User authentication in Elasticsearch without third party tools - security

Is there any way to do user authentication without any third-party tools; just need to prevent access with username and password.

Yes it is possible and you can use X-Pack, which is an Elastic Stack extension that provides security. By default, when you install Elasticsearch, X-Pack is installed with a 30-day trial.
here the docs: https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html
If you are looking for something open-source opendistro for elasticsearch provides the same services for free and has support for Active Directory, LDAP, Kerberos, SAML, and OpenID Connect, here the docs: https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/
If you wish you can install the OSS version of elasticsearch, which includes only Apache 2.0 licensed code (here: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-7.6.1-linux-x86_64.tar.gz) and then install the standalone plugin for security with this command:
`sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro_security-`1.4.0.0.zip
as described here:
https://opendistro.github.io/for-elasticsearch-docs/docs/install/plugins/#security
Let me know if you need help for configure authentication!
Good luck!

The basic auth part if free starting from Elasticsearch 6.8. However, you'll need to buy X-Pack for advanced stuff like LDAP Authn / Authz.
https://www.elastic.co/blog/security-for-elasticsearch-is-now-free

Related

Do we need X-Pack to enable security in Elasticsearch and kibana?

I made a cluster with 3 master and 5 data nodes.The cluster even have 25 working indices and 10 Dashboards.Now I am trying to enable authentication to this cluster.I have seen some articles saying elastic search have security services free from 7.0 version
[link](https://www.elastic.co/blog/security-for-elasticsearch-is-now-free).
But when i am going through tutorial its mentioned we need to enable xpack. xpack.security.enable: true.so is it like we need to have x-pack to fulfill this usecase ?
X-Pack is the name of the module that contains the security code.
For Elasticsearch versions prior to 6.3, X-Pack had to be installed separately as a plugin. Some X-Pack features were free to use (Basic license), some required a commercial license (e.g. Security). Starting with 6.3 the default download contains that X-Pack module already. X-Pack as a product and plugin do no longer exist.
Starting with Elasticsearch version 6.8/7.1 Elastic moved some basic security features from the commercial license into the free Basic tier, only requiring you to configure it.
The parameters for doing so are still prefixed with "xpack", as it is still a setting of an spect from within this module.

Does spring-integration-smb support SMB2 and SMB3?

I'm wondering what version(s) of the SMB protocol that spring-integration-smb extension is currently supporting. I understand that Microsoft will be deprecating SMB1 soon (or already) and that only SMB2 and/or SMB3 will be supported in Windows Server. Does spring-integration-smb support SMB2/SMB3 protocol today?
I've been reviewing the spring-integration-smb and jcifs code base but I haven't been able to find this answer yet.
Currently the Spring Integration SMB extension is based on the `compile "org.codelibs:jcifs:1.3.18.3" and according some resources in the Internet it support only SMB1: Smb version 2 upgrade issues
However according the latest news of that project, we are good to tackle their new version with announced SMB2 and SMB3 support: https://github.com/codelibs/jcifs
Feel, free to raise an issue in GitHub project and we also are open to accept a contribution on the matter.
In case SMB3 is required there is also a commercial option that supports all SMB dialects named jNQ developed by Visuality Systems.

Window Authentication Using Node JS on Linux

I have multiple apps on Linux server. I want to use Window Authentication for login in apps. How can I do it using on Linux. I already Have connection with Active Directory. I just need current username of requested user for getting user profile from active directory.
Can I do it without deploying apps on IISNODE ???
I want on Linux. Is there any module available for that?
You need to use either NTLM (simpler, but older and apparently less secure) or Kerberos (the new way and more secure, but a little more complicated to setup).
There is a Kerberos module for Node, but I have no experience with it: https://www.npmjs.com/package/kerberos
Search for "kerberos nodejs" and you should find more help.
I also found these walk-throughs to install modules on Apache to do it, in case they're helpful:
NTLM: http://modntlm.sourceforge.net/
Kerberos: https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html

Worklight HTTP Adapter not working with Kerberos

My team and I are currently doing a Worklight mobile project. One of our requirements is to retrieve data from MS CRM and Sharepoint via web service calls. The authentication mechanism that we are to make use of is Kerberos / Spnego.
We followed the instructions documented here, where we inserted the following into our HTTP adapter:
<authentication>
<spnego stripPortOffServiceName="true"/>
</authentication>
In addition, as mentioned in the same IBM site we have included the krb5.conf file into the ../server/conf directory in the project files.
However after invoking the adapter procedure, we encountered an error:
Runtime: Failed to create Kerberos login context
As there are very limited documentation around regarding Worklight working with Kerberos, we were unable to solve this issue. Hence we would like to seek for some help on this community. Is there something that we missed out on?
Unfortunately this type of configuration is not tested often at all and there are no more documentation on this subject matter. This will be discussed to see if documentation and testing can be improved.
The workaround that is currently used (by Desmond) is to continue using NTLM instead.

Opensource IAM tool used in development

I am looking for an Opensource lightweight IAM to be used in development as a substitute for the real commercial IAM in production. Something with basic IAM functionalities, easy to install & easily configured to inject HTTP headers like user group.
Is OpenAM a good option? Any recommendations?
OpenAM comes from a very good pedigree...is forked from OpenSSO which is open-sourced code from the original SUN Access Manager product. OpenSSO was abandoned by Oracle after the Sun acquisition, so another company took it over and promoted a developer community around it.
Overall its a good choice for your requirements; that is:
Production-ready - yes, this version and previous versions have been used in production implementations
basic IAM functionality - it contains basic web access management functions and more than a few advanced features.
Inject HTTP headers - Yes, this is a standard function among web access management products.
In the past, a limitation with OpenAM/OpenSSO is that it required Sun Directory as the configuration store; however, this has changed with recent releases allowing other directories to be used.
Expect that installation and configuration of OpenAM to be rather command-line intensive; that is, with a minimal package installation and then options set in config files or thru utilities.
Hope that helps...

Resources