Unable to authenticate with LDAP plugin - plugins

I am using LDAP plugin for authentication.
I did below setting inside LDAP plugin file -
AuthLDAPURL = ldap://:389/ou=openshift,dc=,dc=,dc=com?uid?sub?(objectClass=*).
Commented below lines
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_user_module modules/mod_authz_user.so
After doing above setting , we are able to start/ restart broker service successfully using command – service openshift-broker restart
But still we are unable to login with users which are present inside LDAP directory. It is authenticating from htpasswd file which is default one.
Please let us know how can we bypass or remove default authentication with LDAP Auth ?
any help will be really appreciated. Waiting for the response.
Thanks,
Jyoti

Related

How Mastodon Configured Login Using SSO

How Mastodon configure login using SSO, such as openid with keycloak? I search in Github and configure Mastodon follow this guide, but it doesn't work.
This is my environment variable:
OIDC_ENABLED=true
OIDC_DISPLAY_NAME=SSO
OIDC_AUTH_ENDPOINT=https://SSO_URL/realms/mastodon/.well-known/openid-configuration
OIDC_ISSUER=https://SSO_URL/realms/mastodon
OIDC_DISCOVERY=true
OIDC_SCOPE="openid,profile"
OIDC_UID_FIELD=uid
OIDC_CLIENT_ID=masto
OIDC_REDIRECT_URI=https://MASTODON_URL/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
OIDC_CLIENT_SECRET=***
I checked the error log via this command but it is empty.
docker-compose logs | grep ERROR
Even the text of the SSO button has not changed.
There is the screenshot of sso button
my config:
OIDC_ENABLED=true
OIDC_DISPLAY_NAME=My IDM
OIDC_DISCOVERY=true
OIDC_ISSUER=https://<keycloak_url>/auth/realms/<real>
OIDC_AUTH_ENDPOINT=https://<keycloak_url>/auth/realms/<real>/.well-known/openid-configuration
OIDC_SCOPE=openid,profile,email
OIDC_UID_FIELD=preferred_username
OIDC_CLIENT_ID=<client id>
OIDC_CLIENT_SECRET=<client secret>
OIDC_REDIRECT_URI=https://<mastodon URL>/auth/auth/openid_connect/callback
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
Tested with Mastondo 3.5.3 and Keycloak 7.0.1
Maybe, only change yours OIDC_SCOPE and OIDC_UID_FIELD environments values.
I cannot comment but Erik suggestion was really good, here is our minimal configuration using Keycloak in discovery mode:
# Enable OIDC
OIDC_ENABLED=true
# Name your button (ignored in current 3.5.3 but fix is done in upcoming releases)
OIDC_DISPLAY_NAME=Login with MySSO
# Where to find your Keycloak OIDC server
OIDC_ISSUER=https://<keycloak_domain>/realms/<my_realm>
# Use discovery to determing all OIDC endpoints
OIDC_DISCOVERY=true
# Scope you want to obtain from OIDC server
OIDC_SCOPE=openid,profile,email
# Field to be used for populating user's #alias
OIDC_UID_FIELD=preferred_username
# Client ID of the client you configured for Mastodon in Keycloak
OIDC_CLIENT_ID=<keycloak_client_id>
# Client secret of the client you configured for Mastodon in Keycloak (in production, use secrets Docker secrets in our case)
OIDC_CLIENT_SECRET=<keycloak_client_secret>
# Where OIDC server should come back after authentication
OIDC_REDIRECT_URI=https://<mastodon_domain>/auth/auth/openid_connect/callback
# Assume emails are verified by the OIDC server
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
So only difference is that we didn't have to add the OIDC_AUTH_ENDPOINT thanks to OIDC discovery.

How to link / export existing Keycloak user to LDAP

I'm using Keycloak and just setup some OpenLDAP. Importing from LDAP to Keycloak works fine. Even new registrations and updates to users are synced nicely. But I can't find any way to:
a) Export existing Keycloak users to LDAP
b) Linking existing Keycloak users to existing LDAP users
when users already exist in Keycloak, during import I get the following error:
23:56:39,507 WARN
[org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default
task-22) User 'foo' is not updated during sync as he already exists in
Keycloak database but is not linked to federation provider 'ldap'
Any Ideas? Did I missed something obvious?
To send users to LDAP please try to use options "Edit mode: Writable" and "Sync Registrations: ON" on ldap configuration page in Keycloak (User Federation->Ldap).

