<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    <br>
    <br>
    On 30/03/2011 02:12, Craig Chambers wrote:
    <blockquote cite="mid:C9B7C970.11F5D%25craig@craigchambers.net"
      type="cite">
      <div>Success! Two things (I think) fixed it.</div>
    </blockquote>
    Well done! I will add a page mentioning your ldap.conf tweak.<br>
    <blockquote cite="mid:C9B7C970.11F5D%25craig@craigchambers.net"
      type="cite"><br>
      <div>On that note, does the new APT repository configure PHP for
        files greater than 2GB automatically? I have some problems
        recompiling my PHP and didn't know if that would help?</div>
    </blockquote>
    The APT repo does not attempt to recompile PHP, no. For now I have
    just set the defaults to only allow 2GB uploads in preferences.php
    so it's not an issue when you're first installing it. If you want to
    crack the 2GB nut, you can come back later and fix it yourself.<br>
    <br>
    The snag is that the libphp5.so binary would need recompiling after
    every time it is patched by an Ubuntu/RedHat update, which is beyond
    my control to do automatically.<br>
    <br>
    Jules.<br>
    <br>
    P.S. If you are interested in beta-testing the new user interface,
    please let me know.<br>
    <blockquote cite="mid:C9B7C970.11F5D%25craig@craigchambers.net"
      type="cite">
      <div><br>
      </div>
      <div>Thanks again,</div>
      <div><br>
      </div>
      <div>- Craig&nbsp;</div>
      <div><br>
      </div>
      <span id="OLK_SRC_BODY_SECTION">
        <div style="font-family: Calibri; font-size: 11pt; text-align:
          left; color: black; border-width: 1pt medium medium;
          border-style: solid none none; border-color: rgb(181, 196,
          223) -moz-use-text-color -moz-use-text-color; padding: 3pt 0in
          0in;"><span style="font-weight: bold;">From: </span> Jules
          &lt;<a moz-do-not-send="true" href="mailto:Jules@zend.to">Jules@zend.to</a>&gt;<br>
          <span style="font-weight: bold;">Organization: </span> ZendTo<br>
          <span style="font-weight: bold;">Reply-To: </span> ZendTo
          Users &lt;<a moz-do-not-send="true"
            href="mailto:zendto@zend.to">zendto@zend.to</a>&gt;<br>
          <span style="font-weight: bold;">Date: </span> Tue, 29 Mar
          2011 09:14:25 +0100<br>
          <span style="font-weight: bold;">To: </span> ZendTo Users
          &lt;<a moz-do-not-send="true" href="mailto:zendto@zend.to">zendto@zend.to</a>&gt;<br>
          <span style="font-weight: bold;">Subject: </span> [ZendTo]
          Re: AD/LDAP Authentication Help<br>
        </div>
        <div><br>
        </div>
        <div>
          <div bgcolor="#ffffff" text="#000000"> 1 more thing. Have you
            got it working over LDAP (rather than LDAPS) first? If you
            let your SBS authenticate without SSL connections, then you
            can at least test that much first.<br>
            <br>
            Jules.<br>
            <br>
            On 28/03/2011 23:17, Craig Chambers wrote:
            <blockquote
              cite="mid:C9A93035.1112D%25craig@craigchambers.net"
              type="cite">
              <div>First let me apologize for the length of this email.
                When I get into situations like this I find it is best
                to be as detailed as possible as it is usually some
                assumption or unsaid detail that turns out to be the
                solution.&nbsp;</div>
              <div><br>
              </div>
              <div>Second, I think I am having other, more fundamental
                issues than just certificate/AD authentication errors
                since I can't seem to add new users using the included
                scripts.&nbsp;</div>
              <div>
                <div><span class="Apple-style-span" style="white-space:
                    pre;"><br>
                  </span><span class="Apple-style-span"
                    style="white-space: pre;"><br>
                  </span></div>
                <blockquote style="margin: 0px 0px 0px 40px;
                  border-style: none; padding: 0px;">
                  <pre>~$ sudo /opt/zendto/bin/adduser.php /opt/zendto/bin/preferences.php 'MyAdmin' '&lt;password&gt;' '&lt;email address&gt;' 'Administrator' '&lt;organization&gt;'

PHP Warning: include(/opt/zendto/bin/preferences.php): failed to open stream: No such file or directory in /opt/zendto/bin/adduser.php on line 28

PHP Warning: include(): Failed opening '/opt/zendto/bin/preferences.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /opt/zendto/bin/adduser.php on line 28

PHP Notice: Use of undefined constant NSSDROPBOX_LIB_DIR - assumed 'NSSDROPBOX_LIB_DIR' in /opt/zendto/bin/adduser.php on line 29

PHP Warning: require_once(NSSDROPBOX_LIB_DIRSmartyconf.php): failed to open stream: No such file or directory in /opt/zendto/bin/adduser.php on line 29

PHP Fatal error: require_once(): Failed opening required 'NSSDROPBOX_LIB_DIRSmartyconf.php' (include_path='.:/usr/share/php:/usr/share/pear') in /opt/zendto/bin/adduser.php on line 29
</pre>
                </blockquote>
                <div>Is this permissions related? I assume I need to use
                  sudo because I get the usage message when trying to add
                  users without and lots of permission errors when using
                  the listusers script.</div>
              </div>
              <div><br>
              </div>
              <div>Finally let me address the certificate issue.</div>
              <blockquote style="margin: 0pt 0pt 0pt 40px; border:
                medium none; padding: 0px;">
                <div><i>"If your AD doesn't have a proper certificate,
                    then you will have all sorts of nasty problems
                    making things work. You really need a proper SSL
                    certificate."</i></div>
                <div><br>
                </div>
              </blockquote>
              <div>Let me start off by saying that the LDAP server I am
                authenticating to is SBS 2008. As with most SBS boxes,
                this server has an internal name of server.domain.local
                but also can be reached externally from
                remote.externaldomain.com. For those reading this who
                may not know, SBS creates several certificates when it
                is set up. First it creates a self signed root
                certificate for all other certificates issued by that
                server. The certificate name is DOMAIN-SERVER-CA. It
                also creates an Alternative Name Certificate (sometimes
                called SAN or UC) certificate whose trusted root is
                DOMAIN-SERVER-CA, with a cn=remote.externaldomain.com
                but that includes server.domain.local as an alternative
                name. This is the certificate that the domain uses for
                LDAP and AD encryption and authentication.</div>
              <div><br>
              </div>
              <div>To create a publicly trusted certificate you can run
                a wizard (which MS SBS support, when I talked to them,
                highly recommends using) which will allow you to create a
                certificate that is signed by a trusted third party
                (Verisign, Equifax, etc). The only issue with this
                public certificate is that it is a simple SSL web
                certificate made to validate remote.externaldomain.com
                and is NOT an Alternate Name Certificate. MS support has
                confirmed that this certificate is only used for email
                and Remote Web Workplace access. It is not and cannot be
                used for LDAP authentication. MS Active Directory
                support has told me that the certificate used for LDAP
                validation MUST include the server name (i.e.
                SERVER.domain.local and NOT remote.externaldomain.com).
                This leaves an SBS server with three supported
                certificate options:</div>
              <ol>
                <li>Use the DOMAIN-SERVER-CA self-signed cert for
                  authentication and put a copy of its public key in the
                  Ubuntu server's list of trusted certificates (can't get
                  that to work)</li>
                <li>Obtain an Alternative Name Certificate (expensive
                  relative to the simple web certificate; possible to do,
                  but I would prefer a cheaper alternative)</li>
                <li>Use the self-signed remote.domain.com certificate
                  and have the zendto server ignore trust errors, which
                  would allow encryption but in theory would expose you
                  to a man in the middle attack. (Not sure if this is
                  possible)</li>
              </ol>
              <div><br>
              </div>
              <div>The first and third options are the least expensive
                and therefore preferable. I have tried installing
                the certificate on the Ubuntu server in several places
                but the DOMAIN-SERVER-CA certificate is still read as
                untrusted by gnutls-cli. I am not sure if this is a
                gnutls error or a certificate problem. Maybe it doesn't
                matter since the handshake is occurring internally and
                if encryption is occurring anyway (not sure if it is or
                not). For now, a man-in-the-middle attack on my
                internal network isn't a big concern.</div>
              <div><br>
              </div>
              <div>After playing around with the ldp.exe utility and
                ldapsearch here is a list of what works and doesn't. I
                am including the ldp.exe list because that at least lets
                us know what is working from a windows perspective.</div>
              <div><br>
              </div>
              <div>===LDP.EXE===</div>
              <div>Connecting to the server &lt;server.domain.local&gt;
                <b>with</b> SSL (port 636) = works (SSL over 389 does
                not work but that isn't surprising)</div>
              <div>Supported SASL Mechanisms are listed as: GSSAPI;
                GSS-SPNEGO; EXTERNAL; DIGEST-MD5</div>
              <div><br>
              </div>
              <div><b>Start TLS</b> = failed (I assume this is because
                I am already connected to the server via SSL)</div>
              <div><br>
              </div>
              <blockquote style="margin: 0pt 0pt 0pt 40px; border:
                medium none; padding: 0px;">
                <div><b>Bind Simple</b> with DOMAIN\LDAP or <a
                    moz-do-not-send="true"
                    href="mailto:LDAP@domain.local">LDAP@domain.local</a>
                  and &lt; LDAP password&gt; = Authenticated as
                  DOMAIN\LDAP</div>
                <div><b><br>
                  </b></div>
                <div><b>Bind Simple</b> using only LDAP and
                  &lt;password&gt; (no domain) = Failed, Invalid
                  Credentials</div>
                <div><b><br>
                  </b></div>
                <div><b>Bind Simple with no credentials</b> =
                  Authenticated as NT Authority\Anonymous Login</div>
                <div><br>
                </div>
                <div><b>Bind with credentials</b> USER:LDAP
                  PASSWORD:&lt;password&gt; DOMAIN:domain = Authenticated
                  as DOMAIN\LDAP</div>
                <div><br>
                </div>
                <div><b>Bind Advanced (DIGEST)</b> with USER:LDAP
                  PASSWORD:&lt;password&gt; DOMAIN:domain = Failed.
                  Server error: 8009030C: LdapErr: DSID-0C0904D1,
                  comment: AcceptSecurityContext error, data 52e, v1772.
                  Error 0x8009030C The logon attempt failed</div>
                <div><br>
                </div>
                <div><b>Bind Advanced (SASL)</b> = Failed. Error
                  &lt;7&gt;: ldap_bind_s() failed: Authentication Method
                  Not Supported.</div>
                <div><br>
                </div>
              </blockquote>
              <div>Connecting to the server &lt;server.domain.local&gt;
                <b>without</b> SSL (port 389) = works&nbsp;same result as
                above</div>
              <div><br>
              </div>
              <div><b>Start TLS</b> = works: ldap_start_tls_s(ld,
                &amp;retValue, result, SvrCtrls, ClntCtrls) result
                &lt;0&gt;</div>
              <div>All the bind results are the same</div>
              <div><br>
              </div>
              <div>===GNUTLS===</div>
              <div>Running "gnutls-cli --print-cert -p 636
                server.domain.local" from the Ubuntu box I get:</div>
              <div><br>
              </div>
              <blockquote style="margin: 0pt 0pt 0pt 40px; border:
                medium none; padding: 0px;">
                <div>
                  <div>- Successfully sent 0 certificate(s) to server.</div>
                  <div>- Server has requested a certificate.</div>
                  <div>- Certificate type: X.509</div>
                  <div>&nbsp;- Got a certificate list of 1 certificates.</div>
                  <div>&nbsp;- Certificate[0] info:</div>
                  <div>&nbsp;&nbsp;- subject `CN=remote.externaldomain.com',
                    issuer `CN=domain-SERVER-CA', RSA key 2048 bits,
                    signed using RSA-SHA</div>
                  <div><br>
                  </div>
                  <div>-----BEGIN CERTIFICATE-----</div>
                  <div>&lt;Certificate key&gt;</div>
                  <div>-----END CERTIFICATE-----</div>
                  <div><br>
                  </div>
                  <div>- The hostname in the certificate matches
                    'server.domain.local'.</div>
                  <div>- Peer's certificate issuer is unknown</div>
                  <div>- Peer's certificate is NOT trusted</div>
                  <div>- Version: TLS1.0</div>
                  <div>- Key Exchange: RSA</div>
                  <div>- Cipher: AES-128-CBC</div>
                  <div>- MAC: SHA1</div>
                  <div>- Compression: NULL</div>
                  <div>- Handshake was completed</div>
                  <div><br>
                  </div>
                  <div>- Simple Client Mode:</div>
                </div>
                <div><br>
                </div>
              </blockquote>
              <div>===LDAPSEARCH===</div>
              <div>And finally some different ldapsearch results:</div>
              <div><br>
              </div>
              <blockquote style="margin: 0pt 0pt 0pt 40px; border:
                medium none; padding: 0px;">
                <div>
                  <div>~$ ldapsearch -D LDAP -H <a
                      moz-do-not-send="true"
                      class="moz-txt-link-freetext"
                      href="ldaps://server.domain.local">ldaps://server.domain.local</a>
                    -b "ou=Users,,dc=doamin,dc=local" sAMAccountName</div>
                  <div>ldap_sasl_bind(SIMPLE): Can't contact LDAP server
                    (-1)</div>
                </div>
                <div><br>
                </div>
                <div>ldapsearch -w &lt;password&gt; -D <a
                    moz-do-not-send="true"
                    class="moz-txt-link-abbreviated"
                    href="mailto:LDAP@domain.local">LDAP@domain.local</a>
                  -H <a moz-do-not-send="true"
                    class="moz-txt-link-freetext"
                    href="ldap://server.domain.local">ldap://server.domain.local</a>
                  -b "ou=Users,dc=domain,dc=local" sAMAccountName</div>
                <div>WORKS! Lists users.</div>
                <div><br>
                </div>
                <div>
                  <div>~$ ldapsearch -w
                    X0YnUm7NVHjdGJK0ncSOkAlmmyPHYN15X6oPWOtrvhu1aGEMCm
                    -D LDAPQuery -H <a moz-do-not-send="true"
                      class="moz-txt-link-freetext"
                      href="ldap://thor.henryv.local">ldap://thor.henryv.local</a>
                    -b
                    "ou=SBSUsers,ou=Users,ou=MyBusiness,dc=henryv,dc=local"
                    sAMAccountName</div>
                  <div>ldap_bind: Invalid credentials (49)</div>
                  <div><span class="Apple-tab-span" style="white-space:
                      pre;"> </span>additional info: 80090308: LdapErr:
                    DSID-0C0903AA, comment: AcceptSecurityContext error,
                    data 525, v1772</div>
                </div>
                <div>(I assume this is related to the ldp.exe error
                  using simple bind with no @domain.local)</div>
              </blockquote>
              <div><br>
              </div>
              <div>If you want ssh or vnc access to the server please
                contact me outside the mailing list for login
                credentials.</div>
              <pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
ZendTo mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></pre>
            </blockquote>
            <br>
            <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng CITP CEng
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982
</pre>
          </div>
        </div>
        </span>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982
</pre>
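    <br>
    The thread leaves options 1 and 3 of Craig's list open: the DOMAIN-SERVER-CA
    is "NOT trusted" in the gnutls-cli output, and option 3 (ignore trust
    errors) buys encryption without authentication of the server. The script
    below is an added example, not code from the thread or from the ZendTo
    project: it installs the exported SBS CA into Ubuntu's trust store, writes
    the OpenLDAP client settings that make PHP's ldap extension verify the
    LDAPS chain, re-runs the gnutls-cli check with that CA, and audits an
    ldap.conf for the TLS_REQCERT setting that would silently accept any
    certificate. The .cer path, the /etc/ldap/ldap.conf location and the
    certificate file name are assumptions.<br>

```shell
#!/bin/sh
# Added example (not from the thread or the ZendTo project): trust the SBS
# DOMAIN-SERVER-CA on the Ubuntu host that runs ZendTo, make the OpenLDAP
# client library (which PHP's ldap extension uses) verify the LDAPS chain
# against it, and audit ldap.conf for the "ignore trust errors" setting.
# File names and paths below are assumptions, not ZendTo's own.

# Install the CA exported from SBS (Base-64 encoded X.509 .cer) so that
# update-ca-certificates merges it into the system bundle. Requires root.
install_sbs_ca() {
    ca_file="$1"    # assumed: /tmp/DOMAIN-SERVER-CA.cer copied from the SBS box
    install -m 0644 "$ca_file" /usr/local/share/ca-certificates/domain-server-ca.crt
    update-ca-certificates
}

# Write the client-side TLS settings. TLS_REQCERT demand makes a bind fail
# when the chain does not verify; TLS_REQCERT never would still encrypt but
# accept any certificate, which is the man-in-the-middle exposure of
# option 3 in the thread.
write_ldap_conf() {
    cat > "$1" <<'EOF'
# /etc/ldap/ldap.conf (assumed location on Ubuntu)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
EOF
}

# Re-run the check from the thread with the CA supplied: once the CA is
# installed, "Peer's certificate issuer is unknown" should no longer appear.
verify_ldaps() {
    gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 "$1" </dev/null
}

# Audit an ldap.conf: return 0 if chain verification is enforced, 1 if it is
# disabled or weakened. The last TLS_REQCERT line wins, as in OpenLDAP.
audit_ldap_conf() {
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { print tolower($2) }' "$1" | tail -n 1)
    case "$reqcert" in
        ""|demand|hard) return 0 ;;          # unset defaults to demand
        never|allow|try)
            echo "weak setting: TLS_REQCERT $reqcert in $1" >&2
            return 1 ;;
        *)  echo "unknown TLS_REQCERT value '$reqcert' in $1" >&2
            return 1 ;;
    esac
}

# Demonstration on constructed files only (no root and no network needed).
demo_dir=$(mktemp -d)
printf 'TLS_CACERT /etc/ssl/certs/ca-certificates.crt\nTLS_REQCERT never\n' > "$demo_dir/weak.conf"
write_ldap_conf "$demo_dir/fixed.conf"
audit_ldap_conf "$demo_dir/weak.conf" || echo "weak.conf would accept any certificate"
audit_ldap_conf "$demo_dir/fixed.conf" && echo "fixed.conf enforces chain verification"
rm -rf "$demo_dir"
```

    install_sbs_ca and verify_ldaps touch the real system and the real
    server, so they are only defined here, not run; the demonstration at
    the bottom exercises the audit on constructed files. Note that the
    audit checks only what the client is configured to require: a DOMAIN-SERVER-CA
    that is in the bundle but has expired, or a server certificate whose
    SAN does not cover the name the client connects to, still fails the
    handshake, which is what verify_ldaps is for.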
  </body>
</html>