SonarQube and Azure Active Directory Domain services - azure

Since OAuth 2 support will only arrive with SonarQube 5.4, I'm trying to make it work with Azure AD DS (preview).
The principle is that Azure AD can have an emulation point for legacy AD domain services supporting NTLM, Kerberos, LDAP and so on (think of it as a domain controller, basically).
I've configured the AAD DS part and updated the DNS servers of my SonarQube machine.
The domain resolves properly from the SonarQube VM. Then I installed the LDAP module and added this to the sonar config file:
sonar.security.realm=LDAP
ldap.windows.compatibilityMode=true
sonar.forceAuthentication=true
ldap.url=ldap://10.0.0.5:10389
ldap.user.baseDn=cn=users,dc=baywetdev,dc=onmicrosoft,dc=com
But SonarQube doesn't work anymore when I try that (I also tried variations of it).
Note that I'm running on Ubuntu (up to date) with SonarQube 5.3 and the machine is not "joined" to the domain.
Any idea how to make it work? I've found very little documentation about it.
Thanks

SonarQube released support for AAD via OAuth on March 8th.
This is now the recommended approach.
For more information see https://github.com/SonarQubeCommunity/sonar-auth-aad
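For anyone still on the LDAP route against AD DS, the following is an added example (not part of the question or answer, and not SonarQube's or the LDAP plugin's own code) that parses a sonar.properties file and flags the settings that most often break or weaken an AD bind. The property names it looks at (sonar.security.realm, ldap.url, ldap.bindDn, ldap.bindPassword, ldap.StartTLS, ldap.user.baseDn) are the plugin's; the rules themselves are this example's hardening assumptions, and the sample input is the configuration posted in the question.

```python
"""Lint a sonar.properties LDAP section before pointing SonarQube at AD DS.

Added example; it is not part of the question, of SonarQube or of its LDAP
plugin.  The property names used (sonar.security.realm, ldap.url,
ldap.bindDn, ldap.bindPassword, ldap.StartTLS, ldap.user.baseDn) are the
plugin's; the rules are this example's own hardening assumptions.
"""
from urllib.parse import urlsplit


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comments, first '=' or ':' separates."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [line.find(sep) for sep in "=:" if sep in line]
        if not cuts:
            continue
        idx = min(cuts)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def lint_ldap_config(props: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if props.get("sonar.security.realm") != "LDAP":
        return ["sonar.security.realm is not LDAP, so the ldap.* settings are ignored"]
    url = props.get("ldap.url")
    if not url:
        return ["ldap.url is missing"]
    scheme = urlsplit(url).scheme.lower()
    starttls = props.get("ldap.StartTLS", "false").lower() == "true"
    if scheme == "ldap" and not starttls:
        findings.append("ldap.url is plain ldap:// without ldap.StartTLS=true: "
                        "bind credentials cross the network in clear text")
    # Assumption: like on-premises AD, AD DS rejects anonymous searches, so a
    # service-account bind is needed before any user can be looked up.
    if not props.get("ldap.bindDn") or not props.get("ldap.bindPassword"):
        findings.append("ldap.bindDn/ldap.bindPassword are missing: "
                        "AD will reject the anonymous user search")
    if not props.get("ldap.user.baseDn"):
        findings.append("ldap.user.baseDn is missing")
    return findings


# Constructed input: the configuration posted in the question above.
SAMPLE_CONFIG = """\
sonar.security.realm=LDAP
ldap.windows.compatibilityMode=true
sonar.forceAuthentication=true
ldap.url=ldap://10.0.0.5:10389
ldap.user.baseDn=cn=users,dc=baywetdev,dc=onmicrosoft,dc=com
"""

if __name__ == "__main__":
    for finding in lint_ldap_config(parse_properties(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the posted configuration it reports two findings: no bind account, and a plain ldap:// URL without StartTLS. Adding a service-account ldap.bindDn/ldap.bindPassword and either ldap.StartTLS=true or an ldaps:// URL clears both.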

Accessing ADFS from outside corporate network

I'm trying to authenticate a SPA against an Active Directory.
My understanding so far is:
- using ADFS as an STS for getting tokens
- using ADAL.js for simplifying communication with ADFS
In order to set up a proof of concept, I created a virtual machine on Azure based on Windows Server 2016, then installed AD and ADFS.
ADFS works correctly when I am on the virtual machine; I can see its metadata URL over HTTPS.
Now I would like to develop my SPA from my development machine, but I cannot reach the ADFS endpoint from outside Azure.
The question is: is it correct/allowed to try to authenticate from a computer outside that network?
I read about many possibilities without finding a solution:
- using ExpressRoute for establishing a VPN
- using an ADFS proxy
- joining the AAD
Thank you.
Definitely - I do it all the time.
No - you don't need Express Route / Proxy.
In your VM configuration in Azure under "Overview", are you using the DNS name you see there?
Under "Networking", have you enabled http and https?

Development with offline Azure Active Directory

We are developing an HTML5/Angular web application with a server backend that will be hosted in MS Azure and will also authenticate via Azure Active Directory. However, during development there is occasionally the need to work offline, disconnected from the internet. When this happens it is not possible to debug and test the application, as it is not possible to reach Active Directory to authenticate.
Is it possible to create a local virtual machine in VirtualBox with all the necessary AD functionality included and then switch the software to use that local VM in development mode but Azure AD in release mode?
If it is, what steps/roles etc. will need to be installed in my local server VM?
Many thanks
Alan
No, it is impossible to use the features provided by Azure AD without an internet connection.
Is it possible to create a local virtual machine in VirtualBox with all the necessary AD functionality included and then switch the software to use that local VM in development mode but Azure AD in release mode?
If you want to use the authentication, you may need to set up your own Identity Provider server when you are working offline. There are a lot of open source libraries that can help set up the Identity Provider server, like IdentityServer, AspNet.Security.OpenIdConnect.Server, etc.
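The part of this that bites later is the switch itself: a release build that still trusts the offline provider will accept any token it mints. The following is an added example (not from the question, the answer, or the libraries it names) that selects OpenID Connect provider settings per build mode and refuses the unsafe combinations. The tenant id, client ids and the local port are constructed placeholders.

```python
"""Select the OpenID Connect provider per build mode and refuse unsafe mixes.

Added example; it is not from the question, the answer, or the libraries
the answer names.  It models the suggested split: a self-hosted provider
(IdentityServer-style) while working offline in development, Azure AD in
release.  The tenant id, client ids and local port are constructed placeholders.
"""
from urllib.parse import urlsplit

PROVIDERS = {
    "release": {
        # Azure AD v2.0 issuer; the tenant id is a placeholder to replace.
        "authority": "https://login.microsoftonline.com/<tenant-id>/v2.0",
        "client_id": "<release-client-id>",
    },
    "development": {
        # Local IdP in the VirtualBox VM / on the laptop, reachable offline.
        "authority": "https://localhost:5001",
        "client_id": "spa-dev",
    },
}

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def resolve_provider(mode: str, providers: dict = PROVIDERS) -> dict:
    """Return provider settings plus the discovery URL, enforcing two invariants."""
    if mode not in providers:
        raise ValueError(f"unknown mode {mode!r}")
    cfg = providers[mode]
    parts = urlsplit(cfg["authority"])
    if parts.scheme != "https":
        raise ValueError("authority must be https: tokens would travel in clear text")
    # Invariant: a release build never trusts a local development issuer;
    # anything it mints would otherwise be accepted by the production backend.
    if mode == "release" and (parts.hostname or "") in LOCAL_HOSTS:
        raise ValueError("release configuration points at a local issuer")
    authority = cfg["authority"].rstrip("/")
    return {**cfg, "authority": authority,
            "discovery": authority + "/.well-known/openid-configuration"}


def issuer_is_trusted(token_issuer: str, mode: str) -> bool:
    """Backend check on the token's iss claim: exact match with the mode's authority."""
    return token_issuer.rstrip("/") == resolve_provider(mode)["authority"]


if __name__ == "__main__":
    for mode in ("development", "release"):
        print(mode, "->", resolve_provider(mode)["discovery"])
```

The backend should do the same exact-issuer comparison when validating tokens, so a development token presented to a release deployment is rejected even if the signing keys were somehow shared.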

Enable Impersonation for SSRS reports on Azure

In our current production setup, we have set up SSRS and have been able to successfully use SSRS reports in our .NET web application for years. We have used impersonation in Web.Config (there might be other solutions available; we had to go with this) as shown below.
<identity impersonate="true" userName="domainname/username" password="password"></identity>
This solution worked well because our Active Directory and SSRS server are located in the same network / domain.
Now, as part of our Azure migration, we have migrated our SSRS server to an Azure VM, and we are able to view the reports using Report Server Manager within the VM. Now, when we access the web application (App Service - Web App), we get the following error. Below is the updated impersonation attribute that we have used.
<identity impersonate="true" userName="username@ouremailaddressdomainname.onmicrosoft.com" password="password"></identity>
"Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'The user name or password is incorrect'"
Obviously, this is because of the fact that we don't have an Active Directory domain set up in Azure. Below are my questions.
Can we utilize the users available in the default Directory that gets created on Azure?
If yes, how do I specify the impersonation?
Thanks,
Prawin
With your planned setup you cannot use identity impersonation. This is because App Service Web Apps run in an isolated sandboxed environment which cannot be part of a Windows domain.
You have a couple of options:
- Change the reporting server to use mixed mode authentication and create a local SQL Server login and user with appropriate permissions. Then configure your reporting application to provide these SQL Server credentials.
- Move your web application (or just the part which deals with the reports) to the same VM as your reporting server; this will not require a domain environment.
- Move your application to a separate VM and use Azure Active Directory Domain Services to make the VMs part of the same domain (overkill IMO).
I would vote for the first option, as it requires the fewest changes and leverages PaaS services (App Service). Everything else is overkill or just an abuse of the cloud platform.

Neo4j: Ubuntu hosted endpoint protection on Microsoft Azure

I am trying to host the Neo4j server on an Azure Ubuntu VM and opened up the endpoint to enable access from my machine so that I can access the webadmin portal and also debug ASP.NET portal code from my machine.
I am however unable to understand how to password protect access to the Neo4j endpoint on that VM so that it's not open to everyone on the net. I'm looking for at least a simple protection like:
http://<user>:<pass>@myneo4j.cloudapp.net:7474/db/data
Is there any guide on how to set up Neo4j on the Azure cloud that I can refer to?
I found authentication-extension but I'm unable to understand if this is all I need when setting up the connection via Neo4jClient.
Regards
Kiran
If you use Ubuntu you can set up nginx as a reverse proxy: http://joewhite86.wordpress.com/2013/05/29/secure-neo4j-webadmin-using-http-auth-and-ssl/
Once I downloaded the right version of 'authentication-extension' and put it in the plugin folder, it was exactly what I wanted.
I added a few users and pointed the URI to the database as below:
http(s)://<user>:<pass>@myneo4j.cloudapp.net:7474/db/data
And that's all I needed to protect my back end the old-fashioned SQL Server way.
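For the nginx route in the first answer, here is an added example (not from either answer, and not Neo4j's or nginx's own code) that generates the two files that approach needs: an htpasswd file and a TLS-only server block that requires basic auth on every path. Passwords are stored in the {SSHA} form that nginx's auth_basic_user_file accepts without external tools; where the htpasswd utility is available its bcrypt output is stronger. The host name is the one from the question; the certificate paths, output directory and sample user are constructed.

```python
"""Put nginx with HTTP basic auth and TLS in front of a Neo4j endpoint.

Added example; it is not from the post, from Neo4j or from nginx.  It
produces the two files the reverse-proxy approach in the answer needs: an
htpasswd file and an nginx server block.  Passwords are stored in the
{SSHA} form (salted SHA-1), which nginx's auth_basic_user_file accepts
without any external tool; where the htpasswd utility is available, its
bcrypt output is the stronger choice.  Host name, paths and the sample
user are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from pathlib import Path


def ssha_entry(user: str, password: str, salt: bytes | None = None) -> str:
    """Return one htpasswd line: user:{SSHA}base64(sha1(password + salt) + salt)."""
    if ":" in user:
        raise ValueError("user name may not contain ':'")
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode()}"


def verify_ssha(entry: str, user: str, password: str) -> bool:
    """Check a candidate password against one {SSHA} htpasswd line (constant-time compare)."""
    name, _, hashed = entry.strip().partition(":")
    if name != user or not hashed.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(hashed[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]            # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def nginx_server_block(server_name: str, htpasswd_path: str,
                       upstream: str = "127.0.0.1:7474") -> str:
    """Render a TLS-only server block that requires basic auth for every path."""
    return f"""\
server {{
    listen 443 ssl;
    server_name {server_name};
    ssl_certificate     /etc/nginx/certs/{server_name}.crt;   # constructed paths
    ssl_certificate_key /etc/nginx/certs/{server_name}.key;

    location / {{
        auth_basic           "Neo4j";
        auth_basic_user_file {htpasswd_path};
        proxy_pass           http://{upstream};
        proxy_set_header     Host $host;
    }}
}}
server {{
    listen 80;
    server_name {server_name};
    return 301 https://$host$request_uri;   # never serve the REST API in clear text
}}
"""


def write_config(out_dir: Path, server_name: str, users: dict[str, str]) -> tuple[Path, Path]:
    """Write the htpasswd file (mode 0600) and the server block; return both paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    htpasswd = out_dir / "neo4j.htpasswd"
    htpasswd.write_text("".join(ssha_entry(u, p) + "\n" for u, p in users.items()))
    htpasswd.chmod(0o600)
    conf = out_dir / "neo4j.conf"
    conf.write_text(nginx_server_block(server_name, str(htpasswd)))
    return htpasswd, conf


if __name__ == "__main__":
    # Constructed sample user; "myneo4j.cloudapp.net" is the host from the question.
    paths = write_config(Path("./nginx-out"), "myneo4j.cloudapp.net", {"kiran": "change-me"})
    print("wrote", *paths)
```

The proxy only helps if nothing can reach Neo4j around it: keep the server bound to the loopback interface on the VM and open only port 443 in the Azure endpoint, not 7474, otherwise the unauthenticated REST API stays reachable directly.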

Git connected to Active Directory

Objective:
Set up a Git repository on Oracle Linux 6. Users connecting from Windows, Mac and Linux, using AD credentials. I would like to limit access based on AD groups. I have been searching for a way to set this up. I have seen several options that allow for fine-grained access control of the repository, but I haven't found anything that can use AD groups to manage access.
So the question is: Is this even possible? Can someone point me in the direction of documentation that would explain the process?
Update:
There now appear to be more options:
GitLab supports LDAP authentication
Gogs supports LDAP too
Update:
GitBlit, "an open-source, pure Java stack for managing, viewing, and serving Git repositories", supports LDAP authentication out of the box:
LDAP can be used to authenticate Users and optionally control Team memberships. When properly configured, Gitblit will delegate authentication to your LDAP server and will cache some user information in the usual users.conf file.
GitBlit also lists support for Windows authentication, but only when installed on Windows, and only tested against local accounts.
Previous answer:
If you move your Git server to Bonobo Git Server on Windows you can use Windows authentication:
Windows Authentication
This authentication is very useful when your git server sits inside the company network and your accounts and logging information could be managed via IIS. The advantage of this approach is that your users won’t have to create another account for logging to Bonobo Git Server. They will use the existing Windows account they use on the network.
Doing this from Linux is possible, but unlikely to be easy. You'll probably have to set PAM up to use either LDAP or Kerberos authentication and then do quite a lot of configuration. If you've got Windows licences I strongly recommend checking out Bonobo.
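Whichever front end does the authentication, the "limit access based on AD groups" part of the question is a mapping from the group DNs AD returns in a user's memberOf attribute to repository permissions. The following is an added example (not from the question or any answer, and not GitLab's, Gogs's, Gitblit's or Bonobo's code) of that mapping, deny by default, with the DN parsing that escaped commas in group names require. Group names, repository names and the sample directory entry are constructed.

```python
"""Authorize Git operations from Active Directory group membership.

Added example; it is not from the question, the answers, or from
GitLab/Gogs/Gitblit/Bonobo.  Whatever front end authenticates the user
against AD, the directory can return the user's groups as DNs in the
memberOf attribute; this maps those DNs to per-repository permissions,
deny by default.  Group names, repository names and the sample entry are
constructed.
"""
import re

# Policy: repository -> permission -> AD group CNs that grant it.  Read is
# listed explicitly rather than implied by write, so the table is auditable.
POLICY = {
    "payments": {"write": {"git-payments-dev"},
                 "read": {"git-payments-dev", "git-readers"}},
    "docs": {"write": {"git-docs"},
             "read": {"git-docs", "git-readers"}},
}

# Split a DN on commas that are not escaped with a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def group_cns(member_of: list) -> set:
    """CN of every group DN, lower-cased (AD matches group names case-insensitively)."""
    cns = set()
    for dn in member_of:
        first_rdn = _RDN_SPLIT.split(dn)[0]
        attr, _, value = first_rdn.partition("=")
        if attr.strip().lower() == "cn":
            cns.add(value.replace("\\,", ",").strip().lower())
    return cns


def allowed(repo: str, permission: str, member_of: list) -> bool:
    """True only when the repo is in POLICY and one of the user's groups grants it."""
    granting = {g.lower() for g in POLICY.get(repo, {}).get(permission, ())}
    return bool(granting & group_cns(member_of))


# Constructed directory entry, shaped like an LDAP search result for the user.
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "memberOf": [
        "CN=git-payments-dev,OU=Groups,DC=example,DC=com",
        "CN=Git-Readers,OU=Groups,DC=example,DC=com",
    ],
}

if __name__ == "__main__":
    checks = (("payments", "write"), ("docs", "write"), ("docs", "read"), ("secrets", "read"))
    for repo, perm in checks:
        verdict = allowed(repo, perm, SAMPLE_USER["memberOf"])
        print(f"{SAMPLE_USER['sAMAccountName']} {perm} {repo}: {verdict}")
```

One caveat when wiring this to a real directory: memberOf lists direct memberships only, so nested groups and the user's primary group are missing. Resolve nesting on the AD side with a matching-rule-in-chain filter (OID 1.2.840.113556.1.4.1941) or read the tokenGroups attribute, then feed the expanded list to the same policy check.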
