Rundeck - problem with jaas LDAPS configuration - rundeck

[SOLVED - answer in comments]
I've followed how-to from https://docs.rundeck.com/docs/administration/security/authentication.html#communicating-over-secure-ldap-ldaps
Authentication works great for LDAP, but when I change to LDAPS (I am only changing providerUrl="ldap://" to ldaps:// stanza in custom jaas conf), error is being returned:
ERROR jaas.JettyCachingLdapLogModule - Naming error
javax.naming.CommunicationException: simple bind failed: <AD IP>
AD is listening on port 636.
I suspect problem can be with authenticationMethod="simple" - but when I am trying to change it to "tls:simple" (per https://docs.oracle.com/cd/E53394_01/html/E54912/ldapsecure-75.html) Rundeck claims there's syntax issue.
Do you had similar problem?
How switch from simple auth to tls?

Related

ActiveMQ Artemis mutual SSL issue

I run into the same issue described in ActiveMQ Artemis AMQ229031 error with mutual SSL.
Setup is done as per official example.
It looks there is something went wrong in the code. I was able to reproduce the mentioned issue.
Clients side says:
Exception in thread "main" javax.jms.JMSSecurityException: AMQ229031: Unable to validate user from /127.0.0.1:47822. Username: null; SSL certificate subject DN: CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
Server side log file says:
021-06-22 06:27:49,209 WARN [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /127.0.0.1:47404. Username: null; SSL certificate subject DN: CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
I think Artemis finds the certificate, but it was unable to validate.
Upgrading to release 2.18.0 solves the issue. It works fine now.

KeyCloak fails to send email using SMTP with status 500

I have Keycloak running in a Kubernetes cluster. Authentication works but I need to set up e-mail to be able to send e-mails for verification and password reset.
I have SendGrid set up as an SMTP Relay. These settings (host, port and api key) work when I send mail using the SendGrid java client. However, when pressing Test connection in KeyCloak I get:
[Error] Failed to load resource: the server responded with a status of 500 ()
[Debug] Remove message (services.js, line 14)
[Debug] Added message (services.js, line 15)
[Error] Can't find variable: error
https://<domain>/auth/resources/ong8v/admin/keycloak/js/controllers/realm.js:76 – "Possibly unhandled rejection: {}"
[Debug] Remove message (services.js, line 14)
There isn't much to go on here. I have an e-mail address set up for the currently logged in user. I've also tried resetting the password in case the Test connection functionality was broken but that didn't work either.
The Realm Settings settings user for email are as such:
host: smtp.sendgrid.net
port: 587
from: test#<domain>
Enable StartTLS: true
Username: "apikey"
Password: <api key>
Any idea what can be wrong? Or how to find out? For instance, maybe I can get a more meaningful error message somehow.
Edit:
I got the server logs.
Failed to send email: com.sun.mail.util.MailConnectException: Couldn't connect to host, port: smtp.sendgrid.net, 587; timeout 10000;
nested exception is: java.net.SocketTimeoutException: connect timed out
Edit 2:
I've tried sending mail using Telnet using the exact same settings and that works. So apparently it's something with Keycloak or its underlying Java libraries that's causing issues sending e-mail.
Turns out that Keycloak works and that emails were blocked by the hosting provider.

Keycloak is stripping the port from my redirect_uri in the Location header. Why?

I have the following allowed redirect uri set for my client: exp://192.168.2.212:19000
After a code exchange using the following URL:
GET /auth/realms/xxxxx/protocol/openid-connect/auth?code_challenge=m71Cl...D4hw&redirect_uri=exp%3A%2F%2F192.168.2.212%3A19000&client_id=3B03...
X-Forwarded-For: 178.84.x.x
X-Forwarded-Host: oidc.production.my.domain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 09918a799a23
X-Real-Ip: 178.84.x.x
I get a HTTP/1.1 302 Found with the following Location field:
Location: exp://192.168.2.212?state=T0pvzPyHF6&session_state=b1cf16ad-b.....
The port is missing. My (Expo) client in android emulator then barfs about not being able to connect to 192.168.2.212 port 80. Naturally.
I am using the docker hub images 11.0.0
How can I prevent this? Is it a bug?
(The iOS version of my app uses a different redirect_uri (exp://127.0.0.1:19000), but although Keycloak strips the port there as well and it receives a Location: exp://127.0.0.1?state=T0p... it does connect to port 19000 and works fine for some reason.)
EDIT: Note that authentication works fine on iOS, and I run exactly the same Keycloak settings in iOS as Android (It's a React Native application).
Keycloak logs no error, and the following debug message:
13:24:33,365 DEBUG [org.keycloak.events] (default task-47) type=LOGIN, realmId=neemop, clientId=3B03FD35, userId=28619cd3-c51d-4756-9d06-fb47********, ipAddress=178.84.x.x, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=exp://192.168.2.212:19000, consent=no_consent_required, code_id=a0faa4d4-6826-4c2f-9243-*******, response_mode=query, username=ron.arts#mydomain.com, authSessionParentId=a0faa4d4-6826-4c2f-9243-*******, authSessionTabId=-Pn******
shows the redirect_uri is parsed correctly. It's just that in the actual HTTP response the Location: header omits the port. Which imho should not happen.
Seems like a bug: https://issues.redhat.com/browse/KEYCLOAK-9405?_sscc=t
Tested on 12.0.4 and it still occurs. It appears to be an issue with any non-http(s) protocol
another bug has been submitted to keycloak team:
https://issues.redhat.com/browse/KEYCLOAK-17141
a fix is available in keycloak version >= 13.0.0

EAC Admin Console is not opening up?

When I try to hit my site, I am getting the following error:
Error Tue May 10 16:54:40 IST 2016 1462879480679
/atg/endeca/assembler/droplet/InvokeAssembler A problem occurred
assembling the content for content item /content/Web/Home Pages. The
response received was {previewModuleUrl=http://localhost:8006/ifcr,
#type=ContentSlot, atg:currentSiteProductionURL=www.local.com:7103,
canonicalLink=com.endeca.infront.cartridge.model.NavigationAction#49dded95,
ruleLimit=1, #error=com.endeca.infront.content.ContentException:
com.endeca.navigation.ENEConnectionException: Error establishing
connection to retrieve Navigation Engine request
'http://localhost:15000/graph?node=0&profiles=NoPriceRange|site&offset=0&nbins=0&merchdebug=1&irversion=640'.
Tried all: '2' addresses, but could not connect over HTTP to server:
'localhost', port: '15000' Check MDEX Logs and specified query
parameters. , contentCollection=/content/Web/Home Pages}. Servicing
the error open parameter.
When I try to access EAC Admin Console to restart MDEX Engine, it is not getting loaded. Why that might be?
Ensure your endeca servers are running. Try to access localhost:8500/cas?wsdl
Is the Dgraph port provided as 15000 in all configurations?

APACHEDS LDAP error

I want login to a flex application that it deployed on jboss 5.1.0 .
During installation I configured ldap, with APACHEDS, and the software accept the credentials.
Now when i try to login JBOSS return me the following error:
LDAP: error code 80 - OTHER: failed for MessageType : SEARCH_REQUEST
Where is the problem?
Thanks
Since it is SEARCH_REQUEST that is returned I would suspect that the error is not finding the bind DN of your user.