I have a autentication working for a user (in the ldap) on a :
AP wifi => Freeradius (Pfsense) => ldap
I would like to have the folowing autentication working :
user1 on SSID-wifi1 => Freeradius (Pfsense) => ldap
user2 on SSID-wifi2 => Freeradius (Pfsense) => ldap
with "user1" menberof "SSID-wifi1" group in ldap
and "user2" menberof "SSID-wifi2" group in ldap
It works if I set the filter in freeRadius for ldap with
(&(uid=%{User-Name})(|(memberOf=cn=SSID-wifi1,ou=group,dc=mydomaine,dc=net)(memberOf=cn=SSID-wifi2,ou=group,dc=schugart,dc=net)))
but of course both user have access to both SSID...
I would like to use the folowing filter :
(&(uid=%{User-Name})(memberOf=cn=%{NAS-Identifier},ou=group,dc=mydomaine,dc=net))
but with this configuration the autentication fail...
I have check with wireshark (with the 1rst filter allowing wifi1 or wifi2), the AP wifi send the Nas-Identifier in all message send to freeRadius.
But in freeRadius exchange with ldap :
0.000000 192.168.0.radius 192.168.0.ldap LDAP 1283 searchRequest(2) "dc=mydomain,dc=net" wholeSubtree
0.001206 192.168.0.ldap 192.168.0.radius LDAP 151 searchResEntry(2) "cn=user1,ou=user,dc=mydomain,dc=net"
0.001240 192.168.0.ldap 192.168.0.radius LDAP 80 searchResDone(2) success [2 results]
0.008661 192.168.0.radius 192.168.0.ldap LDAP 116 bindRequest(1) "cn=admin,dc=mydomain,dc=net" simple
0.009042 192.168.0.ldap 192.168.0.radius LDAP 80 bindResponse(1) success
0.009098 192.168.0.radius 192.168.0.ldap LDAP 73 unbindRequest(4)
0.237144 192.168.0.radius 192.168.0.ldap LDAP 1265 searchRequest(3) "dc=mydomain,dc=net" wholeSubtree
0.237635 192.168.0.ldap 192.168.0.radius LDAP 151 searchResEntry(3) "cn=user1,ou=user,dc=mydomain,dc=net"
0.237654 192.168.0.ldap 192.168.0.radius LDAP 80 searchResDone(3) success [2 results]
the searchRequest(2) has the Nas-identifier fill correctlly
but the searchRequest(3) has the Nas-identifier empty ...
1rst question, why is there 2 time the searchRequest ?
2nd question, any idea why the second search filter has not the Nas-Identifier?
thanks for help
I have not found the problem but found a way tio do it working...
in the ldap file of radius declare 2 ldap serveur with different fileter :
ldap ldap1 {
...
user {
filter = "(&(uid=%{User-Name})(memberOf=cn=SSID-wifi1,ou=group,dc=mydomain,dc=net))"
......
ldap ldap2 {
...
user {
filter = "(&(uid=%{User-Name})(memberOf=cn=SSID-wifi2,ou=group,dc=mydomain,dc=net))"
......
in the "sites-enabled/inner-tunnel-peap.save" in the authorize section :
if (&NAS-Identifier == "SSID-wifi1") {
ldap1
}
if (&NAS-Identifier == "SSID-wifi2") {
ldap2
}
and in the "sites-enabled/default" comment ldap lines
Related
We have a SaaS product on the firebase platform, one of our customer asked us to provide a SSO experience to their users. They have an old ADFS as an IdP.
I though first to use Passport-Saml but then noticed that firebase auth could use Google Cloud Identity Platform for custom SAML IdP.
It worked pretty well and we got a user logged in first try. However, the user created in firebase is pretty empty.
Here is the user from the auth creation hook:
{
customClaims: {
}
disabled: false
displayName: null
email: null
emailVerified: false
metadata: {
creationTime: "2020-09-21T22:43:36Z"
lastSignInTime: "2020-09-21T22:43:36Z"
}
passwordHash: null
passwordSalt: null
phoneNumber: null
photoURL: null
providerData: [
0: {
providerId: "saml.xxxx"
uid: "xxxx"
}
]
tokensValidAfterTime: null
uid: "xxxx"
}
On the ADFS side, our customer has configured the claims to map LDAP as
E-mail-Addresses -> E-mail Address
SAM-Account-Name -> Name ID
If anyone has an idea on which SAML claim maps to firebase user attribute I would be very grateful, no luck in the doc.
edit
I created the ServiceProvider.xml using saml tools
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
validUntil="2020-09-25T02:53:54Z"
cacheDuration="PT604800S"
entityID="xxxx">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://xxx.firebaseapp.com/__/auth/handler"
index="1" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
And did a bit more testing using saml test which was a great sandbox
The answer is twofold:
The ServiceProvider.xml file needs to specify the nameid format as email address
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
And the claim mapping from ADFS needs to be
E-mail-Addresses -> Name ID
I am just trying to configure LDAP authentication using JumpCloud service.
