<html><head>
<meta name="Generator" content="Novell Groupwise Client (Version 18.2.1 Build: 135777)">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>
<body style="font: 10pt/normal Segoe UI; font-size-adjust: none; font-stretch: normal;"><div class="GroupWiseMessageBody" id="GroupWiseSection_1590068012000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><div>Actually, true does not work. The joys of working remotely, I didn't realize that setting hadn't saved. Everything does work, I just need to leave that setting at false and the ldap URL needs to include "ldaps".</div><div><br>Ken<br></div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1590067611000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><span class="GroupwiseReplyHeader">>>> Ken Etter via ZendTo &lt;zendto@zend.to&gt; 5/21/2020 9:31 AM >>><br></span><div>Thanks Jules! I had to correct a part of my ldap cert setup and now ldapsearch works correctly and zendto works correctly. Interestingly enough, I can now set authLDAPUseSSL to true or false and it works fine both ways. I think I was staring at it too long yesterday. A fresh look this morning and I realized what I had overlooked.</div><div><br></div><div>Thanks again for a great product!</div><div><br></div><div>Ken<br></div>
</div><div class="GroupWiseMessageBody" id="GroupWiseSection_1590052971000_Jules@Zend.To"><span class="GroupwiseReplyHeader">>>> Jules &lt;Jules@Zend.To&gt; 5/21/2020 5:22 AM >>><br></span><div>
Ken,<div><br></div><div>
</div><div>
The UseSSL setting was for running it on a different port.</div>
It turns out the <a class="moz-txt-link-freetext" href="ldaps://server_ip_address">ldaps://server_ip_address</a> option (should use port
636 by default) is better. And as it's an ldap<b>s</b> URL, it will
use SSL/TLS anyway.<div><br></div><div>
So you can safely leave authLDAPUseSSL set to false. It's
overridden by the use of an ldaps URL.</div><div>
</div><div>
Cheers,</div><div>
Jules.</div><div>
</div>
<div class="moz-cite-prefix">On 20/05/2020 22:36, Ken Etter wrote:<br>
</div>
<blockquote cite="mid:WM!ff197050eb6f73e050b76a3efe03c27353cb837a26948fa2bef4204654b62eb9a656d75fd4c20ca46cf370a3f25433dd!@mx.jul.es" type="cite">
<div class="GroupWiseMessageBody" id="GroupWiseSection_1590009938000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>Jules,<br>
I'm not running AD, but I do want to get SSL working with my
LDAP server. I configured everything and tested with
ldapsearch from my ZendTo server and ldapsearch works. The
command line I am using to test is:</div>
<div><br>
</div>
<div>ldapsearch -H <a href="ldaps://server_ip_address:636" moz-do-not-send="true">ldaps://server_ip_address:636</a> -x
-D "&lt;my_user_name&gt;" -w &lt;my_password&gt; -b
"&lt;my_searchbase&gt;" -s sub -a always "(objectClass=User)"
cn</div>
<div><br>
</div>
<div>That returns the correct info. I modified the LDAP section
trying both of these:</div>
<div><br>
</div>
<div>'authLDAPServers' =>
array('<a class="moz-txt-link-freetext" href="ldaps://">ldaps://</a>&lt;server_ip_address&gt;:636'),</div>
<div>
<div>'authLDAPServers' =>
array('<a class="moz-txt-link-freetext" href="ldaps://">ldaps://</a>&lt;server_ip_address&gt;'),</div>
</div>
<div><br>
</div>
<div>Both work as long as 'authLDAPUseSSL' is set to false.
But as soon as I set 'authLDAPUseSSL' equal to true and
restart apache, ZendTo complains that it cannot connect.</div>
<div><br>
</div>
<div>Any suggestions?</div>
<div>Ken<br>
</div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589994770000_Jules@Zend.To"><span class="GroupwiseReplyHeader">>>> Jules
<a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To">&lt;Jules@Zend.To&gt;</a> 5/20/2020 1:12 PM >>><br>
</span>
<div> Ken,
<div><br>
</div>
<div> </div>
<div> You almost certainly want to do the change that will
be needed for Active Directory in the Autumn (the Fall).</div>
<div> Basically you leave the UseSSL settings set to false,
but change the server hostname by putting <a class="moz-txt-link-rfc2396E" href="ldaps://" moz-do-not-send="true">"ldaps://"</a> on the front of
it.</div>
<div> </div>
<div> If it is complaining about the certificate, then I
guess you are using a locally-signed cert on your LDAPS
server(s). In which case, take a look at the
troubleshooting guide linked from the 2nd paragraph of</div>
<div> <a class="moz-txt-link-freetext" href="https://zend.to/activedirectory.php" moz-do-not-send="true">https://zend.to/activedirectory.php</a></div>
<div> </div>
<div> Also, that page talks about what you need in
preferences.php and your ldap.conf. Both the LDAP and AD
authenticators use the same library, as querying AD is
basically the same as LDAP just with the odd minor
modification to the code.</div>
<div> </div>
<div> Cheers,</div>
<div> Jules.</div>
<div> </div>
<div class="moz-cite-prefix">On 20/05/2020 17:23, Ken Etter
wrote:<br>
</div>
<blockquote cite="mid:WM!c6bb4e935bab58d34c046cc87631a6bd628a4d14f25ac3ec616fbd23b990b74f9341c29e8860ba91a1cc6dc4df82b35c!@mx.jul.es" type="cite">
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589991464000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>Jules,</div>
<div>Is there anything special required to get LDAP
working with SSL? I tried setting 'authLDAPUseSSL' to
true, rebooted and logins fail. I then tried adding
the port number (after a colon) to the address in
'authLDAPServers' and rebooted and logins still fail.
If I use an ldap browser to connect, it works although
it does complain about the certificate. Do I need to
import the certificate for ZendTo to be able to
connect? If so, do you have any directions for this?</div>
<div><br>
Thanks!</div>
<div>Ken<br>
</div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589979559000_Jules@Zend.To"><span class="GroupwiseReplyHeader">>>> Jules <a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To" moz-do-not-send="true">&lt;Jules@Zend.To&gt;</a>
5/20/2020 8:59 AM >>><br>
</span>
<div> I always forget about it too!
<div><br>
</div>
<div> And I wrote it :-(</div>
<div> </div>
<div class="moz-cite-prefix">On 20/05/2020 13:48,
Ken Etter wrote:<br>
</div>
<blockquote cite="mid:WM!ca4469d817e4470a73e4853ab5f6d7340d84c4fe9446705708728955bd673400dfb859b1863fa69f97972e336ef8d230!@mx.jul.es" type="cite">
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589978827000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>Thanks Jules! I completely forgot about
that feature. That explains it.</div>
<div><br>
</div>
<div>Ken<br>
</div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589964896000_Jules@Zend.To"><span class="GroupwiseReplyHeader">>>>
Jules <a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To" moz-do-not-send="true">&lt;Jules@Zend.To&gt;</a>
5/20/2020 4:54 AM >>><br>
</span>
<div> Ken,
<div><br>
</div>
<div> </div>
<div> ZendTo actively locks out (for 24
hours) users who have failed too many
login attempts in a day.</div>
<div> This protects against hackers using
your ZendTo to attempt to find passwords
by brute force.</div>
<div> </div>
<div> There are 2 ways of seeing who is
currently locked out, and to manually
unlock them immediately:</div>
<div> 1. The web interface for an Admin user
(it's one of the red buttons).</div>
<div> 2. But if you can't get to that, then
run /opt/zendto/bin/unlockuser and it will
show its command-line usage. You should
just be able to run</div>
<tt> sudo /opt/zendto/bin/unlockuser -a</tt>
<div><br>
</div>
<div> to unlock every temporarily-locked
account.</div>
<div> </div>
<div> Hope that helps,</div>
<div> Jules.</div>
<div> </div>
<div class="moz-cite-prefix">On 19/05/2020
22:28, Ken Etter via ZendTo wrote:<br>
</div>
<blockquote cite="mid:WM!8f8e5b8d4c23527c2eb3958915c6518cb1fcc1baaac338cccdb8ab8ca53040a5a670830ab713e0e1a0fdf5aa4e178fd9!@mx.jul.es" type="cite">
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589921280000_KLE">
<div>And now it is working again. Since
a trace on my ldap server showed I
wasn't even getting a query from
ZendTo, I decided to see what my
firewall was seeing. ZendTo is
installed in my DMZ. I log into the
firewall and do a couple of logins to
ZendTo with other accounts and watch
what shows up in the firewall. Then I
try my login again and it works and
shows up in the firewall as expected.
I had changed nothing, I just logged
into the firewall to see the activity.
Frustrating not knowing why, but
things are working again. I assume the
firewall between the DMZ and the rest
of the network was the issue, but I
have no idea how or why since it just
started working.</div>
<div><br>
</div>
<div>My apologies for all the clutter on
the mailing list.</div>
<div><br>
</div>
<div>Ken<br>
</div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589920870000_KLE"><span class="GroupwiseReplyHeader">>>>
Ken Etter 5/19/2020 4:48 PM
>>><br>
</span>
<div>I have other software that also
does LDAP authentication and my
account works fine there. A trace on
my LDAP server shows the login
happening as expected. So it is as
if ZendTo thinks my account is not
an LDAP account and is trying to
authenticate elsewhere and failing.<br>
<br>
Ken<br>
</div>
</div>
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589920611000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><span class="GroupwiseReplyHeader">>>>
Ken Etter 5/19/2020 4:41 PM
>>><br>
</span>
<div>Doing some more digging into this
and not making much progress. I was
working on moving ZendTo ldap
authentication from port 389 to port
636 (SSL). Something wasn't working
right, but now my account is locked
out of ZendTo. Doing a trace from my
LDAP server shows that I don't even
get a request from ZendTo. ZendTo is
working for all accounts except
mine. Is there anything at all
within ZendTo that might give me a
clue as to what is going on?<br>
</div>
<span id="GWSignatureSent" style="padding-right: 0px; padding-left: 0px; margin-bottom: 5px; display: block;"><span style="display: block;"><br>
<span style="font-size: 10pt; display: inline-block; -ms-word-wrap: normal;">
<div><font color="#000000" face="Arial"><strong>Ken Etter</strong>, System Administrator</font></div>
<div><font color="#00abe2" face="Arial">Architectural Group</font></div>
<div><font color="#000000" face="Arial">260.432.9337 | </font><a href="http://msktd.com/" moz-do-not-send="true"><font color="#000000" face="Arial">msktd.com</font></a></div>
</span></span></span><span style="margin-bottom: 5px; display: block;"><br>
</span></div>
</div>
<div><br>
</div>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to" moz-do-not-send="true">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://jul.es/mailman/listinfo/zendto" moz-do-not-send="true">http://jul.es/mailman/listinfo/zendto</a>
</pre>
</blockquote>
<div><br>
</div>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
The current UK shipping forecast:
Shannon, Rockall: South backing southwest 5 to 7, occasionally gale 8 later in
Shannon. Moderate or rough. Rain, showers later. Good, occasionally poor.
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'One of the deep secrets of life is that all that is really worth
doing is what we do for others.' - Lewis Carroll
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
</div>
</div>
</blockquote>
<div><br></div>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Adversity is like a strong wind. I don't mean just that it holds
us back from places we might otherwise go. It also tears away from
us all but the things that cannot be torn, so that afterward we see
ourselves as we really are, and not merely as we might like to be.'
- Arthur Golden
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</div>
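<div>The LDAPS check discussed in this thread, as an added example that is not part of the original messages and is not ZendTo code: a PHP command-line script that refuses anything but an ldaps:// URL and then attempts a bind through PHP's ldap extension, printing the library's diagnostic text on failure. The script name ldaps_check.php, the LDAP_TEST_PW environment variable and the argument order are assumptions made for this example, and it assumes the ldap extension is installed.</div>

```php
<?php
// Added example, not ZendTo code. Script name, LDAP_TEST_PW and argument order are assumptions.
// Usage (with LDAP_TEST_PW exported): php ldaps_check.php ldaps://server_ip_address '<bind_dn>'

// Accept only ldaps:// so the bind password is never sent without TLS.
function check_ldaps_uri(string $uri): array {
    $p = parse_url($uri);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return [false, "not a valid LDAP URL: $uri"];
    }
    if (strtolower($p['scheme']) !== 'ldaps') {
        return [false, "scheme is '{$p['scheme']}', expected ldaps"];
    }
    return [true, sprintf('%s port %d', $p['host'], $p['port'] ?? 636)];
}

function try_bind(string $uri, string $dn, string $pw): array {
    $ldap = ldap_connect($uri);            // parses the URI only; no network traffic yet
    if ($ldap === false) {
        return [false, 'ldap_connect() rejected the URI'];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);
    if (@ldap_bind($ldap, $dn, $pw)) {     // TCP connect, TLS handshake and bind happen here
        ldap_unbind($ldap);
        return [true, 'bind succeeded over TLS'];
    }
    $detail = '';                          // extra text from the LDAP library, if it supplied any
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    return [false, sprintf('%s (errno %d) %s', ldap_error($ldap), ldap_errno($ldap), $detail)];
}

$uri = $argv[1] ?? '';
$dn  = $argv[2] ?? '';
$pw  = getenv('LDAP_TEST_PW');             // read from the environment rather than from argv
[$ok, $msg] = check_ldaps_uri($uri);
if ($ok && ($dn === '' || $pw === false || $pw === '')) {
    // An empty password would turn the bind into an unauthenticated one, so refuse it.
    [$ok, $msg] = [false, 'a bind DN argument and a non-empty LDAP_TEST_PW are required'];
}
if ($ok) {
    echo "Target: $msg\n";
    [$ok, $msg] = try_bind($uri, $dn, $pw);
}
echo ($ok ? 'OK: ' : 'FAIL: ') . $msg . "\n";
exit($ok ? 0 : 1);
```

<div>On a build where PHP's ldap extension is linked against OpenLDAP, the bind goes through the same ldap.conf the thread mentions, so a certificate the library does not trust shows up here as a failed bind with exit status 1.</div>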
</div></div></body></html>