<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
On 03/08/2010 22:01, Brad Beckenhauer wrote:
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<meta name="GENERATOR" content="MSHTML 8.00.7600.16588">
<div>Hi Julian,</div>
<div> </div>
<div>I've tested the LDAP authenticator and it is "working" using the
last NSSLDAPAuthenticator.php file you sent to me. During testing I
managed to lock my account several times and did not know it until I
examined the zendto.log ( I wasted an hour figuring that out).</div>
<div> </div>
<div>My configuration:</div>
<div>Running the <a moz-do-not-send="true"
href="http://www.zendto.com/files/ZendTo-CentOS-x64-3.55-3.zip">ZendTo
version 3.59-1 64-bit CentOS Virtual Machine</a> from the download page.</div>
<div>LDAP: The authLDAPServers I tested where both Netware 6.5 and
SLES 10sp2. I could not get the SSL=true to work ( the issue could be
on my end).</div>
<div> </div>
<div>Suggestions:</div>
<div>1) How about an email_admin setting in the preferences. file
that notifies the administrator when an account is locked?</div>
</blockquote>
It would only be able to email the admin every time someone tries to
login to a locked account, for the reason described below.<br>
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<div> </div>
<div>2) when an account is locked, add a commentsto the zendto.log
file stating the account is "locked" rather than wait until the next
login attempt.</div>
</blockquote>
Bit difficult that one. When it gets a login attempt, it counts the
number of successive failure attempts in the login log table. It
doesn't lock out a user as such, it merely works out that the user
should be locked out when a login attempt happens. Much safer that way,
as there's no "user locked out" flag that could somehow not be set when
it should be. It's all dependent on what it finds in the login log
table instead.<br>
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<div> </div>
<div>3) the bin/README does not list the unlockuser utility. </div>
</blockquote>
Good point. Will fix that.<br>
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<div> </div>
<div>4) food for thought: perhaps rather than create separate
utilities (adduser, deleteuser, listusers, setpassword, combine them
into one utility</div>
<div> </div>
<div>ie user.php</div>
<div> </div>
<div>user.php add john password <a moz-do-not-send="true"
href="mailto:email@address.com">email@address.com</a> 'john doe'
'organization'</div>
<div>user.php delete john</div>
<div>user.php unlock john</div>
<div>
<div>user.php unlock all</div>
</div>
<div>user.php listusers</div>
<div>user.php setpasswd john new_password</div>
</blockquote>
Possible, but it doesn't make a whole load of difference.<br>
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<div> </div>
<div> </div>
<div>5) perhaps allow the admin to unlock a user via the webpage
rather than have to do it at the command line?</div>
</blockquote>
Yes, good idea. Will try to work on that.<br>
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<div> </div>
<div>6) in the preferences.php add the following to enable LDAP</div>
<div> </div>
<div>example 1: Search LDAP using only One LDAPServer and from the
top of the 'O".</div>
<div>
<div> //<br>
// Settings for the LDAP authenticator.<br>
//<br>
// "authLDAPServers" Array of hostnames to try binding to<br>
// "authLDAPBaseDN" Base distinguished name for search/bind<br>
// "authLDAPAdmins" Cheap way to grant admin privs to users; an<br>
// array of uname's<br>
// "authLDAPUseSSL" connect using SSL/TLS. [ true|false ]</div>
<div> </div>
<div> 'authenticator' => 'LDAP',<br>
'authLDAPServers' => array('192.168.1.1'),<br>
'authLDAPBaseDN' => 'o=level1',<br>
'authLDAPAdmins' => array('admin1','admin2','admin3'),<br>
'authLDAPUseSSL' => false,<br>
</div>
<div>Example 2: Search LDAP using two LDAPServers and using and OU=.</div>
</div>
<div> //<br>
// Settings for the LDAP authenticator.<br>
//<br>
// "authLDAPServers" Array of hostnames to try binding to<br>
// "authLDAPBaseDN" Base distinguished name for search/bind<br>
// "authLDAPAdmins" Cheap way to grant admin privs to users; an<br>
// array of uname's<br>
// "authLDAPUseSSL" connect using SSL/TLS. [ true|false ]</div>
<div> </div>
<div> 'authenticator' => 'LDAP',<br>
'authLDAPServers' => array('192.168.1.1','192.168.1.2'),<br>
'authLDAPBaseDN' => 'ou=level1,o=level2',</div>
<div> 'authLDAPAdmins' =>
array('admin1','admin2','admin3'),<br>
'authLDAPUseSSL' => false,<br>
</div>
</blockquote>
Thanks for that.<br>
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<div>Note: authLDAPUseSSL = false works. I could not get it to work
with a 'true' setting, but that may only be a fault on my systems.</div>
</blockquote>
That's purely down to the configuration of your systems.<br>
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<div>Note: On authLDAPServers, I tested with both one and two
configured servers, both work, even if the first one listed does not
respond to the bind.</div>
<div>FYI: If the authLDAPServers is set high in the tree ( ie:
o=top), then ldap does search down to lower levels looking for
matches. Some organizations may want to exclude some lower ou's. I
did not test if the BaseDN could contain multiple search ou's.</div>
</blockquote>
Again that depends on the permissions of the username you give it to
search with. Only LDAP trees that user has permission to access would
be searched. It's all down to your LDAP server configuration.<br>
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<div> </div>
<div>Perhaps something the emailDomainRegexp would work to include
only specific ou's below the o? (I've not looked at it myself).</div>
<div> </div>
<div>7) In the comments of the NSSLDAPAuthenticator.php please
add comments to make it look more like the comments section in the
NSSADAuthenticator.php file. Sample below:</div>
<div> </div>
<div>Example for preferences.php:</div>
<div> </div>
<div> 'authenticator' => 'LDAP',<br>
'authLDAPServers' => array('192.168.1.1','192.168.1.2'),<br>
'authLDAPBaseDN' => 'ou=users,o=domain',</div>
<div> // or 'authLDAPBaseDN' => 'o=domain',<br>
'authLDAPUseSSL' => false,</div>
</blockquote>
Yes, I've already added something very like that.<br>
<blockquote cite="mid:4C583D4C020000680005B321@smtp.aafp.org"
type="cite">
<div><br>
8) THANK YOU JULIAN!</div>
</blockquote>
No worries :-)<br>
Always good to make the software better for everyone.<br>
<br>
Many thanks for all your comments and suggestions.<br>
<br>
Jules<br>
<pre class="moz-signature" cols="72">
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.ZendTo.com">www.ZendTo.com</a>
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
</pre>
</body>
</html>