JumpCloud is public LDAP server with web adminisration. For connectiong to LDAP I am using built-in modul and following this tutorial: http://symfony.com/doc/current/security/ldap.html
It seems the system will connect succesly on to LDAP but cannot authenticate users.
Output header:
Output header
Here are my settings:
config/services.yaml
Symfony\Component\Ldap\Ldap:
arguments: ['#Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
arguments:
- host: ldap.jumpcloud.com
port: 636
encryption: ssl
options:
protocol_version: 3
referrals: false
config/packages/security.yaml
providers:
my_ldap:
ldap:
service: Symfony\Component\Ldap\Ldap
base_dn: ou=Users,o=MY_ORG_ID,dc=jumpcloud,dc=com
default_roles: ROLE_USER
uid_key: uid
extra_fields: ['mail']
filter: ({uid_key}={username})
firewalls:
main:
anonymous: false
http_basic_ldap:
service: Symfony\Component\Ldap\Ldap
dn_string: 'uid=LDAP_ADMIN_USERNAME,ou=Users,o=MY_ORG_ID,dc=jumpcloud,dc=com'
search_password: 'LDAP_ADMIN_PASS'
Manual connection test:
$dn = "uid=LDAP_ADMIN_USERNAME,ou=Users,o=MY_ORG_ID,dc=jumpcloud,dc=com";
$password = "LDAP_ADMIN_PASS";
$ldap = Ldap::create('ext_ldap', ['connection_string' => 'ldaps://ldap.jumpcloud.com:636']);
$ldap->bind($dn, $password);
$query = $ldap->query('ou=Users,o=MY_ORG_ID,dc=jumpcloud,dc=com', '(objectClass=inetOrgPerson)');
$results = $query->execute();
This code have returned valid output:
array (size=3)
0 => object(Symfony\Component\Ldap\Entry)[5504]
private 'dn' => string 'uid=janakdom,ou=Users,o=MY_ORG_ID,dc=jumpcloud,dc=com' (length=68)
private 'attributes' => ..
1 => object(Symfony\Component\Ldap\Entry)[5093]
private 'dn' => string 'uid=ldapservice,ou=Users,o=MY_ORG_ID,dc=jumpcloud,dc=com' (length=71)
private 'attributes' => ...
2 => object(Symfony\Component\Ldap\Entry)[4926]
private 'dn' => string 'uid=test,ou=Users,o=MY_ORG_ID,dc=jumpcloud,dc=com' (length=64)
private 'attributes' => ...
A absolutely don't know where the problem could be. I tried everything what occurred to me. I also use oficial JumpCloud documentation
I would ask you for help.
Thank you very much
DJ
Full disclosure, I work for JumpCloud, in support for the last couple years, and in a technical editor capacity now. A couple of changes to your configuration may help:
1) Under "providers > my_ldap > ldap:", there is no "search_dn", which will need to be the service LDAP Bind DN created in JumpCloud and appears to have been configured under "security > firewalls > main > http_basic_ldap:" per the screenshot above as 'uid=LDAP_ADMIN_USERNAME,ou=users,o=,dc=jumpcloud,dc=com'.
2) Under "security > firewalls > main > http_basic_ldap:", the "dn_string" is used to construct the FUll LDAP Bind DN of the user being authenticated. Per the example in the documentation, this needs to be set with the proper syntax for value substitution as noted below.
'uid={username},ou=users,o=,dc=jumpcloud,dc=com'
Hope this helps -- if not, I would definitely suggest opening a case with support#jumpcloud.com.
Brandon
I use knpuniversity/oauth2-client-bundle and league/oauth2-google to connect users in my Symfony 4 web app using a "Sign in with Google" feature. I followed this tuto. I registered my app in Google.
I set access_type: offline in the knpu.oauth2.client.google configuration (config/packages/knpu_oauth2_client.yaml file)
I try to get the user refresh token in my GoogleAuthenticator::getUser(League\OAuth2\Client\Token\AccessToken $credentials) method (which extends KnpU\OAuth2ClientBundle\Security\Authenticator\SocialAuthenticator).
Unfortunately, $credentials->getRefreshToken() always returns null.
Why don't I get the user refresh token ?
