<html><head>
<meta name="Generator" content="Novell Groupwise Client (Version 18.2.1 Build: 135777)">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>
<body style="font: 10pt/normal Segoe UI; font-size-adjust: none; font-stretch: normal;"><div class="GroupWiseMessageBody" id="GroupWiseSection_1590009938000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><div>Jules,<br>I'm not running AD, but I do want to get SSL working with my LDAP server. I configured everything and tested with ldapsearch from my ZendTo server and ldapsearch works. The command line I am using to test is:</div><div><br></div><div>ldapsearch -H <a href="ldaps://server_ip_address:636">ldaps://server_ip_address:636</a> -x -D "<my_user_name>" -w <my_password> -b "<my_searchbase>" -s sub -a always "(objectClass=User)" cn</div><div><br></div><div>That returns the correct info. I modified the LDAP section trying both of these:</div><div><br></div><div>'authLDAPServers' => array('ldaps://<server_ip_address>:636'),</div><div><div>'authLDAPServers' => array('ldaps://<server_ip_address>'),</div></div><div><br></div><div>Both work as long as 'authLDAPUseSSL' is set to false . But as soon as I set 'authLDAPUseSSL' equal to true and restart apache, ZendTo complains that it cannot connect.</div><div><br></div><div>Any suggestions?</div><div>Ken<br></div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589994770000_Jules@Zend.To"><span class="GroupwiseReplyHeader">>>> Jules <Jules@Zend.To> 5/20/2020 1:12 PM >>><br></span><div>
Ken,<div><br></div><div>
</div><div>
You almost certainly want to do the change that will be needed for
Active Directory in the Autumn (the Fall).</div><div>
Basically you leave the UseSSL settings set to false, but change the
server hostname by putting <a class="moz-txt-link-rfc2396E" href="ldaps://">"ldaps://"</a> on the front of it.</div><div>
</div><div>
If it is complaining about the certificate, then I guess you are
using a locally-signed cert on your LDAPS server(s). In which case,
take a look at the troubleshooting guide linked from the 2nd
paragraph of</div><div>
<a class="moz-txt-link-freetext" href="https://zend.to/activedirectory.php">https://zend.to/activedirectory.php</a></div><div>
</div><div>
Also, that page talks about what you need in preferences.php and
your ldap.conf. Both the LDAP and AD authenticators use the same
library, as querying AD is basically the same as LDAP just with the
odd minor modification to the code.</div><div>
</div><div>
Cheers,</div><div>
Jules.</div><div>
</div>
<div class="moz-cite-prefix">On 20/05/2020 17:23, Ken Etter wrote:<br>
</div>
<blockquote cite="mid:WM!c6bb4e935bab58d34c046cc87631a6bd628a4d14f25ac3ec616fbd23b990b74f9341c29e8860ba91a1cc6dc4df82b35c!@mx.jul.es" type="cite">
<meta name="Generator" content="Novell Groupwise Client (Version
18.2.1 Build: 135777)">
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589991464000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>Jules,</div>
<div>Is there anything special required to get LDAP working with
SSL? I tried setting 'authLDAPUseSSL' to true, rebooted and
logins fail. I then tried adding the port number (after a
colon) to the address in 'authLDAPServers' and rebooted and
logins still fail. If I use an ldap browser to connect, it
works although it does complain about the certificate. Do I
need to import the certificate for ZendTo to be able to
connect? If so, do you have any directions for this?</div>
<div><br>
Thanks!</div>
<div>Ken<br>
</div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589979559000_Jules@Zend.To"><span class="GroupwiseReplyHeader">>>> Jules
<a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To"><Jules@Zend.To></a> 5/20/2020 8:59 AM >>><br>
</span>
<div> I always forget about it too!
<div><br>
</div>
<div> And I wrote it :-(</div>
<div> </div>
<div class="moz-cite-prefix">On 20/05/2020 13:48, Ken Etter
wrote:<br>
</div>
<blockquote cite="mid:WM!ca4469d817e4470a73e4853ab5f6d7340d84c4fe9446705708728955bd673400dfb859b1863fa69f97972e336ef8d230!@mx.jul.es" type="cite">
<meta name="Generator" content="Novell Groupwise Client
(Version 18.2.1 Build: 135777)">
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589978827000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>Thanks Jules! I completely forgot about that
feature. That explains it.</div>
<div><br>
</div>
<div>Ken<br>
</div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589964896000_Jules@Zend.To"><span class="GroupwiseReplyHeader">>>> Jules <a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To" moz-do-not-send="true"><Jules@Zend.To></a>
5/20/2020 4:54 AM >>><br>
</span>
<div> Ken,
<div><br>
</div>
<div> </div>
<div> ZendTo actively locks out (for 24 hours) users
who have failed too many login attempts in a day.</div>
<div> This protects against hackers using your
ZendTo to attempt to find passwords by brute
force.</div>
<div> </div>
<div> There are 2 ways of seeing who is currently
locked out, and to manually unlock them
immediately:</div>
<div> 1. The web interface for an Admin user (it's
one of the red buttons).</div>
<div> 2. But if you can't get to that, then run
/opt/zendto/bin/unlockuser and it will show its
command-line usage. You should just be able to run</div>
<tt> sudo /opt/zendto/bin/unlockuser -a</tt>
<div><br>
</div>
<div> to unlock every temporarily-locked account.</div>
<div> </div>
<div> Hope that helps,</div>
<div> Jules.</div>
<div> </div>
<div class="moz-cite-prefix">On 19/05/2020 22:28,
Ken Etter via ZendTo wrote:<br>
</div>
<blockquote cite="mid:WM!8f8e5b8d4c23527c2eb3958915c6518cb1fcc1baaac338cccdb8ab8ca53040a5a670830ab713e0e1a0fdf5aa4e178fd9!@mx.jul.es" type="cite">
<meta name="Generator" content="Novell Groupwise
Client (Version 18.2.1 Build: 135777)">
