Hashicorp Vault LDAP authentication issues - ldap

We use LDAP as our access into Hashicorp Vault.
One of our users was deleted and recreated in AD... This use cannot log into the vault any longer, receiving a "Authentication failed: internal error" (rather than a "Authentication failed: ldap operation failed" that we see for a user that is not in AD or with an invalid password)
The only error we see is in the vault_audit.log (with passwords, and assessors munged, ip changed, and replaced with my name as example):
{
"time": "2022-09-12T19:03:55.457492415Z",
"type": "response",
"auth": {
"client_token": "hmac-sha256:xxxxxxx",
"accessor": "hmac-sha256:yyyyyyy",
"display_name": "ldap-ssiegler",
"token_policies": [
"default"
],
"metadata": {
"username": "ssiegler"
},
"entity_id": "aca5c682-b0c4-2f51-9681-b4244a23720b",
"token_type": "service"
},
"request": {
"id": "275b5b49-80ff-ee5f-a7f8-1e0c5a3dc645",
"operation": "update",
"namespace": {
"id": "root"
},
"path": "auth/ldap/login/ssiegler",
"data": {
"password": "hmac-sha256:zzzzzzz"
},
"remote_address": "192.168.205.23"
},
"response": {},
"error": "internal error"
}
"error": "internal error"
being the only information...
I have removed the entities that referenced this user, with no change, and created a new entity that was able to have this ad user as an alias, so AD sees him...
Ideas?

Related

Zoho Recruit API Register / Login Candidate

Could someone guide me an idea of how to create the registration and login for candidates with the Recruit api? I'm making a flutter app and I need my candidates to register and log in trow the app and see the job opening, post jobs.
At the moment I created the user with [POST] https://recruit.zoho.com/recruit/v2/Candidates
{
"data": [
{
"Email": "mail#gmail.com",
"First_Name": "TheName",
"Last_Name": "TheLastName",
"Mobile": "000000000",
"Expected_Salary": "8000000",
"Country": "PY",
"Departamento": "Central",
"C_I": "37114594",
"Ciudad_de_residencia": "City",
"$Password":"myPassWord199**"
}
],
"trigger": [
"approval",
"workflow",
"blueprint"
]
}
Works Well, got success
{
"data": [
{
"code": "SUCCESS",
"details": {
"Modified_Time": "2022-06-15T20:47:23-04:00",
"Modified_By": {
"name": "Admin",
"id": "00000000000000"
},
"Created_Time": "2022-06-15T20:47:23-04:00",
"id": "00000000000000",
"Created_By": {
"name": "Admin",
"id": "00000000000000"
}
},
"message": "record added",
"status": "success"
}
]
}
But If I try to log in in the web version (for testing the new candidate) don't work, but if it see the dashboard, the user exist. Need to add something else?
Basically I need a register api and a login one for the created record of the candidate.
Any help will be awesome, Thanks

GCP API for Cloud SQL User doesn't fetch password

I am trying to get information about the users of a specific SQL Database Instance by using the Google.Apis.SQLAdmin API:
The return value contain a List of Users.
User:
{
"kind": string,
"password": string,
"etag": string,
"name": string,
"host": string,
"instance": string,
"project": string,
"type": enum (SqlUserType),
"sqlserverUserDetails": {
object (SqlServerUserDetails)
}
}
The "password" field remain null, no matter what I change through the GCP console.
Is there a reason for that? Am I missing a request parameter that will fetch this data?
Tried MySQL 5.7 and MySQL 8.0.
I don't need the password itself I just need to know if there is a password and it exist (also in the .net library the User class contain "PasswordPolicy").
This is the place in console where I add\change the password:
ImageOfTheConsole
Here you can see the api request and to try it using the right sided "Try This API":
https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/list
An example of a response I get for user with and a user without password:
{
"kind": "sql#usersList",
"items": [
{
"kind": "sql#user",
"etag": etag,
"name": "noPasswordUser",
"host": "%",
"instance": "my-1-test",
"project": "my-project"
},
{
"kind": "sql#user",
"etag": etag,
"name": "withPass",
"host": "%",
"instance": "my-1-test",
"project": "my-project"
}
]
}
Thank you.

How to list all projects inside GCP organization using Resource Manager API?

