I am trying understand kerberos & LDAP.
Working openldap(user information) & kerberos(authentication) are already installed.
I have migrated unix user(user01) to openldap using "migrationtools".
Below user and host principles are also created using kadmin..
addprinc user01
addprinc -randkey host/host01.example.com
addprinc -randkey host/host02.example.com
Let's say, I have 3 hosts:
host01.example.com
host02.example.com
host03.example.com
Now, my question is: how I can make sure that "user01" can access only on host01 & host02, NOT host03 ?
Thanks,
Obaid
Seems like we can do some workaround using sssd.
We can do it by editing "/etc/sssd/sssd.conf" and using "access_provider" parameter.
Considering my environment (openldap+krb5), first I tried with below parameters file "/etc/sssd/sssd.conf":
[domain/default]
access_provider = ldap
ldap_access_filter = memberOf=cn=demo1,ou=Groups,dc=example,dc=com
But, as soon as I put this parameter "access_provider = ldap" all the LDAP users failed to login.
Then I tried simple access method as below parameters in file "/etc/sssd/sssd.conf":
access_provider = simple
simple_allow_groups = demo1,demo2
Simple access provider worked for me.
In above example demo1 & demo2 are groups defined only on openldap and "access_provider = simple" is working. So, it is a potential candidate as my solution. And I am using "id_provider = ldap".
I would like to hear other thoughts/solution about this, so that we can find a good solution not only for me but also for others having similar scenario.
Thanks,
Obaid
Related
I have a regression with a TCP\IP connection string post a firebird 3 migration from v2.5. The FirebirdClient version is 4.6.1 but I've tested with the latest stable version and it also doesn't work (v7.10.1).
The error message is "Your user name and password are not defined. Ask your database administrator to set up a Firebird login".
The stacktrace:
at FirebirdSql.Data.FirebirdClient.FbConnectionInternal.Connect()
at FirebirdSql.Data.FirebirdClient.FbConnectionPoolManager.Pool.GetConnection(FbConnection owner)
at FirebirdSql.Data.FirebirdClient.FbConnectionPoolManager.Get(ConnectionString connectionString, FbConnection owner)
at FirebirdSql.Data.FirebirdClient.FbConnection.Open()
The user was created via the IBExpert UI.
Here's how the connection string looks (not real life connection data obviously):
#"Database=inet://10.000.0.000:3050/C:\Database.FDB;User=MY_USER;Password=secret";
The same user works if using a standard same network connection string as below:
#dialect=3;initial catalog=C:\Database.FDB;data source=localhost;user id=MY_USER;password=secret;character set=ISO8859_1;pooling=True;connection lifetime=30;server type=Default;port number=3050
My firebird.conf is set like so:
ServerMode = Super
DefaultDbCachePages = 100K
FileSystemCacheThreshold = 100M
TempBlockSize = 2M
TempCacheLimit = 4000M
AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi
UserManager = Legacy_UserManager, Srp
WireCrypt = Enabled
RemoteServicePort = 3050
LockMemSize = 30M
LockHashSlots = 30011
RemoteAccess = true
Not sure what I'm missing here. The connection string above works with SYSDBA. According to the firebird documentation I've read it looks fine. I've read all other stackoverflow tickets with the same issue but don't see any answers that work for me. Any ideas?
Recent versions of FirebirdSql.Data.FirebirdClient support the version 13-15 wire protocol of Firebird 3, and then only support Srp authentication. Your old version supported only up to the v12 protocol (Firebird 2.5) and then would use the legacy authentication. If you created the user using the Legacy_UserManager (the default in your configuration), then you cannot authenticate with version 7.10.1 (where you could with 4.6.1), because as far as the Srp authentication plugin is concerned, the user does not exist.
It looks like you created the user either using gsec, which always applies the default user manager (FYI, gsec is deprecated since Firebird 3), or you used CREATE USER without USING PLUGIN Srp (or with USING PLUGIN Legacy_UserManager). You can verify this by checking the output of select sec$user_name, sec$plugin from sec$users. The solution would be to drop the user and then create it again with the right user manager (USING PLUGIN Srp).
