<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
tt
{mso-style-priority:99;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas",serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">My new try… Saw my ca-cert bundle was in base 64, so I exported my root cert in base 64 and pasted it at the end of all the other certs in the file… Still no
go…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> ZendTo <zendto-bounces@zend.to>
<b>On Behalf Of </b>Glenn Noel via ZendTo<br>
<b>Sent:</b> Thursday, February 13, 2020 2:24 PM<br>
<b>To:</b> ZendTo Users <zendto@zend.to><br>
<b>Cc:</b> Glenn Noel <glenn.noel@gmail.com><br>
<b>Subject:</b> Re: [ZendTo] MS LDAPs<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">Hi All, I'm still struggling with LDAPS. In Jules' previous email there is a mention of: <o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><i>"If you are using some sort of a self-signed or locally-signed certificate on your AD server(s), then you will need to add your local root CA public cert to the TLS_CACERT file, or else the ZendTo server won't
be able to verify the cert it gets from the AD server. But if you are using a "normal" externally-signed commercial cert, it should work fine." </i><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">I am in this situation of using a cert created by my internal Domain CA. The steps I have taken:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">1.) Exported the public key/cert for Client Authentication, Server Authentication from my Windows Domain Controller in DER encoded binary X.509(.CER) format<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">2.) copied this .CER to /etc/ssl/certs<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">3.) in /etc/ldap/ldap.conf I added:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><i>TLS_CACERT /etc/ssl/certs/my-exported-ldaps-cert.cer</i> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">This line sits under the original line of TLS_CACERT /etc/ssl/certs/ca-certificates.crt<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">It was a shot in the dark and I successfully predicted that it would not work. However I am stuck. If anyone has a good step-by-step to help me out I would appreciate it immensely.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">If the recommended method is to purchase a 3rd party cert please let me know - I will try that next (although I might need some assistance with that process too).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">Thank you,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">Glenn<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"> <i> </i><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in">On Wed, Feb 12, 2020 at 10:24 AM Jules Field via ZendTo <<a href="mailto:zendto@zend.to">zendto@zend.to</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">
Scott,<br>
<br>
I have just done a CentOS 7 install of the latest ZendTo beta from scratch, including using SELinux.<br>
<br>
I set the preferences.php settings to<br>
<br>
<tt><span style="font-size:10.0pt"> authLDAPServers1 => array('ldaps://our-AD-server.soton.ac.uk'),</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt> authLDAPBaseDN1 => 'DC=soton,DC=ac,DC=uk',</tt><br>
<tt> authLDAPAccountSuffix1 => '@<a href="http://soton.ac.uk" target="_blank">soton.ac.uk</a>',</tt><br>
<tt> authLDAPUseSSL1 => false,</tt><br>
<tt> authLDAPUseTLS1 => false,</tt><br>
</span><br>
and it just worked immediately. I didn't have to install any other packages at all.<br>
<br>
Our AD servers are listening on 636/tcp (the TCP port for ldaps according to /etc/services).<br>
<br>
I have already tested the same thing on Ubuntu 18.04 and it worked first time there too.<br>
<br>
If you are using some sort of a self-signed or locally-signed certificate on your AD server(s), then you will need to add your local root CA public cert to the TLS_CACERT file, or else the ZendTo server won't be able to verify the cert it gets from the AD server.
But if you are using a "normal" externally-signed commercial cert, it should work fine.<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">On 10/02/2020 18:39, Scott Silva via ZendTo wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre style="margin-left:.5in">In my case I know the ports are open because I have a Linux based spam filter that is able to auth secured.<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">-----Original Message-----<o:p></o:p></pre>
<pre style="margin-left:.5in">From: ZendTo <a href="mailto:zendto-bounces@zend.to" target="_blank"><zendto-bounces@zend.to></a> On Behalf Of Guy Bertrand via ZendTo<o:p></o:p></pre>
<pre style="margin-left:.5in">Sent: Monday, February 10, 2020 10:37 AM<o:p></o:p></pre>
<pre style="margin-left:.5in">To: <a href="mailto:zendto@zend.to" target="_blank">zendto@zend.to</a><o:p></o:p></pre>
<pre style="margin-left:.5in">Cc: Guy Bertrand <a href="mailto:Guy.Bertrand@exelaonline.com" target="_blank"><Guy.Bertrand@exelaonline.com></a><o:p></o:p></pre>
<pre style="margin-left:.5in">Subject: [ZendTo] MS LDAPs<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk to the domain controller. Don't forget to check things between your ZendTo server and the domain controller:<o:p></o:p></pre>
<pre style="margin-left:.5in">- the outgoing firewall config on the ZendTo server<o:p></o:p></pre>
<pre style="margin-left:.5in">- the firewall on the DC (is port 636 open?)<o:p></o:p></pre>
<pre style="margin-left:.5in">- routing<o:p></o:p></pre>
<pre style="margin-left:.5in">- any intermediate firewall rules<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">Quick test: open a command prompt (CMD on Windows, any shell on *nix). This will try to "telnet" to that port.<o:p></o:p></pre>
<pre style="margin-left:.5in">C:\> telnet "ip of your DC" 636<o:p></o:p></pre>
<pre style="margin-left:.5in">If a blank screen appears then the port is open, and the test is successful.<o:p></o:p></pre>
<pre style="margin-left:.5in">If you receive a connecting... message or an error message then something is blocking that port.<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">Guy Bertrand, M.Ing<o:p></o:p></pre>
<pre style="margin-left:.5in">Directeur informatique / IT Manager<o:p></o:p></pre>
<pre style="margin-left:.5in">EXELA TECHNOLOGIES<o:p></o:p></pre>
<pre style="margin-left:.5in">b: +1.514.392.4999 | m: +1.514.265.9754<o:p></o:p></pre>
<pre style="margin-left:.5in">1155, boulevard Robert-Bourassa, suite 500 | Montréal (Québec) CANADA H3B 3A7 <a href="http://www.ExelaTech.com" target="_blank">www.ExelaTech.com</a> | EXELA LinkedIn<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">________________________________<o:p></o:p></pre>
<pre style="margin-left:.5in">Attention : le présent message et toutes les pièces jointes sont confidentiels et établis à l'attention exclusive du ou des destinataire(s) indiqué(s). Toute autre diffusion ou utilisation non autorisée est interdite. Si vous recevez ce message par erreur, veuillez immédiatement en avertir l'expéditeur par e-mail en retour, détruire le message et vous abstenir de toute référence aux informations qui y figurent afin d'éviter les sanctions attachées à la divulgation et à l'utilisation d'informations confidentielles. Les messages électroniques sont susceptibles d'altération. Exela Technologies et ses filiales déclinent toute responsabilité en cas d'altération ou de falsification du présent message.<o:p></o:p></pre>
<pre style="margin-left:.5in">________________________________<o:p></o:p></pre>
<pre style="margin-left:.5in">Please consider the environment before printing or forwarding this email. If you do print this email, please recycle the paper.<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">This email message may contain confidential, proprietary and/or privileged information. It is intended only for the use of the intended recipient(s). If you have received it in error, please immediately advise the sender by reply email and then delete this email message. Any disclosure, copying, distribution or use of the information contained in this email message to or by anyone other than the intended recipient is strictly prohibited. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Exela Technologies, Inc. or its subsidiaries.<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">This email does not constitute an agreement to conduct transactions by electronic means and does not create any legally binding contract or enforceable obligation against Exela in the absence of a fully signed written agreement.<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">_______________________________________________<o:p></o:p></pre>
<pre style="margin-left:.5in">ZendTo mailing list<o:p></o:p></pre>
<pre style="margin-left:.5in"><a href="mailto:ZendTo@zend.to" target="_blank">ZendTo@zend.to</a><o:p></o:p></pre>
<pre style="margin-left:.5in"><a href="http://jul.es/mailman/listinfo/zendto" target="_blank">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">_______________________________________________<o:p></o:p></pre>
<pre style="margin-left:.5in">ZendTo mailing list<o:p></o:p></pre>
<pre style="margin-left:.5in"><a href="mailto:ZendTo@zend.to" target="_blank">ZendTo@zend.to</a><o:p></o:p></pre>
<pre style="margin-left:.5in"><a href="http://jul.es/mailman/listinfo/zendto" target="_blank">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal" style="margin-left:.5in"><br>
<br>
<o:p></o:p></p>
<pre style="margin-left:.5in">Jules<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">-- <o:p></o:p></pre>
<pre style="margin-left:.5in">Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">'A good programmer is someone who always looks both ways<o:p></o:p></pre>
<pre style="margin-left:.5in"> before crossing a one-way street.' - Doug Linder<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in"><a href="http://www.Zend.To" target="_blank">www.Zend.To</a><o:p></o:p></pre>
<pre style="margin-left:.5in">Twitter: @JulesFM<o:p></o:p></pre>
</div>
<p class="MsoNormal" style="margin-left:.5in">_______________________________________________<br>
ZendTo mailing list<br>
<a href="mailto:ZendTo@zend.to" target="_blank">ZendTo@zend.to</a><br>
<a href="http://jul.es/mailman/listinfo/zendto" target="_blank">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></p>
</blockquote>
</div>
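<p class="MsoNormal">The situation Glenn describes and the advice Jules gives above, as an added example that is not code from the thread or from ZendTo: a Go program that takes a certificate exported from a Windows CA in either format (DER .cer or Base-64), converts it to the PEM form OpenLDAP's TLS_CACERT file expects, appends it only if it is a self-signed root CA (the DC's own server certificate is rejected, because adding it cannot anchor the chain), and then performs the same chain check the LDAP client does on connect. The root CA, the DC certificate and the host names root-ca.example.test and dc1.example.test are constructed for the example and are assumptions, not values from the thread.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// AddRootToBundle appends a cert exported from Windows as DER (.cer) or Base-64 (PEM) to a
// TLS_CACERT bundle in PEM form (what OpenLDAP reads), refusing anything but a self-signed CA.
func AddRootToBundle(bundle, raw []byte) ([]byte, error) {
	der := raw // treat the input as DER unless a PEM envelope is present
	if b, _ := pem.Decode(raw); b != nil && b.Type == "CERTIFICATE" {
		der = b.Bytes
	}
	cert, err := x509.ParseCertificate(der) // the DC's own cert is not a CA, so it cannot anchor the chain
	if err != nil || !cert.IsCA || cert.CheckSignatureFrom(cert) != nil {
		return nil, errors.New("not a self-signed root CA in DER or PEM form: export the CA's cert, not the DC's")
	}
	return append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...), nil
}
// VerifyAgainstBundle repeats the check the LDAP client performs when it connects over ldaps.
func VerifyAgainstBundle(bundle, serverDER []byte, host string) error {
	pool := x509.NewCertPool()
	cert, err := x509.ParseCertificate(serverDER)
	if err != nil || !pool.AppendCertsFromPEM(bundle) {
		return errors.New("unparsable server cert, or bundle holds no PEM certificates")
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
// ConstructedPKI issues a throwaway root CA and a DC cert signed by it (both constructed for this example).
func ConstructedPKI() (rootDER, dcDER []byte) {
	tmpl := func(cn string, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{cn}, IsCA: ca,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dcKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := tmpl("root-ca.example.test", true)
	rootDER, _ = x509.CreateCertificate(rand.Reader, root, root, &caKey.PublicKey, caKey)
	dcDER, _ = x509.CreateCertificate(rand.Reader, tmpl("dc1.example.test", false), root, &dcKey.PublicKey, caKey)
	return rootDER, dcDER
}
```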
</div>
</body>
</html>