Using LDAP with HornetQ - security

HornetQ's default SecurityManager (HornetQSecurityManagerImpl) will check users/roles that are stored in hornetq-users.xml. I want to use LDAP for authenticating users; I have two ways:
Using JAAS, and using it with LDAP for authenticating users.
Implementing the SecurityManager interface manually, and using LDAP in my own security manager implementation.
Which one is better? Other approaches? What should I do? (experience, sample)

I'd say it's always better to use something that's ready and tested. Using JAAS with LDAP will give you an easier path, as that should work nicely.
In the HornetQ distribution there's an example showing how to configure JAAS. You can just get the distribution zip at http://www.jboss.org/hornetq/downloads.html and refer to the examples that are part of HornetQ already.

Related

alternative to basic authentication for nginx-unit?

I have an nginx-unit server.
I don't use nginx, because my application is fully dynamic and for test-purpose products.
However, it doesn't have basic authentication like Apache.
Is there any alternative to basic authentication on nginx-unit?
Should I use nginx? If so, is there any alternative to basic authentication?
If I'm not wrong, Kerberos authentication works well if you don't want to use basic auth and your use case applies. You can use SSSD with Samba to make it work.
If you are looking for something simple (like checking name-value pairs in the URI) for authentication, then you can try to use matching in routing.

Secure Elasticsearch installation retrospectively

I have an Elasticsearch installation (v7.3.2). Is it possible to secure this retrospectively? This link states that a password can only be set "during the initial configuration of the Elasticsearch". Basically, I require consumers of the RESTful API to provide a password (?) going forward.
The elastic bootstrap password is used to initialize the internal/reserved users used by the components or features of the Elastic Stack (Kibana, Logstash, Beats, monitoring, ...).
If you want to secure the API, you need to create users/roles for your scenario on top.
Please use TLS in your cluster when handling passwords, and don't expose the cluster directly, for security reasons.
Here is all the information regarding a secure cluster, including some tutorials: https://www.elastic.co/guide/en/elasticsearch/reference/7.3/secure-cluster.html
EDIT: Added links as requested. Feel free to raise a new question here at SO if you're facing serious problems!
Here you can find a complete guide to install and secure Elasticsearch.
Basically, the bootstrap password is used initially to set up the built-in Elasticsearch users (like "elastic", "kibana"). Once this is done, you won't be able to access Elasticsearch anonymously but only with one of the built-in users, e.g. "elastic".
Then you can use the "elastic" user to create additional users (with their own password) and roles (e.g. to access specific indexes only in read-only mode).
As #ibexit wrote, it's highly recommended to secure your cluster and not expose it directly (use a proxy server, secured with SSL).

What do I need to connect to an LDAP, and bind to a more "general" DN to search for users?

I have a problem with something I've never really encountered before, that is, connecting to an LDAP from a NodeJS application. Until now, I didn't even know there was such a thing as an LDAP, so I've been learning on the go. That's why this may be a stupid question, but I haven't found any concise answer.
The requirement is: "log to an LDAP from your application with the user and pass provided in your login screen". The client has an LDAP, and wants to use it to authenticate our application's users, so the user and pass entered in our log in screen are used to try to log in to the LDAP.
I understand that I need three things to connect to an LDAP:
the server's URL
A user (with pass)
And a DN to bind to
I'm currently using ldapjs to connect from NodeJS. The operation that I'd need to use to authenticate the user, I understand, is the bind operation. For that, I need to have created the server (already done, and no problems) and pass the DN and the password. I assume the DN includes the user. Something like
CN=myuser,OU=MyOrg,OU=Users,DN=MyLdapServer,DN=com
Which works... provided that the users belong to the same "branch". That is, if all of them are in, say, OU=MyOrg. That's why I'm able to "hardcode" the DN in the bind() and just change the user with a replace.
Problem is, not all of them belong to the same "branch" (I don't know the technical name for this). Say, I have some in OU=MyOrg, some in OU=MyOtherOrg...
So I don't know to begin with what the user's organization is, so I can't make him bind to the LDAP client because I lack the DN.
The client only provided us with an example, from another application that used ASP.NET and ADO.NET to do so, using something like a SQL command to get the LDAP info. Thing is, the equivalent to the DN was a more generic one. Something like
ldap://MyLdapServer.com/CN=[the_user_provided]
This, apparently, worked. If I try to do the same thing, using that more "general" DN route (which, I assume, is a node higher on the LDAP tree), providing one of the users' password, I get an authentication error.
So, how come? What am I missing? What do I need to log the users to LDAP using just the "CN=[username]" DN? Is that something that only ADO.NET can use?
Thanks, and sorry if it's too generic a question.
Per the comment I made:
To bind with Active Directory you do not need to know the full DN of the user. There is a list of all the different available methods on this page in the docs. So you could use user@domain.com as an example. Or just the supplied username would work in most cases.

What information is needed to write an abstract LDAP Integration Service

I've been tasked with researching/writing an LDAP integration module to support any/all clients that use local LDAP authentication for our new app. As I've never worked with LDAP before, I'm trying to figure out what settings are required/not required, and what settings I'd need to capture from each LDAP system to be able to support them all. So if I'm storing data in a database about each LDAP server, what is needed about that server to be able to successfully auth with a username/password?
I see lots of ou/cn/dc references, but sometimes people don't use them in their connection strings? And unless pre-registered, it seems like I'd have no way of knowing the names of the groups/categories to query against. I was thinking about the SAML spec and was curious if LDAP systems have an endpoint to retrieve some kind of XML describing their LDAP hierarchy? Or if I'd just need to know/ask for it from a sysadmin in advance?
FWIW I'm using Node/ldapjs
There is no standard way of describing the LDAP hierarchy in the manner you were considering. LDAP is in fact self-describing: you can search for a particular entry regardless of its position in the LDAP tree by looking up one of its attributes' values.
So, to get started with a completely unknown LDAP you only require its network parameters: hostname, port (and even that can be avoided if you consult SRV DNS records (_ldap._tcp.domain.com)) and authentication details in the form of bind DN and password.
After that you can search for users, typically by looking up with a filter like (objectClass=inetOrgPerson), or groups of users with a filter like (objectClass=groupOfNames). Then you would use common attributes such as username, CN or displayName to reference or display the users in the user interface.
As you can see from this, LDAP servers are very self-defining and this ideally works for most LDAP servers, but as you perceived in your question it can differ from one LDAP server to another.
So here is my list of LDAP configuration settings that should be configurable:
hostname/port number (if not using DNS discovery)
username/password (if not using anonymous access)
does the server use SSL (port 636 by default) (or detect support for StartTLS)
user filter and user base DN (e.g. (objectClass=inetOrgPerson) and o=users)
group filter and group base DN (e.g. (objectClass=groupOfNames) and o=groups)
Depending on your use case you could define what attributes are used for displaying the user, mapping them to other parts of your application/system or you could determine those from the returned set of attributes. I've seen implementations that have that very configurable and implementations that default to some standard schema.
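The search-then-bind flow that the two LDAP answers above describe (the application does not need the user's full DN; it needs a bind account, a user base DN, a user filter and the attribute the login name lives in), as an added JavaScript example that is not from any of the posts. The ldapjs client is replaced by a constructed in-memory stand-in that exposes the same two operations, bind and search, so the logic runs offline; every hostname, DN, attribute name, user and password below is made up.

```javascript
// Added example (not from the original questions or answers): search-then-bind
// authentication against a configurable LDAP directory. The ldapjs client is
// hidden behind a two-method interface (bind, search) so the logic runs offline
// against the constructed in-memory directory at the bottom. All hostnames,
// DNs, users and passwords below are made up.

// RFC 4515: escape user-controlled text before interpolating it into a filter,
// otherwise a login name such as "alice)(uid=*" rewrites the query.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// The per-directory settings an integration service would store (hypothetical).
const directoryConfig = {
  url: 'ldaps://ldap.example.test:636',                   // LDAPS, or StartTLS on 389
  bindDN: 'cn=svc-auth,ou=services,dc=example,dc=test',  // read-only service account
  bindPassword: 'service-secret',
  userBaseDN: 'dc=example,dc=test',                      // searched as a subtree
  userFilter: '(objectClass=inetOrgPerson)',
  usernameAttribute: 'uid',                              // sAMAccountName on AD
};

function buildUserFilter(config, username) {
  return `(&${config.userFilter}(${config.usernameAttribute}=${escapeFilterValue(username)}))`;
}

// Returns { ok, dn?, reason? } and never throws on bad credentials.
async function authenticate(client, config, username, password) {
  // An empty password would be an unauthenticated (anonymous) bind, which many
  // servers accept; it must never count as a successful login.
  if (typeof password !== 'string' || password.length === 0) {
    return { ok: false, reason: 'empty-password' };
  }
  try {
    await client.bind(config.bindDN, config.bindPassword);
    const entries = await client.search(config.userBaseDN, buildUserFilter(config, username));
    if (entries.length !== 1) {
      return { ok: false, reason: entries.length === 0 ? 'unknown-user' : 'ambiguous-user' };
    }
    await client.bind(entries[0].dn, password);   // the user's own bind proves the password
    return { ok: true, dn: entries[0].dn };
  } catch (err) {
    return { ok: false, reason: 'invalid-credentials' };
  }
}

// ---- constructed in-memory stand-in for an ldapjs client -------------------
// Users deliberately live under different OUs, as in the question above.
const fakeDirectory = [
  { dn: 'cn=svc-auth,ou=services,dc=example,dc=test', password: 'service-secret', attrs: {} },
  { dn: 'cn=alice,ou=MyOrg,dc=example,dc=test', password: 'alice-pw',
    attrs: { objectClass: 'inetOrgPerson', uid: 'alice' } },
  { dn: 'cn=bob,ou=MyOtherOrg,dc=example,dc=test', password: 'bob-pw',
    attrs: { objectClass: 'inetOrgPerson', uid: 'bob' } },
];

function unescapeFilterValue(value) {
  return value.replace(/\\([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

const fakeClient = {
  async bind(dn, password) {
    const entry = fakeDirectory.find((e) => e.dn.toLowerCase() === dn.toLowerCase());
    if (!entry || entry.password !== password) throw new Error('InvalidCredentialsError');
  },
  // Understands only the (&(objectClass=X)(attr=value)) shape built above.
  async search(baseDN, filter) {
    const m = /^\(&\(objectClass=([^)]+)\)\((\w+)=(.*)\)\)$/.exec(filter);
    if (!m) throw new Error('unsupported filter: ' + filter);
    const [, objectClass, attr, rawValue] = m;
    const value = unescapeFilterValue(rawValue);
    return fakeDirectory
      .filter((e) => e.dn.toLowerCase().endsWith(baseDN.toLowerCase()))
      .filter((e) => e.attrs.objectClass === objectClass && e.attrs[attr] === value)
      .map((e) => ({ dn: e.dn }));
  },
};

// Runs the interesting cases and returns their outcomes.
async function demo() {
  const results = {};
  results.alice = await authenticate(fakeClient, directoryConfig, 'alice', 'alice-pw');
  results.bob = await authenticate(fakeClient, directoryConfig, 'bob', 'bob-pw');
  results.wrongPassword = await authenticate(fakeClient, directoryConfig, 'alice', 'nope');
  results.emptyPassword = await authenticate(fakeClient, directoryConfig, 'alice', '');
  results.injection = await authenticate(fakeClient, directoryConfig, 'alice)(uid=*', 'alice-pw');
  return results;
}

if (typeof require !== 'undefined' && require.main === module) demo().then((r) => console.log(r));
```

With a real ldapjs client the stand-in's two methods map onto the client's own bind and search calls over a TLS connection; the rest of the flow is unchanged. Two details carry the security weight: the filter escaping, without which a crafted login name changes which entry the search returns, and the explicit rejection of an empty password before any bind, since an unauthenticated bind is not an authentication failure on most servers. The service account only needs read access to the user subtree.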

Custom Windows password filter - Password communication

I am capturing the password change event on my DC (source domain) by implementing the solution provided here.
Now I want to send this password, perhaps set this password on a user on the target domain. Now, this target domain does not have a trust relationship with the source domain. I know how I can set the password but am stuck at implementing transport-level security.
My question is:
What is the best and most secure solution to implement transport-level security like SSL? Some examples would be of great help.
I am using C#.NET and the following namespaces:
System.DirectoryServices, System.DirectoryServices.Protocols, and
System.DirectoryServices.AccountManagement
Microsoft Identity Manager, which is included in the Windows Server license, will do this natively. You might consider using an off the shelf product rather than rolling your own.