Is it possible to create a Realm in (Keycloak or RH-SSO) through the CLI - GUI? - keycloak

Is it possible to create a Realm through the CLI - GUI?
I would like to know if it is possible to create a realm via the CLI - GUI. (I started the GUI with the command ./jboss-cli.sh --gui)
If possible, how can I do this?
Thank you

Pretty certain you can't use the JBoss CLI for that, but you can use kcadm.sh to manage realms and clients. See the official docs.
It just uses Keycloak's REST endpoints, so you could use another tool to make those requests if you wish, e.g. Postman/Newman.
However if you require a GUI, why not just use the web based admin panel?
If it is running on a remote server you can use ssh with the -N flag to forward the remote port to some local port which you can access with your browser.

How to create a kerberized application?

I'm currently learning about Kerberos and all the details of it. Learned how to set up a Kerberos KDC and admin server on Ubuntu, and I can now create user principals and get a TGT using kinit etc.
What I didn't get is how does an application authenticate users. I get the theory, but I want to see it in action. So what I want to do is write a small HTTP application in Linux (C/C++) and have it authenticate users based on Kerberos tickets.
I've been searching the web but couldn't find anything. Could someone give me a hint where to start?
Turning on tracing for Kerberos on Linux is easy (do this first; it will start giving you feedback):
export KRB5_TRACE=/dev/stdout
Then you could use curl as @Michael-O said, but with verbose logging turned on, which would help you get a feel for things (as described here).
Check the curl version:
$ curl -V   # it should support the feature "GSS-Negotiate"
Log in using kinit:
$ kinit
Use curl:
$ curl -v --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt 'http://localhost:14000/webhdfs/v1/?op=liststatus'
The "--negotiate" option enables SPNEGO.
The "-u" option is required but ignored (the principal specified during kinit is used).
The "-b" and "-c" options are used to store and send HTTP cookies.
SPNEGO is an authentication mechanism that knows how to facilitate Kerberos via GSS-Negotiate. This would be the fastest way to get a feel for things, but it's a lot of logs and not always the most clear.
What I didn't get is how does an application authenticate users. I get the theory, but I want to see it in action. So what I want to do is write a small HTTP application in Linux (C/C++) and have it authenticate users based on Kerberos tickets.
For the server, I would choose one of these options:
Apache with the mod_auth_gssapi module (not the old mod_auth_kerb... but it works too),
or Python using Flask and flask-gssapi (good choice if you want to see how the underlying gssapi functions are used).
There are several others, e.g. Golang's gokrb5 has an SPNEGO example.
In all cases, the GSS-API (or the Windows equivalent, SSPI) will be used on both the client and server, starting with gss_init_sec_context(). The "direct" Kerberos functions are generally not used in programs (except old ones that predate GSS-API).
(Note that normally GSS-API produces raw Kerberos tokens, but with HTTP Negotiate auth they're wrapped inside SPNEGO tokens, so you have to specifically request the SPNEGO mechanism when initializing GSS-API.)
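As an added example (not code from the original answers), the following Python reads the mechanism OID out of the initial GSS-API token carried in an HTTP Negotiate header, which makes the SPNEGO-versus-raw-Kerberos distinction above visible when you inspect what curl --negotiate or your own server actually exchanges. The sample header values are constructed with placeholder inner bytes, not captured traffic.

```python
import base64
# Mechanism OIDs: SPNEGO (RFC 4178) and Kerberos V5 (RFC 1964).
LABELS = {"1.3.6.1.5.5.2": "SPNEGO (what HTTP Negotiate expects)",
          "1.2.840.113554.1.2.2": "raw Kerberos V5 (not wrapped in SPNEGO)"}
def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(buf, pos, length):
    """Decode the DER OBJECT IDENTIFIER content octets buf[pos:pos + length]."""
    body = buf[pos:pos + length]
    if len(body) != length or not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_negotiate_token(header_value):
    """Identify the GSS mechanism in an 'Authorization: Negotiate <b64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64, validate=True)
    # Only the first token has RFC 2743 framing; SPNEGO continuations start 0xA1.
    if token[:1] != b"\x60":
        raise ValueError("not a GSS-API initial context token")
    total, pos = _der_length(token, 1)
    if pos + total != len(token) or token[pos:pos + 1] != b"\x06":
        raise ValueError("malformed outer wrapper")
    oid_len, pos = _der_length(token, pos + 1)
    mech = _decode_oid(token, pos, oid_len)
    return {"mech_oid": mech, "label": LABELS.get(mech, "unknown mechanism"),
            "inner_len": len(token) - pos - oid_len}

# Constructed sample headers: real framing and OIDs, placeholder inner bytes.
SAMPLES = {name: "Negotiate " + base64.b64encode(bytes.fromhex(h)).decode()
           for name, h in [("spnego", "600e06062b0601050502a00430020500"),
                           ("krb5", "600d06092a864886f7120102020100")]}
```

Feed it the value of a real Authorization header from curl's verbose output (or from your server's request log) to confirm the client is sending SPNEGO rather than a bare Kerberos AP-REQ.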
Use curl, it has everything built in.

How can I give server access to my Developer?

I have an AWS EC2 server with my app backend and database there.
My new developer needs to upload a few things to the database and update the backend code, but I don't want to give him the PEM.
He needs to SSH.
What's the best possible way to do it? I was thinking of creating an IAM user for him, but I only want to give him SSH access, so what permission would that be? I could only find a general full-permission EC2 policy which would also give him permission to edit the security group and things like that.
I do trust him well, but I just don't want to give him full access in general.
What can I do?
Why not allow your developer to connect using Session Manager?
If you use this he can access the environment either in his browser or via the AWS CLI.
He should be able to mimic a regular session but without having the key; then, when he's done, you remove the permissions to the server. You can also enable logging to check the history of his session's actions.
If you want to update code, you should at some point take a look at using CodeDeploy to have the code automatically rolled out without even accessing the server.

How to get a Foundry service's whitelist IPs

We have a GUI that manages Cloud Foundry, and there's a link that shows an instance with an IP whitelist external dependency (quite large). How can I easily re-create this config as JSON, and recreate it in a different Foundry env?
It's not entirely clear what is being presented in your GUI, but it sounds like it might be the application security groups. You might try running cf security-groups or cf security-group <name> to see if this information matches up with what's displayed in the GUI.
If that's what you want, you can use the following API calls to obtain the JSON data and recreate it in another environment.
1.) List all the security groups: http://apidocs.cloudfoundry.org/1.40.0/security_groups/list_all_security_groups.html
2.) List security groups applied to all applications: http://apidocs.cloudfoundry.org/1.40.0/security_group_running_defaults/return_the_security_groups_used_for_running_apps.html
3.) List security groups applied to all staging containers: http://apidocs.cloudfoundry.org/1.40.0/security_group_staging_defaults/return_the_security_groups_used_for_staging.html
4.) Retrieve a particular security group: http://apidocs.cloudfoundry.org/1.40.0/security_groups/retrieve_a_particular_security_group.html
And you can find more details about the API calls here: http://apidocs.cloudfoundry.org/
You can also run the cf cli commands above with the -v flag to show the HTTP requests being made by the CLI to obtain the information that's displayed.
Hope that helps!

Read a Bitbucket resource using curl with Access Keys

I configured my Bitbucket repo to be read-only accessible via REST API publicly. There are some JSON configuration files that I need to read the content using GET HTTP method.
https://<bitbucket-repo-url>/config.json?raw
I want to switch to a secure method using Access Keys.
I want to try to test this using curl, but I don't know the arguments on including the access keys. Can anyone help?
Access keys are for SSH only. They will not work with any HTTP-based utilities (like curl) or endpoints (like the one you list in your example).
Is this Bitbucket Server (the on-premise version)? If so, https://confluence.atlassian.com/bitbucketserver/permanently-authenticating-with-git-repositories-776639846.html may be helpful for you.

Moodle LDAP authentication

I'm using Moodle 2.7. I need to use LDAP authentication to allow users to log in using an external LDAP server (with their username and password). I have tried with Apache Directory Studio, but I got an "Invalid login" error, even though the login details were correct.
Please suggest some other LDAP server, and how to add user details to that server and do authentication in Moodle.
FusionDirectory is a reasonable alternative. It's based on OpenLDAP and it's pretty well documented.
Assuming that you're in a Linux environment, you can install it relatively easily/quickly via SSH. Once the download is complete, follow the on-screen instructions, which are not that wildly different from setting up any odd CMS/LMS. The default URL is yourdomain.url/fusiondirectory.
When that's all done and dusted, you'll be taken back to the login page where you can sign in for the first time using the credentials you created during the set up process.
You can use your dashboard to add users/groups.
Once you've got a few users in there, it's now time to jump back to Moodle. Hop over to Site Admin -> Plugins -> Authentication -> Manage Authentication and enable "LDAP Server" then open up its settings. Fill in the details of your LDAP server such that it matches the details of the FusionDirectory.
This will set up the connection, but you will finally need to set up a cron job to regularly sync your databases together. Jump to SSH or cPanel -> Cron jobs (whatever option you prefer) and run the following crontab:
wget -q -O /dev/null https://yourdomain.url/auth/ldap/cli/sync_users.php
It's up to you how frequently you choose to set it.
HTH.