<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 17/01/2013 17:54, Mike Brudenell
wrote:<br>
</div>
<blockquote
cite="mid:CAPXCWauA11bFPvzh3spaqyyWYVq705_xeKvabmtLwXJeDNerVA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra" style="">Hi, Jules!</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">On 17 January 2013 16:56, Jules <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:Jules@zend.to" target="_blank">Jules@zend.to</a>&gt;</span>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">If
you set all the 2nd forest settings to blank (or empty
arrays) rather than commenting them out, you should have
better luck.</blockquote>
</div>
<br>
Nope… We have the 2nd forest settings set to blank (see
below), not commented out.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">
Originally we'd got them all set to blank ('') and noticed
that this produced a PHP error string at the top of the page
(ie, the PHP error text was getting output mingled in with the
HTML). That was fixed by changing</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div class="gmail_extra" style=""> 'authLDAPServers2'
=> '',</div>
</blockquote>
<div class="gmail_extra">to</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div class="gmail_extra" style=""> 'authLDAPServers2'
=> array(),</div>
</blockquote>
<div class="gmail_extra">as per its introductory comment, which
we'd initially missed.</div>
</div>
</blockquote>
If they were originally arrays in my default file, they need to be
arrays still, even empty ones.<br>
<blockquote
cite="mid:CAPXCWauA11bFPvzh3spaqyyWYVq705_xeKvabmtLwXJeDNerVA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"> (I can't remember the PHP error text
exactly but it was that the range for a for/foreach was
invalid.)</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">That left us with these forest2
settings:</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div class="gmail_extra" style="">
<div class="gmail_extra" style="">
'authLDAPBaseDN2' => '',</div>
</div>
<div class="gmail_extra" style="">
<div class="gmail_extra" style=""> 'authLDAPServers2'
=> array(),</div>
</div>
<div class="gmail_extra" style="">
<div class="gmail_extra" style=""> 'authLDAPAccountSuffix2'
=> '',</div>
</div>
<div class="gmail_extra" style="">
<div class="gmail_extra" style=""> 'authLDAPUseSSL2'
=> '',</div>
</div>
<div class="gmail_extra" style="">
<div class="gmail_extra" style=""> 'authLDAPBindUser2'
=> '',</div>
</div>
<div class="gmail_extra" style="">
<div class="gmail_extra" style=""> 'authLDAPBindPass2'
=> '',</div>
</div>
<div class="gmail_extra" style="">
<div class="gmail_extra" style=""> 'authLDAPOrganization2'
=> '',</div>
</div>
</blockquote>
<div class="gmail_extra">
<div class="gmail_extra" style=""><br>
</div>
<div class="gmail_extra" style="">
With these in place entering an invalid password produces
the two ghastly and unfriendly LDAP error messages followed
by the human-friendly "Invalid username or password" message
from the ErrBadLogin config string.</div>
<div class="gmail_extra" style=""><br>
</div>
<div class="gmail_extra" style="">The problem is that in the
authenticate() function within lib/NSSADAuthenticator.php
the code flow goes like this:</div>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div class="gmail_extra" style="">
<div class="gmail_extra" style="">Check username/password in
forest1</div>
</div>
<div class="gmail_extra" style="">
<div class="gmail_extra" style="">Check username/password in
forest2</div>
</div>
</blockquote>
<div class="gmail_extra">
<div class="gmail_extra" style=""><br>
</div>
<div class="gmail_extra" style="">Without the "if
(empty($this->_ldapServers2)) { return FALSE; }" bail out
test between the two the forest2 test is always performed.</div>
<div class="gmail_extra" style=""><br>
</div>
<div class="gmail_extra" style="">So the PHP code in the
forest2 block tries to connect to no LDAP servers (because
none are configured for forest2 in the preferences). So it
complains bitterly that it can't: that produces the two
unfriendly LDAP errors before the human-friendly "You
got the username/password wrong" (sic) message.</div>
</div>
</div>
</blockquote>
I'll definitely take a look in the light of what you've said. Other
people haven't raised this in the past, they've got it working. So
I'll see what happens when I set up mine with only 1 forest.<br>
<blockquote
cite="mid:CAPXCWauA11bFPvzh3spaqyyWYVq705_xeKvabmtLwXJeDNerVA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_extra" style=""><br>
</div>
<div class="gmail_extra" style="">In passing…</div>
<div class="gmail_extra" style=""><br>
</div>
<div class="gmail_extra" style="">We're actually running
ZendTo 4.08-something on one server and 4.10-5 on another.
Between the two versions the bailout test has been added
between the forest1/forest2 code blocks within the
validUsername() function so was presumably added to fix the
problem for that function. It's just also needed between the
same two codeblocks within the authenticate() function as
well.</div>
</div>
</div>
</blockquote>
Aha! Many thanks! :-)<br>
<br>
Yes, just looked at the code, you're totally right.<br>
<br>
Jules.<br>
<br>
<blockquote
cite="mid:CAPXCWauA11bFPvzh3spaqyyWYVq705_xeKvabmtLwXJeDNerVA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_extra" style=""><br>
</div>
<div class="gmail_extra" style="">Cheers,</div>
<div class="gmail_extra" style="">Mike B-)</div>
<div><br>
</div>
-- <br>
<font size="1"><font face="'arial narrow', sans-serif"><span
style="font-size:small">IT Services, The University of
York, Heslington, York YO10 5DD, UK<br>
Tel: +44-1904-323811</span><span style="font-size:small"><br>
Disclaimer: &lt;</span><a moz-do-not-send="true"
href="http://www.york.ac.uk/docs/disclaimer/email.htm"
target="_blank"><span style="font-size:small">http://www.york.ac.uk/docs/disclaimer/email.htm</span></a><span
style="font-size:small">&gt;</span></font><br>
</font>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></pre>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng MBCS CITP CEng
'When I read Shakespeare I am struck with wonder
That such trivial people should muse and thunder
In such lovely language.' - D.H. Lawrence
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
</pre>
</blockquote>
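<p>The login flow discussed in this thread, as an added example that is not part of the original message and is not ZendTo's own code: a simplified PHP model in which the class <code>TwoForestAuth</code>, the injected <code>$bind</code> stub and the server name are hypothetical. It runs a failed login with and without the bail-out test and records which forests were consulted; the thread identifies the unguarded forest 2 attempt as the source of the raw LDAP errors on the login page.</p>

```php
<?php
// Added example: simplified model of a two-forest login flow, not ZendTo's code.
// TwoForestAuth, $bind and the server name are hypothetical.
class TwoForestAuth
{
    private $_ldapServers1;
    private $_ldapServers2;
    private $bind;               // callable($server, $user, $pass): bool
    public $attempts = array();  // forests that were actually consulted

    public function __construct(array $servers1, array $servers2, callable $bind)
    {
        $this->_ldapServers1 = $servers1;
        $this->_ldapServers2 = $servers2;
        $this->bind = $bind;
    }

    private function tryForest(array $servers, $forest, $user, $pass)
    {
        $this->attempts[] = $forest;
        foreach ($servers as $server) {
            if (call_user_func($this->bind, $server, $user, $pass)) {
                return true;
            }
        }
        return false;
    }

    public function authenticate($user, $pass, $guard = true)
    {
        if ($this->tryForest($this->_ldapServers1, 1, $user, $pass)) {
            return true;
        }
        // The bail-out test from the thread: no forest 2 configured, so stop here.
        if ($guard && empty($this->_ldapServers2)) {
            return false;
        }
        return $this->tryForest($this->_ldapServers2, 2, $user, $pass);
    }
}
// Constructed stub standing in for an LDAP bind; only one credential pair succeeds.
$bind = function ($server, $user, $pass) {
    return $user === 'alice' && $pass === 'correct-horse';
};
foreach (array(false, true) as $guard) {
    $auth = new TwoForestAuth(array('dc1.example.test'), array(), $bind);
    $ok = $auth->authenticate('alice', 'wrong', $guard);
    printf("guard=%s result=%s forests tried=%s\n", var_export($guard, true), var_export($ok, true), implode(',', $auth->attempts));
}
```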
</body>
</html>