I need to configure nginx to sign in by two kinds dn :
cn=appname,ou=Applications,o=example.com
uid=username,ou=People,o=example.com
Here is piece of code for ldap server:
ldap_server ldapserver {
url ldaps://ldap.example.com/o=example.com?uid,cn?sub?(..filter for search...)
}
However, only username can be signed in, appname can't.
But if I switch the position of uid and cn for that url, like
url ldaps://ldap.example.com/o=example.com?cn,uid?sub?(..filter for search...)
Then appname can be used to sign, username can't.
Is this nginx-ldap-auth's bug?
From looking at the source, the module appears to currently be designed in this way; it'll just consider the first attribute in your comma-separated list even though the ldap_url_parse function (what the module uses under the hood) supports specifying multiple attributes.
I would add a feature request / issue at https://github.com/kvspb/nginx-auth-ldap/issues.
In the meantime, you can use multiple ldap_server blocks to define two different configurations, one with one attribute and one with the other, such as:
ldap_server ldapserver_one {
url ldaps://ldap.example.com/o=hp.com?uid?sub?(..filter for search...)
}
ldap_server ldapserver_two {
url ldaps://ldap.example.com/o=hp.com?cn?sub?(..filter for search...)
}
location / {
auth_ldap "Authorised Only";
auth_ldap_servers ldapserver_one;
auth_ldap_servers ldapserver_two;
...
}
It'll require making two separate connections to your LDAP server, but it'll work.
Related
I've been battling this question/issue for a while now. And I am kinda stuck at this point, so, please help!
I need to set up a Conditional reverse proxy using NGINX. The Conditional part is based on the result of oath authentication, possible user roles.
Here's example of post auth map that I have:
map $auth_result $out_role {
'group-1' 'admin';
'group-2' 'editor';
'group-3' 'user';
default 'user';
}
I have three services that are behind reverse proxy;
localhost:123 - accepts admin, editor, user
localhost:111 - accepts only admin, editor users
localhost:222 - accepts only admin, editor users
So if user authenticated with user group user then he should always be redirected to localhost:123 and only to that. If user authenticated with admin or editor then he has allowance to all site resources.
I have tried using
location /foo/bar/ {
if($out_prole = 'user') {
return 304 localhost:123; # and be done with it
}
}
but that did not get me anywhere, for nginx not handling it's conditionals conveniently inside location blocks.
Now I'm looking for a way to accomplish that; Should I be setting up different server {...} blocks inside nginx? or maybe there's a way to accomplish this without conditionals?
Please help me find a direction with this problem, for I am stuck.
Thanks,
Vadim
I am trying to make an API call via Office Scripts (fetch) to a publicly available Azure Function-based API I created. By policy we need to have CORS on for our Azure Functions. I've tried every domain I could think of, but I can't get the call to work unless I allow all origins. I've tried:
https://ourcompanydoamin.sharepoint.com
https://usc-excel.officeapps.live.com
https://browser.pipe.aria.microsoft.com
https://browser.events.data.microsoft.com
The first is the Excel Online domain I'm trying to execute from, and the rest came up during the script run in Chrome's Network tab. The error message in office Scripts doesn't tell me the domain the request is coming from like it does from Chrome's console. What host do I need to allow for Office Scripts to be able to make calls to my API?
The expected CORS settings for this is: https://*.officescripts.microsoftusercontent.com.
However, Azure Functions CORS doesn't support wildcard subdomains at the moment. If you try to set an origin with wildcard subdomains, you will get the following error:
One possible workaround is to explicitly maintain an "allow-list" in your Azure Functions code. Here is a proof-of-concept implementation (assuming you use node.js for your Azure Functions):
module.exports = async function (context, req) {
// List your allowed hosts here. Escape special characters for the regular expressions.
const allowedHosts = [
/https\:\/\/www\.myserver\.com/,
/https\:\/\/[^\.]+\.officescripts\.microsoftusercontent\.com/
];
if (!allowedHosts.some(host => host.test(req.headers.origin))) {
context.res = {
status: 403, /* Forbidden */
body: "Not allowed!"
