Domino LDAP: how to hide dismissed email addresses from Notes and show them to LDAP - email

In a Domino 9.0.x server running LDAP, it seems that LDAP clients do not honor ACL roles.
I am trying to hide dismissed email addresses using a reader role ($Readers field), so that only specific people can see them for administration purposes.
I need an antispam appliance querying Domino via LDAP to be able to see those role-hidden addresses, to correctly allow valid recipient checks.
In this way, relevant email messages can still be received while new email addresses will be available to existing external senders.
It seems that an LDAP-authenticated client does not "own" any roles, and cannot see any role-hidden address, while web browsing the directory with the same authenticated account can.
Does anyone use role access with LDAP?
Is there any documentation about limitations on ACL roles in LDAP access?

Related

How to access ejabberd server's web admin interface?

I am new to the XMPP server and still learning. I have chosen the ejabberd server for my chat application. I have started the server but am not able to access the web admin interface. As you can see, ejabberd@localhost is already running. configuration
I started the server and it was supposed to show the web admin interface, but unfortunately it is not showing. I don't know what I am doing wrong.
With that configuration, the webadmin page is in
http://localhost:5280/admin/
When the browser asks for login credentials, provide the JID of some account in ejabberd with admin rights (it may be vinayak@localhost or something like that) and its password.
This means that you should have already registered an account in ejabberd, and granted it admin rights in the ejabberd.yml configuration file; see https://docs.ejabberd.im/admin/installation/#administration-account

Can I create a walled garden allowing only my organisation's users to use my ejabberd instance

Can I create a walled garden allowing only my organisation's users/clients to use my ejabberd instance/service?
This includes registration of users done only by my backend and preventing other clients' users from registering or accessing the server. Additionally, users of another server cannot be added by existing users.
This includes registration of users done only by my backend
Then probably limit mod_register using the options access_from and ip_access:
https://docs.ejabberd.im/admin/configuration/modules/#mod-register
And then write your custom web application that sends REST or XML-RPC queries to ejabberd's
https://docs.ejabberd.im/developer/ejabberd-api/#understanding-ejabberd-commands
and executes the "register" API command:
https://docs.ejabberd.im/developer/ejabberd-api/admin-api/#register
and preventing other clients' users to register
If you use your custom web application to show a registration form, that's your duty.
or access the server.
Additionally users of another server can not be added by existing users.
You may want to disable S2S (server-to-server), so communication from/to your XMPP server to other XMPP servers is not allowed.
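As an added example (constructed here, not the answer's nor the ejabberd project's own configuration), an ejabberd.yml fragment that applies the three points above: in-band registration denied, the register/unregister API commands reachable only from a backend on the same host, and S2S disabled in both directions. The domain example.org, the admin JID and a loopback-only backend are assumptions.

```yaml
# ejabberd.yml fragment (constructed example). Assumptions: XMPP domain example.org,
# an existing admin@example.org account, and a provisioning backend that runs on the
# same host and talks to the API over loopback.
hosts:
  - example.org

acl:
  admin:
    user:
      - admin@example.org
  loopback:
    ip:
      - 127.0.0.0/8

access_rules:
  register:             # in-band registration (XEP-0077): nobody
    deny: all
  trusted_network:      # used by ip_access below
    allow: loopback

listen:
  - port: 5222
    module: ejabberd_c2s
  - port: 5280
    ip: 127.0.0.1       # HTTP API bound to loopback only
    module: ejabberd_http
    request_handlers:
      "/api": mod_http_api
  # no ejabberd_s2s_in listener on 5269: no inbound federation

s2s_access: none        # predefined rule "none" denies all outbound S2S as well

api_permissions:
  "backend provisioning":
    from:
      - mod_http_api
    who:
      ip: 127.0.0.1/8   # only the local backend may call these commands
    what:
      - register
      - unregister

modules:
  mod_register:
    access: register          # denies client-side in-band registration
    access_from: none         # nobody may register accounts on behalf of others
    ip_access: trusted_network
```

The API register command is executed through ejabberd's auth layer rather than through mod_register, so the backend's calls are governed by api_permissions, not by the access rules that lock out XMPP clients.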

Is there a way to disable the sonarqube ldap plugin email synchronization?

Currently we are using the LDAP plugin (version 2.1.0.507) for our SonarQube (version 5.6.1) user authentication, but our LDAP is not configured for email. Thus every time we add an email locally for notifications, it is wiped away by the LDAP sync when you log out. Is there a way to disable the sync so that our locally configured emails remain?
Nope, not possible. LDAP Plugin fully delegates authentication, as well as synchronization of usernames and emails (+ groups if Group Mapping is configured).
No workaround, your best shot here really is to propagate email addresses in your LDAP server (which seems like a fair expectation for a user directory).

Kerberos/negotiate S4U2proxy authenticate on behalf of user

I would like to do authentication at a proxy on behalf of a user via the Kerberos/Negotiate protocol.
The user will authenticate with a form login to the server; the server knows who the user is, and the server has to authenticate to a backend server on behalf of the user using Kerberos.
Please help me with sample code or point me to some good references.
thank you in advance
-csr
Michael: the OP is asking about what MS calls "constrained delegation," the S4U Kerberos extension they invented, rather than the standard delegation (TGT forwarding) to which you're referring.
CSR: first off: is the user providing their Kerberos password in your "form login?" If so, you don't need to use S4U; you can just kinit with the password and get credentials directly.
If not, then this is indeed one use case for which S4U is intended. You didn't say, but I'll assume you're in a Windows environment, although S4U has been added to MIT Kerberos as well.
Rather than have the client forward a TGT, S4U allows the domain administrator to authorize a service principal to independently impersonate any user to a limited set of other services. To enable a service for constrained delegation:
MMC "Users and Computers" snap-in
select the properties for the service account
"Delegation" tab
"trust... for delegation to specified services"
In your case, you'll also need to set "use any authentication protocol;" this enables "protocol transition." If your service were authenticating the user with Kerberos, you could have the DC require the service to present a recent ticket from the client, proving it has some business doing this. Since you're using a different authentication method, though, you have to forgo that check; that's what protocol transition does.
I'd start here for understanding S4U: http://msdn.microsoft.com/en-us/library/cc246071(PROT.13).aspx.
I have written a patch for Apache mod_auth_kerb implementing constrained delegation for Unix web services, so it does in fact work. :)
Have the client send a forwardable (OK-AS-DELEGATE) ticket to you. You can extract the TGT from that and impersonate the user to perform your task. This works in my case when I receive a service ticket from IE or FF and bind against the AD for the user.

How to manage (create/delete) Email addresses programmatically?

I am building a web application that will also allow my users to register/transfer a domain and manage email addresses through my application. However, I'm not exactly sure how to do that yet. I think there are services with APIs that will allow me to register domain names. However, working with DNS, MX records, email addresses and running an email server is something I've never done before. What do I need to know about automating this process of managing email accounts, and what sorts of solutions already exist?
For the email address part, have a look at How to communicate with a mail server through a web application.
The DNS part is pretty much the same, but you need a DNS authoritative server with a database backend, such as PowerDNS (database configuration docs).
If you don't want to run the DNS servers yourself, PowerDNS also offers hosting with API access.