<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
On 21/07/2010 20:57, Brad Beckenhauer wrote:
<blockquote cite="mid:4C470AE30200006800059B72@smtp.aafp.org"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<meta name="GENERATOR" content="MSHTML 8.00.7600.16588">
<div><font face="Arial" size="3">I just installed ZendTo/Centos-64
3.56-2 using the vm.</font></div>
<div> </div>
<div><font face="Arial" size="3">IMAP authentication works for my
test account but I need to switch to AD authentication for my internal
clients.</font></div>
<div> </div>
<div><font face="Arial" size="3">I installed the openldap-client on
the vm (yum install openldap-client ) so I could use the utility for
debugging.</font></div>
<div> </div>
<div><font face="Arial" size="3">I can run the ldap-search command
and it returns a Success using the below command line.</font></div>
<div> </div>
<div><font face="Arial" size="3"># ldapsearch -h MyADServer1 -b
ou=ZendToUsers,dc=xxx,DC=yyy,DC=org -x
-D"cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org" -W
"sAMAccountName=test"</font></div>
<div> </div>
<div><font face="Arial" size="3">Note that my Administrator is not in
the same context as my user named 'test'.</font></div>
<div> </div>
<div> </div>
<div><font face="Arial" size="3">from: preferences.php</font></div>
<div> </div>
<div><font face="Arial" size="3"> //'authenticator' => 'IMAP',</font></div>
<div> </div>
<div> </div>
<div><font face="Arial" size="3"> 'authenticator' =>
'AD',<br>
'authLDAPAdmins' => array('test','admin2','admin3'),<br>
'authLDAPBaseDN1' =>
'ou=ZendToUsers,DC=xxx,DC=yyy,DC=org',<br>
'authLDAPServers1' => array('MyADServer1','MyADServer2'),<br>
'authLDAPAccountSuffix1' => </font><a moz-do-not-send="true"
href="mailto:%27@yyy.org%27"><font face="Arial" size="3">'@yyy.org'</font></a><font
face="Arial" size="3">,<br>
'authLDAPUseSSL1' => false,<br>
'authLDAPBindUser1' =>
'cn=Administrator,cn=Users,dc=xxx,dc=yyy,dc=org',<br>
'authLDAPBindPass1' => 'Secret Password for the above user
is entered here',<br>
</font></div>
<div> </div>
<div><font face="Arial" size="3">restart apache</font></div>
<div><font face="Arial" size="3">service httpd restart</font></div>
<div> </div>
<div><font face="Arial" size="3">try to login on the webpage and I
get two errors:</font></div>
<div> </div>
<div><font size="3"><font face="Arial">LDAP Error Check User: Unable
to connect to any of the LDAP servers; could not authenticate user. <br>
</font></font></div>
</blockquote>
That mean exactly what it says. It couldn't ldap_bind() to any of the
AD servers. The code is fairly simple to read, it's in
NSSADAuthenticator.php in the validate function. I very much doubt your
authLDAPBindUser1 is correct or usable. I don't think it supports the
LDAPBindUser1 being in a totally different place from the other users.
Create a user in the same place that has no permissions other than
being able to read the directory, in the same place as everything else.
It certainly does not need to be, and *shouldn't* be, an administrator,
it should be able to do nothing other than read the AD. Then it should
work. All you can put in authLDAPBindUser1 is a username, not a
complete AD path.<br>
<br>
If you need to be able to do that, then I suggest you tweak
NSSADAuthenticator.php so that it supports this.<br>
<br>
What it does is this:<br>
@ldap_bind($ldapConn,$this->_ldapBindUser,$this->_ldapBindPass)<br>
<br>
So it takes the connection to the LDAP/AD server, with just a username
and password. If that bind operation works, then it can proceed. If
that fails, then you get the error you are seeing.<br>
<br>
Have you tried just setting<br>
<font face="Arial" size="3"> 'authLDAPBindUser1' =>
'Administrator</font>',<br>
in your preferences.php?<br>
I still most definitely advise against using any sort of Administrator
account for this, that will probably have far more privileges than it
needs.<br>
<br>
You might even find that anonymous binds are allowed, they are in quite
a lot of networks.<br>
<br>
Hope that helps a bit,<br>
Jules.<br>
<blockquote cite="mid:4C470AE30200006800059B72@smtp.aafp.org"
type="cite">
<div> </div>
<div><font size="3"><font face="Arial">Authentication Error The
username or password was incorrect.</font></font></div>
<div> </div>
<div><font face="Arial" size="3">beating my head on this and looking
for a pointer on what I'm doing wrong.</font></div>
<div> </div>
<div><font face="Arial" size="3">I won't be able to work on this
again until next Monday.</font></div>
<div><font face="Arial" size="3">thanks</font></div>
<div><font face="Arial" size="3">Brad</font></div>
<div> </div>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zendto.com">ZendTo@zendto.com</a>
<a class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.ZendTo.com">www.ZendTo.com</a>
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
</pre>
</body>
</html>