Authentication Mechanisms
ZendTo currently supports 5 different authentication mechanisms, each of which is described below:
- Local — The simplest to use; a database table of usernames and passwords hashes maintained with a few simple commands
- IMAP — Perfect if you have an IMAP mail server but no centrally managed authentication system
- AD — Microsoft Active Directory; used by many large sites
- LDAP — Other LDAP-based managed authentication system
- SAML-based — A wide range of SAML-based authentication systems including OAuth, Shibboleth, Microsoft Azure AD, Yubikeys and others
The authenticator used is controlled by the setting "authenticator" in preferences.php.
Local
This uses a simple table held in the ZendTo database (SQLite by default, but can be MySQL, as set by the SqlBackend setting) and users are added, deleted, edited and listed with simple commands in the directory /opt/zendto/bin. The commands are documented in /opt/zendto/bin/README.txt.
Note that only password hashes are stored.
There are no configuration settings for this authentication mechanism, except for the MySQL connection details if you choose to use MySQL. SQLite is entirely automatic.
IMAP
This will check usernames against your IMAP server. If required, an optional domain name can be added onto the end of the usernames as they are checked so that users do not have to enter their full email address to satisfy your IMAP server's configuration.
Settings are:
- authIMAPServer
- The full hostname of your IMAP server. To specify a port number add, for example, ":993" to the server name. To use SSL connections, add "/ssl" to the server string. For example, if using port 993 with an SSL connection to the server named imap.mydomain.com, set this to "imap.mydomain.com:993/ssl". There are other options available too, which will help with systems such as Zimbra.
- authIMAPDomain
- If set, this domain name will be added to the end of the username entered as some IMAP servers require the full email address in the form user@domain.com to authenticate successfully.
Active Directory
This is provided for sites which use Microsoft's Active Directory system for authenticating users and storing information about them. Note that all users must have an email address set in your AD database, or else they will not be able to send files to anyone.
The AD authenticator in ZendTo can check users against two completely separate forests, which is useful if you have a part of your organisation that is not incorporated into your primary forest. If you do not wish to use the second forest, simply leave all its settings blank.
The settings required to make this work for your site vary widely between sites, and you should consult the person who designed your Active Directory organisation for the correct strings to enter here. There is more help on configuring ZendTo for Active Directory. Otherwise, the best route to work out the settings is to play with the "ldapsearch" utility (included as an optional part of all major Linux distributions) until you can get that to locate a user and print information about them, such as their "cn" attribute. The supplied preferences.php file also contains an example value for each setting, which will show you the type of information each setting needs.
Settings are:
- authLDAPBaseDN1
- The Base DN for searches for users in your forest.
- authLDAPServers1
- A list of all the AD controllers in your forest. Authentication is attempted against each one in turn until a connection is made.
- authLDAPAccountSuffix1
- The account suffix added to the end of each username. Can be left blank.
- authLDAPUseSSL1
- Do the AD controllers support SSL connections? If so, use them.
- authLDAPBindUser1
- The username used to bind to the AD controller to retrieve information about users. This is blank on sites that allow anonymous binds, but otherwise you should set it to a special user account that only has rights to read AD information and nothing else.
- authLDAPBindPass1
- The password for the username used to bind to the AD controller as described above. Leave blank if your site allows anonymous binds.
- authLDAPBaseOrganization1
- The name of the user's organization, as used in the "New Dropoff" form on the website.
- authLDAPBaseDN2
- Leave blank if not using a 2nd forest.
- authLDAPServers2
- Leave blank if not using a 2nd forest.
- authLDAPAccountSuffix2
- Leave blank if not using a 2nd forest.
- authLDAPUseSSL2
- Leave blank if not using a 2nd forest.
- authLDAPBindUser2
- Leave blank if not using a 2nd forest.
- authLDAPBindPass2
- Leave blank if not using a 2nd forest.
- authLDAPBaseOrganization2
- Leave blank if not using a 2nd forest.
LDAP
This is rarely used, having been mostly surpassed by Microsoft Active Directory. However a few sites still use LDAP-based authentication. The mechanism and settings are roughly similar to the Active Directory settings described above. It supports one LDAP domain.
Settings are:
- authLDAPBaseDN
- The BaseDN of all LDAP searches for users.
- authLDAPServers
- The list of hostnames of your LDAP servers. They are tried in turn until a connection is made.
- authLDAPAccountSuffix
- The suffix added to the end of username when searching. Can be left blank.
- authLDAPUseSSL
- Do your LDAP servers support SSL connections? If so, use them.
- authLDAPBindDn
- The DN of the username permitted to search your LDAP database for information about users.
- authLDAPBindPass
- The password of the user permitted to search your LDAP database for information about users.
- authLDAPFullName
- The names of the attributes (separated by a space) used to construct the user's full name.
- authLDAPMemberKey
- authLDAPMemberRole
- If set, the name of the attribute (normally "memberOf") and the name of the role of which any ZendTo user must be a member. This allows you to restrict ZendTo access to some users (such as all the people) but not others (such as role accounts and special accounts not owned by people).
SAML-based
ZendTo includes integration with the widely-used SimpleSAMLphp library. Configuration is described in detailed steps, and can be used to authenticate users against
- OAuth
- Shibboleth
- Microsoft Azure AD
- Hardware tokens such as Yubikeys
- ADFS
- WindowsLive
- and others...