<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
On 17/03/2011 22:38, Craig Chambers wrote:
<blockquote cite="mid:C9A7C9CB.1103A%25craig@craigchambers.net"
type="cite">
<div>Hi Jules,</div>
<div><br>
</div>
<div>Unfortunately, that didn't seem to work. Still getting
"Authentication Error: The username or password was incorrect."
I am wondering if it is something more fundamental that is the
problem. It appears that via SSL TLS does not work because my AD
server's certificate isn't trusted even though I tried to add it
to the trusted list. But I am not sure if that matters since I
have SSL set to false. When set to false does it use Kerberos
for authentication or does it just send authentication
credentials in the clear?</div>
</blockquote>
If SSL is set to false it works exactly as it would normally, it
just sends everything in the clear.<br>
If your AD doesn't have a proper certificate, then you will have all
sorts of nasty problems making things work. You really need a proper
SSL certificate.<br>
<blockquote cite="mid:C9A7C9CB.1103A%25craig@craigchambers.net"
type="cite">
<div><br>
</div>
<div>I also tried setting up users manually using the user
management php scripts but when I try and run:</div>
<blockquote style="margin: 0pt 0pt 0pt 40px; border: medium none;
padding: 0px;">
<div>~$ sudo /opt/zendto/bin/listusers.php
/opt/zendto/config/preferences.php</div>
</blockquote>
<div><br>
</div>
<div>I get the following message:</div>
<blockquote style="margin: 0pt 0pt 0pt 40px; border: medium none;
padding: 0px;">
<div>PHP Notice: Undefined index: HTTPS in
/opt/zendto/lib/NSSDropbox.php on line 40</div>
<div>PHP Notice: Undefined index: SERVER_NAME in
/opt/zendto/lib/NSSDropbox.php on line 40</div>
<div>PHP Notice: Undefined index: REQUEST_URI in
/opt/zendto/lib/NSSDropbox.php on line 40</div>
</blockquote>
</blockquote>
They are just "Notices" as it says, and they have no effect on the
execution of the code. You need to set the "error_reporting" option
correctly in your php.ini to stop these appearing.<br>
<br>
<blockquote cite="mid:C9A7C9CB.1103A%25craig@craigchambers.net"
type="cite">
<div> </div>
<div>At this point I have spent about a solid week trying to
figure this out and am about to throw in the towel, as this is
obviously above my (admittedly limited) abilities. I would like to
have this running for our office, however, so if anyone has any
other ideas or can help further, I am all ears. In
fact at this point, depending on the cost, I would be willing to
pay someone to help me set this up. I can even set up a new VM
with ssh and/or VNC credentials so that we are sure my mucking
about hasn't created more problems than were there originally. <br>
</div>
</blockquote>
I will happily help you out. Without using SSL for your AD, the
credentials will still be encrypted from the end user to the ZendTo
server, they will just be plaintext from the ZendTo server to the AD
server. That may or may not be a problem for you. Clearly you have
something amiss with your AD's SSL certificate, so I would advise
trying to get it working without SSL first, to prove that everything
else is right.<br>
<br>
Also, I don't like the "LDAP@yourdomain.local" as the username,
surely just "ldap" should work okay as the user.<br>
<br>
Jules.<br>
<br>
<blockquote cite="mid:C9A7C9CB.1103A%25craig@craigchambers.net"
type="cite">
<div><br>
</div>
<div>Let me know,</div>
<div><br>
</div>
<div>- Craig</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family: Calibri; font-size: 11pt; text-align:
left; color: black; border-width: 1pt medium medium;
border-style: solid none none; border-color: rgb(181, 196,
223) -moz-use-text-color -moz-use-text-color; padding: 3pt 0in
0in;"><span style="font-weight: bold;">From: </span> Jules
<<a moz-do-not-send="true" href="mailto:Jules@zend.to">Jules@zend.to</a>><br>
<span style="font-weight: bold;">Organization: </span> ZendTo<br>
<span style="font-weight: bold;">Reply-To: </span> ZendTo
Users <<a moz-do-not-send="true"
href="mailto:zendto@zend.to">zendto@zend.to</a>><br>
<span style="font-weight: bold;">Date: </span> Wed, 09 Mar
2011 13:25:49 +0000<br>
<span style="font-weight: bold;">To: </span> ZendTo Users
<<a moz-do-not-send="true" href="mailto:zendto@zend.to">zendto@zend.to</a>><br>
<span style="font-weight: bold;">Subject: </span> [ZendTo]
Re: AD/LDAP Authentication Help<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#ffffff" text="#000000"> <br>
<br>
On 08/03/2011 23:34, Craig Chambers wrote:
<blockquote
cite="mid:C99BFD05.10B6C%25craig@craigchambers.net"
type="cite">
<div>
<div>Hello,</div>
<div><br>
</div>
<div>I am having issues getting LDAP/AD authentication
to work. I have read the archives and they all mention
using ldapsearch to test your settings but I am not
sure exactly how the ldapsearch strings match the
fields in the preferences.php file.</div>
<div><br>
</div>
<div>If I run the following ldapsearch, which seems to
be the shortest string that will return the expected
results, (items in brackets are of course substituted
with valid information) :</div>
<div><br>
</div>
<div>
<blockquote style="margin: 0px 0px 0px 40px;
border-style: none; padding: 0px;">
<div><i>~$ ldapsearch -w &lt;mypassword&gt; -D
LDAP@&lt;domain&gt;.local -H ldap://&lt;server
ip&gt; -b
"ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=&lt;domain&gt;,dc=local"
sAMAccountName</i></div>
</blockquote>
<div><br>
</div>
<div> I get a list of the users in the AllowedUsers OU
so it looks like I can query the LDAP server.
However when I try and translate this to the
preferences.php file I get:</div>
<div><br>
</div>
<blockquote style="margin: 0px 0px 0px 40px;
border-style: none; padding: 0px;">
<div><i>LDAP
Error: Unable to connect to any of the LDAP
servers; could not authenticate user.</i></div>
<div><i>Authentication Error: The username or
password was incorrect.</i></div>
</blockquote>
</div>
</div>
</blockquote>
The "-D" you are passing in with the "-w" doesn't
authenticate correctly. Why do you need to specify the
@&lt;domain&gt;.local? Surely just "LDAP" should work, as the
rest should be taken by default.<br>
<blockquote
cite="mid:C99BFD05.10B6C%25craig@craigchambers.net"
type="cite">
<div>
<blockquote style="margin: 0px 0px 0px 40px;
border-style: none; padding: 0px;">
<div><br>
</div>
</blockquote>
<div>I currently have both LDAP and AD active in the
preference.php file to see if I could get either to
work which is why I assume I am getting two error
messages. <br>
</div>
</div>
</blockquote>
That will definitely break it. You must only have 1
"authenticator = ....." line uncommented, otherwise the
first one will probably get overridden by the later ones.<br>
<br>
Leave all the settings in the LDAP section commented out,
for starters.<br>
<br>
Try this set for the AD ones:<br>
<br>
<pre>
'authenticator' => 'AD',
'authLDAPBaseDN1' => 'ou=AllowedUsers,ou=Users,ou=MyBusiness,dc=&lt;domain&gt;,dc=local',
'authLDAPServers1' => array('&lt;server ip&gt;'),
'authLDAPAccountSuffix1' => '',
'authLDAPUseSSL1' => false,
'authLDAPBindUser1' => 'LDAP@&lt;domain&gt;.local',
'authLDAPBindPass1' => '&lt;mypassword&gt;',
'authLDAPOrganization1' => '&lt;your organisation name&gt;',
'authLDAPBaseDN2' => '',
'authLDAPServers2' => array(),
'authLDAPAccountSuffix2' => '',
'authLDAPUseSSL2' => false,
'authLDAPBindUser2' => '',
'authLDAPBindPass2' => '',
'authLDAPOrganization2' => '',
</pre>
<br>
If you want to restrict it to certain "allowed users", then
instead of putting it in the authLDAPBaseDN1, use the
settings immediately below it like this:<br>
<br>
<pre>
// If both of these are set, then only users who are members of the given
// role/group can log in to ZendTo.
'authLDAPMemberKey' => 'memberOf',
'authLDAPMemberRole' => 'cn=AllowedUsers,OU=Users,OU=MyBusiness,dc=&lt;domain&gt;,dc=local',
</pre>
<br>
and hence just add your users to the group "Allowed Users"
within the OU=Users subtree. So let any user authenticate,
just only allow the users in that you want. They should get
a more sensible error message then too.<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</pre>
</div>
</div>
_______________________________________________
ZendTo mailing list
<a moz-do-not-send="true" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a moz-do-not-send="true"
href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></span>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</pre>
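As an added example (not ZendTo's own code, and not from anyone in this thread): the Python below lints a preferences.php excerpt for the two problems raised above, more than one 'authenticator' line left uncommented and authLDAPUseSSL1 left false, and then applies the memberOf group gate Jules describes, normalising DNs so that the 'OU=Users' spelling in the role and the 'ou=Users' spelling in the base DN compare equal. The PHP excerpt, the directory entries and the dc=example,dc=local domain are constructed for illustration.<br>

```python
# Added example, not ZendTo code: lint the AD settings from the thread and
# apply the memberOf group gate. PHP excerpt and entries are constructed.
import re
# Constructed preferences.php excerpt reproducing the thread's mistake:
# both an LDAP and an AD 'authenticator' line left uncommented.
PREFS_PHP = """
// 'authenticator' => 'Local',
'authenticator' => 'LDAP',
'authenticator' => 'AD',
'authLDAPUseSSL1' => false,
'authLDAPMemberKey' => 'memberOf',
'authLDAPMemberRole' => 'cn=AllowedUsers,OU=Users,OU=MyBusiness,dc=example,dc=local',
"""

def parse_prefs(php):
    """Minimal reader for "'key' => value," lines ('//' lines are comments);
    returns {key: [values]} so duplicate keys remain visible."""
    out = {}
    for m in re.finditer(r"^\s*'(\w+)'\s*=>\s*(.+?),?\s*$", php, re.M):
        out.setdefault(m.group(1), []).append(m.group(2).strip("'"))
    return out

def lint_prefs(prefs):
    """Findings a deployer should act on before going live."""
    findings = []
    if len(prefs.get("authenticator", [])) != 1:  # later lines override earlier
        findings.append("exactly one 'authenticator' line must be uncommented")
    if prefs.get("authLDAPUseSSL1", ["false"])[0] == "false":
        findings.append("authLDAPUseSSL1 false: bind credentials go to AD in the clear")
    if not (prefs.get("authLDAPMemberKey") and prefs.get("authLDAPMemberRole")):
        findings.append("no group restriction: any authenticated user may log in")
    return findings

def normalize_dn(dn):
    """Canonical DN: attribute types and AD's cn/ou/dc values compare
    case-insensitively and spacing around ',' / '=' is not significant.
    Escaped commas (\\,) inside a value are preserved, not split on."""
    parts = [re.sub(r"\s*=\s*", "=", r.strip()).lower()
             for r in dn.replace("\\,", "\0").split(",")]
    return ",".join(parts).replace("\0", "\\,")

def user_allowed(entry, prefs):
    """The thread's group gate: the configured role DN must appear in memberOf."""
    key = prefs.get("authLDAPMemberKey", [None])[0]
    role = prefs.get("authLDAPMemberRole", [None])[0]
    if not key or not role:
        return True  # nothing configured: every authenticated user is allowed
    return any(normalize_dn(v) == normalize_dn(role) for v in entry.get(key, []))

# Constructed directory entries (not real data).
ALICE = {"memberOf": ["CN=AllowedUsers, OU=Users, OU=MyBusiness, DC=example, DC=local"]}
BOB = {"memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=local"]}
```

Run lint_prefs(parse_prefs(PREFS_PHP)) on your own file's content to see the two findings, then user_allowed(entry, prefs) against an entry pulled with ldapsearch to confirm the gate admits only members of the configured group.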
</body>
</html>