<html><head>
<meta name="Generator" content="Novell Groupwise Client (Version 18.2.1 Build: 135777)">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>
<body style="font: 10pt/normal Segoe UI; font-size-adjust: none; font-stretch: normal;"><div class="GroupWiseMessageBody" id="GroupWiseSection_1590084568000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><div>Not at all. If it will save someone else some time, please do. I'm no SSL expert, but I am trying to get a bit smarter on it.</div><div><br></div><div>Sorry, but I haven't had a chance to look at the betas. I am currently running 5.23-3. My hands are a bit full this week.</div><div><br>Thanks for all your efforts though. We do like ZendTo.</div><div>Ken<br></div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1590084523000_Jules@Zend.To"><span class="GroupwiseReplyHeader">>>> Jules <Jules@Zend.To> 5/21/2020 2:08 PM >>><br></span><div>
Ken,<div><br></div><div>
</div><div>
Mind if I add your steps to the troubleshooting section for LDAP/AD?</div><div>
</div><div>
Cheers,</div><div>
Jules.</div><div>
</div><div>
P.S. Have you tried the latest betas? I fixed a bad Installer bug
today too, that affects CentOS/RedHat-based systems. And there's a
slight revision to the zendto-saml package too.</div><div>
</div>
<div class="moz-cite-prefix">On 21/05/2020 18:52, Ken Etter via
ZendTo wrote:<br>
</div>
<blockquote cite="mid:WM!3ecef5854a02dd21c5e4959a7ba4e2334ecbf6889d09d802d7538ed1c822bf9ea66879ae06a888c8e70923e445e8aeca!@mx.jul.es" type="cite">
<div class="GroupWiseMessageBody" id="GroupWiseSection_1590082573000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>Scott,</div>
<div>After much trial and error, I figured it out for my
system. I assume from your statement that you are using AD.
I use eDirectory so I use the straight LDAP settings in
ZendTo. I also have ZendTo running on SLES 15. Exact
commands will be different for you since you use AD and
possibly a different Linux distro for ZendTo. But here are my
steps in case it helps...</div>
<div><br>
</div>
<div>1. Retrieve the CA and server certs from my LDAP server in
pem format.</div>
<div>2. Copy them into a folder on my ZendTo server and combine
them into a single pem file.</div>
<div>3. Edit ldap.conf so the "TLS_CACERT" variable points to my
combined pem file.</div>
<div>4. Use ldapsearch on my ZendTo server to verify that I can
connect to my LDAP server over port 636.</div>
<div>5. Edit the ZendTo preferences.php file so the URL for the
LDAP server uses the format <a href="ldaps://<server_name_or_ip>" moz-do-not-send="true">ldaps://<server_name_or_ip></a>.</div>
<div>6. Restart the ZendTo web server.</div>
<div>7. Verify that logins work.</div>
<div><br>
</div>
<div>Hope that helps. If you have questions, let me know.</div>
<div>Ken<br>
</div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589994085000_zendto@zend.to"><span class="GroupwiseReplyHeader">>>> Scott Silva via
ZendTo <a class="moz-txt-link-rfc2396E" href="mailto:zendto@zend.to"><zendto@zend.to></a> 5/20/2020 1:01 PM >>><br>
</span>
<div>
<div class="WordSection1">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='color: rgb(31, 73, 125); font-family: "Calibri",sans-serif; font-size: 11pt;'>I
never got it working on my system… If I can’t get it
working I will probably have to drop the software when
Windows forces the change…<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='color: rgb(31, 73, 125); font-family: "Calibri",sans-serif; font-size: 11pt;'><o:p> </o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><a name="_MailEndCompose" moz-do-not-send="true"><span style='color: rgb(31, 73, 125); font-family: "Calibri",sans-serif; font-size: 11pt;'><o:p> </o:p></span></a></div>
<div>
<div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentColor currentColor; padding: 3pt 0in 0in; border-image: none;">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><b><span style='font-family: "Calibri",sans-serif; font-size: 11pt;'>From:</span></b><span style='font-family: "Calibri",sans-serif; font-size: 11pt;'>
ZendTo [<a class="moz-txt-link-freetext" href="mailto:zendto-bounces@zend.to">mailto:zendto-bounces@zend.to</a>]
<b>On Behalf Of </b>Ken Etter via ZendTo<br>
<b>Sent:</b> Wednesday, May 20, 2020 9:24 AM<br>
<b>To:</b> Jules Field <a class="moz-txt-link-rfc2396E" href="mailto:jules@zend.to"><jules@zend.to></a>;
ZendTo List <a class="moz-txt-link-rfc2396E" href="mailto:zendto@zend.to"><zendto@zend.to></a><br>
<b>Cc:</b> Ken Etter <a class="moz-txt-link-rfc2396E" href="mailto:KLE@msktd.com"><KLE@msktd.com></a><br>
<b>Subject:</b> Re: [ZendTo] LDAP authentication<o:p></o:p></span></div>
</div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><o:p> </o:p></div>
<div id="GroupWiseSection_1589991464000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>Jules,<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>Is there
anything special required to get LDAP working with
SSL? I tried setting 'authLDAPUseSSL' to true,
rebooted and logins fail. I then tried adding the
port number (after a colon) to the address in
'authLDAPServers' and rebooted and logins still
fail. If I use an ldap browser to connect, it
works although it does complain about the
certificate. Do I need to import the certificate
for ZendTo to be able to connect? If so, do you
have any directions for this?<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span><br>
Thanks!<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>Ken<o:p></o:p></span></div>
</div>
<div id="GroupWiseSection_1589979559000_Jules@Zend.To">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span class="groupwisereplyheader"><span>>>>
Jules <<a href="mailto:Jules@Zend.To" moz-do-not-send="true">Jules@Zend.To</a>>
5/20/2020 8:59 AM >>></span></span><span><o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>I always
forget about it too!<o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>And I
wrote it :-(<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>On
20/05/2020 13:48, Ken Etter wrote:<o:p></o:p></span></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<div id="GroupWiseSection_1589978827000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>Thanks
Jules! I completely forgot about that
feature. That explains it.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>Ken<o:p></o:p></span></div>
</div>
<div id="GroupWiseSection_1589964896000_Jules@Zend.To">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span class="groupwisereplyheader"><span>>>>
Jules
<a href="mailto:Jules@Zend.To" moz-do-not-send="true"><Jules@Zend.To></a>
5/20/2020 4:54 AM >>></span></span><span><o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Ken,
<o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>ZendTo actively
locks out (for 24 hours) users who
have failed too many login attempts in
a day.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>This protects
against hackers using your ZendTo to
attempt to find passwords by brute
force.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>There are 2 ways of
seeing who is currently locked out,
and to manually unlock them
immediately:<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>1. The web interface
for an Admin user (it's one of the red
buttons).<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>2. But if you can't
get to that, then run
/opt/zendto/bin/unlockuser and it will
show its command-line usage. You
should just be able to run<o:p></o:p></span></div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><tt><span style="font-size: 10pt;">sudo /opt/zendto/bin/unlockuser
-a</span></tt><span>
<o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>to unlock every
temporarily-locked account.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Hope that helps,<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Jules.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>On 19/05/2020 22:28,
Ken Etter via ZendTo wrote:<o:p></o:p></span></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<div id="GroupWiseSection_1589921280000_KLE">
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>And now it is working
again. Since a trace on my ldap
server showed I wasn't even
getting a query from ZendTo, I
decided to see what my firewall
was seeing. ZendTo is installed in
my DMZ. I log into the firewall
and do a couple of logins to
ZendTo with other accounts and
watch what shows up in the
firewall. Then I try my login
again and it works and shows up in
the firewall as expected. I had
changed nothing, I just logged
into the firewall to see the
activity. Frustrating not knowing
why, but things are working again.
I assume the firewall between the
DMZ and the rest of the network
was the issue, but I have no idea
how or why since it just started
working.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>My apologies for all the
clutter on the mailing list.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>Ken<o:p></o:p></span></div>
</div>
<div id="GroupWiseSection_1589920870000_KLE">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span class="groupwisereplyheader"><span>>>> Ken Etter
5/19/2020 4:48 PM >>></span></span><span><o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>I have other software
that also does LDAP
authentication and my account
works fine there. A trace on my
LDAP server shows the login
happening as expected. So it is
as if ZendTo thinks my account
is not an LDAP account and is
trying to authenticate elsewhere
and failing.<br>
<br>
Ken<o:p></o:p></span></div>
</div>
</div>
<div id="GroupWiseSection_1589920611000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span class="groupwisereplyheader"><span>>>> Ken Etter
5/19/2020 4:41 PM >>></span></span><span><o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span>Doing some more digging
into this and not making much
progress. I was working on
moving ZendTo ldap
authentication from port 389 to
port 636 (SSL). Something wasn't
working right, but now my
account is locked out of ZendTo.
Doing a trace from my LDAP
server shows that I don't even
get a request from ZendTo.
ZendTo is working for all
accounts except mine. Is there
anything at all within ZendTo
that might give me a clue as to
what is going on?<o:p></o:p></span></div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span><br>
<br>
<o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><strong><span style='color: black; font-family: "Arial",sans-serif; font-size: 10pt;'>Ken Etter</span></strong><span style='color: black; font-family: "Arial",sans-serif; font-size: 10pt;'>, System
Administrator</span><span style="color: black;"><o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span style='color: rgb(0, 171, 226); font-family: "Arial",sans-serif; font-size: 10pt;'>Architectural
Group</span><span style="color: black;"><o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span style='color: black; font-family: "Arial",sans-serif; font-size: 10pt;'>260.432.9337 |
</span><span style="color: black;"><a href="http://msktd.com/" moz-do-not-send="true"><span style='color: black; font-family: "Arial",sans-serif; text-decoration: none;'>msktd.com</span></a><o:p></o:p></span></div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span><o:p> </o:p></span></div>
<div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span style="color: black;"><o:p> </o:p></span></div>
</div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span><o:p> </o:p></span></div>
</div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span><o:p> </o:p></span></div>
</div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>ZendTo mailing list<o:p></o:p></pre>
<pre><a href="mailto:ZendTo@zend.to" moz-do-not-send="true">ZendTo@zend.to</a><o:p></o:p></pre>
<pre><a href="http://jul.es/mailman/listinfo/zendto" moz-do-not-send="true">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<pre>Jules<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>'Teach a man to reason, and he will think for a lifetime.' - Phil Plait<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
</div>
</div>
</div>
</blockquote>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span><o:p> </o:p></span></div>
</div>
<pre>Jules<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>The current UK shipping forecast:<o:p></o:p></pre>
<pre>Shannon, Rockall: South backing southwest 5 to 7, occasionally gale 8 later in<o:p></o:p></pre>
<pre>Shannon. Moderate or rough. Rain, showers later. Good, occasionally poor.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br></div>
</blockquote>
<div><br></div>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Learn from yesterday, live for today,
look to tomorrow, rest this afternoon.' - Charles M Schulz
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
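<div>Steps 2 to 4 of Ken's procedure above (combine the exported certificates, set TLS_CACERT, test with ldapsearch), written as shell functions. This is an added example, not part of the original thread and not ZendTo's own code; the file paths and host name passed in are placeholders, and audit_ldap_conf is an extra check on TLS_REQCERT that the thread does not mention.</div>

```shell
#!/bin/sh
# Added example; host name and file paths passed in are placeholders.

# Step 2: combine exported PEM certificates (CA + server) into one bundle.
# Rejects files that are not PEM certificates or that contain a private key.
combine_pem() {  # usage: combine_pem OUT IN...
    out=$1; shift
    for f in "$@"; do
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "not a PEM certificate: $f" >&2; return 1
        fi
        if grep -q -- 'PRIVATE KEY-----' "$f"; then
            echo "refusing private key material in $f" >&2; return 1
        fi
    done
    for f in "$@"; do
        cat "$f"
        [ -z "$(tail -c 1 "$f")" ] || echo   # next cert must start on a new line
    done > "$out"
    chmod 644 "$out"   # public certificates only, readable by the web server
}

# Step 3: point TLS_CACERT in ldap.conf at the bundle (replaces an old entry).
set_tls_cacert() {  # usage: set_tls_cacert LDAP_CONF BUNDLE
    tmp="$1.new.$$"
    { grep -iv '^[[:space:]]*TLS_CACERT[[:space:]]' "$1" || true
      echo "TLS_CACERT $2"; } > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"   # rewrite in place, keeping file mode
}

# Report settings that would let a bad server certificate through.
audit_ldap_conf() {  # usage: audit_ldap_conf LDAP_CONF ; returns 1 on findings
    rc=0
    ca=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$1")
    req=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$1")
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "TLS_CACERT missing or unreadable: ${ca:-unset}"; rc=1
    fi
    case $req in
        never|allow) echo "TLS_REQCERT $req accepts an unverified certificate"; rc=1 ;;
    esac
    return $rc
}

# Step 4: anonymous root-DSE query over LDAPS, certificate checking enforced.
check_ldaps() {  # usage: check_ldaps HOST LDAP_CONF
    LDAPCONF=$2 LDAPTLS_REQCERT=demand \
        ldapsearch -x -H "ldaps://$1:636" -s base -b "" "(objectClass=*)" namingContexts
}
```

<div>Call them in order: combine_pem, set_tls_cacert, audit_ldap_conf, then check_ldaps with the same host name that will go into the ldaps:// URL in preferences.php. With certificate checking enforced, that name has to match a name in the server certificate.</div>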
</div></div></body></html>