I am looking for simple authentication to put into Storm UI to manage user permissions.
It seems only possible way is to configure Kerberos for entire cluster but I want to avoid using Kerberos and want simple authentication mechanism like username password or better if it can be integrated with okta.
Related
So, im doing research to know if its a good alternative to implement keycloak on the environment i'm working at.
Im using LDAP to manage users at my workingplace. I was wondering if is there a way to use keycloak as auth service in all upcoming systems and some of the existing ones. We are currently managing it with an IDP that we need to improve or replace, also there are some systems use their own login (this will eventually change).
The main problem i've crossed is that keycloak synchronizes against ldap and i dont want user data to be stored on keycloak, maybe if its only login data. User data is planned to be kept only on ldap's database in case that any userdata needs to be updated.
So is there a way to use keycloak only as an auth service fetching user credentials from ldap on every auth request?
pd: maybe i am mistaken on the meaning of what's an auth service an whats an IDP.
Actually it is not necessary that LDAP users are synced to Keycloak.
Keycloak supports both options
Importing and optionally syncing users from LDAP to Keycloak
or
Always getting the User info from LDAP directly.
But keycloak will always generate some basic federated user in it's database (e.g. for keeping up a session when using OpenID Connect - but you should not really care about that).
As far as I know (but I've not used that myself) you could also use keycloak to maintain the LDAP users data and write changes back to LDAP (see "Edit Mode" in Keycloak documentation)
Check Keycloak documentation regarding LDAP stuff to get more information https://www.keycloak.org/docs/6.0/server_admin/#_ldap
Beside the User-Data Topic, Keycloak provides a lot of different Protocols (like SAML and OpenIDConnect) to provide authentication for your services. So you could use different/multiple authentication protocols depending on your applications with just one "LDAP-Backend"
So i'm tasked with implementing SSO for our Windows application. Currently, after a user logs into the machine, he or she has to re-log in to our app when he or she loads the application. The application validates the user by querying a LDAP server.
What we're looking to have is for the user to automatically be logged into the app when they click on it. My understanding is that the LDAP authentication must still happen, but Im not exactly sure what the workflow would be, and how exactly we can validate a user without requiring them to re-enter a username / password. Note that this is not a web application so I can't use tools like SAML or OAuth (unless i'm mistaken about this too..?)
So my specific question is as follows:
Is it possible to use LDAP for SSO, and if so, how? Is it possible for me to authenticate a user with just his or her username, or is a password also required?
Any guidance would be appreciated, and am happy to provide further clarification if needed.
First of all, LDAP is a protocol, which you use to communicate with databases that implement this protocol.
So LDAP databases (commonly called directories) are ... databases and so do not provide SSO functionality.
To deploy a SSO solution, you need a SSO service. All your applications will have to be "compliant" with this service in a way or another.
The only way I can think of to make a "Windows SSO" without adding a third party application is that the applications can retrieve NTLM informations in requests made by the client and uses the user data to identify him. (but in term of security, I let you judge what you think about it ;) ) . See this php example
Some LDAP implementations, including OpenLDAP, provide some level of support the Generic Security Service Application Program Interface (GSSAPI) or SPNEGO (a specific GSSAPI implementation)
Although not trivial, it is possible to perform SSO from a "browser" that supports GSSAPI. AFIK, IE, Firefox, Safari and Chrome all provide some level of support for GSSAPI although each browser requires specific configuration (typically whitelisting of Servers).
There are many SSO Products that implement these features in a "probably" more secure and easier process than doing it yourself.
There are many known vulnerabilities details that have been exploited with GSAPPI/SPNEGO typically due to implementation issues.
dotCMIS supports both Basic and NTLM authentication.
I am currently using dotCMIS to connect to Alfresco using Basic Authentication.
I'd like to authenticate once with user/password for the sessions and then use Alfresco tickets, rather than pass user/password information for each request.
I think that Chemistry dotCMIS does not support authentication using tickets.
What would be the best way to add this capability?
Maybe with a custom authenticator? It would need to track, recover and get a new ticket reissued after a session timeout.
