IIS basic authentication using LDAP - iis

I have a web service which needs to use HTTP authentication with IIS. The only hurdle is that the user's credentials are in LDAP. Is there a way to configure IIS to use LDAP credentials for it's basic authentication? I thought I could set the default domain or realm to part of the LDAP connection string, but haven't had any luck.
Thanks,
-Will

What I would do (I'm assuming you're using a third party LDAP, and that there isn't a built in way of doing this; I haven't checked) is set up MADAM and implement a custom IUserSecurityAuthority by extending Madam.UserSecurityAuthorityBase to check the credentials against LDAP.
All you will have to do is override a handful of methods to authenticate from LDAP. If you happen to be using an LDAP Membership Provider for forms authentication, you can skip implementing that separately and use the example MembershipSecurityAuthority included with MADAM.
Excerpt from that example file here:
protected override bool ValidateUser(string userName, string password)
{
return MembershipProvider.ValidateUser(userName, password);
}
Potentially useful LDAP user validation code

There is a codeplex project that looks like it has exactly what you need.
It has a great Search function so you can even test what Roles the user is in.
http://ldapwebservice.codeplex.com/

Related

Create a Realm in Websphere Application Server 8.5

I am looking for a simple way to create a "realm" within WAS 8.5. I am specifically looking for something similar to the APACHE realm system in which a user, upon first access to a site, is presented with a javaScript username / password dialog and, if authenticated, is allowed to use the site. In Tomcat, this is accomplished by modifying the tomcat-users.xml file, adding a username, passowrd and role. Any suggestions are appreciated.
In WebSphere it is already built in, you just need to configure repository from where you want to take users e.g internal file based, or LDAP.
Than you need to enable Application security via Global Security.
Check this page for more details Enabling security
I followed these steps to implement basic authentication. http://itcareergrowth.com/blog/2018/02/25/configuring-basic-authentication-in-web-sphere-application-server/#.WpQiSOdMGUk

LDAP auth in presto

I was trying to setup LDAP auth in Presto and was able to configure "user-based" authentication but have some issue with configuring "group-based" auth.
I'm always receiving message that my user is not in LDAP group while ldapsearch utility shows that I'm in.
I did not found any parameter/option in config.properties to use to pass user/password for LDAP search (I suppose that functionality used to find in user is in AD group) while in our infrastructure anonymous searches are restricted. So it might be the case.
It would be nice if someone will tell me:
are there any parameter (maybe undocumented) to provide user/password
to query ldap?
any workaround to implement "group-based" search?
thanks

