<html><head>
<meta name="Generator" content="Novell Groupwise Client (Version 18.2.1 Build: 135777)">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>
<body style="font: 10pt/normal Segoe UI; font-size-adjust: none; font-stretch: normal;"><div class="GroupWiseMessageBody" id="GroupWiseSection_1590082573000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_"><div>Scott,</div><div>After much trial and error, I figured it out for my system. I assume from your statement that you are using AD. I use eDirectory so I use the straight LDAP settings in ZendTo. I also have ZendTo running on SLES 15. Exact commands will be different for you since you use AD and possibly a different Linux distro for ZendTo. But here are my steps in case it helps...</div><div><br></div><div>1. Retrieve the CA and server certs from my LDAP server in pem format.</div><div>2. Copy them into a folder on my ZendTo server and combine them into a single pem file.</div><div>3. Edit ldap.conf so the "TLS_CACERT" variable points to my combined pem file.</div><div>4. Use ldapsearch on my ZendTo server to verify that I can connect to my LDAP server over port 636.</div><div>5. Edit the ZendTo preferences.php file so the URL for the LDAP server uses the format ldaps://&lt;server_name_or_ip&gt;.</div><div>6. Restart the ZendTo web server.</div><div>7. Verify that logins work.</div><div><br></div><div>Hope that helps. If you have questions, let me know.</div><div>Ken<br></div>
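<div>Steps 2 to 4 of the procedure above as a script, added here as an example; it is not part of Ken's message or of ZendTo. The script name <tt>ldaps-trust.sh</tt>, the function names and the anonymous root-DSE read in step 4 are assumptions, and the ldap.conf path is passed in because it differs between distributions. The audit step also flags a <tt>TLS_REQCERT never</tt> or <tt>allow</tt> line, which would let the connection succeed without checking the certificate at all.</div>

```shell
#!/bin/sh
# Added example (not from the thread): steps 2-4 of the LDAPS procedure.
# Paths and host names are supplied by the caller; none come from the thread.

# Keep only PEM certificate blocks, so `openssl s_client -showcerts` output
# or plain .pem files can both be used as input.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}'
}

# Step 2: combine CA and server certificates into one bundle; prints the count.
build_bundle() {  # build_bundle OUT IN...
    out=$1; shift
    cat "$@" | extract_pem > "$out"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# Step 3: point TLS_CACERT at the bundle, replacing any earlier active setting.
set_tls_cacert() {  # set_tls_cacert LDAP_CONF BUNDLE
    tmp=$(mktemp) || return 1
    grep -v -i '^[[:space:]]*TLS_CACERT[[:space:]]' "$1" > "$tmp" || true
    printf 'TLS_CACERT %s\n' "$2" >> "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Flag settings that leave the LDAPS connection unauthenticated.
# Prints findings; returns 0 when clean, 1 otherwise.
audit_ldap_conf() {  # audit_ldap_conf LDAP_CONF
    rc=0
    ca=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$1")
    if [ -z "$ca" ]; then
        echo "TLS_CACERT is not set"; rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
        echo "TLS_CACERT $ca contains no certificates"; rc=1
    fi
    req=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$1")
    case $req in
        never|allow) echo "TLS_REQCERT $req: server certificate is not verified"; rc=1 ;;
    esac
    return $rc
}

# Step 4: read the root DSE over port 636 with verification forced on.
# Assumes the server permits an anonymous root-DSE read.
verify_ldaps() {  # verify_ldaps HOST BUNDLE
    LDAPTLS_CACERT=$2 LDAPTLS_REQCERT=demand \
        ldapsearch -x -H "ldaps://$1:636" -s base -b '' -LLL namingContexts
}

# Usage: sh ldaps-trust.sh apply HOST LDAP_CONF BUNDLE CERT.pem...
if [ "${1:-}" = apply ]; then
    host=$2; conf=$3; bundle=$4; shift 4
    build_bundle "$bundle" "$@" && set_tls_cacert "$conf" "$bundle" &&
        audit_ldap_conf "$conf" && verify_ldaps "$host" "$bundle"
fi
```

<div>Steps 5 to 7 (the ldaps:// URL in preferences.php, the web server restart and the login test) are left to be done by hand as described in the message.</div>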
<div class="GroupWiseMessageBody" id="GroupWiseSection_1589994085000_zendto@zend.to"><span class="GroupwiseReplyHeader">&gt;&gt;&gt; Scott Silva via ZendTo &lt;zendto@zend.to&gt; 5/20/2020 1:01 PM &gt;&gt;&gt;<br></span><div>
<div class="WordSection1">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='color: rgb(31, 73, 125); font-family: "Calibri",sans-serif; font-size: 11pt;'>I never got it working on my system… If I can’t get it working I will probably have to drop the software when Windows forces the change…<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='color: rgb(31, 73, 125); font-family: "Calibri",sans-serif; font-size: 11pt;'><o:p> </o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><a name="_MailEndCompose"><span style='color: rgb(31, 73, 125); font-family: "Calibri",sans-serif; font-size: 11pt;'><o:p> </o:p></span></a></div>
<div>
<div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentColor currentColor; padding: 3pt 0in 0in; border-image: none;">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><b><span style='font-family: "Calibri",sans-serif; font-size: 11pt;'>From:</span></b><span style='font-family: "Calibri",sans-serif; font-size: 11pt;'> ZendTo [mailto:zendto-bounces@zend.to]
<b>On Behalf Of </b>Ken Etter via ZendTo<br>
<b>Sent:</b> Wednesday, May 20, 2020 9:24 AM<br>
<b>To:</b> Jules Field &lt;jules@zend.to&gt;; ZendTo List &lt;zendto@zend.to&gt;<br>
<b>Cc:</b> Ken Etter &lt;KLE@msktd.com&gt;<br>
<b>Subject:</b> Re: [ZendTo] LDAP authentication<o:p></o:p></span></div>
</div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><o:p> </o:p></div>
<div id="GroupWiseSection_1589991464000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Jules,<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Is there anything special required to get LDAP working with SSL? I tried setting 'authLDAPUseSSL' to true, rebooted and logins fail. I then tried adding the port number
(after a colon) to the address in 'authLDAPServers' and rebooted and logins still fail. If I use an ldap browser to connect, it works although it does complain about the certificate. Do I need to import the certificate for ZendTo to be able to connect?
If so, do you have any directions for this?<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><br>
Thanks!<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Ken<o:p></o:p></span></div>
</div>
<div id="GroupWiseSection_1589979559000_Jules@Zend.To">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span class="groupwisereplyheader"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>>>> Jules <<a href="mailto:Jules@Zend.To">Jules@Zend.To</a>> 5/20/2020 8:59 AM >>></span></span><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>I always forget about it too!<o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>And I wrote it :-(<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>On 20/05/2020 13:48, Ken Etter wrote:<o:p></o:p></span></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<div id="GroupWiseSection_1589978827000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Thanks Jules! I completely forgot about that feature. That explains it.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Ken<o:p></o:p></span></div>
</div>
<div id="GroupWiseSection_1589964896000_Jules@Zend.To">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span class="groupwisereplyheader"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>>>> Jules
<a href="mailto:Jules@Zend.To">&lt;Jules@Zend.To&gt;</a> 5/20/2020 4:54 AM &gt;&gt;&gt;</span></span><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Ken,
<o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>ZendTo actively locks out (for 24 hours) users who have failed too many login attempts in a day.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>This protects against hackers using your ZendTo to attempt to find passwords by brute force.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>There are 2 ways of seeing who is currently locked out, and to manually unlock them immediately:<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>1. The web interface for an Admin user (it's one of the red buttons).<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>2. But if you can't get to that, then run /opt/zendto/bin/unlockuser and it will show its command-line usage. You should just be able to run<o:p></o:p></span></div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><tt><span style="font-size: 10pt;">sudo /opt/zendto/bin/unlockuser -a</span></tt><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>
<o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>to unlock every temporarily-locked account.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Hope that helps,<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Jules.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>On 19/05/2020 22:28, Ken Etter via ZendTo wrote:<o:p></o:p></span></div>
</div>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<div id="GroupWiseSection_1589921280000_KLE">
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>And now it is working again. Since a trace on my ldap server showed I wasn't even getting a query from ZendTo, I decided to see what my firewall was seeing. ZendTo is installed
in my DMZ. I log into the firewall and do a couple of logins to ZendTo with other accounts and watch what shows up in the firewall. Then I try my login again and it works and shows up in the firewall as expected. I had changed nothing, I just logged into the
firewall to see the activity. Frustrating not knowing why, but things are working again. I assume the firewall between the DMZ and the rest of the network was the issue, but I have no idea how or why since it just started working.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>My apologies for all the clutter on the mailing list.<o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Ken<o:p></o:p></span></div>
</div>
<div id="GroupWiseSection_1589920870000_KLE">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span class="groupwisereplyheader"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>>>> Ken Etter 5/19/2020 4:48 PM >>></span></span><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>I have other software that also does LDAP authentication and my account works fine there. A trace on my LDAP server shows the login happening as expected. So it is as if ZendTo
thinks my account is not an LDAP account and is trying to authenticate elsewhere and failing.<br>
<br>
Ken<o:p></o:p></span></div>
</div>
</div>
<div id="GroupWiseSection_1589920611000_KLE@msktd.com_1FEF159614D20000B1ED8700B3004500_">
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span class="groupwisereplyheader"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>>>> Ken Etter 5/19/2020 4:41 PM >>></span></span><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'>Doing some more digging into this and not making much progress. I was working on moving ZendTo ldap authentication from port 389 to port 636 (SSL). Something wasn't working
right, but now my account is locked out of ZendTo. Doing a trace from my LDAP server shows that I don't even get a request from ZendTo. ZendTo is working for all accounts except mine. Is there anything at all within ZendTo that might give me a clue as to what
is going on?<o:p></o:p></span></div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><br>
<br>
<o:p></o:p></span></div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><strong><span style='color: black; font-family: "Arial",sans-serif; font-size: 10pt;'>Ken Etter</span></strong><span style='color: black; font-family: "Arial",sans-serif; font-size: 10pt;'>, System Administrator</span><span style='color: black; font-family: "Open Sans"; font-size: 10pt;'><o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span style='color: rgb(0, 171, 226); font-family: "Arial",sans-serif; font-size: 10pt;'>Architectural Group</span><span style='color: black; font-family: "Open Sans"; font-size: 10pt;'><o:p></o:p></span></div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span style='color: black; font-family: "Arial",sans-serif; font-size: 10pt;'>260.432.9337 |
</span><span style='color: black; font-family: "Open Sans"; font-size: 10pt;'><a href="http://msktd.com/"><span style='color: black; font-family: "Arial",sans-serif; text-decoration: none;'>msktd.com</span></a><o:p></o:p></span></div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
<div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 3.75pt;"><span style='color: black; font-family: "Open Sans"; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
</div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
</div>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>ZendTo mailing list<o:p></o:p></pre>
<pre><a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><o:p></o:p></pre>
<pre><a href="http://jul.es/mailman/listinfo/zendto">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<pre>Jules<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>'Teach a man to reason, and he will think for a lifetime.' - Phil Plait<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="http://www.Zend.To">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
</div>
</div>
</div>
</blockquote>
<div>
<div class="MsoNormal" style="margin: 0in 0in 0pt;"><span style='font-family: "Segoe UI",sans-serif; font-size: 10pt;'><o:p> </o:p></span></div>
</div>
<pre>Jules<o:p></o:p></pre>
</div>
</div>
</div>
</div>
</div>
</div></div></body></html>