<div dir="ltr">I am not sure how I came to be on this mailing list. I don't have any input to this. If possible, please remove me from future emails. <div>Thanks</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 20, 2020 at 5:12 PM Ken Etter via ZendTo &lt;<a href="mailto:zendto@zend.to">zendto@zend.to</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="font:10pt 'Segoe UI'"><div id="gmail-m_-6329902008736786296GroupWiseSection_1590010612000_KLE"><div>I found an issue with the openldap config, so ldapsearch isn't working yet. I'll have to work on it some more later.<br>Ken<br></div>
<div id="gmail-m_-6329902008736786296GroupWiseSection_1590009938000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><span>>>> Ken Etter 5/20/2020 5:36 PM >>><br></span><div>Jules,<br>I'm not running AD, but I do want to get SSL working with my LDAP server. I configured everything and tested with ldapsearch from my ZendTo server and ldapsearch works. The command line I am using to test is:</div><div><br></div><div>ldapsearch -H <a>ldaps://server_ip_address:636</a> -x -D "&lt;my_user_name&gt;" -w &lt;my_password&gt; -b "&lt;my_searchbase&gt;" -s sub -a always "(objectClass=User)" cn</div><div><br></div><div>That returns the correct info. I modified the LDAP section trying both of these:</div><div><br></div><div>'authLDAPServers' => array('ldaps://&lt;server_ip_address&gt;:636'),</div><div><div>'authLDAPServers' => array('ldaps://&lt;server_ip_address&gt;'),</div></div><div><br></div><div>Both work as long as 'authLDAPUseSSL' is set to false. But as soon as I set 'authLDAPUseSSL' equal to true and restart apache, ZendTo complains that it cannot connect.</div><div><br></div><div>Any suggestions?</div><div>Ken<br></div>
</div><div id="gmail-m_-6329902008736786296GroupWiseSection_1589994770000_Jules@Zend.To"><span>>>> Jules &lt;Jules@Zend.To&gt; 5/20/2020 1:12 PM >>><br></span><div>
Ken,<div><br></div><div>
</div><div>
You almost certainly want to do the change that will be needed for
Active Directory in the Autumn (the Fall).</div><div>
Basically you leave the UseSSL settings set to false, but change the
server hostname by putting <a>"ldaps://"</a> on the front of it.</div><div>
</div><div>
If it is complaining about the certificate, then I guess you are
using a locally-signed cert on your LDAPS server(s). In which case,
take a look at the troubleshooting guide linked from the 2nd
paragraph of</div><div>
<a href="https://zend.to/activedirectory.php" target="_blank">https://zend.to/activedirectory.php</a></div><div>
</div><div>
Also, that page talks about what you need in preferences.php and
your ldap.conf. Both the LDAP and AD authenticators use the same
library, as querying AD is basically the same as LDAP just with the
odd minor modification to the code.</div><div>
</div><div>
Cheers,</div><div>
Jules.</div><div>
</div>
<div>On 20/05/2020 17:23, Ken Etter wrote:<br>
</div>
<blockquote type="cite">
<div id="gmail-m_-6329902008736786296GroupWiseSection_1589991464000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>Jules,</div>
<div>Is there anything special required to get LDAP working with
SSL? I tried setting 'authLDAPUseSSL' to true, rebooted and
logins fail. I then tried adding the port number (after a
colon) to the address in 'authLDAPServers' and rebooted and
logins still fail. If I use an ldap browser to connect, it
works although it does complain about the certificate. Do I
need to import the certificate for ZendTo to be able to
connect? If so, do you have any directions for this?</div>
<div><br>
Thanks!</div>
<div>Ken<br>
</div>
<div id="gmail-m_-6329902008736786296GroupWiseSection_1589979559000_Jules@Zend.To"><span>>>> Jules
<a href="mailto:Jules@Zend.To" target="_blank">&lt;Jules@Zend.To&gt;</a> 5/20/2020 8:59 AM >>><br>
</span>
<div> I always forget about it too!
<div><br>
</div>
<div> And I wrote it :-(</div>
<div> </div>
<div>On 20/05/2020 13:48, Ken Etter
wrote:<br>
</div>
<blockquote type="cite">
<div id="gmail-m_-6329902008736786296GroupWiseSection_1589978827000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>Thanks Jules! I completely forgot about that
feature. That explains it.</div>
<div><br>
</div>
<div>Ken<br>
</div>
<div id="gmail-m_-6329902008736786296GroupWiseSection_1589964896000_Jules@Zend.To"><span>>>> Jules <a href="mailto:Jules@Zend.To" target="_blank">&lt;Jules@Zend.To&gt;</a>
5/20/2020 4:54 AM >>><br>
</span>
<div> Ken,
<div><br>
</div>
<div> </div>
<div> ZendTo actively locks out (for 24 hours) users
who have failed too many login attempts in a day.</div>
<div> This protects against hackers using your
ZendTo to attempt to find passwords by brute
force.</div>
<div> </div>
<div> There are 2 ways of seeing who is currently
locked out, and to manually unlock them
immediately:</div>
<div> 1. The web interface for an Admin user (it's
one of the red buttons).</div>
<div> 2. But if you can't get to that, then run
/opt/zendto/bin/unlockuser and it will show its
command-line usage. You should just be able to run</div>
<tt> sudo /opt/zendto/bin/unlockuser -a</tt>
<div><br>
</div>
<div> to unlock every temporarily-locked account.</div>
<div> </div>
<div> Hope that helps,</div>
<div> Jules.</div>
<div> </div>
<div>On 19/05/2020 22:28,
Ken Etter via ZendTo wrote:<br>
</div>
<blockquote type="cite">
<div id="gmail-m_-6329902008736786296GroupWiseSection_1589921280000_KLE">
<div>And now it is working again. Since a trace
on my ldap server showed I wasn't even getting
a query from ZendTo, I decided to see what my
firewall was seeing. ZendTo is installed in my
DMZ. I log into the firewall and do a couple
of logins to ZendTo with other accounts and
watch what shows up in the firewall. Then I
try my login again and it works and shows up
in the firewall as expected. I had changed
nothing, I just logged into the firewall to
see the activity. Frustrating not knowing why,
but things are working again. I assume the
firewall between the DMZ and the rest of the
network was the issue, but I have no idea how
or why since it just started working.</div>
<div><br>
</div>
<div>My apologies for all the clutter on the
mailing list.</div>
<div><br>
</div>
<div>Ken<br>
</div>
<div id="gmail-m_-6329902008736786296GroupWiseSection_1589920870000_KLE"><span>>>>
Ken Etter 5/19/2020 4:48 PM >>><br>
</span>
<div>I have other software that also does LDAP
authentication and my account works fine
there. A trace on my LDAP server shows the
login happening as expected. So it is as if
ZendTo thinks my account is not an LDAP
account and is trying to authenticate
elsewhere and failing.<br>
<br>
Ken<br>
</div>
</div>
<div id="gmail-m_-6329902008736786296GroupWiseSection_1589920611000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><span>>>>
Ken Etter 5/19/2020 4:41 PM >>><br>
</span>
<div>Doing some more digging into this and not
making much progress. I was working on
moving ZendTo ldap authentication from port
389 to port 636 (SSL). Something wasn't
working right, but now my account is locked
out of ZendTo. Doing a trace from my LDAP
server shows that I don't even get a request
from ZendTo. ZendTo is working for all
accounts except mine. Is there anything at
all within ZendTo that might give me a clue
as to what is going on?<br>
</div>
<span id="gmail-m_-6329902008736786296GWSignatureSent"><br>
<div><strong>Ken Etter</strong>, System Administrator</div>
<div>Architectural Group</div>
<div>260.432.9337 | <a href="http://msktd.com/" target="_blank">msktd.com</a></div>
</span></div>
</div>
<div><br>
</div>
<fieldset></fieldset>
<pre>_______________________________________________
ZendTo mailing list
<a href="mailto:ZendTo@zend.to" target="_blank">ZendTo@zend.to</a>
<a href="http://jul.es/mailman/listinfo/zendto" target="_blank">http://jul.es/mailman/listinfo/zendto</a>
</pre>
</blockquote>
<div><br>
</div>
<pre cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
<a href="http://www.Zend.To" target="_blank">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<pre cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
The current UK shipping forecast:
Shannon, Rockall: South backing southwest 5 to 7, occasionally gale 8 later in
Shannon. Moderate or rough. Rain, showers later. Good, occasionally poor.
<a href="http://www.Zend.To" target="_blank">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div>
</div>
</blockquote>
<div><br></div>
<pre cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'One of the deep secrets of life is that all that is really worth
doing is what we do for others.' - Lewis Carroll
<a href="http://www.Zend.To" target="_blank">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>Ann Hilburn, SPED Director</div><div>Chatham School District</div><div>907-723-2829</div></div></div></div></div></div></div></div></div>
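Added example (not part of any message in this thread, and not ZendTo code): the locally-signed certificate case Jules describes, reproduced offline with throwaway certificates so the trust failure can be seen without a live LDAPS server. The CA names site-ca and other-ca, the host name ldap.example.test and the helper function names are all constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added example: every name and file below is constructed for the demo.
set -u

# make_ca DIR NAME: create a throwaway self-signed CA (stand-in for a site's local CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_server_cert DIR CA_NAME HOST: issue a certificate for HOST signed by CA_NAME.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# chain_trusted CA_FILE CERT_FILE: succeed only if CERT_FILE chains to CA_FILE.
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: the LDAPS server certificate verifies against the CA that signed it
# and is rejected when the client only knows some other CA.
demo() {
  local d with_site=FAIL with_other=FAIL
  d=$(mktemp -d) || return 2
  make_ca "$d" site-ca && make_ca "$d" other-ca &&
    make_server_cert "$d" site-ca ldap.example.test || { rm -rf "$d"; return 2; }
  chain_trusted "$d/site-ca.pem"  "$d/ldap.example.test.pem" && with_site=OK
  chain_trusted "$d/other-ca.pem" "$d/ldap.example.test.pem" && with_other=OK
  rm -rf "$d"
  echo "site-ca=$with_site other-ca=$with_other"
}

demo
```

Against a real server the equivalent check is `echo | openssl s_client -connect HOST:636 -CAfile CA.pem -verify_return_error`. OpenLDAP-based clients such as ldapsearch take their trusted CA file from the `TLS_CACERT` setting in ldap.conf.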