<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
And this Google search "+php +ldaps bind microsoft +sbs" seems to
have produced quite a few useful documents that I would recommend
reading.<br>
<br>
Don't forget you can use a web browser as a connection tester, you
just have to ask it to connect to the LDAPS port number instead of
its default (80) and if you get a page not found or similar then the
SSL negotiation worked. Sometimes useful.<br>
<br>
On 28/03/2011 23:17, Craig Chambers wrote:
<blockquote cite="mid:C9A93035.1112D%25craig@craigchambers.net"
type="cite">
<div>First let me apologize for the length of this email. When I
get into situations like this I find it is best to be as
detailed as possible as it is usually some assumption or unsaid
detail that turns out to be the solution. </div>
<div><br>
</div>
<div>Second, I think I am having other, more fundamental issues
than just certificate/AD authentication errors since I can't
seem to add new users using the included scripts. <span
class="Apple-style-span" style="white-space: pre;">Here is the
message I get when I try to add a user with the adduser.php
script:</span></div>
<div>
<div><span class="Apple-style-span" style="white-space: pre;"><br>
</span></div>
<blockquote style="margin: 0px 0px 0px 40px; border-style: none;
padding: 0px;">
<div><span class="Apple-style-span" style="white-space: pre;">~$
sudo /opt/zendto/bin/adduser.php
/opt/zendto/bin/preferences.php 'MyAdmin'
'<password>' '<email address>' 'Administrator'
'<organization>'<br>
<br>
PHP Warning: include(/opt/zendto/bin/preferences.php):
failed to open stream: No such file or directory in
/opt/zendto/bin/adduser.php on line 28<br>
PHP Warning: include(): Failed opening
'/opt/zendto/bin/preferences.php' for inclusion
(include_path='.:/usr/share/php:/usr/share/pear') in
/opt/zendto/bin/adduser.php on line 28<br>
PHP Notice: Use of undefined constant NSSDROPBOX_LIB_DIR -
assumed 'NSSDROPBOX_LIB_DIR' in
/opt/zendto/bin/adduser.php on line 29<br>
PHP Warning:
require_once(NSSDROPBOX_LIB_DIRSmartyconf.php): failed to
open stream: No such file or directory in
/opt/zendto/bin/adduser.php on line 29<br>
PHP Fatal error: require_once(): Failed opening required
'NSSDROPBOX_LIB_DIRSmartyconf.php'
(include_path='.:/usr/share/php:/usr/share/pear') in
/opt/zendto/bin/adduser.php on line 29</span></div>
<div><span class="Apple-style-span" style="white-space: pre;"><br>
</span></div>
<div><span class="Apple-style-span" style="white-space: pre;"></span></div>
</blockquote>
<div><span class="Apple-style-span" style="white-space: pre;">Is
this permissions related? I assume I need to use sudo
because I get the usage message when trying to add users
without and lots of permission errors when using the
listusers script.</span></div>
</div>
<div><br>
</div>
<div>Finally let me address the certificate issue.</div>
<blockquote style="margin: 0pt 0pt 0pt 40px; border: medium none;
padding: 0px;">
<div><i>"If your AD doesn't have a proper certificate, then you
will have all sorts of nasty problems making things work.
You really need a proper SSL certificate."</i></div>
<div><br>
</div>
</blockquote>
<div>Let me start of by saying that the LDAP server I am
authenticating to is SBS 2008. As with most SBS boxes, this
server has an internal name of server.domain.local but also can
be reached externally from remote.externaldomain.com. For those
reading this who may not know, SBS creates several certificates
when it is set up. First it creates a self signed root
certificate for all other certificates issued by that server.
The certificate name is DOMAIN-SERVER-CA. It also creates
an Alternative Name Certificate (sometimes called SAN or
UC) certificate whose trusted root is DOMAIN-SERVER-CA. with a
cn=remote.externaldomain.com but that includes
server.doamin.local as an alternative name. This is the
certificate that the domain uses for LDAP and AD encryption and
authentication. </div>
<div><br>
</div>
<div>To create a publicly trusted certificate you can run a wizard
(which when talking to MS SBS support, highly recommends using)
which will allow you to create a certificate that is signed by a
trusted third party (verisign, equifax, etc). The only issue
with this public certificate is that it is a simple SSL web
certificate made to validate remote.externaldomain.com and is
NOT an Alternate Name Certificate. MS support has confirmed that
this certificate is only used for email and Remote Web Workplace
access. It is not and cannot be used for LDAP authentication. MS
Active Directory support has told me that the certificate used
for LDAP validation MUST include the server name (I.e.