As per documentation, "Refresh tokens are only provided to applications which request offline access". So, when instantiating the provider you need to set the accessType.
use League\OAuth2\Client\Provider\Google;
$provider = new Google([
'clientId' => '{google-client-id}',
'clientSecret' => '{google-client-secret}',
'redirectUri' => 'https://example.com/callback-url',
'accessType' => 'offline',
]);
In knpu_oauth2_client configuration, you can do:
google:
type: google
client_id: '%env(OAUTH_GOOGLE_CLIENT_ID)%'
client_secret: '%env(OAUTH_GOOGLE_CLIENT_SECRET)%'
redirect_params: {}
access_type: offline
I need some help understanding how to configure AWS Pinpoint analytics in Amplify. I'm currently using Amplify for Auth and have it configured like this in my index.js file:
export const configureAmplify = () => {
window.LOG_LEVEL="DEBUG"
Hub.listen('auth', data => handleAmplifyHubEvent(data))
Hub.listen('analytics', data => handleAmplifyHubEvent(data))
Amplify.configure({
Auth: {
identityPoolId: "redacted",
region: "us-west-2",
userPoolId: "redacted",
userPoolWebClientId: "redacted",
mandatorySignIn: false,
cookieStorage: {
domain: process.env.NODE_ENV === 'development' ? "localhost" : "redacted",
path: '/',
expires: 1,
secure: false
}
}
})
}
To add Analytics, I started by adding this to my configureAmplify() function:
Analytics: {
disabled: false,
autoSessionRecord: true,
AWSPinpoint: {
appId: 'redacted',
region: 'us-east-1',
endpointId: `wgc-default`,
bufferSize: 1000,
flushInterval: 5000, // 5s
flushSize: 100,
resendLimit: 5
}
}
Upon user sign-in or refresh from cookie storage I called
Analytics.updateEndpoint({
address: user.attributes.email, // The unique identifier for the recipient. For example, an address could be a device token, email address, or mobile phone number.
attributes: {
},
channelType: 'EMAIL', // The channel type. Valid values: APNS, GCM
optOut: 'ALL',
userId: user.attributes.sub,
userAttributes: {
}
})
After doing this, it seems to me that the data in the Pinpoint console is not accurate. For example, there are currently 44 sessions displayed when no endpoint filter is applied. If I add an endpoint filter by userAttributes: userId then no matter which ID I select, it shows all 44 sessions associated with that user. I suspect that is because the EndpointID is established at startup, and is not changed by the updateEndpoint call.
I have also tried omitting the Analytics key when I initially configure Amplify, and then calling Analytics.configure() after the user is signed in. With this approach, I can construct a user-specific endpointId. However, I think that doing it this way will mean that I don't capture any of the Authentication events (sign-in, sign-up, auth failure), because Analytics is not configured until after they occur.
So my question is what is the proper timing for configuring Amplify Analytics? How can I accurately capture session, auth and custom events, AND uniquely identify them by user id?
It's not necessary to assign a custom endpoint id, amplify will handle it automatically and all events will be tracked per device. Instead, if you really need it, update the endpoint with the userId after sign-in.
The advantage of adding the userId is that all the endpointIds of a user are automatically associated to that userId, thus when you update a user's attribute, it will be synchronized across the endpoints.
As you are using Cognito, Amazon Cognito can add user IDs and attributes to your endpoints automatically. For the endpoint user ID value, Amazon Cognito assigns the sub value that's assigned to the user in the user pool. To learn about adding users with Amazon Cognito, see Using Amazon Pinpoint Analytics with Amazon Cognito User Pools in the Amazon Cognito Developer Guide.
I am using telegram.php to connect my bot. When I use sendmessage all of thing is ok in my logs but I do not receive anything from the bot.
When I check my log there is a problem like this:
ok: False
curl_error_code: 51
curl_error: SSL: no alternative certificate subject name matches target host name 'api.telegram.org'
I donit know what to do to fix it.
I don't know this telegram bot, but I see that it uses GuzzleHttp.
During the initialization it doesn't accept any configuration Request::initialize()
public static function initialize(Telegram $telegram)
{
if (!($telegram instanceof Telegram)) {
throw new TelegramException('Invalid Telegram pointer!');
}
self::$telegram = $telegram;
self::setClient(new Client(['base_uri' => self::$api_base_uri]));
}
you should check its documentation. I see that there are a lot of setters which makes you able to overwrite the default settings.
What you need is to set the the \GuzzleHttp\RequestOptions::VERIFY to false in the client config:
$this->client = new \GuzzleHttp\Client([
'base_uri' => 'someAccessPoint',
\GuzzleHttp\RequestOptions::HEADERS => [
'User-Agent' => 'some-special-agent',
],
'defaults' => [
\GuzzleHttp\RequestOptions::CONNECT_TIMEOUT => 5,
\GuzzleHttp\RequestOptions::ALLOW_REDIRECTS => true,
],
\GuzzleHttp\RequestOptions::VERIFY => false,
]);
For fix this problem copy this Url to browser and set webhook:
https://api.telegram.org/botTOKEN/setWebhook?url=https://yourwebsite.com
Solution 2 of The Error
Let’s follow these simple steps:
Download this bundle of root certificates: https://curl.haxx.se/ca/cacert.pem
Put in any location of your server.
Open php.ini and add this line:
curl.cainfo = "[the_location]\cacert.pem"
Restart your webserver.
That’s it. 🙂