Author Topic: LDAP Question  (Read 2240 times)

celladv

LDAP Question
« on: October 24, 2011, 07:35:20 pm »
I have a Zentyal server I installed and I want to use LDAP to authenticate users from our help desk software. The software is hosted by another company, and the Zentyal server is inside our office. I have gone bonkers trying to set this up. Is this possible? The helpdesk software is H2Desk. If I get this working, I also want to integrate it to authenticate users from our WordPress system and Chamilo learning system.

Thanks in advance.
-Martin

christian

Re: LDAP Question
« Reply #1 on: October 24, 2011, 10:39:13 pm »
According to H2Desk, their product does support LDAP:
http://support.h2desk.com/index.php?pid=knowledgebase&cmd=viewentclient&id=177

Then the real question might not be support capability but implementation: you have to be sure that the mechanism is to first check for a local account and then to search in LDAP. This permits accounts not defined in your directory to access the H2Desk interface (e.g. administrators, operators...).
It also supposes that H2Desk is not already configured to rely on another LDAP server  ;)

celladv

Re: LDAP Question
« Reply #2 on: October 24, 2011, 11:43:56 pm »
Thanks for the reply. It seems that a simple bind test (I have tried some sample PHP files) is getting back "failed". Dumb question: do I have to change anything in Zentyal to allow LDAP on external IPs or outside of localhost?
« Last Edit: October 25, 2011, 12:07:01 am by celladv »

christian

Re: LDAP Question
« Reply #3 on: October 25, 2011, 06:42:25 am »
The answer is almost in your question  ;)  Yes, you have to open the LDAP port to the outside. If you can, I suggest you allow access only to the server(s) supposed to authenticate. This is for at least two main reasons:
- browsing LDAP anonymously is - hopefully - permitted
- authentication doesn't implement - unfortunately - LDAPS, meaning the password is sent almost in clear text (base64)  :(
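The second point above (a simple bind on plain LDAP carries the password in the clear) can be checked on captured traffic. The following is an added example, not code from the thread or from Zentyal: it encodes an LDAPv3 simple BindRequest with the standard BER layout and then recovers the DN and password from those bytes, which is exactly what anyone between H2Desk and the server could do if port 389 is reached without LDAPS or a restricted firewall. The bind DN and password are constructed sample values.

```python
"""Audit helper: demonstrates that an LDAP simple bind exposes the password on the wire."""


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER tag-length-value with a short-form length (body < 128 bytes)."""
    assert len(body) < 128, "short-form length only; enough for this demonstration"
    return bytes([tag, len(body)]) + body


def build_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """Encode an LDAPv3 simple BindRequest the way a client puts it on the wire."""
    bind_request = (
        _tlv(0x02, bytes([3]))            # version INTEGER 3
        + _tlv(0x04, bind_dn.encode())    # name LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode())   # authentication: simple [0] OCTET STRING
    )
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 0] }
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind_request))


def _read_tlv(buf: bytes, pos: int):
    """Decode one short-form BER TLV at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form lengths not handled in this demonstration"
    end = pos + 2 + length
    return tag, buf[pos + 2:end], end


def extract_simple_bind(packet: bytes):
    """Return (dn, password) if packet is a simple BindRequest, else None.

    A defender can run this over traffic seen on port 389 to prove that
    credentials are readable; a SASL bind or any other operation yields None.
    """
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:                       # not an LDAPMessage SEQUENCE
        return None
    _, _, pos = _read_tlv(message, 0)     # skip messageID
    tag, bind, _ = _read_tlv(message, pos)
    if tag != 0x60:                       # not a BindRequest
        return None
    _, _, pos = _read_tlv(bind, 0)        # skip version
    _, dn, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:                       # SASL choice: no cleartext password here
        return None
    return dn.decode(), auth.decode()
```

Restricting port 389 to the H2Desk server's address, or moving to LDAPS as suggested later in the thread, is what keeps these bytes away from a third party.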

robb

Re: LDAP Question
« Reply #4 on: October 25, 2011, 11:48:11 am »
I'm not an LDAP whiz, but is it possible to set up a VPN between your network and the hosting server so you are sure your data can be captured in between sites?

christian

Re: LDAP Question
« Reply #5 on: October 25, 2011, 12:09:15 pm »
Robb, this is always feasible, technically speaking at least  ;)
I mean this has nothing to do with LDAP. Once the VPN is established, you are virtually - BTW this is the goal - connected to the local network, and can then access any service open to your network range. This said, it might not be practical for the service provider to connect a server that is, on the other hand, reachable via the internet, to any VPN. And even if this is feasible, it has to be strongly controlled by the one managing the targeted network.

Please let me explain why VPN is not the secret wonderful answer to any situation:
if you establish a VPN link with a device that has other interfaces open outside of the VPN tunnel, you have to be 100% sure that there is NO routing capability on this device, otherwise it will provide access to your network for all devices reaching this "router".
Let's rephrase it: if H2Desk is connecting to your network via VPN but is, on the other side, open to the internet because this is the way clients access it, then in case this server is compromised, access to your network via VPN may occur.
Compare this with LDAPS and firewall rules allowing only the H2Desk server to access using only the LDAPS protocol...

robb

Re: LDAP Question
« Reply #6 on: October 25, 2011, 02:02:20 pm »
Completely clear. So there must be a guarantee from the provider that there is no routing from/to any other interface to the interface the VPN connects to.

This is off-topic, but in Zentyal, VPN is implemented to use the client interface to contact the internet and not the Zentyal external interface. Isn't this against the rule that there shouldn't be any routing from the internet to the interface the VPN is configured on?

In scheme:

Internet --- Zentyal --- VPN --- Client --- Internet

The client is connected to the Zentyal local LAN through the VPN but is also connected to the internet through its own internet connection. Wouldn't it be better to use the Zentyal external interface as gateway when connected through the VPN?
« Last Edit: October 25, 2011, 02:09:45 pm by robb »

christian

Re: LDAP Question
« Reply #7 on: October 25, 2011, 02:39:07 pm »
Well... I would rather hack the Zentyal LDAP implementation to allow LDAPS and set firewall rules accordingly. I would feel much more comfortable with this  8)