LDAP ACL Plugin for Zookeeper

I have customized a new LDAP plugin to provide basic Zookeeper Authenication.
some thing like
setAcl /zookeeperPath ldap:<Group>:crwda
and when I check for the znodes
addAuth ldap:<uid>:password
will grant me access to the znodes
I know this can be done using the kerberos. But in my enterprise Linux Auth is doe through sssd. kerberos is not enabled.
I am afraid I have done some customization that should have not been done. Because, I did not get any reference from internet to do it.
If theare are any plugins thats been already used please help.
There are no ldap auth plugin for zookeeper. As zookeeper supports SASL kerberos authentication. But additional ACLs can be set using Active directory or LDAP group permissions. This can be achieved by implementing
org.apache.zookeeper.server.auth.AuthenticationProvider
and settng -D params as
-Dzookeeper.authProvider.1=class.path.to.XyzAuthenticationProvider

Moodle LDAP authentication

I'm using moodle 2.7 ,i need to use LDAP authentication for allowing users to login using external LDAP server(with their username and password).i have tried with the apache directory studio.But i got "Invalid login" error.But the login details were correct.
Please suggest me with some other LDAP server and how to add user details in that server and do authentication in moodle.
FusionDirectory is a reasonable alternative. It's based on OpenLDAP and it's pretty well documented.
Assuming that you're in a Linux environment, you can install it relatively easily/quickly via SSH. Once the download is complete, follow the on-screen instructions which is not that wildly different from setting up any odd CMS/LMS. The default URL is yourdomain.url/fusiondirectory.
When that's all done and dusted, you'll be taken back to the login page where you can sign in for the first time using the credentials you created during the set up process.
You can use your dashboard to add users/groups.
Once you've got a few users in there, it's now time to jump back to Moodle. Hop over to Site Admin -> Plugins -> Authentication -> Manage Authentication and enable "LDAP Server" then open up its settings. Fill in the details of your LDAP server such that it matches the details of the FusionDirectory.
This will set up the connection, but you will finally need to set up a cron job to regularly sync your databases together. Jump to SSH or cPanel->Cron jobs (Whatever option you prefer) and run the following crontab:
wget -q -O /dev/null https://yourdomain.url/auth/ldap/cli/sync_users.php
It's up to you how frequently you choose to set it.
HTH.

CQ Basic Authentication

i have a requirement to implement basic authentication at dispatcher side
I have below basic auth configuration in my virtual host(www.abc.com) configuration file.
<Location /content/abc/jp-JP >
AuthType basic
AuthName "private area"
AuthBasicProvider file
AuthUserFile /opt/cq/www/htdocs/password(this is name of file, contains uname and password)
Require valid-user
</Location>
when i try to access www.abc.com/jp-JP getting basic auth prompt and authenticated succefully from password file(username and password file ) located under /opt/cq/www/htdocs . after first prompt successfully validated username and password , second prompt displaying with requires username and password .The server Says (Sling development). if i disable basic authentication in apache sling authentication service of publish instance ..then it's redirecting me to correct page what i expected ..but unable to publish contents from author(blocked inside replication agent queue). so enabled back..but basic authentication blocked with The server Says (Sling development).
I am sure it is difficult to understand what i am trying to say here ..but any idea how to by pass prompt of "The server Says (Sling development)" from dispatcher level basic auth. Any help would be appreciated!!!
Let me paraphrase your description: you have setup HTTP Basic Auth on the Apache level and it works fine, but the credentials entered in the browser are sent not only to the Apache but also to the CQ. CQ treats credentials as its own username and password and returns error. Disabling HTTP Basic Authentication Handler authenticator is not an option, as it's used by the replication process.
In order to make Apache HTTP Basic and the CQ publish coexists, you can remove the Authorization header (used in the HTTP Basic Auth) on the Apache, using mod_headers module and its RequestHeader directive. Enable the mod_headers and place following line in your VirtualHost configuration:
RequestHeader unset Authorization
Apache will use the header to authenticate the request, but then it'll be removed and CQ won't get it.