I am trying to list all projects I have in GCP by using the projects.list method from the Resource Manager API but I cannot figure out what access token to be used.
Let's say I have three projects:
My Project 44572
Testing
My First Project
And when I use the projects.list method it should give me the output as this:
{
"projects": [
{
"name": "My Project 44572",
"parent": {
"type": "organization",
"id": "ORG_ID"
},
"projectId": "PROJECT_ID",
"projectNumber": "PROJECT_NUMBER",
"lifecycleState": "ACTIVE",
"createTime": "2020-06-15T08:38:04.712Z"
},
{
"name": "Testing ",
"parent": {
"type": "organization",
"id": "ORG_ID"
},
"projectId": "PROJECT_ID",
"projectNumber": "PROJECT_NUMBER",
"lifecycleState": "ACTIVE",
"createTime": "2020-06-15T08:35:59.480Z"
},
{
"name": "My First Project",
"parent": {
"type": "organization",
"id": "ORG_ID"
},
"projectId": "PROJECT_ID",
"projectNumber": "PROJECT_NUMBER",
"lifecycleState": "ACTIVE",
"createTime": "2020-06-15T08:33:23.859Z"
}
]
}
But if I am using the Access Token which I got by using service account of My Project 44572 I am getting the following output:
{
"projects": [
{
"name": "My Project 44572",
"parent": {
"type": "organization",
"id": "ORG_ID"
},
"projectId": "PROJECT_ID",
"projectNumber": "PROJECT_NUMBER",
"lifecycleState": "ACTIVE",
"createTime": "2020-06-15T08:38:04.712Z"
}
]
}
So, what access token I should use so that I would get all projects under my organization?
The projects.list method requires the permission resourcemanager.projects.get. You can grant the account any role containing the permission at org level to achieve your goal, e.g., -
roles/viewer
roles/editor
roles/owner
Alternatively, you can use the resources.searchAll method which requires the cloudasset.assets.searchAllResources permission. You can grant the account any role with this permission at org level:
roles/cloudasset.viewer
roles/cloudasset.owner
roles/viewer
roles/editor
roles/owner
To list all the projects within an organization 456:
gcloud asset search-all-resources \
--asset-types="cloudresourcemanager.googleapis.com/Project"
--scope=organizations/456
Documentation:
https://cloud.google.com/asset-inventory/docs/searching-resources
https://cloud.google.com/asset-inventory/docs/reference/rest/v1p1beta1/resources/searchAll
Related post:
How to find, list, or search resources across services (APIs) and projects in Google Cloud Platform?
I solved the problem by assigning the service account of "My Project 44572" Owner role at Organization level and now when i use the access token generated by this service account it would list all the projects in my organization

