We use mTLS authentication between clients and Kafka cluster and some ACLs configured on topics.
A client has in his subject name the email address, like:
Owner: EMAILADDRESS=user#my-domain.com, CN=my-service, OU=my-ou, O=my-org, L=my-loc, ST=my-state, C=my-country
But when the client calls kafka cluster we see the email address converted with his [OID code].
[2022-07-13 10:37:32,549] INFO Principal = User:1.2.840.113549.1.9.1=#3uR2XK21ru2nwVymHN9u4B7wQCs4wrhcPavdGktA,CN=my-service,OU=my-ou,O=my-org,L=my-loc,ST=my-state,C=my-country is Denied Operation = Write from host = 10.10.10.2 on resource = Topic:LITERAL:my-topic for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)
Could someone explain me why this happen and how to get the email address literal instead?
[OID code] https://oidref.com/1.2.840.113549.1.9.1
You cannot get the email address as a literal because Kafka parses the principal DN (Distinguished Name) as described in rfc2253, which doesn't support the EMAILADDRESS attribute. Unsupported attributes are encoded as in your example.
The next step depends on what you're trying to achieve.
If you are trying to use the email address in the ACL rule, then you can do one of:
if you can, issue certificates where the email address is in one of the supported attributes, such as within the CN.
use a script to encode it and get the correct value, which you can use as-is in the ACL rule.
If you don't mean to use the email address, and instead you mean to use other attributes which appear as literals (like the CN), you can either:
If you have access, the best option is to issue certificates without an email in the subject name and create ACL rules accordingly.
Another option might be to use Kafka ssl principal mapping rules to strip the email address and
leave the rest for use in ACL rules. This rule should do the work:
RULE:^1.2.840.113549.1.9.1=.,(CN=.)/$1
Furthermore, EMAILADDRESS oid is deprecated as mentioned here: https://oidref.com/1.2.840.113549.1.9.1 altNames should be used instead. You can see an example here: On certificates, what type should E-mail addresses be when in subjectAltName.
Related
When a Cardano address is entered for payment, Daedalus identifies it as a valid address immediately. Even if there is a single character change, it shows it as an invalid address. Were are these addresses stored and how it is identified as a valid address.
There are two verification mechanisms, giving a certain level of certainty it's a valid address.
First, the wallet software can check it's valid address discrimination: Cardano Shelley mainnet addresses start with addr...
Second, the address - being a bech32 encoded string - has a checksum. This checksum for the given string length is not fully bulletproof but in almost all cases allows an instant offline validation for the given address.
In a network capture between a Windows client and an Active Directory server, I see that the field cname-string contains user#domain.com (to be precise, it is the field as-req -> req-body -> cname -> cname-string -> CNameString).
According to RFC 4130 in Section 5.2.2. Realm and PrincipalName:
name-string:
This field encodes a sequence of components that form a name, each
component encoded as a KerberosString. Taken together, a
PrincipalName and a Realm form a principal identifier. Most
PrincipalNames will have only a few components (typically one or
two).
Also in Section 5.3. Tickets:
cname
This field contains the name part of the client's principal
identifier.
To me, that means cname should only contain the username without the domain. The domain is obtained via the realm and together they form the principal identifier (basically paraphrasing the RFC here).
Am I wrong? Have you come across setups where the domain was part of the cname? How did the target service handle that? I see that the realm is added again to the cname, resulting user#domain.com#domain.com, which obviously prevents a correct matching.
There is at least one case when this can happen: enterprise principals. You should see the NT-ENTERPRISE somehwere as well as CANONICALIZE bit set. The AD contains an upnSuffix for the supplied enterprise principal. See also RFC 6806 for this.
I have many clients that uses SSO, for that we use SAML 2. Many of my clients uses providers like Okta, PingIdentity and a bunch of them ADFS. Doing the integration with ADFS always at the beginning raises and error, and then they fix this with the following setup on their side:
Transform Incoming Claim
Incoming claim = UPN
Outgoing Claim = Name ID
Outgoing name ID format = Email
The error that we saw on the saml reponse is that they do not send a nameID, instead we see this:
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></samlp:StatusCode></samlp:Status>
This is just happening with ADFS integrations, and I want to know what should I know about claim rules on ADFS in order to underestand this error and explain to my following clients that uses ADFS.
This is a Transform claim rule.
In the client metadata, you should see something like:
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
These are the allowed NameID formats.
The outgoing NameID format needs to be one of these.
So e.g. email would be:
Incoming claim = Email
Outgoing Claim = NameID
Outgoing name ID format = Email
You would first have the normal email LDAP rule and then the Transform rule as above.
I'm working on implementing a web service that uses X509 certificates for authentication and authorization of the caller.
Is it proper to specify the entity type (i.e. "end user" or "device") as part of the subject name, with, say, OU RDN?
Is it proper to specify the identity of the entity as part of the subject name, with CN RDN?
Is the best place for the authorization tokens to be part of the X509.v3 extensions (I understand authorization info, like "have access to cookie jar", doesn't belong in subject name section)?
If I am to include custom extension values into the certificates, is the proper way to do so is to apply for an OID (through PEN), and create child OID(s) that designate authorization information, and use these OID(s) as OIDs for the extensions? If that's wrong for some reason, any pointers to how this should be done in a standard way, would be appreciated.
It is proper to specify the entity's identity in the Common Name (CN) field of the Subject Distinguished Name (DN).
For a user or device, it would be appropriate to also specify the Organization (O) and/or Organizational Unit (OU) to which they belong in the Subject DN. There is also the User ID (UID) component.
There is a standard profile of X.509 for authorization assertions specified in RFC 5755. An attribute certificate bears one or more attributes about an identity such at group membership, role, clearance level, etc, as well as referencing the public key certificate (that is, the usual kind of X.509 certificate) of the identity to which the authorization information applies.
This standardized approach avoids any need to devise custom X.509 extensions, and hence, apply for an official OID (which is just as well, because I don't know the "offical" procedure for this.)
I have been asked to implement some email address validation on a web app - I'm sure we've all been there a thousand times... however, this time I have been asked to do an MX Lookup on the domain to see if it accepts emails.
Does anyone know of any potential problems with doing this? Is an mx lookup a reliable way of finding out if a domain accepts email? are there any edge cases where a valid email address could fail an MX lookup check?
Thanks for your advice!
are there any edge cases where a valid email address could fail an MX lookup check?
Yes, in that where there is no MX record, MTAs fall back to using the A record instead. So only allowing MX records would fail a class of mail servers that work in the real world.
Allowing any name with an MX or A record at least detects obvious mistypings that result in NXDOMAIN. However it will still allow mistypings that end up at squatter sites. A further step for addresses resolved by A records might be to check where port 25 is accepting connections on that address.
You can only check if there is an mail server registered for the domain.
If the server also accepts mails and if the address is valid (not syntactically but in the sense that there exists a inbox for it and so on...) you will only find out when sending the e.g. registration email
sample on how to do this in PHP
function mailserver_exists($email) {
list($user,$domain) = split('#',$email);
//included check for 'A' after [comment from bobince][1]
return checkdnsrr($domain,'MX') || checkdnsrr($domain,'A');
}
if(domain_exists('joe#foreigndomain.xx')) {...} else {...}
Yes you can use 'TinyTim#192.184.165.13' too. The PHP documentation for checkdnsrr(host, type) states
host may either be the IP address in
dotted-quad notation or the host name