Does anybody successfully authenticate against AD global catalog using http://drupal.org/project/ldap? I've got the following configuration:
LDAP server:
ldaps://service.mydomain.com
LDAP port:
3269
Binding Method:
Service Account Bind
Base DNs for LDAP users:
DC=service,DC=mydomain,DC=com
DC=otherdomain,DC=mydomain,DC=com
AuthName attribute:
userPrincipalName
The module successfully authenticate users, which are members of parent domain called "service", but LDAP search can't find any user from "otherdomain", which is connected to parent domain inside AD domain forest. I´m able to test LDAP search using ldp.exe and using this tool I can find any user from any domain.
Also, there is the following error message in the Drupal watchdog:
ldap_search() function error. LDAP Error: Referral, ldap_search() parameters: ldap_search() call: base_dn: DC=otherdomain,DC=mydomain,DC=com, filter = (userPrincipalName=somebody#otherdomain.mydomain.com), attributes: , attrsonly = 0, sizelimit = 0, timelimit = 0, deref = , scope = 3
Any help will be greatly appreciated.
The LDAP client should follow the referral that is being returned in the search result - or an LDAP directory proxy server should be installed to automatically follow referrals.
When the LDAP directory server was unable or unwilling to perform the search operation, it may return a referral indicating that another server may be able to perform the requested operation. It is the responsibility of the LDAp client to "chase" referrals. Referrals are indicated by the presence of the referral field and the search result code being set to 10.
You have to write: ldaps://ldapserver:3269 in the LDAP server field and keep the same port number in LDAP port field.
Related
I have setup Apache Drill version 1.15 in distributed mode on 3 nodes with ZK on the same 3 nodes.
Now, I am trying to configure Plain Authentication in Drill using PAM.
I already have 2 existing users in the 3 nodes with same password and they are present in /etc/passwd and /etc/shadow.
I have followed the steps mentioned here, to configure authentication setup on the Drill cluster.
But, on entering correct username and password, it throws Invalid Username/Password error.
My drill-override.conf looks like:
drill.exec: {
cluster-id: "[cluster_name]",
zk.connect: "[host1]:2181,[host2]:2181,[host3]:2181"
security.user.auth: {
enabled: true,
packages += "org.apache.drill.exec.rpc.user.security",
impl: "pam",
pam_profiles: [ "sudo", "[profile1]", "[profile2]" ]
}
}
I have set, user1 as an admin and user2 as normal user.
Is it that Drill, doesnt work with existing Users in the linux system and wants users to be created explicitly (which i really doubt), or anything else that I am missing?
pam_profiles is array of PAM profiles, not users.
Example of pam_profiles configs: pam_profiles: [ "sudo", "login" ]. See details in doc.
You can add other PAM profiles from your /etc/pam.d.
Im trying to configure ADFS to work as a Claim Provider (I suppose AD will be the identity provider in this case).
Just for simple testing, ive tried the following on windows server 2016 machine:
1) Setup AD and domain = t1.testdom (Its working cause im actually able to login with the domain)
2) Setup DNS. Added a host (A) for adfs as fs.t1.testdom
3) selfsigned certificate (https://technet.microsoft.com/library/hh848633):
powershell> New-SelfSignedCertificate -DnsName "*.t1.testdom"
4) created a dedicated service account for gMSA
5) setup ADFS.
Server name set as fs.t1.testdom
service>authentication method is enabled as form authentication
6) Also fixed the SPN via powershell to make sure all needed SPNs are there and given to the right user account and that no duplicates are found
--
However, when I try to access the login page on browser via https://fs.t1.testdom/adfs/ls I get the error. The log on server manager says the following:
`There are no registered protocol handlers on path /adfs/ls to process the incoming request`
So is there a way to reach at least the login screen? So I can move on to the next error.
this is what I get on the /ls screen:
Finally found the solution after a week of google, tries, server rebuilds etc!
(This guru answered it in a blink and no one knew it!
https://www.experts-exchange.com/questions/28994182/ADFS-Passive-Request-There-are-no-registered-protocol-handlers.html)
The IdP-Initiated SSO page (https://fs.t1.testdom/adfs/ls/idpinitiatedsignon.aspx). Note that if you are using Server 2016, this endpoint is disabled by default and you need to enable it first via the AD FS console or
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
--
My question is, if this endpoint is disabled, why isnt it listed in the endpoints section of ADFS Management console?!!
I'm writing some cron job in python for Openstack that should read server ids from a database and then get the servers from the API by using the python-novaclient.
