squid basic_ldap_auth strip nt domain from usernames - linux

I need to migrate from a windows based proxy to a linux one.
In the old server Squid uses mswin_auth.exe to authenticate user against an Active Directory domain. For this reason my users now enter ntdomain\username in the browser popup for proxy authentication.
In the linux Centos server Squid will use basic_ldap_auth, in this case the ntdomain must not be entered by the user. It will be very annoying for my users to change the old habit. Is there a way to automatically remove the ntdomain from the entered username?
In squid.conf I have
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f sAMAccountName=%s -h vfdc1.ntdomain.parentd.it
...
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f "(&(objectclass=person) (sAMAccountname=%u)(memberof:1.2.840.113556.1.4.1941:=cn=%g,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it))" -h vfdc1.ntdomain.parentd.it -S
thanks in advance

Use -K option in your request (it Strip Kerberos realm from usernames):
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -K -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f "(&(objectclass=person) (sAMAccountname=%u)(memberof:1.2.840.113556.1.4.1941:=cn=%g,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it))" -h vfdc1.ntdomain.parentd.it and all be fine.

This is my solution: I created to small bash script based on sed to strip the domain and used it squid.conf as in
auth_param basic program /usr/local/bin/squid_auth
where the file /usr/local/bin/squid_auth is
#!/bin/bash
/usr/bin/sed -u "s/^ve[\\]//i"|/usr/bin/sed -u "s/^ve%5c//i"|/usr/lib64/squid/basic_ldap_auth -R -b "dc=ve,dc=dipvvf,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ve,DC=dipvvf,DC=it" -W /etc/squid/squid.adpwd -f sAMAccountName=%s -h vfdc1.ve.dipvvf.it
The domain name is ve

Related

Nexus IQ read password from --password-stdin

I am running Nexus IQ scan on linux environment. Is there anyway to read password from --password-stdin or anything similar? Our concern is the password is in clear text in bash history.
java -jar ./nexus-iq-cli-1.75.0-01.jar -X -i "APPGNL" -a ${username}:${password} -s ${nexus_iq_url} ${docker_image_name}.tar
I understand that you want to read a password from a file. In your command, you can substitute ${password} with $(cat /password/directory).
Here are 2 potential options:
--pki-authentication
Delegate to the JVM for authentication
https://help.sonatype.com/integrations/nexus-iq-cli#NexusIQCLI-Parameters
Or, this might work to hide the credentials. I'm not sure if they will appear in logs though.
java -jar ./nexus-iq-cli-.jar #cli-auth.txt -i Test123 -s http://localhost:8070 -t build ./sample-application.zip
https://help.sonatype.com/integrations/nexus-iq-cli#NexusIQCLI-LoadingParametersFromFileLoadingParametersfromaFile

OpenLDAP Local configuration for Application Authentication

I have installed openLDAP on a Centos 7 server that is already running FreeIPA for user authentication. http://www.tecmint.com/setup-ldap-server-and-configure-client-authentication
The purpose of openLDAP is for a Nodejs application to manage users for the app. and will be running on separate server.
I can see that slapd is running (ps -ef | grep slapd):
ldap 1287 1 0 06:40 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
So I was trying to change the defaults using the ldapadd command and I suspect to be connecting to the FreeIPA LDAP that is configured on the box (on some coammands using -x -h it is asking for a password which hasn't been set yet):
sudo ldapadd -H ldapi:/// -f ldaprootpasswd.ldif
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)
If I run an ldapsearch then I seem to be able to connect to openLDAP:
sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=co
I thought maybe that I could connect externally using a Windows LDAP tool but I get a connection error. I did confirm that the port is open and visible externally.
nmap -p 389 10.18.16.243
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-28 11:25 GMT Daylight Time
Nmap scan report for 10.18.16.243
Host is up (0.00s latency).
PORT STATE SERVICE
389/tcp filtered ldap
MAC Address: BB:BB:BB:BB:BB:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 19.92 seconds
I tried using -h instead of -H:
sudo ldapadd -a -x -h localhost -p 389 -D cn=Manager,dc=my-domain,dc=com -W -f ldaprootpasswd.ldif
This prompts me for a password but I have only just installed openLDAP and not set a password yet (olcRootPW is in the ldif file I am trying to apply).
Does anyone have experience with openLDAP for user authentication or have any ideas what config needs changing to get this up an running?
The secret incantation was:
sudo ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
Since "-a" forces add new entries when using ldapmodify this would be the same as above:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
"-Q" -- Enable SASL Quiet mode. Never prompt.
"-Y" -- Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.