Update Account (PUT) Endpoint in new Yodlee API for MFA

Background
I am using the newer Yodlee Aggregation API that differs from what I was previously building off of.
I am currently using this endpoint in the account registration flow to put the MFA response:
PUT /{cobrandName}/v1/providers/{providerAccountId}
My request looks like this:
{
url: `${this.rest}providers/${providerAccountId}`,
headers: {
'Authorization': `cobSession=${self.appToken}, userSession=${token}`
},
form: {
'MFAChallenge': JSON.stringify(newMfa)
}
}
where this.rest is my personal rest url, providerAccountId is the appropriate providerAccountId for the refresh, self.appToken is the current cobrand session token, token is the current user's login token, and newMfa is a JSON object being stringified that matches this profile:
{
"loginForm": {
"mfaTimeout": 94650,
"formType": "questionAndAnswer",
"row": [
{
"id": "SQandA--QUESTION_1--Row--1",
"fieldRowChoice": "0001",
"form": "0001",
"label": "What is the name of your state?",
"field": [
{
"id": "SQandA_QUESTION_1_1",
"name": "QUESTION_1",
"isOptional": false,
"value": "Enter the answer",
"valueEditable": true,
"type": "text"
}
]
},
{
"id": "SQandA--QUESTION_2--Row--2",
"fieldRowChoice": "0001",
"form": "0001",
"label": "What is the name of your first school",
"field": [
{
"id": "SQandA_QUESTION_2_2",
"name": "QUESTION_2",
"isOptional": false,
"value": "Enter the answer",
"valueEditable": true,
"type": "text"
}
]
}
]
}
with the exeption being the value fields of the field object, which have been encrypted with PKI as per instructions.
Issue
However, when I carry out this PUT request, I get this error from Yodlee:
{ errorCode: 'Y803',
errorMessage: 'MFAChallenge or providerParam required',
referenceCode: 'p1460412835654A4Q24t' }
though I clearly have an MFAChallenge parameter in my form. Any ideas on why I could be getting this error if the MFAChallenge is present (and note that it is the only info that is passed through the PUT request other than through headers or url parameters)? I tried putting it through as body data, but that doesn't seem to work, and very few of the API endpoints actually seem to use body over form encoded strings, though there was at least one.
You have to send this information MFAChallenge as part of URL, see below example
https://developer.api.yodlee.com/ysl/restserver/v1/providers/10114184?MFAChallenge=%7B%20%22loginForm%22%3A%20%7B%20%20%20%20%20%22mfaTimeout%22%3A%2094650%2C%20%20%20%20%20%22formType%22%3A%20%22questionAndAnswer%22%2C%20%20%20%20%20%22row%22%3A%20%5B%20%20%20%20%20%7B%20%20%20%20%20%20%20%20%20%22id%22%3A%20%22SQandA--QUESTION_1--Row--1%22%2C%20%20%20%20%20%20%20%20%20%22fieldRowChoice%22%3A%20%220001%22%2C%20%20%20%20%20%20%20%20%20%22form%22%3A%20%220001%22%2C%20%20%20%20%20%20%20%20%20%22label%22%3A%20%22What%20is%20the%20name%20of%20your%20state%3F%22%2C%20%20%20%20%20%20%20%20%20%22field%22%3A%20%5B%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22id%22%3A%20%22SQandA_QUESTION_1_1%22%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22name%22%3A%20%22QUESTION_1%22%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22isOptional%22%3A%20false%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22value%22%3A%20%22Enter%20the%20answer%22%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22valueEditable%22%3A%20true%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22text%22%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%20%20%20%20%20%20%20%20%20%5D%20%20%20%20%20%7D%2C%20%20%20%20%20%7B%20%20%20%20%20%20%20%20%20%22id%22%3A%20%22SQandA--QUESTION_2--Row--2%22%2C%20%20%20%20%20%20%20%20%20%22fieldRowChoice%22%3A%20%220001%22%2C%20%20%20%20%20%20%20%20%20%22form%22%3A%20%220001%22%2C%20%20%20%20%20%20%20%20%20%22label%22%3A%20%22What%20is%20the%20name%20of%20your%20first%20school%22%2C%20%20%20%20%20%20%20%20%20%22field%22%3A%20%5B%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22id%22%3A%20%22SQandA_QUESTION_2_2%22%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22name%22%3A%20%22QUESTION_2%22%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22isOptional%22%3A%20false%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22value%22%3A%20%22Enter%20the%20answer%22%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22valueEditable%22%3A%20true%2C%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22text%22%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%20%20%20%20%20%20%20%20%20%5D%20%20%20%20%20%7D%20%5D%20%7D

Invalid Path error while inserting job from google cloud storage to google bigquery

I am trying to insert a job through HTTP Post request, but i am getting Invalid path error.
My request body is as follows:
{
"configuration": {
"load": {
"sourceUris": [
"gs://onianalytics/PersData.csv"
],
"schema": {
"fields": [
{
"name": "Name",
"type": "STRING"
},
{
"name": "Age",
"type": "INTEGER"
}
]
},
"destinationTable": {
"datasetId": "Test_Dataset",
"projectId": "lithe-anvil-404",
"tableId": "tb_test_Pers"
}
}
},
"jobReference": {
"jobId": "10",
"projectId": "lithe-anvil-404"
}
}
For the sourceuri parameter, I am passing "gs://onianalytics/PersData.csv", where onianalytics is my bucket name and PersData.csv is my csv file (from which I want to upload data into google bigquery).
I am getting below response:
"status": {
"state": "DONE",
"errorResult": {
"reason": "invalid",
"message": "Invalid path: gs://onianalytics/PersData.csv"
},
"errors": [
{
"reason": "invalid",
"message": "Invalid path: gs://onianalytics/PersData.csv"
}
]
},
"statistics": {
"creationTime": "1387276603674",
"startTime": "1387276603751",
"endTime": "1387276603751"
}
}
My bucket is under the same projectid which has the BigQuery service activated. Also, I have Google Cloud Storage enabled under APIs and Auth. Following scopes are added while authenticating:
googleapis.com/auth/bigquery, googleapis.com/auth/cloud-platform, googleapis.com/auth/devstorage.full_control,googleapis.com/auth/devstorage.read_only,googleapis.com/auth/devstorage.read_write
I am inserting this job by "Try it!" link which is available on developers.google.com/bigquery/docs/reference/v2/jobs/insert.
In fact I am able to create buckets and objects in goggle cloud storage through APIs. But when i try to insert job from the uploaded object (which is a csv file), i got "Invalid Path" error. Can anyone please help me to identify why this error is occurring?
The error I get when trying the code above is "Not found: URI gs://onianalytics/PersData.csv".
I'm wondering if instead of /onianalytics/ you had a different path with invalid characters?