<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div>Hi Jules,</div><div><br></div><div>Unfortunately, that didn't seem to work. I am still getting "Authentication Error: The username or password was incorrect." I am wondering if the problem is something more fundamental. It appears that SSL/TLS does not work because my AD server's certificate isn't trusted, even though I tried to add it to the trusted list. But I am not sure if that matters, since I have SSL set to false. When it is set to false, does it use Kerberos for authentication, or does it just send the authentication credentials in the clear?</div><div><br></div><div>I also tried setting up users manually using the user management PHP scripts, but when I try to run:</div><blockquote style="margin:0 0 0 40px; border:none; padding:0px;"><div>~$ sudo /opt/zendto/bin/listusers.php /opt/zendto/config/preferences.php</div></blockquote><div><br></div><div>I get the following message:</div><blockquote style="margin:0 0 0 40px; border:none; padding:0px;"><div>PHP Notice: Undefined index: HTTPS in /opt/zendto/lib/NSSDropbox.php on line 40</div><div>PHP Notice: Undefined index: SERVER_NAME in /opt/zendto/lib/NSSDropbox.php on line 40</div><div>PHP Notice: Undefined index: REQUEST_URI in /opt/zendto/lib/NSSDropbox.php on line 40</div></blockquote><div> </div><div>At this point I have spent about a solid week trying to figure this out and am about to throw in the towel, as this is obviously above my (admittedly limited) abilities. I would like to have this running for our office, however, so I am willing to keep trying; if anyone has any other ideas or can help further, I am all ears. In fact, at this point, depending on the cost, I would be willing to pay someone to help me set this up.
I can even set up a new VM with SSH and/or VNC credentials so that we are sure my mucking about hasn't created more problems than were there originally. </div><div><br></div><div>Let me know,</div><div><br></div><div>- Craig</div><div><br></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Jules <<a href="mailto:Jules@zend.to">Jules@zend.to</a>><br><span style="font-weight:bold">Organization: </span> ZendTo<br><span style="font-weight:bold">Reply-To: </span> ZendTo Users <<a href="mailto:zendto@zend.to">zendto@zend.to</a>><br><span style="font-weight:bold">Date: </span> Wed, 09 Mar 2011 13:25:49 +0000<br><span style="font-weight:bold">To: </span> ZendTo Users <<a href="mailto:zendto@zend.to">zendto@zend.to</a>><br><span style="font-weight:bold">Subject: </span> [ZendTo] Re: AD/LDAP Authentication Help<br></div><div><br></div><div>
<div bgcolor="#ffffff" text="#000000">
<br>
<br>
On 08/03/2011 23:34, Craig Chambers wrote:
<blockquote cite="mid:C99BFD05.10B6C%25craig@craigchambers.net" type="cite">
<div>
<div>Hello,</div>
<div><br>
</div>
<div>I am having issues getting LDAP/AD authentication to work.
I have read the archives and they all mention using ldapsearch
to test your settings but I am not sure exactly how the
ldapsearch strings match the fields in the preferences.php
file.</div>
<div><br>
</div>
<div>If I run the following ldapsearch, which seems to be the
shortest string that will return the expected results, (items
in brackets are of course substituted with valid information)
:</div>
<div><br>
</div>
<div>
<blockquote style="margin: 0px 0px 0px 40px; border-style:
none; padding: 0px;">
<div><i>~$ ldapsearch -w <mypassword> -D
LDAP@<domain>.local -H <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><server ip> -b
"ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=<domain>,dc=local"
sAMAccountName</i></div>
</blockquote>
<div><br>
</div>
<div> I get a list of the users in the AllowedUsers OU so it looks like I can query the LDAP server. However when I try
and translate this to the preferences.php file I get:</div>
<div><br>
</div>
<blockquote style="margin: 0px 0px 0px 40px; border-style:
none; padding: 0px;">
<div><span class="Apple-tab-span" style="white-space: pre;"></span><i>LDAP
Error: Unable to connect to any of the LDAP servers;
could not authenticate user.</i></div>
<div><i>Authentication Error: The username or password was incorrect.</i></div>
</blockquote>
</div>
</div>
</blockquote>
The "-D" you are passing in with the "-w" doesn't authenticate
correctly. Why do you need to specify the @<domain>.local? Surely
just "LDAP" should work, as the rest should be taken by
default.<br>
<blockquote cite="mid:C99BFD05.10B6C%25craig@craigchambers.net" type="cite">
<div>
<blockquote style="margin: 0px 0px 0px 40px; border-style: none;
padding: 0px;">
<div><br>
</div>
</blockquote>
<div>I currently have both LDAP and AD active in the
preference.php file to see if I could get either to work which
is why I assume I am getting two error messages. <br>
</div>
</div>
</blockquote>
That will definitely break it. You must only have one "authenticator =
....." line uncommented; otherwise the first one will probably get
overridden by the later ones.<br>
<br>
Leave all the settings in the LDAP section commented out, for
starters.<br>
<br>
Try this set for the AD ones:<br>
<br>
'authenticator' => 'AD',<br>
'authLDAPBaseDN1' =>
'ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=<domain>,dc=local',<br>
'authLDAPServers1' => array('<server ip>'),<br>
'authLDAPAccountSuffix1' => '',<br>
'authLDAPUseSSL1' => false,<br>
'authLDAPBindUser1' => 'LDAP@<domain>.local',<br>
'authLDAPBindPass1' => '<mypassword>',<br>
'authLDAPOrganization1' => '<your organisation name>',<br>
'authLDAPBaseDN2' => '',<br>
'authLDAPServers2' => array(),<br>
'authLDAPAccountSuffix2' => '',<br>
'authLDAPUseSSL2' => false,<br>
'authLDAPBindUser2' => '',<br>
'authLDAPBindPass2' => '',<br>
'authLDAPOrganization2' => '',<br>
<br>
If you want to restrict it to certain "allowed users", then instead
of putting it in the authLDAPBaseDN1, use the settings immediately
below it like this:<br>
<br>
// If both of these are set, then only users who are members of
the given<br>
// role/group can log in to ZendTo.<br>
'authLDAPMemberKey' => 'memberOf',<br>
'authLDAPMemberRole' =>
'cn=AllowedUsers,OU=Users,OU=MyBusiness,dc=<domain>,dc=local',<br>
<br>
and hence just add your users to the group "Allowed Users" within
the OU=Users subtree. So let any user authenticate, just only allow
the users in that you want. They should get a more sensible error
message then too.<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</pre>
</div></div>
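<div>As an added illustration (not ZendTo's own code, and not from either poster): the script below maps the ldapsearch flags from the original question onto the slot-1 'AD' keys in preferences.php as Jules lists them, mirrors the authLDAPMemberKey/authLDAPMemberRole group test, and flags the transport caveat behind the authLDAPUseSSL1 question. It assumes ZendTo authenticates with a simple LDAP bind using the configured bind user; the server address, domain, DNs and password are constructed sample values.</div>

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample: the ldapsearch from the original question with the
# placeholders filled in (server, domain and password are all made up).
SAMPLE_CMD = ('ldapsearch -w S3cret -D LDAP@example.local -H ldap://10.0.0.5 '
              '-b "ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=example,dc=local" sAMAccountName')

def ldapsearch_to_prefs(cmd):
    """Map ldapsearch flags onto the slot-1 'AD' authenticator keys of preferences.php."""
    args = shlex.split(cmd)
    opts, i = {}, 1
    while i < len(args):
        if args[i] in ('-w', '-D', '-H', '-b'):   # the only flags preferences.php needs
            opts[args[i]] = args[i + 1]
            i += 2
        else:                                     # attribute list etc. are irrelevant here
            i += 1
    missing = [f for f in ('-w', '-D', '-H', '-b') if f not in opts]
    if missing:
        raise ValueError('ldapsearch command lacks %s' % ', '.join(missing))
    url = urlsplit(opts['-H'])
    if url.scheme not in ('ldap', 'ldaps'):
        raise ValueError('unsupported LDAP URI scheme: %r' % url.scheme)
    return {
        'authenticator': 'AD',
        'authLDAPBaseDN1': opts['-b'],           # -b -> search base
        'authLDAPServers1': [url.hostname],      # -H -> host; the scheme decides SSL
        'authLDAPAccountSuffix1': '',
        'authLDAPUseSSL1': url.scheme == 'ldaps',
        'authLDAPBindUser1': opts['-D'],         # -D -> bind user
        'authLDAPBindPass1': opts['-w'],         # -w -> bind password
    }

def transport_warnings(prefs):
    """authLDAPUseSSL1 false means plain ldap://. Assumption: ZendTo uses a simple
    bind, so the bind password and every user's login password then cross the
    network unencrypted; only ldaps:// (UseSSL true) protects them."""
    if prefs['authLDAPUseSSL1']:
        return []
    return ['authLDAPUseSSL1 is false: simple-bind passwords are sent in clear']

def is_allowed(member_of, required_role):
    """The authLDAPMemberKey/authLDAPMemberRole test: is required_role among the
    user's memberOf values? DN comparison ignores case and spacing around commas."""
    norm = lambda dn: ','.join(p.strip().lower() for p in dn.split(','))
    return any(norm(g) == norm(required_role) for g in member_of)
```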
_______________________________________________
ZendTo mailing list
<a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></span></body></html>