
zmNinja / ldap

Posted: Wed Jan 20, 2016 9:54 am
by agauthier51
Hello,

Trying to have ldap auth for ZM, zmNinja on Android works, but requires old app "admin" auth, probably for the API. There is a popup window for ldap authentication. Only real issue is that the password is shown in clear.
zmNinja Linux doesn't work at all, auth always fails.

Regards,
Arnaud

Re: zmNinja / ldap

Posted: Wed Jan 20, 2016 1:30 pm
by agauthier51
As requested, here are more details from the configuration.

Configuration of ZM is "as from scratch" with all defaults, OPT_USE_AUTH off

Proxy is as follows:
redirect http -> https

<VirtualHost *:443>
ServerName xxx.yyy.ch
ServerAdmin aaaa@yyy.com

SSLEngine on
SSLCertificateFile blah.crt
SSLCertificateKeyFile blah.key
SSLCACertificateFile something.crt

RewriteEngine On
RewriteRule ^/$ https://xxx.yyy.ch/zm/ [R]

<Location /zm>
AuthName "ZoneMinder Login"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldapserverip/ou=people,dc=yyy,dc=ch?uid?sub?(objectClass=*)"
Require valid-user
</Location>

ProxyPass /zm/ http://ZoneMinderServerIp/zm/
ProxyPassReverse /zm/ http://ZoneMinderServerIp/zm/
ProxyPreserveHost On

ProxyRequests Off
AllowEncodedSlashes NoDecode
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

ErrorLog ${APACHE_LOG_DIR}/xxx.error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/xxx.log combined
</VirtualHost>

Works fine for Web Access & zmNinja, only have errors on the zmNinja Settings screen (but Montage and all views are working!)

ZM Settings:
* ZM portal url: https://login:password@xxx.yyy.ch/zm
* path to cgi-bin: https://login:password@xxx.yyy.ch/zm/cgi-bin
* ZM api url: https://login:password@xxx.yyy.ch/zm/api

No ZM authentication, but Use SSL
Logs will follow by mail....

Re: zmNinja / ldap

Posted: Wed Jan 20, 2016 2:12 pm
by asker
Couple of notes:

1. The logs you sent me are not debug logs - you need to enable debug in zmNinja settings
2. Please don't truncate logs - I need to see everything to make sure I get the full picture
3. Please post a screenshot of your ZM settings in ZMNinja (mask out password, public IP)
4. Can you please check if this problem goes away if you disable SSL? (and also disable SSL at ZM)
5. Again, for zmNinja Linux, I need full debug logs

thx

agauthier51 wrote:
Hello,

Trying to have ldap auth for ZM, zmNinja on Android works, but requires old app "admin" auth, probably for the API. There is a popup window for ldap authentication. Only real issue is that the password is shown in clear.
zmNinja Linux doesn't work at all, auth always fails.

Regards,
Arnaud

Re: zmNinja / ldap

Posted: Wed Jan 20, 2016 2:44 pm
by agauthier51
Well, after a few checks & changes on my side I was able to run ZM Linux the same way as ZM Android.

From the Apache logs I have non-authenticated "tries" from the zmNinja devices on the following:
GET /zm/api/monitors.json HTTP/1.1" 401 756
GET /zm/index.php?view=watch&mid=1 HTTP/1.1" 401 756
GET /zm/cgi-bin/nph-zms?mode=single&monitor=1&scale=50&rand=40908 HTTP/1.1" 401 756

A curl works fine, and requires login. It seems some accesses are forgetting the user:pass

$ curl -I https://user:pass@xxx.yyy.ch/zm/api/monitors.json
HTTP/1.1 200 OK
Date: Wed, 20 Jan 2016 14:29:07 GMT
Server: Apache/2.4.7 (Ubuntu)
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Content-Length: 5316
Content-Type: application/json; charset=UTF-8
Set-Cookie: ZMSESSID=hmfkt282939k9qb2fm7cei6al0; expires=Wed, 20-Jan-2016 18:29:07 GMT; Max-Age=14400; path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin

$ curl -I https://xxx.yyy.ch/zm/api/monitors.json
HTTP/1.1 401 Unauthorized
Date: Wed, 20 Jan 2016 14:40:45 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
WWW-Authenticate: Basic realm="ZoneMinder Login"
Content-Type: text/html; charset=iso-8859-1

Checking the logs. But DEV logs from the linux App aren't anonymized...

Regards,
Arnaud
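
The 401s in the post above are what a Basic-auth proxy returns when a request arrives without an `Authorization` header. The following added example (not zmNinja's code and not from this thread) shows one way a client can take the `user:pass@` part of a configured URL, turn it into a header, and apply it to every request path it builds. The host name, credentials, and function names are constructed for illustration.

```javascript
// Added example, not zmNinja code. Host and credentials are placeholders.

// Split "https://user:pass@host/path" into a clean URL plus a Basic header.
function splitCredentials(rawUrl) {
  const u = new URL(rawUrl);
  // The URL parser keeps userinfo percent-encoded; decode it for the header.
  const user = decodeURIComponent(u.username);
  const pass = decodeURIComponent(u.password);
  u.username = "";
  u.password = "";
  const headers = {};
  if (user !== "" || pass !== "") {
    // RFC 7617: "Basic " + base64("user:pass")
    headers.Authorization =
      "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
  }
  // The returned URL no longer carries the password, so it is safe to log.
  return { url: u.toString(), headers };
}

// Derive every request (API, portal view, cgi-bin stream) from ONE
// credential source so none of them reaches the proxy unauthenticated.
function buildRequests(portalUrl, paths) {
  const { url, headers } = splitCredentials(portalUrl);
  const base = url.endsWith("/") ? url : url + "/";
  return paths.map((p) => ({
    url: new URL(p, base).toString(),
    headers: { ...headers },
  }));
}

// List the requests that would be answered with 401 by the proxy.
function missingAuth(requests) {
  return requests.filter((r) => !r.headers.Authorization).map((r) => r.url);
}

// Constructed sample: the three request paths seen in the Apache log above.
const samplePaths = [
  "api/monitors.json",
  "index.php?view=watch&mid=1",
  "cgi-bin/nph-zms?mode=single&monitor=1&scale=50",
];
console.log(buildRequests("https://user:pass@cam.example.test/zm", samplePaths));
```
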

Re: zmNinja / ldap

Posted: Wed Jan 20, 2016 4:59 pm
by asker
Okay, I think I have a fix.

Let's test it first with your desktop client - do you use 32bit or 64bit? I'll send you a new version to test