Messages - Barrydocks

31
Regarding invalid password, how did you specify it?
Sorry, not sure what you mean :-\

32
have you installed php5-ldap package on machine running DocMGR
Nope  :-[  Installing it has solved the error in the apache log but I can't log in:
Code:
API: Invalid username and/or password specified
Which log file on the zentyal server do I need to check in order to see if the DocMGR application is even sending a query?

33
Thanks Christian, I was really not sure what the correct entries should be.  The DocMGR is on a virtual box and the correct firewall rules have been set to access ldap across my LAN as other boxes are using it (i.e. my subsonic box).  Anyway, it still doesn't work :(
I have found the following entry in the apache log:
Code:
[error] [client 10.0.0.30] PHP Fatal error: Call to undefined function ldap_connect() in /var/www/docmgr/lib/account/ldap.php on line 43, referer: http://docmgr.mydomain.com/docmgr/index.php
So I guess there is something wrong with the php coding?? :-\

34
I am trying to set up DocMGR as a document management system, currently I have managed to get everything to work except authenticating users against my LDAP server which is Zentyal 2.2.

Here is the documentation from the DocMGR site:
http://www.docmgr.org/documentation/ldap-configuration/

Here is my ldap-config.php file for DocMGR:
Code:
<?php
/******************************************************************************
Filename: ldap-config.php

Purpose: Contains all settings for ldap connectivity and attribute mapping

Created: 11-20-2005
*******************************************************************************/

/************************************************************ 
LDAP Connectivity 
************************************************************/ 

//your ldap server uri 
define("LDAP_SERVER","ldap://10.0.0.1"); 

//your ldap server port 
define("LDAP_PORT","389"); 

//the dn to bind to your server with 
define("BIND_DN","dc=myserver,dc=mydomain,dc=com"); 

//the password of the above specified dn 
define("BIND_PASSWORD","secret"); 

//your search attribute base for accounts 
define("LDAP_BASE","ou=Users,dc=myserver,dc=mydomain,dc=com"); 

//default base for creating accounts 
define("LDAP_CREATE_BASE",LDAP_BASE); 

//a search filter to limit valid accounts to 
define("LDAP_FILTER","(uid=*)"); 

//password encryption in database
define("LDAP_CRYPT","MD5"); 

//ldap protocol 
define("LDAP_PROTOCOL","3"); 

//default group id for a new account 
define("DEFAULT_GID","100"); 

//base of our tree 
define("LDAP_ROOT","cn=ebox,dc=myserver,dc=mydomain,dc=com"); 

/*********************************************************** 
Attribute Mapping
**********************************************************/
define("LDAP_UID","uid");
define("LDAP_UIDNUMBER","uidNumber");
define("LDAP_GIDNUMBER","gidNumber");
define("LDAP_USERPASSWORD","userPassword");
define("LDAP_CLEARPASSWORD","plainPassword");
define("LDAP_CN","cn");
define("LDAP_SN","sn");
define("LDAP_GECOS","gecos");
define("LDAP_TELEPHONENUMBER","telephoneNumber");
define("LDAP_GIVENNAME","givenName");
define("LDAP_MAIL","mail");

//your dn in your directory should look like this: 
//<UID>=<login>,<LDAP_BASE> 
//ex: uid=mylogin,ou=people,dc=mydomain,dc=com

I have posted on the DocMGR project forum but the response time is not exactly quick :(

I would be grateful for any suggestions as I am not entirely sure these settings are correct.

Thanks

35
Installation and Upgrades / Re: blocking access attempts by IP address
« on: February 13, 2013, 11:08:18 am »
Thanks for all the advice, I have ended up going with denyhosts http://denyhosts.sourceforge.net/ that (as I understand it) relies on adding entries to the /etc/hosts.deny which is not modified by zentyal rather than using IPtables - although I am happy to be corrected on this  :)
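
An added illustration (not part of the original posts, and not denyhosts' or fail2ban's own code) of the approach this thread settles on: count failed sshd logins per source address inside a sliding window and format the offenders as /etc/hosts.deny entries. The log lines, threshold, window and function names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log sample (documentation-range IPs). The 17:43 line carries a
# username that itself contains " from <ip> port ..." to test the parser.
SAMPLE_LOG = """\
Feb  9 17:40:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Feb  9 17:40:04 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Feb  9 17:40:09 gw sshd[2107]: Failed password for root from 203.0.113.7 port 40130 ssh2
Feb  9 17:41:30 gw sshd[2110]: Accepted publickey for backup from 198.51.100.20 port 51514 ssh2
Feb  9 17:42:00 gw sshd[2115]: Failed password for barry from 198.51.100.20 port 51600 ssh2
Feb  9 17:43:00 gw sshd[2120]: Failed password for invalid user x from 198.51.100.20 port 1 ssh2 from 203.0.113.7 port 40140 ssh2
Feb  9 18:30:00 gw sshd[2200]: Failed password for root from 192.0.2.55 port 33000 ssh2
Feb  9 19:45:00 gw sshd[2300]: Failed password for root from 192.0.2.55 port 33010 ssh2
Feb  9 21:00:00 gw sshd[2400]: Failed password for root from 192.0.2.55 port 33020 ssh2
"""

# Greedy ".+" plus the end-of-line anchor means the LAST "from <ip>" is used, so a
# crafted username cannot choose which address gets counted.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")

def offenders(log_text, max_failures=3, window=timedelta(minutes=10), year=2013):
    """Return IPs with at least max_failures failed logins inside one sliding window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) >= max_failures and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

def hosts_deny_entries(ips):
    """Format offenders as TCP-wrappers rules for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(offenders(SAMPLE_LOG))))
```

Because the rules go to /etc/hosts.deny rather than iptables, they sit outside the firewall rule set, which is the property the post above relies on.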

36
Installation and Upgrades / Re: blocking access attempts by IP address
« on: February 12, 2013, 03:30:43 pm »
One of the "sneaky tricks" of SMF search is that it's global only from the home page, it seems. I found a few more results when searching from there.
Now feeling slightly stupid :-[
Thanks

37
Installation and Upgrades / Re: blocking access attempts by IP address
« on: February 12, 2013, 02:54:56 pm »
Thanks half_life

I realise that fail2ban and zentyal firewall both use IPtables, my concern was based on the fact that zentyal tends to overwrite changes made to config files (hence the need for the pre and post set hooks).

I did do a search on the forum for fail2ban but only this post was found :-\

I'll give it a try and see what happens :D

38
Installation and Upgrades / Re: blocking access attempts by IP address
« on: February 12, 2013, 12:43:13 pm »
Christian read this bit again:
Quote
What I want is to block access from an IP address where there have been more than X number of failed login attempts.
It's not that hard to grasp  ::)

Fail2ban looks like it will do the job, but it works by modifying the IPtables on the ubuntu firewall - what I want to know is whether or not it will work with zentyal's firewall?

39
Installation and Upgrades / Re: blocking access attempts by IP address
« on: February 12, 2013, 12:00:05 pm »
Thanks christian, both servers are running zentyal (one is v2.0 the other v2.2 - I gave up with v3.0 :-\).  To enable automated rsync jobs via ssh login is already via an RSA key so no password is required - it's really easy to setup :)  On most of my servers I generally have password authentication disabled for ssh but on one I need it enabled, this is the one I would like to block failed login attempts.

40
Installation and Upgrades / Re: blocking access attempts by IP address
« on: February 12, 2013, 11:23:00 am »
@christian - I can't allow access from a specified IP address as the IP of the client machine is allocated dynamically by the ISP and so will change periodically.

@rob - I need ssh as I run rsync over an ssh connection as a cron job for automated off site back up - I don't know how to set this up over a vpn  :-\

What I want is to block access from an IP address where there have been more than X number of failed login attempts.  @ichat - Fail2Ban looks ideal but will it work with the zentyal firewall?

42
Installation and Upgrades / Re: blocking access attempts by IP address
« on: February 11, 2013, 01:45:26 pm »
Will fail2ban work ok with zentyal's firewall?

I can't allow ssh from a specific IP address as it is often dynamic
thanks

43
Installation and Upgrades / blocking access attempts by IP address
« on: February 09, 2013, 05:42:38 pm »
We have had a number of breaking attempts via ssh.  Nobody has got in but it floods the syslogs with alerts.  Is there any way to configure the zentyal firewall and/or IDS to block access according to number of failed attempts and IP address?  I suspect it might be doable via the events and dispatchers?

Thanks

44
Installation and Upgrades / Re: How To?? Link aggregation
« on: February 07, 2013, 12:15:25 pm »
hehe.... bonding external interfaces  ;)
purpose here would be to implement hardware failover in case one NIC fails isn't it?  :P
If goal is to increase internet bandwidth, then, at least for what I understand, bonding will not help, reason being that from outside, you will have 2 different IP addresses.
Bonding on external interface would help if you had (perhaps you have BTW  ;)) only 100Mb/s interfaces on your server and more than 100Mb/s internet bandwidth from your provider.
If you have 2 providers with 100Mb/s... the best you can do is... load balancing or something at external router level but I can't see what as you still have 2 external IPs :-[
Unless you have a switch that is capable of proper link aggregation then you will need a round robin set up which (as far as I understand) doesn't really give much of an increase in bandwidth, so really you will just be using it for redundancy.  Having 2 separate ISP interfaces is likely to be faster and can be load balanced as well 

45
Installation and Upgrades / Re: How To?? Link aggregation
« on: February 06, 2013, 11:03:32 am »
I see that you are using the internal interfaces for bonding.
Would this be feasible for external interfaces also?
I'm doing load balancing at the moment, but this is not the same as bonding.

Cheers.
I can't see why not, just as long as they have a fixed IP address. 