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589921280000_KLE">
<div>And now it is working again. Since a trace
on my ldap server showed I wasn't even getting
a query from ZendTo, I decided to see what my
firewall was seeing. ZendTo is installed in my
DMZ. I log into the firewall and do a couple
of logins to ZendTo with other accounts and
watch what shows up in the firewall. Then I
try my login again and it works and shows up
in the firewall as expected. I had changed
nothing, I just logged into the firewall to
see the activity. Frustrating not knowing why,
but things are working again. I assume the
firewall between the DMZ and the rest of the
network was the issue, but I have no idea how
or why since it just started working.</div>
<div><br>
</div>
<div>My apologies for all the clutter on the
mailing list.</div>
<div><br>
</div>
<div>Ken<br>
</div>
<meta name="Generator" content="Novell Groupwise
Client (Version 18.2.1 Build: 135777)">
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589920870000_KLE"><span class="GroupwiseReplyHeader">>>>
Ken Etter 5/19/2020 4:48 PM >>><br>
</span>
<div>I have other software that also does LDAP
authentication and my account works fine
there. A trace on my LDAP server shows the
login happening as expected. So it is as if
ZendTo thinks my account is not an LDAP
account and is trying to authenticate
elsewhere and failing.<br>
<br>
Ken<br>
</div>
<meta name="Generator" content="Novell
Groupwise Client (Version 18.2.1 Build:
135777)">
</div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589920611000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><span class="GroupwiseReplyHeader">>>>
Ken Etter 5/19/2020 4:41 PM >>><br>
</span>
<div>Doing some more digging into this and not
making much progress. I was working on
moving ZendTo ldap authentication from port
389 to port 636 (SSL). Something wasn't
working right, but now my account is locked
out of ZendTo. Doing a trace from my LDAP
server shows that I don't even get a request
from ZendTo. ZendTo is working for all
accounts except mine. Is there anything at
all within ZendTo that might give me a clue
as to what is going on?<br>
</div>
<span id="GWSignatureSent" style="padding-right: 0px; padding-left: 0px; margin-bottom: 5px; display: block;"><span style="display: block;"><br>
<span style="font-size: 10pt; display: inline-block; -ms-word-wrap: normal;">
<div style='color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-family: "Open Sans", sans-serif; font-size: 13.32px; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-color: inherit; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-caps: normal; text-decoration-style: initial; text-decoration-color: initial;'><font color="#000000" face="Arial"><strong>Ken
Etter</strong>, System
Administrator</font></div>
<div style='color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-family: "Open Sans", sans-serif; font-size: 13.32px; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-color: inherit; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-caps: normal; text-decoration-style: initial; text-decoration-color: initial;'><font color="#00abe2" face="Arial">Architectural
Group</font></div>
<div style='color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-family: "Open Sans", sans-serif; font-size: 13.32px; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-color: inherit; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-caps: normal; text-decoration-style: initial; text-decoration-color: initial;'><font color="#000000" face="Arial">260.432.9337</font><font color="#000000" face="Arial"><span>
</span>|<span> </span></font><a style="border: currentColor; border-image: none; color: rgb(0, 0, 0); text-decoration: none;" href="http://msktd.com/" moz-do-not-send="true"><font color="#000000" face="Arial">msktd.com</font></a></div>
<br>
<div style='color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-family: "Open Sans", sans-serif; font-size: 13.32px; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-color: inherit; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-caps: normal; text-decoration-style: initial; text-decoration-color: initial;'><a style="border: currentColor; border-image: none; color: rgb(0, 0, 0); text-decoration: none;" href="http://msktd.com/" moz-do-not-send="true"><img style="border: currentColor; border-image: none;" src="cid:BGVKITFBIYLR.IMAGE_1.png"></a></div>
<div>
<div style='color: rgb(0, 0, 0); text-transform: none; text-indent: 0px; letter-spacing: normal; font-family: "Open Sans", sans-serif; font-size: 13.32px; font-style: normal; font-weight: 400; word-spacing: 0px; white-space: normal; orphans: 2; widows: 2; background-color: inherit; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-caps: normal; text-decoration-style: initial; text-decoration-color: initial;'><br>
</div>
</div>
</span></span></span><span style="margin-bottom: 5px; display: block;"><br>
</span></div>
</div>
<div><br>
</div>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to" moz-do-not-send="true">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://jul.es/mailman/listinfo/zendto" moz-do-not-send="true">http://jul.es/mailman/listinfo/zendto</a>
</pre>
</blockquote>
<div><br>
</div>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
The current UK shipping forecast:
Shannon, Rockall: South backing southwest 5 to 7, occasionally gale 8 later in
Shannon. Moderate or rough. Rain, showers later. Good, occasionally poor.
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div>
</div>
</blockquote>
<div><br></div>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'One of the deep secrets of life is that all that is really worth
doing is what we do for others.' - Lewis Carroll
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div></div></body></html>