Hello,
Trying to have LDAP auth for ZM. zmNinja on Android works, but requires the old app "admin" auth, probably for the API. There is a popup window for LDAP authentication. Only real issue is that the password is shown in clear.
zmNinja Linux doesn't work at all, auth always fails.
Regards,
Arnaud
zmNinja / ldap
-
- Posts: 10
- Joined: Fri Jan 08, 2016 11:03 am
zmNinja / ldap
Brave old Desktop (Ubuntu14.04 - ZM1.29.0 - ZMNinja)
-
- Posts: 10
- Joined: Fri Jan 08, 2016 11:03 am
Re: zmNinja / ldap
As requested, here are more details from the configuration.
Configuration of ZM is "as from scratch" with all defaults, OPT_USE_AUTH off
Proxy is as follows:
redirect http -> https
<VirtualHost *:443>
ServerName xxx.yyy.ch
ServerAdmin aaaa@yyy.com
SSLEngine on
SSLCertificateFile blah.crt
SSLCertificateKeyFile blah.key
SSLCACertificateFile something.crt
RewriteEngine On
RewriteRule ^/$ https://xxx.yyy.ch/zm/ [R]
<Location /zm>
AuthName "ZoneMinder Login"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldapserverip/ou=people,dc=yyy,dc=ch?uid?sub?(objectClass=*)"
Require valid-user
</Location>
ProxyPass /zm/ http://ZoneMinderServerIp/zm/
ProxyPassReverse /zm/ http://ZoneMinderServerIp/zm/
ProxyPreserveHost On
ProxyRequests Off
AllowEncodedSlashes NoDecode
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
ErrorLog ${APACHE_LOG_DIR}/xxx.error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/xxx.log combined
</VirtualHost>
Works fine for Web Access & zmNinja, only have errors on the zmNinja Settings screen (but Montage and all views are working!)
ZM Settings:
* ZM portal url: https://login:password@xxx.yyy.ch/zm
* path to cgi-bin: https://login:password@xxx.yyy.ch/zm/cgi-bin
* ZM api url: https://login:password@xxx.yyy.ch/zm/api
No ZM authentication, but Use SSL
Logs will follow by mail....
Brave old Desktop (Ubuntu14.04 - ZM1.29.0 - ZMNinja)
Re: zmNinja / ldap
Couple of notes:
1. The logs you sent me are not debug logs - you need to enable debug in zmNinja settings
2. Please don't truncate logs - I need to see everything to make sure I get the full picture
3. Please post a screenshot of your ZM settings in ZMNinja (mask out password, public IP)
4. Can you please check if this problem goes away if you disable SSL? (and also disable SSL at ZM)
5. Again, for zmNinja Linux, I need full debug logs
thx
agauthier51 wrote: Hello,
Trying to have LDAP auth for ZM. zmNinja on Android works, but requires the old app "admin" auth, probably for the API. There is a popup window for LDAP authentication. Only real issue is that the password is shown in clear.
zmNinja Linux doesn't work at all, auth always fails.
Regards,
Arnaud
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.
Please read before posting:
How to set up logging properly
How to troubleshoot and report - ES
How to troubleshoot and report - zmNinja
ES docs
zmNinja docs
-
- Posts: 10
- Joined: Fri Jan 08, 2016 11:03 am
Re: zmNinja / ldap
Well, after a few checks & changes on my side I was able to run ZM Linux the same way as ZM Android.
From the Apache logs I have non-authenticated "tries" from the zmNinja devices on the following:
GET /zm/api/monitors.json HTTP/1.1" 401 756
GET /zm/index.php?view=watch&mid=1 HTTP/1.1" 401 756
GET /zm/cgi-bin/nph-zms?mode=single&monitor=1&scale=50&rand=40908 HTTP/1.1" 401 756
A curl works fine, and requires login. Seems some accesses are forgetting the user:pass
$ curl -I https://user:pass@xxx.yyy.ch/zm/api/monitors.json
HTTP/1.1 200 OK
Date: Wed, 20 Jan 2016 14:29:07 GMT
Server: Apache/2.4.7 (Ubuntu)
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Content-Length: 5316
Content-Type: application/json; charset=UTF-8
Set-Cookie: ZMSESSID=hmfkt282939k9qb2fm7cei6al0; expires=Wed, 20-Jan-2016 18:29:07 GMT; Max-Age=14400; path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
$ curl -I https://xxx.yyy.ch/zm/api/monitors.json
HTTP/1.1 401 Unauthorized
Date: Wed, 20 Jan 2016 14:40:45 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
WWW-Authenticate: Basic realm="ZoneMinder Login"
Content-Type: text/html; charset=iso-8859-1
Checking the logs. But DEV logs from the Linux app aren't anonymized...
Regards,
Arnaud
Brave old Desktop (Ubuntu14.04 - ZM1.29.0 - ZMNinja)
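Added example, not part of the original posts: one way to find which endpoints a client hits without credentials, by separating the normal Basic-auth challenge (a 401 followed by an authenticated success on the same path) from 401s that are never answered. The log lines are constructed in Apache "combined" format with documentation IP addresses and a made-up user "alice"; only the three 401 request lines mirror the ones quoted in the post above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (assumption: not taken from the poster's server).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2016:15:29:01 +0100] "GET /zm/ HTTP/1.1" 401 756 "-" "-"
203.0.113.7 - alice [20/Jan/2016:15:29:02 +0100] "GET /zm/ HTTP/1.1" 200 5316 "-" "-"
203.0.113.7 - - [20/Jan/2016:15:29:05 +0100] "GET /zm/api/monitors.json HTTP/1.1" 401 756 "-" "-"
203.0.113.7 - - [20/Jan/2016:15:29:06 +0100] "GET /zm/index.php?view=watch&mid=1 HTTP/1.1" 401 756 "-" "-"
203.0.113.7 - - [20/Jan/2016:15:29:07 +0100] "GET /zm/cgi-bin/nph-zms?mode=single&monitor=1&scale=50&rand=40908 HTTP/1.1" 401 756 "-" "-"
198.51.100.9 - alice [20/Jan/2016:15:30:00 +0100] "GET /zm/api/monitors.json HTTP/1.1" 200 5316 "-" "-"
"""


def unanswered_401s(log_text):
    """Return {(client, path): count} of credential-less 401s that were never
    followed by an authenticated success from the same client on that path."""
    pending = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Drop the query string so one endpoint is counted once.
        key = (m["host"], urlsplit(m["target"]).path)
        status, user = int(m["status"]), m["user"]
        if status == 401 and user == "-":
            # %u is "-" when the request carried no usable credentials.
            pending[key] += 1
        elif user != "-" and status < 400:
            # The client retried with credentials: the 401 was only the challenge.
            pending[key] = 0
    return {k: n for k, n in pending.items() if n}


if __name__ == "__main__":
    for (client, path), count in sorted(unanswered_401s(SAMPLE_LOG).items()):
        print(f"{client} {path}: {count} request(s) without credentials")
```

On the sample, `/zm/` is not reported because the client answered the challenge, while the API, `index.php` and `nph-zms` paths are.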
Re: zmNinja / ldap
Okay, I think I have a fix.
Let's test it first with your desktop client - do you use 32bit or 64bit? I'll send you a new version to test
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.