Authentication Mechanisms

ZendTo currently supports 5 different authentication mechanisms, each of which is described below:

  • Local — The simplest to use; a database table of usernames and password hashes, maintained with a few simple commands
  • IMAP — Perfect if you have an IMAP mail server but no centrally managed authentication system
  • AD — Microsoft Active Directory; used by many large sites
  • LDAP — Other LDAP-based managed authentication system
  • SAML-based — A wide range of authentication systems reached through the SimpleSAMLphp library: SAML identity providers such as Shibboleth, ADFS and Microsoft Azure AD, as well as OAuth providers, Yubikeys and others

The authenticator used is controlled by the setting "authenticator" in preferences.php.

Local

This uses a simple table held in the ZendTo database (SQLite by default, or MySQL if selected by the SqlBackend setting). Users are added, deleted, edited and listed with simple commands in the directory /opt/zendto/bin; the commands are documented in /opt/zendto/bin/README.txt.

Note that only password hashes are stored.

There are no configuration settings for this authentication mechanism, except for the MySQL connection details if you choose to use MySQL. SQLite is entirely automatic.

IMAP

This checks each login by connecting to your IMAP server with the username and password the user supplied. If required, an optional domain name can be appended to the username before it is checked, so that users do not have to type their full email address to satisfy your IMAP server's configuration.

Settings are:

authIMAPServer
The full hostname of your IMAP server. To specify a port number, add it after a colon, for example ":993". To use an SSL connection, add "/ssl" to the server string. For example, to connect with SSL on port 993 to the server named imap.mydomain.com, set this to "imap.mydomain.com:993/ssl". Without "/ssl" every user's password crosses the network in clear text, so use it whenever your server supports it. There are other options available too, which help with systems such as Zimbra.
authIMAPDomain
If set, this domain name is appended to the username the user types, as some IMAP servers require the full email address (user@domain.com) to authenticate successfully. Users then need only enter the part before the "@".
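The script below is an added example, not part of ZendTo or of this page: a stand-alone check of a candidate authIMAPServer and authIMAPDomain value, written in POSIX shell around "openssl s_client" so it can be run on the ZendTo host before the values go into preferences.php. It parses the server string in the form described above ("host[:port][/ssl]", passing any further "/option" items through untouched), builds the login name the way authIMAPDomain does (assuming ZendTo inserts the "@" itself, which the text implies but does not state) and, when given credentials, attempts the same IMAP LOGIN over TLS. The host names and the account in the usage line are made up.

```shell
#!/bin/sh
# Smoke test for authIMAPServer / authIMAPDomain (added example, not ZendTo code).

# imap_target SPEC
#   Split "host[:port][/option...]" into "host port mode", where mode is
#   ssl (implicit TLS, "/ssl"), starttls ("/tls") or plain. Surrounding
#   braces, as in "{host:993/ssl}", are tolerated. IPv6 literals are not handled.
imap_target() {
    spec=${1#\{}; spec=${spec%\}}
    hostport=${spec%%/*}
    flags=
    case $spec in */*) flags=/${spec#*/} ;; esac
    host=${hostport%%:*}
    port=
    case $hostport in *:*) port=${hostport#*:} ;; esac
    mode=plain
    case "$flags/" in
        */ssl/*) mode=ssl ;;
        */tls/*) mode=starttls ;;
    esac
    if [ -z "$port" ]; then
        if [ "$mode" = ssl ]; then port=993; else port=143; fi
    fi
    printf '%s %s %s\n' "$host" "$port" "$mode"
}

# imap_login_name USER DOMAIN
#   Mimic authIMAPDomain: append "@DOMAIN" when DOMAIN is non-empty
#   (assumption: ZendTo supplies the "@" itself).
imap_login_name() {
    if [ -n "$2" ]; then printf '%s@%s\n' "$1" "$2"; else printf '%s\n' "$1"; fi
}

# imap_quote STRING
#   Escape backslash and double quote for an IMAP quoted-string (RFC 3501).
#   The caller adds the surrounding quotes.
imap_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# imap_check_login SPEC USER PASS [DOMAIN]
#   Attempt the LOGIN ZendTo would attempt; return 0 only if the server says OK.
#   Refuses to send a password over a plain connection: fix authIMAPServer
#   instead of forcing it. Note that s_client does not fail on certificate
#   errors, so this checks the credentials, not the server's identity.
imap_check_login() {
    target=$(imap_target "$1")
    host=${target%% *}; rest=${target#* }; port=${rest%% *}; mode=${rest#* }
    login=$(imap_login_name "$2" "${4-}")
    pass=$3
    case $mode in
        ssl)      tls_opt='' ;;
        starttls) tls_opt='-starttls imap' ;;
        *) echo "refusing plain-text IMAP login to $host:$port; add /ssl to authIMAPServer" >&2
           return 2 ;;
    esac
    printf 'a1 LOGIN "%s" "%s"\r\na2 LOGOUT\r\n' "$(imap_quote "$login")" "$(imap_quote "$pass")" \
      | openssl s_client -connect "$host:$port" -quiet $tls_opt 2>/dev/null \
      | grep -q '^a1 OK'
}

# Usage (made-up values):  sh imapcheck.sh 'imap.mydomain.com:993/ssl' jbloggs 'secret' mydomain.com
if [ $# -ge 3 ]; then
    if imap_check_login "$@"; then echo "IMAP login OK"; else echo "IMAP login FAILED"; fi
fi
```

Run it once with a known-good account and once with a wrong password; if both report OK, the server is accepting anything and the setting is not doing what you think. A "/tls" option is treated as STARTTLS on the plain port, which s_client negotiates with "-starttls imap".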

Active Directory

This is provided for sites which use Microsoft's Active Directory system for authenticating users and storing information about them. Note that all users must have an email address set in your AD database, or else they will not be able to send files to anyone.

The AD authenticator in ZendTo can check users against two completely separate forests, which is useful if you have a part of your organisation that is not incorporated into your primary forest. If you do not wish to use the second forest, simply leave all its settings blank.

The settings required to make this work vary widely between sites, and you should consult whoever designed your Active Directory organisation for the correct strings to enter here. More detailed help on configuring ZendTo for Active Directory is available separately. Otherwise, the best route to working out the settings is to experiment with the "ldapsearch" utility (available as an optional package on all major Linux distributions) until it can locate a user and print information about them, such as their "cn" attribute. The supplied preferences.php file also contains an example value for each setting, showing the type of information each one needs.

Settings are:

authLDAPBaseDN1
The Base DN for searches for users in your forest.
authLDAPServers1
A list of all the AD controllers in your forest. Authentication is attempted against each one in turn until a connection is made.
authLDAPAccountSuffix1
The account suffix added to the end of each username. Can be left blank.
authLDAPUseSSL1
Do the AD controllers support SSL connections? If so, use them: without SSL, the bind password and every user's password are sent across the network in clear text.
authLDAPBindUser1
The username used to bind to the AD controller to retrieve information about users. This is blank on sites that allow anonymous binds, but otherwise you should set it to a special user account that only has rights to read AD information and nothing else.
authLDAPBindPass1
The password for the username used to bind to the AD controller as described above. Leave blank if your site allows anonymous binds.
authLDAPBaseOrganization1
The name of the user's organization, as used in the "New Dropoff" form on the website.
authLDAPBaseDN2
authLDAPServers2
authLDAPAccountSuffix2
authLDAPUseSSL2
authLDAPBindUser2
authLDAPBindPass2
authLDAPBaseOrganization2
The same settings as above, for the second forest. Leave all of them blank if not using a 2nd forest.

LDAP

This is rarely used, most sites having moved to Microsoft Active Directory, but a few sites still use other LDAP-based authentication. The mechanism and settings are broadly similar to the Active Directory settings described above, but only one LDAP directory is supported.

Settings are:

authLDAPBaseDN
The BaseDN of all LDAP searches for users.
authLDAPServers
The list of hostnames of your LDAP servers. They are tried in turn until a connection is made.
authLDAPAccountSuffix
The suffix added to the end of username when searching. Can be left blank.
authLDAPUseSSL
Do your LDAP servers support SSL connections? If so, use them: without SSL, the bind password and every user's password are sent across the network in clear text.
authLDAPBindDn
The DN of the username permitted to search your LDAP database for information about users.
authLDAPBindPass
The password of the user permitted to search your LDAP database for information about users.
authLDAPFullName
The names of the attributes (separated by a space) used to construct the user's full name.
authLDAPMemberKey
authLDAPMemberRole
If set, the name of the attribute (normally "memberOf") and the name of the group or role of which every ZendTo user must be a member. This lets you restrict ZendTo access to some accounts (such as those belonging to real people) and exclude others (such as role accounts and special accounts not owned by a person).
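As an added example (not ZendTo's own code), the script below drives ldapsearch, the tool the Active Directory section above recommends, from a copy of the authLDAP* values. It serves both the Active Directory settings (authLDAPServers1, authLDAPBindUser1 and so on) and the plain LDAP ones (authLDAPServers, authLDAPBindDn and so on): it escapes the username before placing it in the search filter, chooses ldaps:// or ldap:// from the UseSSL setting, tries the servers in turn until one answers, and prints cn, mail and the membership attribute so you can confirm that the user has an email address (required, as noted above) and the membership that authLDAPMemberKey/authLDAPMemberRole would demand. The host names and DNs are constructed for illustration, and the lookup attribute (sAMAccountName) is an assumption: this page does not say which attribute ZendTo matches the username against.

```shell
#!/bin/sh
# Probe the authLDAP* settings with ldapsearch (added example, not ZendTo code).
# Sample values are constructed; override them in the environment or edit here.
: "${LDAP_SERVERS:=dc1.ad.example.org dc2.ad.example.org}"   # authLDAPServers1 / authLDAPServers
: "${LDAP_BASE_DN:=DC=ad,DC=example,DC=org}"                  # authLDAPBaseDN1 / authLDAPBaseDN
: "${LDAP_USE_SSL:=yes}"                                      # authLDAPUseSSL1 / authLDAPUseSSL
: "${LDAP_BIND_USER:=CN=zendto-reader,OU=Service,DC=ad,DC=example,DC=org}"  # authLDAPBindUser1 / authLDAPBindDn
: "${LDAP_BIND_PASS:=}"                                       # authLDAPBindPass1 / authLDAPBindPass
: "${LDAP_SUFFIX:=}"                                          # authLDAPAccountSuffix1 / authLDAPAccountSuffix
: "${LDAP_ATTR:=sAMAccountName}"                              # assumption: attribute ZendTo matches on
: "${LDAP_MEMBER_KEY:=memberOf}"                              # authLDAPMemberKey

# ldap_filter_escape VALUE
#   Escape a value for use inside an LDAP search filter (RFC 4515):
#   "\", "*", "(" and ")" become \5c, \2a, \28 and \29. Without this a
#   username such as 'x)(mail=*' rewrites the filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldap_uri HOST USESSL
#   Map the authLDAPUseSSL choice onto the URI scheme ldapsearch expects.
ldap_uri() {
    case $2 in
        1|true|yes|on) printf 'ldaps://%s\n' "$1" ;;
        *)             printf 'ldap://%s\n'  "$1" ;;
    esac
}

# ldap_user_filter ATTR USER SUFFIX
#   Build the lookup filter from username plus account suffix, escaped.
ldap_user_filter() {
    printf '(%s=%s)\n' "$1" "$(ldap_filter_escape "$2$3")"
}

# ldap_probe_user USER
#   Try each server in turn until one answers. "Can't contact" (exit 255)
#   moves on to the next server; any other failure (e.g. 49, invalid
#   credentials) stops, since every server would give the same answer.
ldap_probe_user() {
    filter=$(ldap_user_filter "$LDAP_ATTR" "$1" "$LDAP_SUFFIX")
    pwfile=
    if [ -n "$LDAP_BIND_USER" ]; then
        # keep the bind password out of the process list: -y reads it from a file
        pwfile=$(umask 077 && mktemp) || return 1
        printf '%s' "$LDAP_BIND_PASS" > "$pwfile"
    fi
    rc=255
    for server in $LDAP_SERVERS; do
        uri=$(ldap_uri "$server" "$LDAP_USE_SSL")
        case $uri in ldap://*) echo "warning: $uri sends the bind password in clear text" >&2 ;; esac
        set -- -LLL -x -o nettimeout=5 -H "$uri" -b "$LDAP_BASE_DN"
        if [ -n "$pwfile" ]; then set -- "$@" -D "$LDAP_BIND_USER" -y "$pwfile"; fi
        if ldapsearch "$@" "$filter" cn mail "$LDAP_MEMBER_KEY"; then rc=0; else rc=$?; fi
        [ "$rc" -eq 255 ] || break
        echo "no answer from $server, trying next" >&2
    done
    if [ -n "$pwfile" ]; then rm -f "$pwfile"; fi
    return "$rc"
}

# Usage (made-up account):  LDAP_BIND_PASS='...' sh ldapprobe.sh jbloggs
if [ $# -eq 1 ]; then
    ldap_probe_user "$1"
fi
```

If the user is found but no mail attribute is printed, that account will be unable to send files, as the Active Directory section warns. For the LDAP authenticator, the value printed for the membership attribute is what authLDAPMemberRole has to match.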

SAML-based

ZendTo includes integration with the widely-used SimpleSAMLphp library. Its configuration is described in detailed steps elsewhere. Through SimpleSAMLphp, ZendTo can authenticate users against:

  • OAuth
  • Shibboleth
  • Microsoft Azure AD
  • Hardware tokens such as Yubikeys
  • ADFS
  • Facebook
  • Twitter
  • WindowsLive
  • and others...