NiFi Registry setting with SSL and LDAP - ldap

We have NiFi and Registry with LDAP authorization.
While updating a flow version via the registry-api, this error appears:
Failed to register flow with Flow Registry due to Error creating snapshot: Untrusted proxy [CN=192.168.199.87, OU=NIFI] for write operation.
How can I create this user [CN=192.168.199.87, OU=NIFI] with "Can proxy user requests" option in Registry?
Thanks.

Related

Unable to access WebUI when Trino is secured behind a load balancer and LDAP authentication is enabled

I am setting up a development server for Trino using Trino's docker image. I need to integrate Trino with LDAP, so we decided to secure Trino behind a load balancer (see here), but after enabling password authentication we see the following when we access the Trino (https://trino_domain) WebUI:
My config.properties are as follows:
By rights I should be prompted with the usual login screen with the password field enabled. There are no errors in the logs. The only warning I could find is
I could not find anything on google on this so I am not sure what is missing/wrong. Please help.
This is expected behavior when attempting to connect via http when the coordinator is configured for https.
This video might help you configure Trino with a load balancer and LDAP:
https://www.youtube.com/watch?v=KiMyRc3PSh0

SSL error when using Keycloak as a federated identity provider with WSO2 Identity Server

I'm running a Keycloak instance in standalone mode. I have configured Keycloak as an OIDC federated IdP in WSO2 IS and configured WSO2 IS as a client in Keycloak. I also have an application running which is connected to WSO2 IS and uses Keycloak for federated authentication.
I can log into the application without any issues, but when I try to log out from the application, logout happens in Keycloak but the following error appears in the Keycloak console:
[org.keycloak.services] (default task-17) KC-SERVICES0057: Logout for client 'WSO2-IS' failed: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I tried creating a keystore, standalone/configuration/application.keystore, importing the certificate of WSO2 IS into it, and importing the certificate of Keycloak into the WSO2 IS keystore. But it didn't work. (Note that application.keystore wasn't in the standalone/configuration/ location even after the server was started.)
I also followed this guide to set up a keystore, but nothing seems to work.
Is there something I'm missing in this setup?
Fixed the issue after checking the certs in the truststore of Keycloak.
Reason: the WSO2 IS cert was not properly imported and the truststore was not properly configured.
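The root cause named in this answer (a certificate that never actually landed in the truststore Keycloak reads) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from Keycloak or WSO2: it fetches the certificate the WSO2 IS endpoint presents, normalises its SHA-256 fingerprint and the fingerprints keytool prints into the same form, and imports the certificate only if no truststore entry matches. The host name wso2is.example, port 9443, the truststore path and password, and the alias wso2is are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: confirm that the certificate in the
# Keycloak truststore is the one the WSO2 IS endpoint really presents.
# Host names, ports, paths, aliases and passwords below are placeholders.
set -eu

# Leaf certificate the remote side presents during the TLS handshake (live call).
fetch_server_cert() {            # usage: fetch_server_cert wso2is.example 9443 > leaf.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# openssl prints "sha256 Fingerprint=AB:CD:..." while keytool prints "SHA256: AB:CD:...".
# Reduce either form to lowercase hex without colons so the two can be compared.
normalize_fingerprint() {
    sed -n 's/.*[Ff]ingerprint=//p; s/.*SHA256: *//p' | tr -d ':' | tr 'A-F' 'a-f'
}

cert_fingerprint() {             # usage: cert_fingerprint leaf.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | normalize_fingerprint
}

# Does the Java truststore hold an entry with exactly this fingerprint?
truststore_has_fingerprint() {   # usage: truststore_has_fingerprint truststore.jks changeit <fp>
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | normalize_fingerprint | grep -qx "$3"
}

# Import the peer's current certificate as a trusted entry.
import_peer_cert() {             # usage: import_peer_cert host port truststore.jks changeit alias
    tmp=$(mktemp)
    fetch_server_cert "$1" "$2" > "$tmp"
    keytool -importcert -noprompt -trustcacerts -alias "$5" -file "$tmp" -keystore "$3" -storepass "$4"
    rm -f "$tmp"
}

main() {                         # usage: sh check_truststore.sh wso2is.example 9443 truststore.jks changeit
    host=$1 port=$2 store=$3 pass=$4
    leaf=$(mktemp)
    fetch_server_cert "$host" "$port" > "$leaf"
    fp=$(cert_fingerprint "$leaf")
    if truststore_has_fingerprint "$store" "$pass" "$fp"; then
        echo "OK: $store already trusts the certificate $host:$port presents ($fp)"
    else
        echo "MISSING: $store has no entry with fingerprint $fp; importing it as alias wso2is"
        import_peer_cert "$host" "$port" "$store" "$pass" wso2is
    fi
    rm -f "$leaf"
}

if [ $# -ge 4 ]; then main "$@"; fi
```

Two things decide whether this helps. First, the truststore you check must be the one Keycloak actually consults for outbound HTTPS calls such as the back-channel logout to the client; on the WildFly-based standalone distribution that is the file registered under the `truststore` SPI in standalone.xml, not an arbitrary keystore dropped into standalone/configuration. Second, the direction matters: "PKIX path building failed" on the Keycloak side means Keycloak, acting as the TLS client, does not trust the WSO2 IS certificate; importing Keycloak's certificate into the WSO2 IS keystore addresses the opposite direction. If the WSO2 IS certificate is issued by an internal CA, import that CA certificate (visible with `openssl s_client -showcerts`) rather than the leaf, so renewals do not break trust again.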

How to disable security in activemq apollo

I have installed Apollo 1.7.1 and am using a broker with the default settings. When I try to connect to this broker, I get this error message:
Authentication failed. Credentials=[]
By default it comes with file based authentication setup. How can I disable this authentication?

Authorization pop up while running spring boot application on tomcat 8

Authorization is required for executing the application, and I am not sure what I need to put.
Pop-up message: The server localhost is asking for a username and password. The server reports that it is from spring.
Warning: Your username and password will be sent using basic authentication on a connection that is not secure
You should add security.basic.enabled=false to the application.properties file and put it under the src/main/resources path.

Does LDAP over SSL require a cert on the client?

I am trying to resolve a problem whereby trying to set a user's password over LDAP is failing because of an access denied error, even though I am authenticating against AD with an admin user.
An answer found on Stack Overflow says that either I have to run the IIS user as the admin user (which does work) or I should connect to LDAP via SSL.
I can't go with the first option because I am using Elastic Beanstalk, which will create and terminate instances, so I can't change/set the user that IIS will be running as. So I am trying to use the LDAP over SSL idea.
My question is does that still require that the client itself also have a certificate installed in order to establish trust with the Domain controller? Or does this work just by installing a cert on the Domain controller and allowing the connection over SSL?
If it requires a certificate on the client, then I have the same problem, as I can't install anything on the client server other than the deployed app, since Beanstalk is going to recreate and terminate that instance at will.
So does LDAPS require a cert on the client?
Is there a better way to solve my problem given the infrastructure i am using?
So does LDAPS require a cert on the client?
No, LDAPS does not require a client certificate. A domain controller certificate is sufficient to use LDAPS. More details about LDAPS and certificate requirements: LDAP over SSL (LDAPS) Certificate
trying to set a users password over LDAP is failing because of an access denied error
There might be over 9000 reasons why you receive this message. You need to check whether you are successfully authenticated on the DC; if yes, check whether you have the permissions and privileges (especially if UAC is enabled). I would set up audit policies (on failed user password changes) and check the Security event log to figure out what is going wrong.
No.
For OpenLDAP, I achieved this by adding this line to ldap.conf. But be aware that when you do that, your connections will be open to attacks like man-in-the-middle or others:
TLS_REQCERT never
This is what I found using a trial-and-error approach:
Actually, the LDAPS server always asks for a client certificate. You can verify that by turning on SCHANNEL logging and observing the following message:
If there is no client authentication certificate, then the LDAPS connection still succeeds, i.e. no client authentication certificate is indeed required. But if you have some invalid client authentication certificate (in my case it was an expired cert installed long ago by a third-party app), the connection will fail without any error or warning in the SCHANNEL log on the client side. It took me a while to figure this out.
Yes, of course your client needs a certificate to allow LDAPS communication between it and the server.
According to windowsitpro.com:
"As an option, you can use LDAPS for client authentication -- but doing so requires that you also install a client authentication certificate on each of your clients."
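The answers above disagree on two separable questions: whether the domain controller asks for a client certificate during the TLS handshake, and whether it refuses the connection when none is presented. Both are directly observable with openssl, and the script below is an added example for doing so; it is not code from the thread. It records a handshake transcript with `openssl s_client -msg`, which names every handshake message, so a CertificateRequest from the server is visible by name, and a server that truly requires a client certificate shows up as a fatal alert (handshake_failure in TLS 1.2, certificate_required in TLS 1.3) instead of a completed session. The parsing functions take the transcript file as an argument so they can be exercised on saved output. The host dc.corp.example, port 636, the bind DN and the CA file path are placeholders; the final function shows the OpenLDAP client settings that verify the DC, in contrast to the `TLS_REQCERT never` shortcut quoted earlier in the thread, which turns server verification off entirely.

```shell
#!/bin/sh
# Added example, not from the original thread: observe what an LDAPS server asks of
# the client during the TLS handshake, and whether it completes without a client cert.
# Host names, ports, DNs and file paths are placeholders.
set -eu

# Capture a full handshake transcript. -msg labels every handshake message, so a
# CertificateRequest from the server shows up by name even though we send no cert.
# Live probe: only invoked from main with a real host.
probe_ldaps() {                  # usage: probe_ldaps dc.corp.example 636 transcript.txt
    openssl s_client -connect "$1:$2" -servername "$1" -msg </dev/null >"$3" 2>&1 || true
}

# Did the server send a CertificateRequest? (One answer above reports that Windows
# LDAPS always does; this is how to see it without SCHANNEL logging.)
requests_client_cert() {         # usage: requests_client_cert transcript.txt
    grep -q 'CertificateRequest' "$1"
}

# Did the handshake finish although no certificate was sent? s_client prints the
# "Verify return code" summary once the handshake ran; a server that *requires* a
# client certificate instead aborts with a fatal alert, which -msg prints as
# e.g. "<<< TLS 1.2, Alert [length 0002], fatal handshake_failure".
handshake_completed() {          # usage: handshake_completed transcript.txt
    grep -q 'Verify return code' "$1" && ! grep -q 'Alert \[length [0-9a-f]*\], fatal' "$1"
}

# The client's verdict on the *server* certificate, e.g. "0 (ok)" or
# "21 (unable to verify the first certificate)". This is the part that matters
# for a password change: it is what stops a MITM from collecting the new password.
verify_result() {                # usage: verify_result transcript.txt
    sed -n 's/^ *Verify return code: //p' "$1"
}

# Password bind with no client certificate. The LDAPTLS_* variables override
# ldap.conf for one command: the DC is verified against the named CA file
# (TLS_REQCERT demand), the opposite of the "TLS_REQCERT never" shortcut.
bind_without_client_cert() {     # usage: bind_without_client_cert dc.corp.example 636 'CN=svc,OU=Users,DC=corp,DC=example' corp-root-ca.pem
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$4" \
        ldapwhoami -H "ldaps://$1:$2" -D "$3" -W
}

main() {                         # usage: sh probe_ldaps.sh dc.corp.example [636]
    host=$1 port=${2:-636}
    out=$(mktemp)
    probe_ldaps "$host" "$port" "$out"
    if requests_client_cert "$out"; then
        echo "server sent CertificateRequest: it asks for a client certificate"
    else
        echo "server sent no CertificateRequest"
    fi
    if handshake_completed "$out"; then
        echo "handshake completed with no client certificate: none is required"
    else
        echo "handshake failed without a client certificate:"
        grep -i 'alert\|error' "$out" || true
    fi
    echo "server certificate verification: $(verify_result "$out")"
    rm -f "$out"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run against a domain controller, a typical result is "server sent CertificateRequest" together with "handshake completed with no client certificate", which is exactly the combination the trial-and-error answer describes: the request is made, but answering it is optional. If verification reports anything other than "0 (ok)", fix the client's trust in the DC certificate (the CA file passed to LDAPTLS_CACERT, or the machine's trusted root store on Windows) rather than disabling verification; a client that sets `TLS_REQCERT never` will happily send the admin bind password and the new user password to any host that terminates TLS on port 636.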