Note that in theory you could have the user both for Srp and Legacy_UserManager (e.g. if the same user needs to be used by an application that cannot authenticate with Srp), but it is far more secure to have the user only exist for one plugin.
On a related note, the configuration you have applied is insecure. It is far more secure to leave out Legacy_Auth of the AuthServer setting or - if you still have applications that cannot apply Srp - to put it last (for both AuthServer and AuthClient). Similarly, it is recommended to put Legacy_UserManager last in UserManager (or leave it out entirely), so by default - if you use gsec, or don't include USING PLUGIN xxx in CREATE USER - it will create more secure Srp-type users.
I'm trying to create some kind of user authentication to prevent unwanted access to my NodeRED's User Interface. I've searched online and found 2 solutions, that for some reason didn't worked out. Here they are:
Tried to add the httpNodeAuth{user:"user", pass:"password"} key to the bluemix-settings.js but after that my dashboard kept prompting me to type username and password, even after I typed the password defined at pass:"password" field.
Added the user defined Environtment Variables NODE_RED_USERNAME : username and NODE_RED_PASSWORD : password . But nothing has changed.
Those solutions were sugested here: How could I prohibit anonymous access to my NodeRed UI Dashboard on IBM Cloud(Bluemix)?
Thanks for the help, guys!
Here is a little bit of the 'bluemix-settings.js'
autoInstallModules: true,
// Move the admin UI
httpAdminRoot: '/red',
// Serve up the welcome page
httpStatic: path.join(__dirname,"public"),
//GUI password authentication (ALEX)
httpNodeAuth: {user:"admin",pass:"$2y$12$W2VkVHvBTwRyGCEV0oDw7OkajzG3mdV3vKRDkbXMgIjDHw0mcotLC"},
functionGlobalContext: { },
// Configure the logging output
logging: {
As described in the Node-RED docs here, you need to add a section as follows to the settings.js (or in the case of Bluemix/IBM Cloud the bluemix-settings.js file.
...
httpNodeAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
...
The pass files is a bcrypt hash of the password. There are 2 ways listed in the docs about how to generate the hash in the correct way.
if you have a local copy of Node-RED installed you can use the following command:
node-red admin hash-pw
As long as you have a local NodeJS install you can use the following:
node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here
You may need to install bcryptjs first with npm install bcryptjs first.
I have a FreeSWITCH v1.6.13 on my Debian 8( From git) and it is OK.
After that i installed the last FusionPBX to manage my PBX telephony FS.
But it gives me error : 403 You must define a domain called x.x.x.x in your directory...
Both i installed by FusionPBX guid in their web site.
FreeSWITCH and FusionPBX.
Im going crazy cause about 4 days i Am working and not a good result yet.
I know Fusion store data in DB and i give him a Pgsql user name and password.( not the default one it suggest after ./install command) and also FS with --enable-core-pgsql-supprt in ./configureaiton with -C.
And i searched a lot, and all says as this link.
But when i go to sip status from FusionPBX, it says that my ip is correct, and also i did what they say but no success.
Just one time it worked! and i did not why it work.
And after it does not work and again says 403 you must ....
And after that i create an extention, i go to FS terminal and type user_exist 101 (user i created in fusionpbx)it return me false.
Can it be DB issue?
I do not know why just one time it worked and after i after that again gave me 403 error.
Cause i did changed a lot i could not understand what was the cause to work it.
Is it a bug?
What exactly i am doing wrong??
Really any help will appreciate.
EDIT 1 :
My softphone is android zoiper for test the created extention in fusion.
Make sure you are using the "Extension" number as the username in zoiper. Also go to the extension's settings page to see the current password for that extension. I have used Zoiper on my android phone with FusionPBX. So I know it will work.
Zoiper account settings will be:
Account Name: Any name.
Hostname: ip/hostname of FusionPBX
Username: extension number
Password: extension password.
One thing that confused me a lot when I first tried fusionpbx is the "Users" vs "Extensions". From what I can tell "Users" are only for logging into the web UI of FusionPBX, for things like checking voicemail and managing other features. The "Users" are not SIP users.