SERVER.domain.local and NOT remote.externaldomain.com) This
leaves an SBS server with three supported certificate options: </div>
<ol>
<li>Use the DOAMIN-SERVER-CA self-signed cert for authentication
and put a copy of its public key in the Ubuntu servers list of
trusted certificates (can't get that to work)</li>
<li>Obtain an Alternative Name Certificate (expensive relative
to the simple web certificate. Possible to do would prefer a
cheaper alternative)</li>
<li>Use the self-signed remote.domain.com certificate and have
the zendto server ignore trust errors, which would allow
encryption but in theory would expose you to a man in the
middle attack. (Not sure if this is possible)</li>
</ol>
<div><br>
</div>
<div>The first and third options are the least expensive except
and therefore preferable. I have tried installing the
certificate on the Ubuntu server in several places but the
SERVER-DOMAIN-CA certificate is still read as untrusted by
gnutls-cli. I am not sure if this is a gnutls error or a
certificate problem. Maybe it doesn't matter since the handshake
is occurring internally and if encryption is occurring anyway
(not sure if it is or not). For now, a man-in –the-middle attack
on my internal network isn't a big concern.</div>
<div><br>
</div>
<div>After playing around with the ldp.exe utility and ldapsearch
here is a list of what works and doesn't. I am including the
ldp.exe list because that at least lets us know what is working
from a windows perspective.</div>
<div><br>
</div>
<div>===LDP.EXE===</div>
<div>Connecting to the server <server.domain.local> <b>with</b>
SSL (port 636) = works (SSL over 389 does not work but that
isn't surprising)</div>
<div>Supported SASL Mechanisms are listed as: GSSAPI; GSS-SPNEGO;
EXTERNAL; DIGEST-MD5; <span class="Apple-tab-span"
style="white-space: pre;"> </span></div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space: pre;"></span><b><span
class="Apple-tab-span" style="white-space: pre;"> </span>Start
TLS</b> = failed (I assume this is because am already
connected to the server via SSL)</div>
<div><br>
</div>
<blockquote style="margin: 0pt 0pt 0pt 40px; border: medium none;
padding: 0px;">
<div><b>Bind Simple</b> with DOMAIN\LDAP or <a
moz-do-not-send="true" href="mailto:LDAP@domain.local">LDAP@domain.local</a>
and < LDAP password> = Authenticated as DOMAIN\LDAP</div>
<div><b><br>
</b></div>
<div><b>Bind Simple</b> using only LDAP and <password> (no
domain) = Failed, Invalid Credentials</div>
<div><b><br>
</b></div>
<div><b>Bind Simple with no credentials</b> = Authenticated as
NT Authority\Anonymous Login</div>
<div><br>
</div>
<div><b>Bind with credentials</b> USER:LDAP <span
class="Apple-tab-span" style="white-space: pre;"> </span>PASSWORD:<password>
DOMAIN:domain = Authenticated as DOMAIN\LDAP</div>
<div><span class="Apple-tab-span" style="white-space: pre;"> </span></div>
<div><span class="Apple-tab-span" style="white-space: pre;"><b>B</b></span><b>ind
Advanced (DIGEST)</b> with USER:LDAP <span
class="Apple-tab-span" style="white-space: pre;"> </span>PASSWORD:<password>
DOMAIN:domain = Failed Server error: 8009030C: LdapErr:
DSID-0C0904D1, comment: AcceptSecurityContext error, data 52e,
v1772<span class="Apple-tab-span" style="white-space: pre;"> </span>Error
0x8009030C The logon attempt failed</div>
<div><span class="Apple-tab-span" style="white-space: pre;"><b><br>
</b></span></div>
<div><span class="Apple-tab-span" style="white-space: pre;"><b>B</b></span><b>ind
Advanced (SASL) </b>= Failed. Error <7>:
ldap_bind_s() failed: Authentication Method Not Supported.</div>
<div><br>
</div>
</blockquote>
<div>Connecting to the server <server.domain.local> <b>without</b>