Setting Parent Site in Server using ssoadm

I have created a site in OpenAM.
./ssoadm create-site -s "Site1" -i http://localhost:8080/opensso -u amadmin -f password-file
I would like to set this Site as a Parent Site in this server.
I can do this easily using the Admin Console, but my challenge is to do this using ssoadm, or through CLI.
I tried googling but can't find any examples. Also, list-server-cfg does not show any property that corresponds to Parent Site.
EDIT: I did try something like ./ssoadm update-server-cfg --options -u amadmin -f password-file -s "http://localhost:8080/opensso" -a parentsite="Site1" but all this does is to create a new property called parentsite and the value "Site1". This did not work for me.
Use add-site-members:
ssoadm add-site-members -s "Site1" -e http://localhost:8080/opensso -u amadmin -f password-file

Write to stdin which asks for password

I am working on a bash script to configure openldap and add ldif script with users and groups.
How can I write the password from the bash script ?
This is the script I run when it asks for password:
ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -f /etc/ldap/base.ldif
EDIT:
I tried this and created a passwd.txt file with the password:
ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -y'passwd.txt' -f /etc/ldap/base.ldif
But gets this error:
Warning: Password file passwd.txt is publicly readable/writeable
ldap_bind: Invalid credentials (49)
man ldapadd.
-W
Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd
Use passwd as the password for simple authentication.
-y passwdfile
Use complete contents of passwdfile as the password for simple authentication.
So seems you are looking for option of -w or -y, not -W
There're two possibilities:
ldapadd reads the password from the standard input.
ldapadd reads the password directly from the current TTY.
In the first case it's enough to use something like this echo 'MySecretPassword' | ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -f /etc/ldap/base.ldif. The second one is more complicated because you need a tool like expect. Check if the simple redirection works first.

How do I clone an OpenLDAP database

I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:
I'm supposed to move an application from one redhat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from the one machine to the other, with schemas and all.
What files would I need to copy over? I believe the setup is pretty standard.
The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1).
From man slapcat (from OpenLDAP 2.3) :
The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.
(FYI: In OpenLDAP 2.4 that section was rephrased and expanded.)
Plus using a tool that uses the backend files to dump the database and then using a tool that loads the ldif through the ldap protocol is not very consistent.
I'd suggest to use a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would go to the latter as it does not need shell access to the ldap server or moving files around.
For example, dump database from a master server under dc=master,dc=com and load it in a backup server
$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif
The -W flag above prompts for ldap admin_master password however since we are redirecting output to a file you wont see the prompt - just an empty line. Go ahead and type your ldap admin_master password and enter and it will work. First line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.
Last hint, ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.
ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.
Export your DB with slapcat:
slapcat > ldif
Import the DB with slapadd (make sure the LDAP server is stopped):
slapadd -l ldif
Some appointments:
Save your personalized schemas and objectclasses definitions on your new server. You can look for your included files at slapd.conf to obtain it, for example (this is a part of my slapd.conf):
include /etc/ldap/schema/core.schema
Include your personalized schemas and objectclasses in your new openLDAP installation.
Use slapcat command to export your full LDAP tree to a single/various ldif files.
Use ldapadd to import the ldif files on to your new LDAP installation.
I prefer copy the database through the protocol:
first of all be sure you have the same schemas on both servers.
dump the database with ldapsearch:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif
and import it in the new server:
ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif
in one line:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a
By using the bin/ldap* commands you are talking directly with the server while using bin/slap* commands you are dealing with the backend files
(Not enough reputation to write a comment...)
Ldapsearch opens a connection to the LDAP server.
Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")
Thanks, Vish. Worked like a charm! I edited the command:
ldapsearch -z max -LLL -Wx -D "cn=Manager,dc=domain,dc=fr" -b "dc=domain,dc=fr" >/tmp/save.ldif
ldapmodify -c -Wx -D "cn=Manager,dc=domain,dc=fr" -a -f /tmp/save.ldif
Just added the -z max to avoid the size limitation and the -c to go on even if the target domain already exists (my case).

Resources