I am using Confluence 4.2.5 (build 3284) with CAS SSO connected to my LDAP server and would like to be able to call synchroniseUserDirectories() from the LDAP server when a user changes their password so that the change is instantaneous.
The way it works now is that users have to wait for the Confluence to run it's periodic LDAP synchronization which can be disconcerting for them.
I have tried using the XML-RPC interface to call changeUserPassword() (as an administrator) but it doesn't work. The operation raises an exception "Error changing password for user ...". I presume that that is because the user is defined in the LDAP but I can't tell for sure because the exception message wasn't clear about the cause.
Here is example code that I would like to be able to use. It doesn't work.
#!/usr/bin/env python
import xmlrpclib
url = 'https://docs.example.com'
admin_user = 'frobisher'
admin_pass = 'supersecretstuff'
username = 'bigbob'
new_password = 'bigbobsbigsecret'
server = xmlrpclib.ServerProxy(url + '/rpc/xmlrpc')
token = server.confluence2.login(admin_user, admin_pass)
# CITATION: https://developer.atlassian.com/display/CONFDEV/Remote+Confluence+Methods
# this doesn't exist but would be my preferred approach.
# It raises a NoSuchMethodException exception.
server.confluence2.synchroniseUserDirectories(token)
# this throws a general exception, because of the LDAP? The message
# wasn't clear about the source of the problem.
#server.confluence2.changeUserPassword(token,
# username,
# password)
server.confluence2.logout(token)
Is there any way to do this using SOAP or REST? I was concerned about REST because it sounds like it is still a prototype.
If none of those approaches will work, can it be done with a simple plugin considering that this must be a push operation from the LDAP server to the Confluence server? I have no experience writing plugins but I do some java work occasionally.
Any hints would be greatly appreciated.
The short answer is "no". The ability to synchronise remote user directories is not exposed as a remote operation in Confluence.
The long answer is "yes", you can write a plugin to do this. If you're already familiar with java, then perhaps the best answer is to just show you some source code I've written that performs a similar function: https://bitbucket.org/jaysee00/confluence-user-sync-api This plugin gives you SOAP, XML-RPC and JSON-RPC methods to force an individual user account to be synced in to Confluence from a remote directory.
That might suit your purposes as-is, but I imagine it would be possible to edit the source of this plugin and change it to synchronise an entire directory, too.
Good day everyone, I have been trying to put my moodle online so pcs from internet can access it, but until now, no luck at all. (Im using moodle 2.3.2 on Windows Server 2008 and IIS 7).
I tried to configure the moodle file config.php, setting the directive $CFG -> wwwroot = "my-public-ip/moodle". Then, when I access to moodel from the server, I can access it by "http://my-public-ip/moodle", when I try to access via localhost, it sends an error which it is OK.
But the funny part comes when I try to access the server from an outside pc. When I type "http://my-public-ip/moodle" it simply cant "see" the configuration I made to the config.php file (it says: This server cna only be accessed via localhost/moodle) it looks like the outside pcs are either ignoring it, or searching for another configuration file. I dont know what the hell is happening, this is very odd.
Any ideas?? tnx!!!
Change the following file:
lib-->setuplib.php
Redirect ($CFG->wwwroot, get_string('wwwrootmismatch', 'error', $CFG->wwwroot), 3);
for
Redirect ($CFG->wwwroot, get_string('wwwrootmismatch', 'error', $CFG->wwwroot), 0);
I realise this is an old question, but it's also worth pointing out you may need to also run the database search and replace script, at:
http://my-public-ip/moodle/admin/tool/replace/index.php
as referenced in Method 2 here.
This is required if you change the name of the site once you have installed it. If you were already using Moodle under "localhost", then there will be a number of references to the old localhost address stored in the database that need to be updated to the new IP-based address.
It might be because the http:// part is missing?
$CFG->wwwroot = "my-public-ip/moodle"
should be
$CFG->wwwroot = "http://my-public-ip/moodle"