I have a service with usernames and passwords already set up that I want to add a Jabber service to.
Is there any open source XMPP servers that I can customise to use my existing usernames and passwords in a Postgres DB?
You can do this with Openfire. You can either write your own extension to support a custom authentication mechanism, or you might be able to manage it with some simple configuration (check the section on Authentication Integration).
Related
We use Keycloak REST api to send update password email to users. In my setup Keycloak and application making REST calls to Keycloak (using keycloak admin client library) is deployed inside Kubernetes cluster. From my application I am using Kubernetes service name to talk to keycloak.
e.g. http://keycloak-http:8100/auth
With this setup, update password link in email becomes like this
http://keycloak-http:8100/auth/realms/test/login-actions/action-token?key=somekey
So I need to change only host in this URL.
I looked at executeActions.ftl file in keycloak theme and it doesn't have any specific parameter for just host which I can customize.
Any ideas how I can achieve this?
Thanks in advance.
In my case, Keycloak 9+, I used the "Frontend URL" in the Realm Setting to specify the hostname.
I had a similar issue, and it turns out that by default, the host name is filled with the request hostname. (Using Keycloak 6.0.1)
All i had to do was to trigger the email generation with the hostname i wanted in the email.
--> Trigger the update action from the url you need (and that is accessible)
http://externalurl.keycloak.com/auth/...
You can also change the hostname provider, to use a FixedHostnameProvider, or a custom one (it is RequestHostnameProvider by default)
https://www.keycloak.org/docs/latest/server_installation/#_hostname
Currently we are using ldap plugin (version 2.1.0.507) for our Sonarqube (version 5.6.1) user authentication but our ldap is not configured for email. Thus every time we add an email locally for notifications it is wiped away when you log out via the ldap sync. Is there a way to disable the sync so that our locally configured emails remain?
Nope, not possible. LDAP Plugin fully delegates authentication, as well as synchronization of usernames and emails (+ groups if Group Mapping is configured).
No workaround, your best shot here really is to propagate email addresses in your LDAP server (which seems like a fair expectation for a user directory).
My web application is currently configured to connect to LDAP for user validation without relying on application server settings. In other words, my applications utilizes naming params to connect to LDAP hence its agnostic to application server ie. JBoss or Websphere.
Naming params used are as follows:
ldapURL
ldapPrincipal (bind user)
ldapCredentials (bind user's password)
ldapAuthentication
ldapSearchBase
The requirement now is to allow encrypted password in the ldapCredentials naming param. I have a way out of this situation is using custom SecurityLoginModule to encrypt password and supply it to application using naming param. My application would then decrypt it and then proceed with LDAP user validation. However, this results into additional application installation step.
So I was wondering if there is a way to use application server security domain (or some other way) to store the user credentials in secured fashion on application server and later application would pick it up at the time of user validation with LDAP without writing server specific code in my application. I know that we can use security domain to perform data source connection without writing server specific code. But if I do this for LDAP then I make server talk to LDAP which is not what am looking. Basically may still continue to use Federated users instead of LDAP.
Any decent application server (including JBoss and WebSphere) have server provided LDAP registry, which you can configure and use without any application specific code, and I'd strongly suggest to utilize that instead of writing your own ldap connection code.
Regarding encryption:
for WebSphere traditional, you can plug in your own class into server infrastructure to encrypt passwords see - Plug point for custom password encryption
for WebSphere Liberty - you have out of the box support for aes and hash.
for JBoss first link in Google showed me this How do I encrypt the bindCredential password in Wildfly, but maybe JBoss experts will guide you to something different.
We have a recently sharded mongodb cluster. Before sharding, for read-only access, all users used to connect to one of the secondaries. We need a similar read-only access now when users connect to 'mongos' (after sharding). One option is to enable authentication and add user user roles. But that will mean changing java code on some app module which connect to the mongos using the java connector.
Is there a way to obtain read-only access without enabling authentication ?
You can only create read-only roles by enabling authentication. If you do not want to enable authentication, your human users have to specify their read preference explicitly when connecting. As they may forget this, I would advise you enable authentication. It will allow you more granular access in the future and will allow users to continue the data when the secondary servers are down (e.g. maintenance).
I am looking for a single sign on approach for an ODBC connection to a Postgres database.
The plan is to login to a web application and then use a a single sign on scheme such as oauth or CAS to automatically login to a client application.
The client application does not verify the credentials itself, but uses them via ODBC to connect to the Postgres database server. Unlike web applications we cannot use a single databaes user here, but need individual database accounts for security reasons.
In theory Postgres does support PAM and PAM supports both CAS and oauth. But I was not able to find any documentation on that. Especially the part of how to specify the token in ODBC is unclear to me.
With PAM auth, keep in mind that this is a broad field and books could be written about it. I do something similar to what you do though and can answer the part about ODBC. The following provides a walkthrough for a related service you may find helpful:
http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-postgresql-using-two-factor-authentication-from-wikid
The big thing to remember is that with PAM the password provided is passed on to the PAM module, so you have to pass in the username and password. This gets sent to PAM as if the user was logging on to the system. Beyond that it's up to you to configure PAM appropriately for your service.