I have an Elasticsearch domain placed inside a VPC. I am able to connect to the domain from the VPC with no issues. But for more security, I want authentication to be username:password based. I am using elasticsearch-dsl to make the connection. Any idea how to set up a username and password based connection to the domain?
I tried updating the domain config in order to set MasterUser and MasterPassword (not sure if that is the right process).
aws es update-elasticsearch-domain-config --domain-name test-domain --advanced-security-options Enabled=true,InternalUserDatabaseEnabled=true
I get this error:
An error occurred (BaseException) when calling the UpdateElasticsearchDomainConfig operation: You don't have permissions to enable Advanced Security options.
Is this the right thing to do? If not, How can we enable password based authentication?
An error occurred (BaseException) when calling the UpdateElasticsearchDomainConfig operation: You don't have permissions to enable Advanced Security options.
The above error you are getting indicates you don't have the permissions to update the advanced security configuration.
You need to use the master user credentials when calling the update API.
Refer to the documentation here to get more info on master user:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html
Apologies in advance for sounding naive, but I am new to this and have been stuck for days with no progress.
I have set up LDAP on an Apache web server using the link below and it is working well.
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html
I am able to log in to the application using a valid account in the directory. Now I want to create a non-LDAP user (a common user for API access) that can be allowed access through the web server. Is it possible? How?
I would strongly advise creating API accounts in your Active Directory (in the company I work for, we use that approach and call them service accounts).
Centralizing access is the best practice, if you start mixing authentication methods in your application/website it can quickly become a nightmare of spaghetti code to maintain.
Centralizing access also improves security by allowing you to manage access in a single place.
If you do not want to go this way, you have the possibility of creating a secondary authentication method through local users that would be stored in a database.
If you go this way, please do not store passwords in a non-encrypted way. Look for the following functions: password_hash and password_verify. When using SQL to transact with your database, make sure you do not end up with SQL injection; it can be disastrous to have SQL injection in your login script.
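As an added illustration of the second option (this is example configuration, not something from the question, the answer, or the Apache documentation linked above): Apache can consult the directory first and fall back to a local user table for the API account, so the application code never has to mix authentication methods. It uses mod_authnz_ldap together with mod_authn_dbd; the hostnames, DNs, database name, table name and credentials are placeholders.

```apache
# Added example, not the question's or the answer's configuration.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so

# Connection to the local user table (assumed: PostgreSQL, database "webauth").
DBDriver pgsql
DBDParams "host=127.0.0.1 dbname=webauth user=httpd password=change-me"

<Location "/api">
    AuthType Basic
    AuthName "API"
    # Providers are tried in order: a name unknown to LDAP falls through to the
    # table; a known name with a wrong password is denied and does not fall through.
    AuthBasicProvider ldap dbd

    # Assumed directory layout and service account for the search bind.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "cn=svc-httpd,ou=Service Accounts,dc=example,dc=com"
    AuthLDAPBindPassword "change-me"

    # %s is bound as a query parameter by mod_dbd, so the username is never
    # spliced into the SQL text. The password column holds an htpasswd-style
    # hash (for example bcrypt, generated with `htpasswd -nB apiuser`), never
    # the clear-text password.
    AuthDBDUserPWQuery "SELECT password FROM api_users WHERE username = %s"

    Require valid-user
</Location>
```

The API account row is created once with the hash from htpasswd, and revoking it is a single DELETE on the table; no application code changes are needed on either side.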
I'm trying to create a self-hosted app. This app would provide a custom Express server with some routes and also provide CouchDB access using pouchdb-server. I would like the Node server to be able to configure the database and create the admin username/password, and then create the role functions. How can I configure CouchDB from my Node.js app?
I would like to:
Stop the admin party and create an admin with a password. I found that the web client makes a PUT request to http://localhost:5984/_node/couchdb#localhost/_config/admins/<username> with the password in the payload, but I would like to do it using express-pouchdb, so HTTP is not possible.
Create user roles. I would like to set up several roles.
Set up permissions: which roles can update which databases, which databases are readable by whom, etc.
Please note that I can't make direct HTTP requests to CouchDB, since I'm using pouch-db-express in my Node app to serve the db to the client, and I would like my Express app to configure the CouchDB instance managed by pouchdb-express.
Stop admin party and create an admin with a password
I'm pretty sure the only way to interact with the _config endpoint is with HTTP, as I see no config plugin on the plugins page. Even if there were a plugin, it would use HTTP. Is there some reason HTTP is actually not possible, or do you just not want to use it?
Create users roles
The PouchDB authentication plugin can do this for you.
Set up permissions
The authentication plugin also gives you access to the _security endpoint for this. Then you'll also need to create the appropriate design documents, using the standard put() API.
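An added example of the last two pieces the answer names (the _security object and the design document), written for this page and not taken from the question, from express-pouchdb, or from the authentication plugin. The role names app_admin, editor and reader, the design document id and the tryWrite helper are assumptions; the validate_doc_update signature and the {forbidden: ...} / {unauthorized: ...} rejection convention are CouchDB's.

```javascript
'use strict';
// Added example: per-database access control for CouchDB. Role names and the
// design document id are assumptions; nothing here is the project's own code.

// Body for PUT /<db>/_security. Members may read the database; admins control
// it fully. _security is not a document, so it is not replicated and has to be
// set on each database separately.
const securityDoc = {
  admins:  { names: [], roles: ['app_admin'] },
  members: { names: [], roles: ['editor', 'reader'] },
};

// CouchDB calls this on every write as (newDoc, oldDoc, userCtx, secObj).
// Throwing {forbidden: ...} rejects with 403 and {unauthorized: ...} with 401.
// Kept to ES5 syntax because it is serialised into the design document and
// executed by CouchDB's own JavaScript engine.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  function hasRole(role) { return userCtx.roles.indexOf(role) !== -1; }
  var adminRoles = (secObj && secObj.admins && secObj.admins.roles) || [];
  var adminNames = (secObj && secObj.admins && secObj.admins.names) || [];
  // Server admins and database admins may do anything; validation still runs
  // for them, so the exemption has to be explicit.
  if (hasRole('_admin') || adminRoles.some(hasRole) || adminNames.indexOf(userCtx.name) !== -1) {
    return;
  }
  if (!userCtx.name) { throw { unauthorized: 'login required' }; }
  if (newDoc._deleted) { throw { forbidden: 'only admins may delete documents' }; }
  if (!hasRole('editor')) { throw { forbidden: 'role "editor" required to write' }; }
  if (newDoc.owner !== userCtx.name) { throw { forbidden: 'owner must be the writing user' }; }
  if (oldDoc && oldDoc.owner !== userCtx.name) {
    throw { forbidden: 'cannot edit another user\'s document' };
  }
}

// The design document to store with put(); the function travels as source text.
const designDoc = {
  _id: '_design/access',
  validate_doc_update: validateDocUpdate.toString(),
};

// Helper for exercising the stored rule offline: it re-parses the source from
// the design document, as CouchDB does, and reports the decision.
function tryWrite(newDoc, oldDoc, userCtx) {
  // eslint-disable-next-line no-new-func
  const fn = new Function('return (' + designDoc.validate_doc_update + ')')();
  try {
    fn(newDoc, oldDoc, userCtx, securityDoc);
    return { allowed: true };
  } catch (err) {
    return { allowed: false, reason: err.forbidden || err.unauthorized };
  }
}
```

Two things this makes visible: the _security object only decides who can reach the database at all, so anything finer (ownership, who may delete) has to live in validate_doc_update; and admins are not exempt from validation functions, which is why the admin check comes first.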
I was trying to set up LDAP auth in Presto and was able to configure "user-based" authentication, but I have an issue with configuring "group-based" auth.
I always receive a message that my user is not in the LDAP group, while the ldapsearch utility shows that I am.
I did not find any parameter/option in config.properties for passing a user/password for the LDAP search (I suppose that functionality is used to find whether the user is in the AD group), while in our infrastructure anonymous searches are restricted. So that might be the case.
It would be nice if someone could tell me:
are there any parameters (maybe undocumented) to provide a user/password to query LDAP?
any workaround to implement "group-based" search?
thanks
I have successfully assembled over a half dozen Passport strategies (facebook, twitter, linkedin, instagram, tumblr, google, youtube) that exchange account info with OAuth1 and OAuth2 tokens, into a single standalone auth server that saves sessions in Mongo and creates active profiles, with token/session/code/id fields and with many standardized attribute fields in SQL Server using Tedious.js. These Passport tools are excellent, thank you.
My last challenge for this project is not going as well: username and password into an Active Directory repository, to look up and auth in the same way. I have been trying over and over again passport-ldap, passport-ldapauth (based on ldapauth-gfork, based on ldapjs), passport-windowsauth and passport-kerberos, and seem to be getting related credential errors (deep in code, adding console.logs to try and figure out what I am getting syntactically wrong).
Are there any other resources and documentation on accessing LDAP/AD in Node.js using any Passport strategy? The DN versus ou syntax, where the account access user (I have a service account specifically set up to access the AD) for the repository goes versus the account user you are looking up, and the filters make it very difficult to find anything error-related to figure out where I am going wrong. Do you match to sAMAccountName or uid? I keep consistently getting "unauthorized" errors.
Unlike the other 70 Passport strategies, where the docs and examples are clear and just work, not so much for the AD/LDAP Passport strategies. Can anyone point me to a good test, doc or setup that works well specifically with Passport.js and Active Directory?
While this is an old question, I thought, as the maintainer of passport-ldapauth, I should clarify LDAP authentication a little.
LDAP authentication is different from the strategies you've used before. Those OAuth strategies can really be configured only one way: provide the required options, and then it works. This part is the same with LDAP, but the actual values of the options differ from one server to another. The questions you are asking, like whether to match on sAMAccountName or uid, are really up to you and the LDAP server.
General things like what a DN looks like, what a search base is, or what the syntax of a search filter is have been defined extensively in RFCs. If one is not familiar with the basics, it can be difficult to get the authentication to work. Often the AD/LDAP server maintainer's input is needed to have proper settings, e.g. what search base allows finding all required users but does not cause unnecessary load on the LDAP server.
LDAP authentication usually works in three steps:
Using a service account (in passport-ldapauth, bindDn and bindCredentials), bind against the LDAP server.
Once bound, perform the configured search, substituting the placeholder with the user-provided username. This determines whether the given username is found on the LDAP server.
Use the DN of the search result, together with the user-provided password, and bind against the LDAP server. This verifies the password.
If you wish to have users log in using their sAMAccountName, your search filter could be e.g. (sAMAccountName={{username}}). If you wish the users to use uid, the filter could be just (uid={{username}}). If you want to enable both, use (|(sAMAccountName={{username}})(uid={{username}})). The search filter syntax is specified in RFC 4515.
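The three-step flow above, as an added example written for this page rather than passport-ldapauth's or ldapjs's own code: it runs against a constructed in-memory directory so it can be executed offline, and it shows the two details a practitioner most often gets wrong in this flow, escaping the username before it is substituted into the filter (RFC 4515) and refusing an empty password before the second bind. The directory contents, the example.com DNs, the svc-auth service account and the option names beyond bindDn, bindCredentials, searchBase and searchFilter are assumptions.

```javascript
'use strict';
// Added example, not passport-ldapauth's code: the bind / search / bind flow
// described above, run against a constructed in-memory directory so it works
// offline. DIRECTORY, the example.com DNs and the svc-auth account are assumptions.

// RFC 4515 escaping for a value substituted into a search filter. Without it a
// username such as "*" or "x)(uid=*" rewrites the filter instead of being matched.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Fill the {{username}} placeholder the way the searchFilter option describes.
function buildFilter(template, username) {
  return template.replace(/\{\{username\}\}/g, escapeFilterValue(username));
}

// Parser for the filter subset used here: (attr=value), (|...) and (&...).
function parseFilter(s) {
  let i = 0;
  function node() {
    if (s[i] !== '(') throw new Error('expected "(" at ' + i);
    i++;
    let n;
    if (s[i] === '|' || s[i] === '&') {
      const op = s[i++];
      const kids = [];
      while (s[i] === '(') kids.push(node());
      n = { op, kids };
    } else {
      const end = s.indexOf(')', i);
      const eq = s.indexOf('=', i);
      if (end < 0 || eq < 0 || eq > end) throw new Error('bad filter item at ' + i);
      n = { op: '=', attr: s.slice(i, eq).toLowerCase(), value: s.slice(eq + 1, end) };
      i = end;
    }
    if (s[i] !== ')') throw new Error('expected ")" at ' + i);
    i++;
    return n;
  }
  const tree = node();
  if (i !== s.length) throw new Error('trailing input in filter');
  return tree;
}

// A raw "*" is a wildcard; escaped bytes such as \2a are literal characters.
function valueMatcher(raw) {
  const unescape = (v) => v.replace(/\\([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  const parts = raw.split('*').map((p) => unescape(p).replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i');
}

function matches(node, entry) {
  if (node.op === '|') return node.kids.some((k) => matches(k, entry));
  if (node.op === '&') return node.kids.every((k) => matches(k, entry));
  const key = Object.keys(entry.attributes).find((a) => a.toLowerCase() === node.attr);
  if (!key) return false;
  const re = valueMatcher(node.value);
  return [].concat(entry.attributes[key]).some((v) => re.test(String(v)));
}

// Constructed stand-in for the LDAP server; the application never sees these passwords.
const DIRECTORY = [
  { dn: 'cn=svc-auth,ou=Service Accounts,dc=example,dc=com', password: 'svc-secret',
    attributes: { sAMAccountName: 'svc-auth' } },
  { dn: 'cn=Alice,ou=Accounts,dc=example,dc=com', password: 'alice-pw',
    attributes: { sAMAccountName: 'alice', uid: 'alice' } },
  { dn: 'cn=Bob,ou=Accounts,dc=example,dc=com', password: 'bob-pw',
    attributes: { sAMAccountName: 'bob', uid: 'bobby' } },
];

function bind(directory, dn, password) {
  const entry = directory.find((e) => e.dn.toLowerCase() === String(dn).toLowerCase());
  return Boolean(entry) && entry.password === password;
}

function search(directory, base, filter) {
  const tree = parseFilter(filter);
  const suffix = ',' + base.toLowerCase();
  return directory.filter((e) => e.dn.toLowerCase().endsWith(suffix) && matches(tree, e));
}

function authenticate(directory, opts, username, password) {
  // Step 1: bind with the service account (bindDn / bindCredentials).
  if (!bind(directory, opts.bindDn, opts.bindCredentials)) {
    return { ok: false, reason: 'service account bind failed' };
  }
  // Step 2: search for the user; the username goes in escaped, never raw.
  const filter = buildFilter(opts.searchFilter, username);
  const found = search(directory, opts.searchBase, filter);
  if (found.length !== 1) {
    return { ok: false, reason: found.length ? 'ambiguous search result' : 'user not found', filter };
  }
  // Step 3: bind as the user's own DN with the supplied password. An empty
  // password is refused up front: servers may treat it as an unauthenticated
  // bind that "succeeds" (RFC 4513, section 5.1.2), which would log anyone in.
  if (!password || !bind(directory, found[0].dn, password)) {
    return { ok: false, reason: 'invalid password', filter };
  }
  return { ok: true, dn: found[0].dn, filter };
}

// Options in the shape described above; the combined filter accepts either name.
const OPTS = {
  bindDn: 'cn=svc-auth,ou=Service Accounts,dc=example,dc=com',
  bindCredentials: 'svc-secret',
  searchBase: 'ou=Accounts,dc=example,dc=com',
  searchFilter: '(|(sAMAccountName={{username}})(uid={{username}}))',
};
```

With the combined filter, alice logs in by sAMAccountName and bob by his uid "bobby"; a username of "*" is escaped to "\2a" and matches nobody, whereas the same raw filter "(sAMAccountName=*)" would return every account under the search base. The "ambiguous search result" branch is the example's own choice of what to do when a filter matches more than one entry; the page does not say how passport-ldapauth handles that case.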
I was able to authenticate to AD via passport-ldapauth.
One key was knowing to use server opts that are different from those in some LDAP examples online:
searchBase: 'ou=Accounts,dc=mydomain,dc=com'
searchFilter: '(sAMAccountName={{username}})' // {{username}} comes from the html form.
You also need to know whether you need LDAPS and TLS or not (I did not). I spent a good amount of time digging through ldapjs.org.
Microsoft has released an official library for this:
https://github.com/AzureAD/passport-azure-ad
Add it to your project from npm directly:
npm install passport-azure-ad
Or Auth0's passport-azure-ad-oauth2 for OAuth2 flows.
I am not sure how flexible you are with your requirements, but I was researching the same subject and stumbled upon a specific solution from Microsoft that uses AD FS as an OAuth provider:
https://msdn.microsoft.com/en-us/library/dn633593.aspx
A superficial reading shows that a web client contacts AD to get a JWT token, then this token is sent to your server, which then authenticates the token with the AD server.
The AD server needs to be configured to accept your server as a relying party that needs its identity service.
I am a consultant. The company that I am doing work for has given me limited access to a couple of servers. I do not have permission to log on to the LDAP server.
I am using the following to bind:
(sAMAccountName={{username}})
If I cannot physically log on to the LDAP server, am I not able to authenticate via LDAP?
If they give me access to log on to the server, ldapauth works.
Gina