SSL (port 389) = works same result as above</div>
<div><br>
</div>
<div><b><span class="Apple-tab-span" style="white-space: pre;"> </span>Start
TLS</b> = works<span class="Apple-tab-span"
style="white-space: pre;"> ldap_start_tls_s(ld, &retValue,
result, SvrCtrls, ClntCtrls) result <0></span></div>
<div><span class="Apple-style-span" style="white-space: pre;"><span
class="Apple-tab-span" style="white-space: pre;"> </span>All
the bind results are the same</span></div>
<div><span class="Apple-style-span" style="white-space: pre;"><br>
</span></div>
<div><span class="Apple-style-span" style="white-space: pre;"><span
class="Apple-style-span" style="white-space: normal;">===<span
class="Apple-style-span" style="white-space: pre;">GNUTLS</span>===</span></span></div>
<div><span class="Apple-style-span" style="white-space: pre;">Running
"gnutls-cli --print-cert -p 636 server.domain.local" from the
Ubuntu box I get:</span></div>
<div><span class="Apple-style-span" style="white-space: pre;"><br>
</span></div>
<blockquote style="margin: 0pt 0pt 0pt 40px; border: medium none;
padding: 0px;">
<div>
<div>- Successfully sent 0 certificate(s) to server.</div>
<div>- Server has requested a certificate.</div>
<div>- Certificate type: X.509</div>
<div> - Got a certificate list of 1 certificates.</div>
<div> - Certificate[0] info:</div>
<div> - subject `CN=remote.externaldomain.com', issuer
`CN=domain-SERVER-CA', RSA key 2048 bits, signed using
RSA-SHA</div>
<div><br>
</div>
<div>-----BEGIN CERTIFICATE-----</div>
<div><Certificate key></div>
<div>-----END CERTIFICATE-----</div>
<div><br>
</div>
<div>- The hostname in the certificate matches
'server.domain.local'.</div>
<div>- Peer's certificate issuer is unknown</div>
<div>- Peer's certificate is NOT trusted</div>
<div>- Version: TLS1.0</div>
<div>- Key Exchange: RSA</div>
<div>- Cipher: AES-128-CBC</div>
<div>- MAC: SHA1</div>
<div>- Compression: NULL</div>
<div>- Handshake was completed</div>
<div><br>
</div>
<div>- Simple Client Mode:</div>
</div>
<div><br>
</div>
</blockquote>
<div>===LDAPSEARCH===</div>
<div>And finally some different ldapsearch results:</div>
<div><br>
</div>
<blockquote style="margin: 0pt 0pt 0pt 40px; border: medium none;
padding: 0px;">
<div>
<div>~$ ldapsearch -D LDAP -H <a class="moz-txt-link-freetext" href="ldaps://server.domain.local">ldaps://server.domain.local</a> -b
"ou=Users,,dc=doamin,dc=local" sAMAccountName</div>
<div>ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)</div>
</div>
<div><br>
</div>
<div>ldapsearch -w <password> -D <a class="moz-txt-link-abbreviated" href="mailto:LDAP@domain.local">LDAP@domain.local</a> -H
<a class="moz-txt-link-freetext" href="ldap://server.domain.local">ldap://server.domain.local</a> -b "ou=Users,dc=domain,dc=local"
sAMAccountName</div>
<div>WORKS! Lists users.</div>
<div><br>
</div>
<div>
<div>~$ ldapsearch -w
X0YnUm7NVHjdGJK0ncSOkAlmmyPHYN15X6oPWOtrvhu1aGEMCm -D
LDAPQuery -H <a class="moz-txt-link-freetext" href="ldap://thor.henryv.local">ldap://thor.henryv.local</a> -b
"ou=SBSUsers,ou=Users,ou=MyBusiness,dc=henryv,dc=local"
sAMAccountName</div>
<div>ldap_bind: Invalid credentials (49)</div>
<div><span class="Apple-tab-span" style="white-space: pre;"> </span>additional
info: 80090308: LdapErr: DSID-0C0903AA, comment:
AcceptSecurityContext error, data 525, v1772</div>
</div>
<div>(I assume this is related to the ldp.exe error using simple
bind with no @domain.local)</div>
</blockquote>
<div><br>
</div>
<div>If you want ssh or vnc access to the server please contact me
outside the mailing list for login credentials.</div>
<span id="OLK_SRC_BODY_SECTION"></span>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</pre>
</body>
</html>