Configuring for Active Directory

Many people have trouble getting the BaseDN and bind details right when configuring ZendTo to authenticate against their Active Directory.

The easiest way to get these settings right is to use the ldapsearch command (normally part of the ldap-utils package or similar) and experiment with different values until a search works on the command line.

For this example, we will use the site "example.com", connecting to the AD server "ad_server.example.com" as user "ad_read_user" with password "ad_read_password". The correct BaseDN will be "OU=Staff,OU=users,DC=example,DC=com". Run the command

ldapsearch -x -LLL -E pr=200/noprompt -h ad_server.example.com -D 'ad_read_user' -w 'ad_read_password' -b 'OU=Staff,OU=users,DC=example,DC=com' -s sub '(sAMAccountName=*)' cn mail memberOf

Two notes on the command: -w puts the password on the command line, where it ends up in your shell history and the process list, so prefer -W to be prompted for it; and newer OpenLDAP releases have dropped -h in favour of -H ldap://ad_server.example.com (use -H ldaps://ad_server.example.com to test the encrypted connection you should be using in production). If AD rejects the bare bind username, try it as a UPN (ad_read_user@example.com) or as DOMAIN\ad_read_user.

Experiment with different values for

  • ad_server.example.com
  • ad_read_user
  • ad_read_password
  • OU=Staff,OU=users,DC=example,DC=com

When you get them right, the command will output the name, email address and group membership of every user it finds. Make sure this includes all the users you want to be able to use ZendTo; very often you will want to drop the "OU=Staff," part of the BaseDN so that all your users are included.
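Checking that output by eye gets tedious once the search returns more than a handful of people. The script below is an added example, not part of the ZendTo documentation or code base: it parses the LDIF that the ldapsearch command prints (cn, mail and memberOf for each entry, including base64-encoded and line-folded values), then reports users who have no mail attribute and any expected accounts the BaseDN failed to return. SAMPLE_LDIF and EXPECTED_USERS are constructed for illustration; in real use you pipe the ldapsearch output into it and put your own users in EXPECTED_USERS.

```python
"""Sanity-check ldapsearch output before copying the values into preferences.php.

This is an added example, not part of the ZendTo documentation or code base.
It parses the LDIF that the ldapsearch command above prints (cn, mail and
memberOf for each entry), then reports users that have no mail attribute and
any accounts you expected that the BaseDN did not return.  SAMPLE_LDIF and
EXPECTED_USERS are constructed for illustration, not from a real directory.
"""
import base64
import sys
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample of what "ldapsearch -LLL ... cn mail memberOf" prints.
# Carol's cn is base64-encoded (attr::) and one of Alice's memberOf values is
# folded over two lines; real ldapsearch output does both.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,OU=users,DC=example,DC=com
cn: Alice Example
mail: alice@example.com
memberOf: CN=ZendTo Users,OU=Groups,DC=example,DC=com
memberOf: CN=Staff,OU=Groups,
 DC=example,DC=com

dn: CN=Bob Example,OU=Staff,OU=users,DC=example,DC=com
cn: Bob Example
memberOf: CN=Staff,OU=Groups,DC=example,DC=com

dn: CN=Carol Example,OU=Staff,OU=users,DC=example,DC=com
cn:: Q2Fyb2wgRXhhbXBsZQ==
mail: carol@example.com
"""

# Constructed list of people who must be able to log in to ZendTo.
EXPECTED_USERS = ["Alice Example", "Bob Example", "Dave Example"]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries; attribute names are lower-cased, values kept in order."""
    # Unfold first: a line beginning with one space continues the previous line.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:  # trailing sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):  # comments, e.g. paging cookies or referrals
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" for values that are not safe strings
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def audit(entries: List[Entry], expected: List[str]) -> Dict[str, List[str]]:
    """Report what the search found and what a ZendTo admin should fix.

    no_mail : users who could authenticate but have no address for ZendTo to mail
    missing : expected users the BaseDN did not return (search scope too narrow)
    """
    found = {e["cn"][0] for e in entries if e.get("cn")}
    found_ci = {cn.casefold() for cn in found}
    return {
        "found": sorted(found),
        "no_mail": sorted(e["cn"][0] for e in entries if e.get("cn") and not e.get("mail")),
        "missing": sorted(cn for cn in expected if cn.casefold() not in found_ci),
    }


def group_counts(entries: List[Entry]) -> Dict[str, int]:
    """Count how many returned users are in each memberOf group."""
    counts: Dict[str, int] = {}
    for e in entries:
        for group in e.get("memberof", []):
            counts[group] = counts.get(group, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: ldapsearch -x -LLL ... cn mail memberOf | python3 check_ad_users.py
    # With no piped input the constructed sample is used instead.
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    found_entries = parse_ldif(ldif)
    report = audit(found_entries, EXPECTED_USERS)
    print(f"{len(found_entries)} users returned")
    print("no mail attribute:", report["no_mail"] or "none")
    print("expected but not found:", report["missing"] or "none")
    for group, n in sorted(group_counts(found_entries).items()):
        print(f"{n:4d}  {group}")
```

A user listed under "expected but not found" means the BaseDN (or the bind account's read permissions) does not cover them; a user under "no mail attribute" will be able to log in but ZendTo will have no address to notify, so fix the directory entry or exclude the account.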

Once the search works, the corresponding preferences.php settings are

  • 'authenticator' => 'AD',
  • 'authLDAPBaseDN1' => array('OU=Staff,OU=users,DC=example,DC=com'),
  • 'authLDAPServers1' => array('ad_server.example.com'),
  • 'authLDAPAccountSuffix1' => '@example.com',
  • 'authLDAPUseSSL1' => false, // false only while testing; strongly advise true in production so the bind password and user credentials are not sent in clear
  • 'authLDAPBindUser1' => 'ad_read_user',
  • 'authLDAPBindPass1' => 'ad_read_password',
  • 'authLDAPOrganization1' => 'Example Company Inc',