',<br>
'authLDAPBaseDN1'
=> 'DC=OURDOMAIN,DC=com',<br>
'authLDAPServers1'
=>
array('AD_SERVER1','AD_SERVER2'),<br>
'authLDAPAccountSuffix1'
=> '@OURDOMAIN.com',<br>
'authLDAPUseSSL1'
=> false,<br>
'authLDAPBindUser1'
=> 'USERNAME',<br>
'authLDAPBindPass1'
=> 'PASSWORD',<br>
'authLDAPBaseOrganization1'
=> 'OUR ORGANIZATION',<br>
'authLDAPBaseDN2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPServers2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPAccountSuffix2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPUseSSL2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPBindUser2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPBindPass2'
=> '',<br>
// Leave blank if not
using a 2nd forest.<br>
'authLDAPBaseOrganization2'
=> '',<br>
// Leave blank if not
using a 2nd forest. </b></div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>then ANYONE can log in and there is no ZendTo front-end or Apache error.<br>
</div>
<div><br>
</div>
<div>This is zendto.log in that
case:<br>
</div>
<div><br>
</div>
<i>2018-11-01 11:18:17
10.254.48.252 [ZendTo]: Info:
authorization succeeded for
USERNAME<br>
2018-11-01 11:18:17
10.254.48.252 [ZendTo]: Info:
user authentication verified
user as USERNAME</i><br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr"><br>
</div>
<div>When we try like this:</div>
<div><br>
</div>
<div><b>'authenticator' =>
'AD',<br>
'authLDAPBaseDN1' =>
array('DC=OURDOMAIN,DC=com'),<br>
'authLDAPServers1' =>
array('AD_SERVER:3268'),<br>
'authLDAPAccountSuffix1' =>
'@OURDOMAIN.com',<br>
'authLDAPUseSSL1' => false,
<br>
'authLDAPBindUser1' =>
'USERNAME',<br>
'authLDAPBindPass1' =>
'PASSWORD',<br>
'authLDAPOrganization1' =>
'OUR ORGANIZATION',</b></div>
<div><br>
</div>
<div>Then ANYONE can log in, but with this error on the ZendTo front-end page:</div>
<div><br>
</div>
<div>
<table class="gmail-UD_error"
width="50%">
<tbody>
<tr>
<td
class="gmail-UD_error_title"><br>
</td>
<td
class="gmail-UD_error_title"><i>LDAP
Error</i></td>
</tr>
<tr>
<td
class="gmail-UD_error_message"><br>
</td>
<td
class="gmail-UD_error_message"><i>Check
User: Unable to
connect to any of the
authentication
servers; could not
authenticate user.
Please notify the
system administrator.</i></td>
</tr>
</tbody>
</table>
</div>
<div><br>
</div>
<div> Apache error:</div>
<div><br>
</div>
<div dir="ltr"><i>[Thu Nov 01
11:49:21.846106 2018]
[php7:warn] [pid 1397] [client
10.254.48.252:59694]
PHP Warning: ldap_connect():
Could not create session
handle: Bad parameter to an
ldap routine in
/opt/zendto/lib/NSSADAuthenticator.php
on line 527</i></div>
<div dir="ltr"><br>
</div>
<div>zendto.log:<br>
</div>
<div><br>
</div>
<div><i>2018-11-01 11:49:21
10.254.48.252 [ZendTo]: Info:
authorization succeeded for
USERNAME<br>
2018-11-01 11:49:21
10.254.48.252 [ZendTo]: Info:
user authentication verified
user as 'USERNAME'</i></div>
<div><br>
</div>
<div><br>
</div>
<div>If we try like this (without :3268 for the server):</div>
<div><br>
</div>
<div>
<b>'authenticator' => 'AD',<br>
'authLDAPBaseDN1' =>
array('DC=OURDOMAIN,DC=com'),<br>
'authLDAPServers1' =>
array('AD_SERVER:'),<br>
'authLDAPAccountSuffix1' =>
'@OURDOMAIN.com',<br>
'authLDAPUseSSL1' => false,
<br>
'authLDAPBindUser1' =>
'USERNAME',<br>
'authLDAPBindPass1' =>
'PASSWORD',<br>
'authLDAPOrganization1' =>
'OUR ORGANIZATION', </b><br>
</div>
<div><br>
</div>
<div>then ANYONE can log in, with no error on the ZendTo front-end page and no Apache error; zendto log:</div>
<div><br>
</div>
<div><i>2018-11-01 11:55:17
10.254.48.252 [ZendTo]: Info:
user authentication verified
user as 'USERNAME'</i><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>We have checked <a href="https://zend.to/activedirectory.php">https://zend.to/activedirectory.php</a> and I can query LDAP with the command:</div>
<div><br>
</div>
<div><i>ldapsearch -x -LLL -E
pr=200/noprompt -h
AD_SERVER1:3268 -D 'USERNAME'
-w 'PASSWORD' -b
'DC=OURDOMAIN,DC=com' -s sub
'(sAMAccountName=*)' cn mail
memberOf</i></div>
<div><br>
</div>
<div><br>
</div>
<div>Our software versions:</div>
<div><br>
</div>
<div>PHP: 7.2.10</div>
<div>Apache: 2.4.6</div>
<div>Zendto: <span
style="white-space:nowrap">Version
5.15-1</span> <br>
</div>
<div><br>
</div>
<div>Did anyone have the same issue, is there a solution, and does anyone have a configuration example for AD authentication?</div>
<div><br>
</div>
<div>Thanks in advance!</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'In Flanders fields the poppies blow
Between the crosses, row on row,
That mark our place: and in the sky
The larks still bravely singing fly
Scarce heard amid the guns below.
We are the dead: Short days ago,
We lived, felt dawn, saw sunset glow,
Loved and were loved: and now we lie
In Flanders fields!
Take up our quarrel with the foe
To you, from failing hands, we throw
The torch: be yours to hold it high
If ye break faith with us who die,
We shall not sleep, though poppies grow
In Flanders fields.' Lieutenant Colonel John McCrae
Composed at the battlefront on May 3, 1915
during the second battle of Ypres, Belgium
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
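<p>Two things in the thread above deserve a worked check. The <i>Bad parameter to an ldap routine</i> warning from <code>ldap_connect()</code> is OpenLDAP's <code>LDAP_PARAM_ERROR</code> text, and a malformed LDAP URI such as <code>ldap://AD_SERVER1:3268:389</code> (a server entry that already carries a port, combined with a default port) is a common way to produce it. The configurations under which "ANYONE can log in" while zendto.log still reports the user as verified are an authenticator failing open: an unreachable or misconfigured directory must deny, never fall through to success. The Python below is an added example written for this page, not ZendTo's code and not a description of what <code>NSSADAuthenticator.php</code> does: it normalises ZendTo-style server entries (<code>'host'</code>, <code>'host:3268'</code>, <code>'ldaps://host'</code>) into a validated LDAP URI, refusing entries like <code>'AD_SERVER:'</code>, and wraps the bind in a fail-closed decision in which misconfiguration, an unreachable server or an empty password can only ever deny. The hostnames, the account, the directory contents and the <code>fake_bind()</code> stand-in are constructed so that it runs offline; a real deployment would replace <code>fake_bind()</code> with an actual bind.</p>

```python
"""Added example: validated LDAP URI construction plus a fail-closed bind decision.
Not ZendTo code; hostnames, accounts and the bind stand-in below are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Union
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # AD Global Catalog listens on 3268 / 3269 (TLS)


def naive_uri(host: str, port: int = 389) -> str:
    """The composition that goes wrong: a host entry that already carries a port
    plus a default port gives 'ldap://AD_SERVER1:3268:389', which is not a URI."""
    return f"ldap://{host}:{port}"


def is_well_formed(uri: str) -> bool:
    """True only for ldap:// or ldaps:// with a hostname and, if present, a sane numeric port."""
    try:
        p = urlsplit(uri)
        return p.scheme in DEFAULT_PORTS and bool(p.hostname) and (p.port is None or 1 <= p.port <= 65535)
    except ValueError:          # urlsplit raises when the port text is e.g. '3268:389'
        return False


def server_to_uri(entry: str, use_ssl: bool = False) -> str:
    """Normalise 'host', 'host:3268' or 'ldap(s)://host[:port]' into one well-formed URI.
    Anything else ('AD_SERVER:', 'host:3268:389', '') raises ValueError instead of
    being handed to the LDAP library."""
    entry = entry.strip()
    if "://" in entry:
        p = urlsplit(entry)
        if p.scheme not in DEFAULT_PORTS or not p.hostname:
            raise ValueError(f"not an LDAP URI: {entry!r}")
        port = p.port                                   # raises ValueError if not an integer
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        return f"{p.scheme}://{p.hostname}:{port or DEFAULT_PORTS[p.scheme]}"
    scheme = "ldaps" if use_ssl else "ldap"
    host, sep, port_text = entry.partition(":")
    if not host or any(ch.isspace() or ch == "/" for ch in host):
        raise ValueError(f"bad host in {entry!r}")
    if not sep:
        return f"{scheme}://{host}:{DEFAULT_PORTS[scheme]}"
    if not (port_text.isdigit() and 1 <= int(port_text) <= 65535):
        raise ValueError(f"bad port in {entry!r}")      # catches the trailing-colon 'AD_SERVER:'
    return f"{scheme}://{host}:{int(port_text)}"


@dataclass(frozen=True)
class AuthResult:
    allowed: bool
    reason: str


BindFn = Callable[[str, str, str], bool]    # (uri, bind name, password) -> did the directory accept it?


def authenticate(servers: Union[str, List[str]], username: str, password: str,
                 account_suffix: str, bind: BindFn, use_ssl: bool = False) -> AuthResult:
    """Fail-closed: the only way to allowed=True is a bind the directory accepted.
    Misconfiguration, unreachable servers and any exception all deny."""
    if not username or not password:
        # An empty password is an *unauthenticated* simple bind (RFC 4513 section 5.1.2);
        # AD answers it with success, so it must be refused before any bind is attempted.
        return AuthResult(False, "empty username or password")
    if isinstance(servers, str):                        # '' in the config means "none"
        servers = [servers] if servers else []
    try:
        uris = [server_to_uri(s, use_ssl) for s in servers]
    except ValueError as exc:
        return AuthResult(False, f"misconfigured server list: {exc}")
    if not uris:
        return AuthResult(False, "no authentication servers configured")
    failures: List[str] = []
    for uri in uris:
        try:
            if bind(uri, username + account_suffix, password):
                return AuthResult(True, f"bound as {username}{account_suffix} via {uri}")
            return AuthResult(False, f"{uri} rejected the credentials")   # same forest: no fail-over
        except Exception as exc:                        # refused, timeout, TLS error: try the next replica
            failures.append(f"{uri}: {exc}")
    return AuthResult(False, "unable to connect to any authentication server: " + "; ".join(failures))


# Constructed stand-in for a real bind so the example runs offline; a real implementation
# would open the connection (for instance with the ldap3 package) and return the bind outcome.
FAKE_DIRECTORY = {"ldap://AD_SERVER1:3268": {"USERNAME@OURDOMAIN.com": "PASSWORD"}}


def fake_bind(uri: str, bind_name: str, password: str) -> bool:
    if uri not in FAKE_DIRECTORY:
        raise ConnectionError("connection refused")
    return FAKE_DIRECTORY[uri].get(bind_name) == password


if __name__ == "__main__":
    print(naive_uri("AD_SERVER1:3268"), "well-formed:", is_well_formed(naive_uri("AD_SERVER1:3268")))
    print(server_to_uri("AD_SERVER1:3268"), "well-formed:", is_well_formed(server_to_uri("AD_SERVER1:3268")))
    servers = ["AD_SERVER1:3268", "AD_SERVER2:3268"]
    for label, args in [("good password", (servers, "USERNAME", "PASSWORD")),
                        ("wrong password", (servers, "USERNAME", "guess")),
                        ("all servers down", (["AD_SERVER2:3268"], "USERNAME", "PASSWORD")),
                        ("host:port composed twice", (["AD_SERVER1:3268:389"], "USERNAME", "PASSWORD")),
                        ("empty password", (servers, "USERNAME", ""))]:
        print(f"{label:26s} -> {authenticate(*args, '@OURDOMAIN.com', fake_bind)}")
```

<p>The only <code>AuthResult</code> with <code>allowed=True</code> comes from a bind the directory accepted; every other branch, including the "unable to connect to any authentication server" case that in the thread coincides with a "verified user" log line, denies. That property, rather than any particular error message, is what a test of an LDAP authenticator should assert. Run the file directly to see each case printed.</p>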
</body>
</html>