I'm doing a project to control a club room (light, door-lock, ...) using a web-interface and a Discord bot.
I have set up a Samba-based ActiveDirectory to manage accounts and the LDAP will contain a discordid field to link Discord accounts.
I want the Discord bot to get a Kerberos TGT on the behalf of user using the Discord id as username and no password. Obviously only the Kerberos authenticated Discord bot can do that.
In other words,
I want to get a TGT for a user
With no password and the TGT requester being Kerberos authenticated
Using an integer as username (not a problem, I can easily get the real username linked to the integer)
Like a sudo -u, but at the Kerberos level (I won't sudo -u for real). This way, Kerberos aware services "just works" without knowing what is Discord.
I understand concepts of Kerberos but I'm a complete beginner (this was my first ActiveDirectory).
I see that the MIT Kerberos support plugins, I think it's mandatory for my purpose but I haven't found any good API documentation yet.
Do you have any hints or recommendations to achieve that ?
Related
I am working on Microsoft Graph with powershell script.
I am using authorization grant flow to get the access token to retrieve the emails from a shared mailbox using my user account, whenever I provide my login credentials, its giving me below error related to the MFA.
Invoke-RestMethod :
{"error":"invalid_grant","error_description":"AADSTS50076: Due to a
configuration change made by your administrator, or because you moved
to a new location, you must use multi-factor authentication to
access '00000003-0000-0000-c000-000000000000'
Is there any way to launch a MFA authentication window from powershell script?
Any help or example is appreciated.
You say “you provide credentials”, do you mean you’re setting the username and password in powershell?
You have several ways, it would suggest to use the “device code flow”. Then the login part is done in the browser, where you have all those multi-factor things configured.
Someone made a great blog about it, https://blog.simonw.se/getting-an-access-token-for-azuread-using-powershell-and-device-login-flow/
We've got an install of Azure Devops server that currently authenticates against our active directory server and authentication works, but it appears to do so by means of browser basic authentication (the browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such that users that have never logged in, actually get a login page... not just the basic authentication prompt in the browser.
I appreciate any input, I've used and administered azure devops in the cloud for a LONG time, but the devops server stuff I'm new to.
NOTE: I've played with IIS settings for authentication (enabling and disabling basic authentication and forms auth etc, but nothing really seemed to help there)
it appears to do so by means of browser basic authentication (the
browser modal prompt that asks for a simple user name and password).
I'm wondering if there is some way to configure authentication such
that users that have never logged in, actually get a login page... not
just the basic authentication prompt in the browser.
What's the login page do you mean?
1.If you mean the login page to connect to TFS web portal, as I know using basic prompt with username+password is the only appraoch.
Web Portal:
Only logic page:
2.But if you mean something used for authentication when accessing the code. I think you must be familiar with PAT which is widely used in Azure Devops Service. IIS Basic Authentication is not recommended. You can check Enabling IIS Basic Authentication invalidates using Personal Access Tokens and Use the TFS Cross Platform Command Line with TFS using basic authentication or personal access tokens (PATs).
Hope it helps to resolve your puzzle :)
So after lots of research, I found that in the differences between azure devops server and azure devops services documentation. In this documentation it states that it uses windows authentication, and you will never be presented with any login experience.
I'd vote that this should be something that be configured to show a login screen, as sometimes we want to log in as users other than the users we logged into the machine as.
I have an application which uses LDAP authentication against AD, which works fine. However the UserDN and password for accessing LDAP are in clear text in the config files, and I would like to avoid clear text passwords.
In Softerra LDAP browser you have the option to authenticate with "Currently logged in user", does anyone know if this type of Windows Authentication is possible with Spring LDAP? Or is there perhaps another way to avoid credentials in config files (like using the credentials of the user trying to authenticate)?
With Microsoft SQL server, it is possible to do Windows Authentication via JDBC, since Microsoft provides some native code, has anyone heard about a similar functionality when using LDAP against AD?
"Currently logged in user"
this may mean that Kerberos based SASL authentication is used
You may check
https://docs.spring.io/spring-security-kerberos/docs/current/reference/htmlsingle/#ssk-kerberosldap
and
https://docs.spring.io/autorepo/docs/spring-security-kerberos/1.0.1.RELEASE/api/org/springframework/security/kerberos/client/ldap/KerberosLdapContextSource.html
The latter shows how the Kerberos ticket cache can be used.
I'm using the Rocket.Chat REST API for some automated user management. This was working great after I installed Rocket.Chat and my admin user had a username/password combo. Then, I activated the "iframe authentication" system in the admin panel. Now, when I try to use the REST API "login" endpoint, I get the error "User has no password set". Any ideas why this is happening? When I look at the user document in the MongoDB for Rocket.Chat, there is no "password" field (seems to have been deleted when I activated the iframe authentication).
UPDATE: I disabled the "iframe authentication" system and set a new password on my account. Looking at the DB now, that user has a "password" entry, so the password is there. But, now I can't log in because it says my password is incorrect. In summary, this software has a lot of bugs, it seems.
My question is basically the same as this question SoftLayer API OpenIdConnect Reset Password.
Once SoftLayer users are linked to IBM Bluemix users, the softlayer API can no longer be used to reset user passwords.
The only answer to the previous question indicates that "a bluemix api" must be used.
I've been searching for such an api but I'm not finding much, a million links for API design and connect on Bluemix but nothing for resetting the password in an automated fashion.
Can anyone point me to an API can can be used to reset or change the password for SoftLayer IBMid linked users?
Thanks!
Update:
I continue to search for a solution, I've downloaded and installed the BlueMix CLI and the Cloud Foundry CLI cf.
The bluemix CLI doesn't seem to have any password functionality, cf has a user password function but after prompting for Current Password and New and Confirm, it reports that current password doesn't match, which leads me to believe that the CF user functions are not tied to the IBMid open id server. (makes sense, just wanted to make sure and rule it out as an option)