I'm running into trouble with Squid Kerberos auth and the Squidguard ldapusersearch, which I use to apply ACLs by Active Directory group membership.
The problem is:
Squid and Squidguard see my user as user@domain.local, so the '%s' variable of Squidguard is 'user@domain.local'.
In my LDAP query there is no default property that can match this string.
Example:
src ldap {
ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}
And sAMAccountName should be only 'user' and not 'user@domain.local'!!!
So I found a solution, but it's not very comfortable:
I edit an unused attribute of the AD user and write my Kerberos login into it, so my conf looks like this:
src ldap {
ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?displayNamePrintable?sub?(&(displayNamePrintable=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}
And it works!!!
Does anyone have an idea to bypass the need to create a custom attribute in AD that contains it?
I should add that userPrincipalName is the same as the email and can't match the Kerberos login.
Thanks all!!!
I am using Squid version 3.4.5-20140514-r13135 with squidguard 1.5-beta and the strip-domain-realm patch of Mathieu Parent, which is able to strip the domain and strip the realm.
So the users appear as "user" and not as "user@KERBEROSDOMAIN".
Here is an example configuration that's working for me:
dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard
ldapbinddn squidguard@domain.tld
ldapbindpass squidguardpass
ldapprotover 3
ldapcachetime 2400
stripntdomain true
striprealm true
src users {
ldapusersearch "ldap://ldapserver:3268/dc=ADDomain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=SQUID_USERS,OU=Squid_Groups,OU=Groups,DC=ADDomain,DC=com))"
}
I have to implement authorization to access the Etherpad UI so that it is not a public URL.
For this, when I set the setting "requireAuthentication": true, it throws a web authentication prompt through the browser, as below.
But in the application, when I access the Etherpad UI through an iframe, it also shows the authentication pop-up as above. Please suggest how I can access the Etherpad UI without the auth pop-up in the application, but allow the auth pop-up when it is accessed from a web browser instead of the application?
Or any other way is also appreciated.
Just posting here because Google searches for "etherpad basic authentication" led me here.
This solution only applies to etherpad-lite via Docker.
I had been wanting to enable some basic authentication as well, without using LDAP or some plugin.
Checkout the etherpad-lite Git project
git clone https://github.com/ether/etherpad-lite.git
Edit the settings.json.docker:
- Made one change to the file by setting requireAuthentication to true
- Took note of those two variable names (ADMIN_PASSWORD, USER_PASSWORD)
.
.
"requireAuthentication": true
.
.
"users": {
"admin": {
// 1) "password" can be replaced with "hash" if you install ep_hash_auth
// 2) please note that if password is null, the user will not be created
"password": "${ADMIN_PASSWORD:null}",
"is_admin": true
},
"user": {
// 1) "password" can be replaced with "hash" if you install ep_hash_auth
// 2) please note that if password is null, the user will not be created
"password": "${USER_PASSWORD:null}",
"is_admin": false
}
},
*all the other stuff can be left alone, so I left it out of this snippet
Create a custom image from the etherpad-lite image:
docker build --tag myetherpad .
Spin up your new Etherpad instance and pass in those two variables:
ADMIN_PASSWORD: "someAdminPassword"
USER_PASSWORD: "someUserPassword"
*I am using docker-compose, so setting those variables will look a little different in vanilla Docker or K8s
**There are definitely better ways to deliver authentication in etherpad-lite, but I just needed a quick instance. This process would be very tedious if you were going to have more than a few users.
I'm trying to use VirtoCommerce e-commerce. I already installed the manager on my computer; it asks for three parameters to connect:
login: admin
password: store
base URL: ??
If anyone can tell me what base URL I can use to connect.
Connect to demo site. Check for login parameters here: http://virtocommerce.com/try-now/online-demo
I am testing Squid + AD using Windows Server 2008. I have the following simple structure for now:
+ Test_Users
-----internet_group
--------Matthew Vassallo (user)
-----normal_group
--------Kenneth Grech (user)
I would like to make an LDAP query that contains a single common OU but with different groups. The following query worked well for only one group and one OU:
(&(memberOf=OU=Test_Users,CN=internet_group,DC=matthew,DC=com)(sAMAccountName=%s))
How can I extend that for more groups, please? Thanks
Use:
(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
Then:
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
acl group1 external ldap_group internet_group
acl group2 external ldap_group normal_group
# the http_access lines must reference the acl names defined above, not the AD group names
http_access allow group1
http_access allow group2
Another option is to build a complex filter:
(&(|(memberOf=CN=normal_group,OU=Test_Users,DC=matthew,DC=com)(memberOf=CN=internet_group,OU=Test_Users,DC=matthew,DC=com))(sAMAccountName=%s))
Choose the best option for you :)
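As an added example (written for this page; not code from either poster, Squid or squidGuard) that covers both the Kerberos-login thread at the top of the page and this one: the login Squid passes is reduced the way striprealm/stripntdomain do, escaped per RFC 4515 so that it cannot rewrite the filter when it is substituted for %s, and combined with one or several memberOf terms. Whether squidGuard escapes the login itself before substitution is not stated on the page, so the example does it explicitly. The group DNs, host name and login are constructed sample values.

```python
"""Build the group-membership filter that squidGuard's ldapusersearch expands %s into.

Added example (not squidGuard's own code): reproduces what striprealm /
stripntdomain do to the login Squid hands over, escapes the login per
RFC 4515 before it goes into the filter, and composes one filter that
accepts membership in any of several AD groups.
"""
from typing import Sequence

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def normalize_login(login: str, strip_realm: bool = True, strip_ntdomain: bool = True) -> str:
    """Reduce 'user@REALM' or 'DOMAIN\\user' to the bare sAMAccountName.

    Assumption: at most one 'DOMAIN\\' prefix and one '@REALM' suffix, which is
    what Squid's NTLM and Kerberos helpers produce.
    """
    name = login.strip()
    if strip_ntdomain and "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if strip_realm and "@" in name:
        name = name.split("@", 1)[0]
    return name


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login such as '*)(objectClass=*' rewrites the filter.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(login: str, group_dns: Sequence[str], attr: str = "sAMAccountName") -> str:
    """(&(attr=user)(memberOf=dn)) for one group, or an OR of memberOf terms for several."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    terms = [f"(memberOf={ldap_filter_escape(dn)})" for dn in group_dns]
    membership = terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"
    user = ldap_filter_escape(normalize_login(login))
    return f"(&({attr}={user}){membership})"


def ldapusersearch_url(host: str, base_dn: str, filt: str, port: int = 3268,
                       attr: str = "sAMAccountName", scope: str = "sub") -> str:
    """The ldap:// URL form ldapusersearch takes, with %s already expanded."""
    return f"ldap://{host}:{port}/{base_dn}?{attr}?{scope}?{filt}"


if __name__ == "__main__":
    # Constructed sample values; the host and group DNs are not from the page.
    groups = [
        "CN=internet_group,OU=Test_Users,DC=matthew,DC=com",
        "CN=normal_group,OU=Test_Users,DC=matthew,DC=com",
    ]
    print(ldapusersearch_url("dc1.matthew.com", "dc=matthew,dc=com",
                             group_filter("jdoe@MATTHEW.COM", groups)))
```

Port 3268 is the Global Catalog, which is what both squidGuard configurations on this page query; it answers for the whole forest, so the memberOf terms above must be full DNs rather than group names.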
Worked for me: (&(objectClass=posixAccount)(|(ou:dn:=Users1)(ou:dn:=Users2)))
You need to be sure the user uids are unique!
AuthLDAPURL ldap://localhost/dc=ldapserver?uid?sub?(&(objectClass=posixAccount)(|(ou:dn:=Users1)(ou:dn:=Users2))) NONE
Require ldap-group cn=wsgihg,ou=WebAuth,dc=ldapserver
I have an interesting issue I've been trying to resolve for a few days.
I'm currently working with a Windows Server 2003 machine that is running a standard instance of Active Directory.
The directory contains two domain components (DCs) that both house users that are going to be authorizing against the directory, via my application.
I'm using :
The IP address of the server as the host name
An SSL connection via port 3269
The GSS Negotiate Auth Mechanism
A BaseDN that is a parentDN of both DC's
The sAMAccountName as the login name
The problem is, I cannot successfully authorize any users from DC1, yet all of those who belong to DC2 are completely fine and work great. I get this error on DC1:
8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.
However, using Softerra's LDAP Browser, I can connect and authorize the same exact user without any issue, so I know the credentials are correct.
From what I can tell, both of these DCs are configured the same... I've browsed both of them for something, anything that is different... but have found nothing that really stands out.
I posted something months ago about this particular setup, and the code I'm using is in that thread as well.
Set callback for System.DirectoryServices.DirectoryEntry to handle self-signed SSL certificate?
Any help here would be much appreciated.
Thanks!
I was able to get this working, but for the life of me I cannot figure out why this was the case. Basically, this error...
8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece System.DirectoryServices.Protocols.LdapException: The supplied credential is invalid.
...was dead on. The issue was that users logging in under what I called DC2 needed to issue the bind with the domain AND sAMAccountName (e.g. LIB\JSmith), as opposed to DC1, which allowed just the sAMAccountName to be entered.
I figured the best way to make this programmatic was to use the principal binding account to query for the DN of the user. From that DN, using some crafty RegEx, I'm able to capture the domain they inherit from, and issue two separate binds.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;

// userResponse is the SearchResponse from the lookup done with the principal (service) bind;
// ldapconn, config, username and Pin come from the surrounding code of the original thread.
SearchResultEntry ResultEntry = userResponse.Entries[0];
//Let's get the root domain of the user now using our DN RegEx and that search result
Regex RegexForBaseDN = new Regex(config.LdapAuth.LdapDnRegex);
Match match = RegexForBaseDN.Match(ResultEntry.DistinguishedName);
if (!match.Success)
{
    // Without this guard the bind below would silently run with an empty Domain
    throw new InvalidOperationException("Could not derive the domain from DN: " + ResultEntry.DistinguishedName);
}
string domain = match.Groups[1].Value;
//Try binding the user with their domain\username
try
{
    var thisUser = new NetworkCredential
    {
        Domain = domain,
        UserName = username,
        Password = Pin
    };
    //If this goes well, we'll continue forward
    ldapconn.Bind(thisUser);
}
//If that doesn't work, try binding them with the highest level domain
catch (LdapException ex)
{
    // LdapErrorCodes is the poster's own constants class; LDAP resultCode 49 is invalidCredentials
    if (ex.ErrorCode.Equals(LdapErrorCodes.LDAP_INVALID_CREDENTIALS))
    {
        var thisUserOnce = new NetworkCredential
        {
            Domain = config.LdapAuth.LdapDomain,
            UserName = username,
            Password = Pin
        };
        //If this goes well, we'll continue forward; a second failure propagates to the caller
        ldapconn.Bind(thisUserOnce);
    }
    else
    {
        // Any other LDAP error is not an authentication result: never swallow it,
        // or the caller continues as if the bind had succeeded
        throw;
    }
}
It's not nearly as elegant as I would have wanted, but it does work for this particular scenario.
However, I'm still really interested in why the naming conventions are different depending on which DC the user inherits from.
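As an added example (not the poster's code, and independent of System.DirectoryServices.Protocols): a small RFC 4514 DN parser that replaces the "crafty RegEx", derives the user's domain from the DC components of the DN the search returned, and yields the two logon forms to try in order. The NetBIOS-name rule and the sample DN are assumptions and constructed values, as noted in the comments; feeding the result into the two Bind() calls above is left to the caller.

```python
"""Work out how a user must bind from the DN that a directory search returned.

Added example (not the poster's C# code): instead of a regex over the DN, it
parses the DN per RFC 4514 (handling '\\,' and '\\2C' escapes), takes the DC
components as the domain, and returns the logon names to try in order.
"""
from typing import List, Tuple

_HEX = "0123456789abcdefABCDEF"


def _split_rdn(chars: List[str]) -> Tuple[str, str]:
    """'CN=value' -> ('CN', 'value'); attribute types are case-insensitive."""
    part = "".join(chars)
    typ, sep, val = part.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {part!r}")
    return typ.strip().upper(), val.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs on unescaped commas.

    Limitations (assumptions, not from the page): single-valued RDNs only
    (no '+'), and hex escapes are decoded as single ASCII bytes.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                buf.append(chr(int(pair, 16)))   # backslash + '2C' -> ','
                i += 3
            else:
                buf.append(dn[i + 1])            # backslash + ',' -> ','
                i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_split_rdn(buf))
    return rdns


def domain_from_dn(dn: str) -> str:
    """DNS name of the domain the object lives in: its DC components joined by dots."""
    dcs = [val for typ, val in parse_dn(dn) if typ == "DC"]
    if not dcs:
        raise ValueError(f"no DC components in DN: {dn!r}")
    return ".".join(dcs)


def bind_candidates(dn: str, sam_account_name: str) -> List[str]:
    """Logon names to try in order: DOMAIN\\user first, then user@dns.domain.

    Assumption (not from the page): the NetBIOS domain name is the left-most
    DC label upper-cased. Forests where that does not hold still get the
    second form, the implicit UPN sAMAccountName@dnsdomain that AD accepts
    for logon regardless of the explicit userPrincipalName.
    """
    fqdn = domain_from_dn(dn)
    netbios = fqdn.split(".", 1)[0].upper()
    return [f"{netbios}\\{sam_account_name}", f"{sam_account_name}@{fqdn}"]


if __name__ == "__main__":
    # Constructed sample DN with an escaped comma in the CN.
    sample = "CN=Smith\\, John,OU=Staff,DC=lib,DC=example,DC=com"
    for candidate in bind_candidates(sample, "jsmith"):
        print(candidate)
```

The parser is deliberately strict about what it does not handle (multi-valued RDNs, non-ASCII hex escapes): a DN it cannot parse raises instead of yielding a wrong domain, which is the failure mode a regex silently produces.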
I installed a clean JBoss 7.1.Final server.
After running it, I ran sh add_user.sh in the bin folder.
I chose a) for Management User.
I entered:
Realm (ManagementRealm) : joerg
Username : joerg
Password : superpassword
Re-enter Password : superpassword
When I then entered http://localhost:9990/console/ it was forwarded to http://localhost:9990/console/App.html.
The problem is that if I go to the URL http://localhost:9990/console/App.html I can't log in, because I get the typical HTTP Basic Authentication prompt for username and password (looks like there is a .htaccess but I never made one).
If I try
login: joerg
password: superpassword
it is not working.
(on the shell the username and password works with the jboss diagnostic reporter jdr.sh)
In your example, you will need to enter the ManagementRealm as the realm that your primary user account will resolve to. Your example would be:
Realm (ManagementRealm) : ManagementRealm
Username : joerg
Password : superpassword
Re-enter Password : superpassword
From the official documentation, this is explained as follows:
It is important to leave the name of the realm as 'ManagementRealm' as this needs to match the name used in the server's configuration, for the remaining fields enter the new username, password and password confirmation.
Provided there are no errors in the values entered you will then be asked to confirm that you want to add the user, the user will be written to the properties files used for authentication and a confirmation message will be displayed.
With JBoss Application Server 7.1.x being so customisable, you can build your own realm configurations as required, but for the initial instance, make sure you use the ManagementRealm.
Follow these steps:
1. Open jboss-as-x.x.x.Final\standalone\configuration\mgmt-users.properties and delete the user (i.e. delete the line that has the username you want to use, such as admin=2c7123264278731425d1f53aeb55da1e).
2. Open jboss-as-x.x.x.Final\domain\configuration\mgmt-users.properties and delete the user there in the same way.
3. Run jboss-as-x.x.x.Final\bin\add-user.bat and add the user in the following way:
Select user type a
Realm (ManagementRealm) : ManagementRealm
Username : admin
Password : password
Re-enter Password : password
If you get the error JBAS015243: The user 'admin' already exists in at least one properties file, then you didn't complete steps 1 and 2.
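As an added example (not JBoss's own code): the mgmt-users.properties format is username=HEX(MD5(username ':' realm ':' password)), so the realm name is part of the stored hash. A user added with the realm typed as 'joerg', as in the question, can never match a challenge issued for ManagementRealm, which is why both answers insist on keeping the default. The properties content below is constructed, and the delete step of the second answer is shown as a function.

```python
"""JBoss AS 7 mgmt-users.properties: what add-user writes and why the realm matters.

Added example (not JBoss code). The file stores
    username=HEX(MD5(username ':' realm ':' password))
so a hash made with realm 'joerg' never verifies against 'ManagementRealm'.
"""
import hashlib
import hmac
from typing import Dict

MANAGEMENT_REALM = "ManagementRealm"


def mgmt_hash(username: str, password: str, realm: str = MANAGEMENT_REALM) -> str:
    """The digest add-user stores for this user under the given realm."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def properties_line(username: str, password: str, realm: str = MANAGEMENT_REALM) -> str:
    """One line of mgmt-users.properties, as add-user would append it."""
    return f"{username}={mgmt_hash(username, password, realm)}"


def parse_properties(text: str) -> Dict[str, str]:
    """Parse mgmt-users.properties: '#' comments, blank lines, username=hash."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, digest = line.partition("=")
        if sep:
            users[name.strip()] = digest.strip()
    return users


def verify(users: Dict[str, str], username: str, password: str,
           realm: str = MANAGEMENT_REALM) -> bool:
    """True only if the stored hash was made with this username, realm and password."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, mgmt_hash(username, password, realm))


def remove_user(text: str, username: str) -> str:
    """Drop the user's line, which is what steps 1 and 2 of the answer above do by hand."""
    kept = [ln for ln in text.splitlines() if not ln.strip().startswith(f"{username}=")]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Constructed file: one user added correctly, one with the realm typed wrong.
    props = "# username=HEX(MD5(username ':' realm ':' password))\n"
    props += properties_line("admin", "password") + "\n"
    props += properties_line("joerg", "superpassword", realm="joerg") + "\n"
    users = parse_properties(props)
    print("admin ok:", verify(users, "admin", "password"))
    print("joerg against ManagementRealm:", verify(users, "joerg", "superpassword"))
```

Because the realm is hashed in, the only fix for a user created under the wrong realm is the one the second answer gives: remove the line and add the user again with ManagementRealm.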