In pseudo code things should work like this:
session = login_to_keystone(user="admin", password="something") #or use a token
nova_client = get_nova_client(session)
#the servers array holds dictionaries with server, user and tenant ids as strings
# e.g. {"server_id": "1-2-3", "tentant_id": "456", user_id: "11111-2222"}
for server in servers:
server_obj = nova_client.servers.get(server.server_id)
...do stuff with server_obj (read data from it, delete,...)...
What I've come up with is the following, but it's not right as I get a EndpointNotFound exception. I'm using Devstack with Juno.
from keystoneclient.v2_0 import client as keystone_client
from keystoneclient import session
from novaclient import client as nova_client
#the url is the admin endpoint
keystone = keystone_client.Client(token="my-admin-token",
auth_url="http://192.168.1.1:35357/v2.0",
endpoint="http://192.168.1.1:35357/v2.0")
key_session = session.Session(auth=keystone)
nova = nova_client.Client(2, session=key_session)
#let's assume the servers array is already populated
for server in servers:
server_obj = nova.servers.get(server.server_id) #Exception happens here
I need to run this as admin as servers can belong to any tenant and they might even be deleted by the cron job.
Thanks for any help!
UPDATE:
The information I need was that I can use the admin tenant for retrieving all servers (regardless of their owner). This allows me also to use the publicURL.
My current solution looks like this:
from keystoneclient.auth.identity import v2
from keystoneclient import session
from novaclient import client as nova_client
auth = v2.Password(auth_url="http://192.168.1.1:5000/v2.0",
username="admin",
password="my_secrete",
tenant_name="admin") # the admin's tenant
auth_session = session.Session(auth=auth)
nova = nova_client.Client(2, session=auth_session)
for server in servers:
... do stuff like nova.servers.get("some id")
In order to get a list of servers from all tenants, you need to perform two tasks:
Log in as a user with admin privileges, and
Tell the Nova API that you want a list of servers for all tenants.
Logging in as an admin user
It looks like you're trying to use the admin_token defined in keystone.conf for authentication. This may work, but this mechanism is meant primarily as a means of bootstrapping Keystone. When interacting with the other services, you are meant to log in using a username/password pair that has been defined in Keystone with admin credentials. I think that what #anoop.babu has given you will work just fine:
>>> nova = nova_client.Client('2', USERNAME, PASSWORD,
PROJECT_ID, AUTH_URL)
Where:
USERNAME = admin
PASSWORD = password_for_admin_user
PROJECT_ID = admin
AUTH_URL = http://your_api_server:5000/v2.0
We can test this client out using something like:
>>> nova.hypervisors.list()
[<Hypervisor: 2>]
That tells us we've authenticated successfully.
Listing all servers
If we simply called nova.servers.list(), we are asking for a list of Nova servers owned by the admin tenant, which should generally be empty:
>>> nova.servers.list()
[]
In order to see servers from other tenants, you need to pass the all_tenants search option:
>>> nova.servers.list(search_opts={'all_tenants':1})
[<Server: cirros0>]
And that should get you where you want to be.
Here you have given auth_url as your endpoint. endpoint is actually the publicURL of the service.
You can find the publicURL using the below CLI Command
nova endpoints
and check for keystone details.
You can also get an authenticated keystone object using below api version without using endpoint,
import keystoneclient.v2_0.client as keystone_client
keystone = keystone_client.Client(auth_url = my_auth_url , username = my_user_name , password = my_password , tenant_name = my_tenant_name )
And create a session object as below,
from keystoneclient import session
key_session = session.Session(auth=keystone)
An alternate and simplified approach to get nova client authorized without keystone is,
from novaclient import client as nova_client
nova = nova_client.Client('2', USERNAME, PASSWORD, PROJECT_ID, AUTH_URL)
server_obj = nova.servers.find( name=my_server_name )
OpenAM version -12 , Agent version 3.5 and 3.3 , tomcat version 7
I have tried to follow the link https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012 to set up my J2EE Agent. Let me paste the steps after asking the question(see at the end)
but I am getting the error as asked below
Not able to configure J2ee agent on adding my customized data store for users
I have tried to use 3.5 version installed and uninstalled multiple times and tried previous version.
There is a nice discussion on this topic at http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error
but it did not help me much.
I am using LDAP so I have used LDAP realm and subjects are showing up ok. Also I am observing that the policy tab has changed quite a bit from how it is described in the Blogs.
Now with the roadblock I am not sure how to proceed as the error is not giving me any clue what to do. I even added the file named AMConfig.properties in the classpath with username and password of the agent and tried the username and password of the OpenAM admin too as suggested in the discussion mentioned. but that too did not help.
