<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16588"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Segoe UI" bgColor=#ffffff text=#000000>
<DIV>Hi Julian,</DIV>
<DIV> </DIV>
<DIV>I've tested the LDAP authenticator and it is "working" using the last NSSLDAPAuthenticator.php file you sent to me. During testing I managed to lock my account several times and did not know it until I examined the zendto.log (I wasted an hour figuring that out).</DIV>
<DIV> </DIV>
<DIV>My configuration:</DIV>
<DIV>Running the <A href="http://www.zendto.com/files/ZendTo-CentOS-x64-3.55-3.zip">ZendTo version 3.59-1 64-bit CentOS Virtual Machine</A> from the download page.</DIV>
<DIV>LDAP: The authLDAPServers I tested were both Netware 6.5 and SLES 10sp2. I could not get the SSL=true to work (the issue could be on my end).</DIV>
<DIV> </DIV>
<DIV>Suggestions:</DIV>
<DIV>1) How about an email_admin setting in the preferences.php file that notifies the administrator when an account is locked?</DIV>
<DIV> </DIV>
<DIV>2) When an account is locked, add a comment to the zendto.log file stating the account is "locked" rather than wait until the next login attempt.</DIV>
<DIV> </DIV>
<DIV>3) The bin/README does not list the unlockuser utility. </DIV>
<DIV> </DIV>
<DIV>4) Food for thought: perhaps rather than create separate utilities (adduser, deleteuser, listusers, setpassword), combine them into one utility</DIV>
<DIV> </DIV>
<DIV>i.e. user.php</DIV>
<DIV> </DIV>
<DIV>user.php add john password <A href="mailto:email@address.com">email@address.com</A> 'john doe' 'organization'</DIV>
<DIV>user.php delete john</DIV>
<DIV>user.php unlock john</DIV>
<DIV>
<DIV>user.php unlock all</DIV></DIV>
<DIV>user.php listusers</DIV>
<DIV>user.php setpasswd john new_password</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>5) Perhaps allow the admin to unlock a user via the webpage rather than have to do it at the command line?</DIV>
<DIV> </DIV>
<DIV>6) In the preferences.php add the following to enable LDAP</DIV>
<DIV> </DIV>
<DIV>Example 1: Search LDAP using only one LDAPServer and from the top of the 'O'.</DIV>
<DIV>
<DIV> //<BR> // Settings for the LDAP authenticator.<BR> //<BR> // "authLDAPServers" Array of hostnames to try binding to<BR> // "authLDAPBaseDN" Base distinguished name for search/bind<BR> // "authLDAPAdmins" Cheap way to grant admin privs to users; an<BR> // array of uname's<BR> // "authLDAPUseSSL" connect using SSL/TLS. [ true|false ]</DIV>
<DIV> </DIV>
<DIV> 'authenticator' => 'LDAP',<BR> 'authLDAPServers' => array('192.168.1.1'),<BR> 'authLDAPBaseDN' => 'o=level1',<BR> 'authLDAPAdmins' => array('admin1','admin2','admin3'),<BR> 'authLDAPUseSSL' => false,<BR></DIV>
<DIV>Example 2: Search LDAP using two LDAPServers and using an OU=.</DIV></DIV>
<DIV> //<BR> // Settings for the LDAP authenticator.<BR> //<BR> // "authLDAPServers" Array of hostnames to try binding to<BR> // "authLDAPBaseDN" Base distinguished name for search/bind<BR> // "authLDAPAdmins" Cheap way to grant admin privs to users; an<BR> // array of uname's<BR> // "authLDAPUseSSL" connect using SSL/TLS. [ true|false ]</DIV>
<DIV> </DIV>
<DIV> 'authenticator' => 'LDAP',<BR> 'authLDAPServers' => array('192.168.1.1','192.168.1.2'),<BR> 'authLDAPBaseDN' => 'ou=level1,o=level2',</DIV>
<DIV> 'authLDAPAdmins' => array('admin1','admin2','admin3'),<BR> 'authLDAPUseSSL' => false,<BR></DIV>
<DIV>Note: authLDAPUseSSL = false works. I could not get it to work with a 'true' setting, but that may only be a fault on my systems.</DIV>
<DIV>Note: On authLDAPServers, I tested with both one and two configured servers; both work, even if the first one listed does not respond to the bind.</DIV>
<DIV>FYI: If the authLDAPServers is set high in the tree (i.e. o=top), then LDAP does search down to lower levels looking for matches. Some organizations may want to exclude some lower ou's. I did not test if the BaseDN could contain multiple search ou's.</DIV>
<DIV> </DIV>
<DIV>Perhaps something like the emailDomainRegexp would work to include only specific ou's below the o? (I've not looked at it myself).</DIV>
<DIV> </DIV>
<DIV>7) In the comments of the NSSLDAPAuthenticator.php please add comments to make it look more like the comments section in the NSSADAuthenticator.php file. Sample below:</DIV>
<DIV> </DIV>
<DIV>Example for preferences.php:</DIV>
<DIV> </DIV>
<DIV> 'authenticator' => 'LDAP',<BR> 'authLDAPServers' => array('192.168.1.1','192.168.1.2'),<BR> 'authLDAPBaseDN' => 'ou=users,o=domain',</DIV>
<DIV> // or 'authLDAPBaseDN' => 'o=domain',<BR> 'authLDAPUseSSL' => false,</DIV>
<DIV><BR>8) THANK YOU JULIAN!</DIV>
<DIV> </DIV>
<DIV> </DIV></BODY></HTML>