<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Karl,<br>
<br>
Given that it was a could-not-connect-at-all issue, then it's most
likely either<br>
a) incoming firewall on the AD server not listening on the correct
LDAPS ports (636/tcp IIRC),<br>
or<br>
b) the SSL/TLS handshake between the ZendTo server and the AD Server
is failing. This is most often caused by people using locally-signed
certs on their AD servers, at which point the ZendTo server will
need to be given a copy of the Root CA cert for your locally-signed
certs. Just like you would need to give it to a web browser in order
to avoid the errors when you browse to a website which is signed
with a locally-signed cert.<br>
<br>
A good command to test the SSL/TLS handshake from your ZendTo server
is this:<br>
<br>
<font size="+1"><tt> openssl s_client -connect
your-AD-server-here.example.com:636</tt></font><br>
<br>
That should print out all sorts of nice looking things and not any
error messages. When it's stopped outputting, just Ctrl-C it.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
<div class="moz-cite-prefix">On 10/02/2020 17:47, Karl Bundy via
ZendTo wrote:<br>
</div>
<blockquote type="cite"
cite="mid:WM!05d6919a37873bf6caa9fb7532efb67bba05dd901732aae79fa381a77e74f4498248bff4b7533917e9fb089227b90109!@mx.jul.es">
<pre class="moz-quote-pre" wrap="">I also am running RedHat7/CentOS7 and having the same issue. Nothing seems to output any helpful logs to help troubleshoot the source of the issue (cert issue, missing packages, etc.) Any suggestions would be appreciated!
Thanks,
Karl Bundy
-----Original Message-----
From: ZendTo [<a class="moz-txt-link-freetext" href="mailto:zendto-bounces@zend.to">mailto:zendto-bounces@zend.to</a>] On Behalf Of Scott Silva via ZendTo
Sent: Monday, February 10, 2020 10:38 AM
To: 'ZendTo Users' <a class="moz-txt-link-rfc2396E" href="mailto:zendto@zend.to">&lt;zendto@zend.to&gt;</a>
Cc: Scott Silva <a class="moz-txt-link-rfc2396E" href="mailto:ssilva@sgvwater.com">&lt;ssilva@sgvwater.com&gt;</a>
Subject: Re: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
Running on Redhat 7
Made changes to /etc/openldap/ldap.conf
Made changes to preferences.php
Get login error
LDAP Error
Check User: Unable to connect to any of the authentication servers; could not authenticate user. Please notify the system administrator.
Authentication Error
The username or password was incorrect.
Found I did not have gnutls installed, and thought it might be required. Not sure how else to test...
Maybe a list of packages that might be required?
From: ZendTo <a class="moz-txt-link-rfc2396E" href="mailto:zendto-bounces@zend.to">&lt;zendto-bounces@zend.to&gt;</a> On Behalf Of Jules via ZendTo
Sent: Saturday, February 8, 2020 9:29 AM
To: ZendTo Users <a class="moz-txt-link-rfc2396E" href="mailto:zendto@zend.to">&lt;zendto@zend.to&gt;</a>
Cc: Jules <a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To">&lt;Jules@Zend.To&gt;</a>
Subject: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
Microsoft are about to enforce the use of LDAPS (removing unencrypted LDAP) when checking user credentials against an AD server.
This needs a couple of minor changes to your ZendTo server.
I have written up some simple instructions here
<a class="moz-txt-link-freetext" href="https://zend.to/activedirectory.php">https://zend.to/activedirectory.php</a>
which certainly appear to work for me.
I strongly advise you make the changes and test the resulting service before Microsoft release the patch that enforces the need for this. It should cause no harm except to improve the security of communications between ZendTo and your AD server.
Any comments / problems / questions, please do let me know straightaway!
Cheers,
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
The current UK shipping forecast:
Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4 to 6.
Slight or moderate, occasionally rough in south. Rain. Good, occasionally poor.
<a class="moz-txt-link-freetext" href="http://www.Zend.To">http://www.Zend.To</a>
Twitter: @JulesFM
_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://jul.es/mailman/listinfo/zendto">http://jul.es/mailman/listinfo/zendto</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'A good programmer is someone who always looks both ways
before crossing a one-way street.' - Doug Linder
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
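<br>
The two cases in the reply above, as a shell script that runs the same <tt>openssl s_client</tt> test non-interactively and reports whether the failure is (a) no TCP connection or (b) an untrusted certificate chain. This is an added example, not part of the original message or of ZendTo; the function names, verdict strings and sample outputs are constructed for illustration.<br>
<br>

```shell
#!/bin/sh
# Added example (not ZendTo code): classify `openssl s_client` output.
# Reads s_client's combined stdout+stderr on stdin, prints one verdict.
classify_s_client() {
    out=$(cat)
    # (a) s_client prints CONNECTED(...) once TCP is up; without it the
    # port was unreachable (firewall, wrong port, DNS).
    case $out in
        *"CONNECTED("*) ;;
        *) echo "tcp-failed"; return 0 ;;
    esac
    # Handshake aborted before the server sent a certificate. s_client can
    # still print "Verify return code: 0 (ok)" here, so check this first.
    case $out in
        *"no peer certificate available"*) echo "tls-failed"; return 0 ;;
    esac
    # (b) s_client finishes the handshake even when the chain is not
    # trusted, and reports the problem only in the verify return code.
    code=$(printf '%s\n' "$out" |
        sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    case $code in
        "") echo "tls-failed" ;;
        0)  echo "ok" ;;
        *)  echo "tls-untrusted:$code" ;;
    esac
}

# Usage: check_ldaps HOST [ROOT_CA_PEM]
check_ldaps() {
    host=$1
    cafile=${2:-}
    # ": |" gives s_client an empty stdin so it exits without Ctrl-C.
    if [ -n "$cafile" ]; then
        : | openssl s_client -connect "$host:636" -CAfile "$cafile" 2>&1
    else
        : | openssl s_client -connect "$host:636" 2>&1
    fi | classify_s_client
}

# Constructed sample outputs (abridged, not captured from a real server).
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
SAMPLE_UNTRUSTED='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_OK='CONNECTED(00000003)
    Verify return code: 0 (ok)'

# Run a live check only when a host is given on the command line.
if [ $# -gt 0 ]; then check_ldaps "$@"; fi
```

Passing the Root CA cert file as the second argument shows whether that cert is the one the AD server's certificate chains to: the verdict changes from <tt>tls-untrusted</tt> to <tt>ok</tt> when it is.<br>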
</body>
</html>