The issue is the Tomcat now is not starting and giving error that AMConfig.properties properties are needed
I know the OpenAM Realm setup is good as I am able to login via this realm to another application (Liferay) where I just have to give the URL for use OpenAM integration. but after uninstallation of the agent the tomcat starts without any error and i am able to login to the application
-------------------Step copied from 1st link(modified)--------------------------
1. Configure your OpenAM agent (tried both 3.5 and 3.3 version on tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm) - where in my case LDAP Realm (other application using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy agent rules
d. 1st Resource Name = http://:/share/*
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add a subjects - already part of LDAP Realm
g. Now select Agents -> J2EE - > (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - Add 2 entries - /share and /share/
l. Profile Attributes Processing - Select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (This is what I called my header in the alfresco-global.properties file - see below)
Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
alfresco.authentication.allowGuestLogin=true
SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader
NOTE- It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.
That concludes the setup for Alfresco and OpenAM
For Share you need to have the following section uncommented in your share-config-custom.xml
alfresco/web-extension/alfresco-system.p12
pkcs12
alfresco-system
alfrescoCookie
Alfresco Connector
Connects to an Alfresco instance using cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
alfrescoHeader
Alfresco Connector
Connects to an Alfresco instance using header and cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
SsoUserHeader
alfresco
Alfresco - user access
Access to Alfresco Repository WebScripts that require user authentication
alfrescoHeader
http://alfreso.domain.com:8080/alfresco/wcs
user
true
Notice I am not using the SSL cert and in my alfrescoHeader connector I have used SsoUserHeader (as setup in OpenAM) and the endpoint uses the alfrescoHeader connector
Now you need to add the OpenAM filter to the Share web.xml file
Add the following filter just before the Share SSO authentication support filter
Agent
com.sun.identity.agents.filter.AmAgentFilter
Add the following filter mapping to the filter-mapping section
Agent
REQUEST
INCLUDE
FORWARD
ERROR
----- End ----------
The error message is a bit misleading: the Cannot obtain application SSO token in general means that the agent was unable to authenticate itself. When you install the agent, the agent asks for a profile name and a password file, those values need to correspond to the agent profile configured within OpenAM.
To test if you can authenticate as the user, you could simply try to authenticate as the agent by making the following request:
curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate
In the above command the realm value needs to be the same as the value for the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's install directory).
Having bad username/password combination is only one of the possible root causes for this exception though. It is also possible that during startup the agent was unable to connect to OpenAM to authenticate itself. In those cases the problem could be:
network error, firewall issues preventing the agent from contacting OpenAM
SSL trust issues: agent's JVM does not trust the certificate of OpenAM's container (only problem if you've installed the agent by providing OpenAM's HTTPS URL and the certificate is self-signed or just simply not trusted by the JVM)
I'm currently working on a website developed with Symfony2 and I need to send messages in an Amazon SQS. In order to do that I added to my composer.json:
"aws/aws-sdk-php": "2.4.*"
Then when I try to create a queue or list queues I've got a 403 error saying:
Access to the resource https://sqs.us-west-2.amazonaws.com/ is denied.
EDIT:
added the full error message
AWS Error Code: AccessDenied, Status Code: 403, AWS Request ID:
2fe34c11-7af8-5445-a768-070159a0953e, AWS Error Type: client, AWS
Error Message: Access to the resource
https://sqs.us-west-2.amazonaws.com/ is denied., User-Agent:
aws-sdk-php2/2.4.11 Guzzle/3.7.4 curl/7.25.0 PHP/5.4.3
Here is a sample code of what I do:
$aws = Aws::factory(array(
'key' => 'my-key',
'secret' => 'my-secret',
'region' => 'us-west-2'
));
$sqs = $aws->get('sqs');
return new Response(var_dump($sqs->listQueues()));
What do I do wrong to get this error ?
After digging I discovered that the account I was using wasn't granted the access to SQS service.
To give a SQS access to an account you have to go to the amazon management console. Then click on IAM. Under this section click on Users and then you can manage permission for each account you created.
Make sure that both the following policies allow access to the SQS queue
Resource (SQS) based policy: The SQS queue should allow your identity to use the queue. You define this using the queue policy (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sqs-policy). The default queue policy will allow access only to the owner of the queue (owner of the queue is the identity that created the queue).
Identity based policies: The policy for the identity that is accessing the queue should have permission to invoke operations on the queue.
Make sure that the access is not restricted by either one of them.
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html
I had the same strange issue, I had everything set up including policies and permission, after a couple of hrs I found out I was getting 403 error because of wrong aws region was configured in my application it was supposed to be ap-south-1 by default it was us-east-1