};
return;
}
// Handle the normal request and generate the expected response.
context.res = {
status: 200,
body: "Allowed!"
};
}
Please note:
Regular expressions are needed to match the dynamic subdomains.
In order to do the origin check within the code, you'll need to set * as the Allowed Origins on your Functions CORS settings page.
Or if you want to build you service with ASP.NET Core, you can do something like this: https://stackoverflow.com/a/49943569/6656547.
It appears that I can only have one Top Level Domain (TLD) associated with one firebaseapp SSL hosting. Is that true?
For example, I'd like https://x.example.com to go to my https://x.firebaseapp.com and https://y.example.com to go to my https://y.firebaseapp.com
When I try I see: (see image below) (I'm using https://city.tidalforce.org/ for a different firebase app at https://cityregister.firebaseapp.com/ but I'd like to use the same domain for another app with another full name such as https://y.tidalforce.org
Is this possible?
In short no, although you may be able to host different apps in different subfolders like https://example.com/x, https://example.com/y and if they have javascript router for example, if you are using Angular for front-end and using Angular-router or something you will nee to provide appropriate rewrite rules like:
"rewrites": [ {
"source" : "/x/**",
"destination" : "/x/index.html"
},
{
"source" : "/grid/**",
"destination" : "/grid/index.html"
} ]
to rewrite url requests from that folder to route correctly.
Hope it helps :)
I have Asterisk server with Freeradius server on the same machine and trying to authenticate with Radius if a user can make a call or not but I am getting an error while calling that is:
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Is there something that I am missing in one of Radius files that I have to add?
The issue is that no module in the authorize section of your virtual server has taken responsibility for processing the request.
You should remove the contents of the authorize section, and list the following modules:
authorize {
pap
chap
mschap
digest
eap
}
You should then run the server in debug mode radiusd -X to see which module is taking responsibility for the request (you'll see one returns ok or updated where the others return noop). We'll call this the auth module
Once you've figured out which module will take responsibility for the request you'll need to provide a suitably hashed password.
Here are the password hashes that will work with the different modules.
pap - any
chap - Cleartext-Password, CHAP-Password
mschap - Cleartext-Password, NT-Password
digest - Cleartext-Password, Digest-HA1
eap - Depends on inner method (respond to this answer and I can give further guidance).
For testing you can put the password in a flat file local to the server. The module which deals with these flat files is the files module.
To add entries to the users file, first truncate /etc/raddb/users (alter for your installation).
Then add the following entry to the top:
<username> <password attr> := <password>
With values in <> replaced with the real values.
Remove the unused modules in authorize, and add the files module at the top.
authorize {
files
<auth module>
}
Then remove all the modules from authenticate and add the <auth module>
authenticate {
<auth module>
}
That should give you up and running. If no modules take responsibility for the request, please post the list of attributes in the request from the top of the debug output, and i'll help you identify it.
You need configure your radius to add missing headers
You can enabled full debug on radius server, it will show you all packets radius server get.
Freeradius allow add any header into packet on any stage, see doc.
I am trying to send activation mail to the currently registered user.In mail body,I need to send a link like http://example.com/account/activation?username=d&email=g.Now, for debugging on local machine, I manually write it as localhost:30995/account/activation?username=d&email=g. But, when my port number changes, I need to rewrite it.
I tried another question
on this website,but, compiler gives error like url.action doesnot exist.
Please give me fresh solution as I am confused with that solution.
Use a Url.Action overload that takes a protocol parameter to generate your URLs:
Url.Action("Activation", "Account", new { username = "d", email = "g" }, "http")
This generates an absolute URL rather than a relative one. The protocol can be either "http" or "https". So this will return http://localhost:XXXXX/account/activation?username=d&email=g on your local machine, and http://example.com/account/activation?username=d&email=g on production.
In short, this will stick whatever domain you're hosting your app on in front of your URL; you can then change your hostname/port number/domain name as many times as you want. Your links will always point to the host they originated from. That should solve the problem you're facing.
Try using IIS / IIS-Express instead of Casinni web server that comes with visual studio.
You could add bindings to have the right URL (with host entries of course).
This will avoid the port numbers in your links.