Passport Active Directory node.js

I have successfully assembled over a half dozen passport strategies (facebook, twitter, linkedin, instagram, tumblr, google, youtube) exchange account info with oauth1 and oauth2 token, into a single standalone auth server that saves session in Mongo and creates active profiles, with token/session/code/id fields and with many standardized atribute fields in SQL server using Tedious.js. These passport tools are excellent, thank you.
My last challenge for this project is not going as well, username and password into an active directory repository, to look up and auth in the same way. I have been trying over and over again passport-ldap, passport-ldapauth (based on ldapauth-gfork, based on ldapjs), passport-windowsauth and passport-kerberos, and seem to be getting related credential errors (deep in code, adding console.logs to try and figure out what I am getting syntactically wrong).
Are there any other resources and documentation to accessing LDAP/AD in Node.js using any strategy of Passport? The DN versus ou syntax and where the account access user (have a service account specifically set up to access the AD) for the repository versus the account user you are looking up and the filters make it very difficult to find anything error related to figure out where I am going wrong. Do you match to sAMAccountName or uid? I keep consistently getting "unauthorized" errors.
Unlike the other 70 passport strategies, where the doc and examples are clear and just work, not so much for ad/ldap passport. Can anyone point me to a good test, doc or setup that works well specifically with Passport.js and Active Directory?
While this is an old question I thought, as the maintainer of passport-ldapauth, I should clarify LDAP authentication a little.
LDAP authentication is different from those strategies you've used before. Those OAuth strategies can really be configured only one way - provide the required options, and then it works. This part is the same with LDAP, but the actual values to the options differ from one server to the other. The questions you are asking, like do you match to sAMAccountName or uid, are really up to you and the LDAP server.
General things like what does a DN look like, what is search base, or what is the syntax of search filter have been defined extensively in RFCs. If one is not familiar with the basics it can be difficult to get the authentication to work. Often the AD/LDAP server maintainer input is needed to have proper settings, eg. what search base allows finding all required users but does not cause unnecessary load on the LDAP server.
LDAP authentication usually works in three steps:
Using a service account (in passport-ldapauth, bindDn and bindCredentials), bind against the LDAP server.
Once bound, perform the configured search substituting the placeholder with user provided username. This determines if the given username is found from the LDAP server.
Use the DN of the search result, together with user provided password, and bind against the LDAP server. This verifies the password.
If you wish to have users login using their SAMAccountName, your search filter could be eg. (sAMAccountName={{username}}). If you wish that the users use uid, the filter could be just (uid={{username}}). If you want to enable both, use (|(sAMAccountName={{username}})(uid={{username}})). The search filter syntax is specified in RFC 4515.
I was able to authenticate to AD via passport-ldapauth.
One key was knowing to use server opts which are different than in some LDAP examples online
searchBase: 'ou=Accounts,dc=mydomain,dc=com'
searchFilter: '(sAMAccountName={{username}})' // {{username}} comes from the html form.
You also need to know if you need ldaps and TLS or not. (I did not) I spent a good amount of time digging through ldapjs.org.
Microsoft have released an official library for this:
https://github.com/AzureAD/passport-azure-ad
Add to your project from npm directly:
npm install passport-azure-ad
Or Auth0's passport-azure-ad-oauth2 for OAuth2 flows.
I am not sure how flexible you are with your requirements, but I was researching the same subject and stumbled upon a specific solution from Microsoft that uses AD FS as an Oauth provider
https://msdn.microsoft.com/en-us/library/dn633593.aspx
A superficial reading shows that a web client contacts AD to get a JWT token, then this token is sent to your server, which then authenticates the token with the AD server.
The AD server needs to be configured to accept your server as a relying party that needs its identity service.
I am a consultant. The company that I am doing work for has given me limited access to a couple servers. I do not have permission to log on to the ldap server.
I am using the following to bind:
(sAMAccountName={{username}})
If I cannot physically log on to the ldap server am I not able to authenticate via ldap?
If they give me access to log on to the server, ldapauth works.
Gina

How to use Liferay authentication for external web app using email/password

I have another web app, that uses the liferay user database. But before a user can access this website he needs be authenticated first. How can I achieve this functionality, I've tried searching the WS api for authentication using email/password, but found none.
Also the user should still be able to login to the liferay portal. And the login should be like another liferay web service.
Any hints?
Hmm, since I have access to the database maybe 1 way is to hash the password given by the client? and validate against the values stored in the database.
Found out that PwdEncryptor class is the one responsible for encrypting the password, unfortunately it has too many dependencies with liferay that I'm unable to pull it out :-?
Thanks
It might not be the best approach but this solution might be what you're looking for. It will just require the company id, email and password of the user. In my case I have the default company id from liferay.
To authenticate an email/password, you can call other liferay webservice in my case: get-user-id-by-email-address. And then authenticate the user via HTTP Basic. When using jersey rest webservice to call the liferay web service you can code that like this:
String url += String.format("user/get-user-id-by-email-address?companyId=%s&emailAddress=%s",
properties.getProperty("default.company.id"), email);
ClientConfig config = new DefaultClientConfig();
Client client = Client.create(config);
client.addFilter(new HTTPBasicAuthFilter(email, password));
WebResource service = client.resource(url);
ClientResponse response = service.accept("application/json").post(ClientResponse.class);
if (response.getClientResponseStatus() == com.sun.jersey.api.client.ClientResponse.Status.OK) {
//valid user
} else {
//invalid user
}
You could implement a Single-Sign-On solution on your site by configuring Liferay to use CAS or OpenSSO. There are various sources: OpenSSO-Liferay, CAS-Liferay.

Win2k3 password Authentication using LDAP in VC++

I need to implement the Win2k3 password validation policy. As my application resides on Win2k3 cane we validate the password directly with windows domain password by using LDAP. This is because application design does not want to store 8/more password entry into DB and validate new password against that. As Windows already does same thing and using LDAP we can lookup into windows server.
Can any one please let me know LDAP API to fulfill above requirement in VC++.
There is an API that Secure Ops, Novell's Identity Manager, and other products use to plugin to the password change functionality. (I do not know the API name, sorry).
It requires a password filter installed on each domain controller, since the only time it can catch the clear text password to try and do anything with it is when it is being changed, and it might be changed on any given DC at any moment in time.

Resources