You have implement a new authentication provider for this. It shouldn't be difficult.
But I would recommend using PortCMIS and the Browser binding instead of DotCMIS.
We have a Siteminder running in our organization and I want to use Kerberos to authenticate users.
The setup is like this:
Our appserver has siteminder agent that can authenticate users, agent connects to Siteminder, siteminder connects to active directory.
My question is this - what do I need to do on my appserver in order to be able to use Kerberos to authenticate users.
I might accept a good guide to how to do it as an answer.
This guide says you need to set your service account to system and set authentication in IIS to be anonymous only. This sounded totally crazy to me at first, but as you read on they explain how the additional ISAPI dll they have you add will intercept the SiteMinder auth and should pass the authentication through. Not sure if it's actually kerberos or not...
I would like to authenticate the users of my web2py application with AFS. Unfortunately, it seems like the pam.py module doesn't support AFS, only local users. Is it possible to do that with pam, or should I use something else?
Using PAM is probably what you want to do, since web2py doesn't have any built-in support for AFS or krb5. In order to authenticate non-local users, you would need to specify a different PAM service to authenticate to, and modify the local PAM configuration to make that service authenticate to AFS.
It looks like pam_auth.py module doesn't support using PAM services besides the default "login", but it looks simple to make it do so, or create your own. You just need to do something like this:
from gluon.contrib.pam import authenticate
def mypam_auth():
def pam_auth_aux(username, password):
return authenticate(username, password, "myservice")
auth.settings.login_methods.append(mypam_auth())
Where "myservice" is just a service name you choose. Then you need to modify the local PAM configuration to make "myservice" authenticate to AFS. On Linux, this usually means creating a file /etc/pam.d/myservice, and filling it with PAM configuration to authenticate to AFS.
Most AFS cells these days use Kerberos 5 for authentication, so this just means you need to authenticate to Kerberos 5, and don't need to bother any AFS stuff (unless you want to verify that the user has a valid AFS account; but that's more of a question of authorization than authentication). There are a few guides and examples for setting up PAM with krb5 logins, such as: http://techpubs.spinlocksolutions.com/dklar/kerberos.html#PAM_configuration
You can just try to follow one of those guides, but you probably only need the 'auth' section, since you don't need to worry about sessions and tickets and all of that. You may only need something like this in /etc/pam.d/myservice:
auth required pam_krb5.so no_ccache use_first_pass
auth required pam_deny.so
If by "AFS authentication" you mean the old kaserver krb4-based authentication instead of krb5 (that is, you use 'klog' to authenticate to AFS, instead of 'kinit' and 'aklog' or 'klog.krb5'), you would instead need to use the pam_afs.so PAM module. Something like this might work:
auth required pam_afs.so use_first_pass
auth required pam_deny.so
If you don't have control over the local PAM configuration on the local machine, you can instead try to authenticate users by spawning a 'kinit' (krb5) or 'klog' (old kaserver) command, and giving the command a password on it's standard input. That's not very elegant, but it should work.
Since web2py is web-based, and since AFS uses Kerberos, you'll certainly need to pass a Kerberos ticket between the user and the web2py layer, so as to let web2py obtain an AFS token in the name of the user.
You can authenticate a browser to a web server using Kerberos with SPNEGO. The browser needs to be configured to allow delegation (as described in this example with a Java SPNEGO filter).
If you manage to get a delegated Kerberos ticket once in your web2py application, you should be able to use aklog to get the AFS token.
I'm not very familiar with web2py, but a quick look at the documentation doesn't show much indication for support for SPNEGO: you may have to implement it yourself. (If you can find an existing GSS library that support it, it should "only" be a matter of passing the SPNEGO tokens back and forth between the browser and this library, provided it's configured properly. This may be a bit off-topic in Python, but this Java/JGSS tutorial could give you an indication of what's required, if you find a Python equivalent to JGSS.)
Beware not to share your AFS tokens for all incoming requests (potentially from different users) under the same process user running web2py. You may want to consider looking into PAGs (process authentication groups) from the web2py layer. You'll need to tie back these processes to the request arriving to web2py.