I am trying to integrate Nagios with SimpleSAMLPHP for SingleSignOn company wide.
I have installed simplesaml and Nagios on apache.
Looking out for configuration settings wherein I can specify SAML settings for Nagios.
Has anyone worked on it?
I don't think it's possible to do this without setting the Apache REMOTE_USER variable. The Nagios server is rendered by php and cgi scripts. The php scripts have a user variable attached to the Apache server's REMOTE_USER, and this can be removed to substitute for any other php variable. BUT, most of the functionality and restrictions are being processed in the cgi scripts.
Based on this issue on the Nagios Core GitHub repo, it doesn't look like they are planning on offering any other methods of passing information to the cgi scripts. Nagios X doesn't appear to offer any options either based on this forum post
For authentication in Nagios Core these may be the best options:
Continue using Htaccess Authentication
Wrap the entire application within another to protect it (but you lose per-user privileges)
Manually change the Apache REMOTE_USER variable when someone logs in (maybe a security risk if at all possible)
Migrate to Icinga, which does offer more authentication options
At my place of employment, we will likely be using #3 or #4 based on what's possible and more secure.
Related
I am currently using golang pq library to connect to postgres database. I am successfully connecting using kerberos principal, but i can't figure out where can i specify keytab file to use to. In the source code it kinda happens magically, using some third-party library. It actually works, but i need to know for sure how does it know where my keytab is stored, so it can request initial ticket.
Usually Kerberos clients do not directly use a keytab; they expect the initial ticket to be already acquired and present in the environment. That is, you're expected to kinit before running the program, and afterwards the client's GSSAPI library looks for the KRB5CCNAME environment variable, which points at a file containing the ticket cache left by kinit.
(Normally with MIT Kerberos or Heimdal it could be many other things besides a file... but the 'pq' library uses a very minimal pure-Go Kerberos implementation which only accepts a traditional file-based ccache. So be careful if Krb5 on your distro was set up to use 'DIR' or 'KEYRING' or 'KCM' cache types, those aren't going to work here.)
If the initial ticket isn't present, the MIT Krb5 implementation will in fact automatically use a keytab to acquire the ticket if the KRB5_CLIENT_KTNAME environment variable is pointing to one. Unfortunately, the 'pq' library doesn't use the system Kerberos library, so that won't work here either. (But it also wouldn't work if your OS was using Heimdal Kerberos; it's a MIT-specific extension.)
So the approach that will always work is to set KRB5CCNAME to a temporary path, then use either kinit or k5start to acquire a ticket from the keytab, before running your program. (The k5start tool will also keep automatically renewing or re-acquiring the ticket before it expires, without needing to use cron.)
Really, the whole krb_unix.go file is disappointing. If they can call the native SSPI on Windows, surely they could call the native GSSAPI on Linux...
I am looking to use Cypress for end to end testing for some kubernetes applications. Typically, I access these applications via OIDC through kong, however cypress doesn't support this, but does support key-auth via an API key. Is there a way of setting up the service so that I can use both of these simultaneously?
I think you cannot use more than one authentication plugin in an XOR scenario. This would only work for AND as long as the plugins do not use the same headers.
I also faced this problem and I solved it by setting up one service (pointing to the backend) and multiple routes (one for normal traffic, one for test traffic). You then can activate different plugins on each route instead of sticking it to the service.
The only downside is the slightly different base path you use for testing, but I think this is less problematic than the downside of testing with a different way of authentication.
Ok I am attempting to transfer a manual change to powershell,
Attempting to grant IIS_IUSRS access to /LM/SmtpSvc/ and /LM/SmtpSvc/1/ nodes in the IIS Metabase.
I have googled extensively and can not find an example of what i am looking for.
I have been trying to play with
$smtp = [wmiclass]‘root\MicrosoftIISv2:IIsSmtpServerSetting'
But I am in a little over my head with WMI.
Any help would be appreciated. This setting is required for resolving
This.
Not an exact answer, but the best I have so far. Following the Guide here I chose option 1 and changed the app pool to network service. I will still work on a way to do the permissions settings with powershell.
Update (solution untested)
I found this answer on another post that details how to do it using scripts in the iis6.0 resource toolkit. To get these scripts on server 2012 you have to install the IIS6.0 resource toolkit, the only way i can find to do a silent install of this one was located here from there you can call the scripts using cscript.exe. I stuck with the changing user on the app pool option because it fits in with other things as well.
I am working on URL-rewrite module of Apache web server. To start with I am not able to configure the same for Windows7. Moving forward, my exact problem statement is -
I have a webapp for which i need to set a cookie everytime a user visits my app. Once the cookie is set I need to read it next time the user visits and modify my URL according to that. I need to set/read the cookie in perl.
I am completely new to perl and Apache Web server.
Well, it depends.
Here are a few ways:
Plain old CGI
CGI::Cookie
If using mod_perl under Apache 1.3.x: Apache::Cookie
If using mod_perl2 under Apache 2.x: Apache2::Cookie
I am DBA. I am trying to write bunch of scripts that I could execute from one central server. Ideal would be to send all the scripts from central server to say 50+ servers across multiple win domains (for databases management purposes).
The problem I am running into is - security. Seems like PowerShell Remoting is the way to go. But when I send a script to another server, I get 'not digitally signed' error.
I could 'self sign'. But that cert if only trusted on local machine. So that option is out.
Maybe Certificate Authority is a way to go. Or adding trusted hosts. I just have no clue on this one, so if you know any blog posts or how to do this - it would be big help.
Well, it's a security risk, but there's always the possibility of setting the execution policy to RemoteSigned, keeping a local repository on each server and calling those as needed via PS-Remoting. I don't like that idea one bit though.
If you are doing remote execution, you will need to sign your scripts. A detailed step by step can be found here. It even covers deploying the cert via GPO so that it's domain trusted.
I would use PowerShell remoting. This would allow you to run it as remote commands instead of remote scripts. If you catch the bottom of this SimpleTalk article, after "Persistent Sessions". It shows the option of executing a set of commands against each server instead of the script. This should prevent having to deal with the remote signed issue and provide a little more control.
The only thing to deal with on remote sessions is your credentials. I have not tried this on multiple domains but a few stand-alone servers.