Quarkus Elytron LDAP security not finding UID - ldap

I have added the Quarkus quarkus-elytron-security-ldap dependency to my project to enable basic auth on my REST services. I have configured it in my properties file as below. I know that it is connecting successfully to the LDAP repository, but it never finds the UID when doing a search:
quarkus.security.ldap.dir-context.principal=uid=serviceLdapAccount,ou=Systems,ou=Users,DC=COMPANY
quarkus.security.ldap.dir-context.url=ldap://some.server.com
quarkus.security.ldap.dir-context.password=*****
quarkus.security.ldap.identity-mapping.rdn-identifier=uid
quarkus.security.ldap.identity-mapping.search-base-dn=DC=COMPANY
I have confirmed that the user definitely exists in the repository and is included in the search base. But I always get this response:
[io.qua.ver.htt.run.sec.BasicAuthenticationMechanism] Found basic auth header requestAccountName:***** (decoded using charset UTF-8)
[org.wil.security] Obtaining lock for identity [requestAccountName]...
[org.wil.security] Obtained lock for identity [requestAccountName].
[org.wil.security] Trying to create identity for principal [requestAccountName].
[org.wil.security] Executing search [(uid={0})] in context [DC=COMPANY] with arguments [requestAccountName]. Returning attributes are []. Binary attributes are [].
[org.wil.security] Identity for principal [requestAccountName] not found.
Why can't it find the identity?

The seach-base-dn needed to be more specific:
quarkus.security.ldap.identity-mapping.search-base-dn=ou=Systems,ou=Users,DC=COMPANY
What I had before should work though, imo.

Related

Duplcated of How to access the original case sensitive username input in custom user storage provider of keycloak?

I developed a service provider interface (SPI) for User Federation in keycloak.
When I try to login with an existing case sensitive user, keycloak converts it to lower case, so at the end, the sent username was not found in my user API.
I am using keycloak 20.0.1 version and it is deploying in a docker container.
I found this post in stackoverflow that share an anwerd relatated for this, buth I do not get solution. I replaced conf/cache-ispn.xml as it metion, buth when keycloak starts it gets the error Cache 'users' has been requested, but no matching cache configuration exists.
I realy apreciate if some one knows if there is an alternative.
Regardles.
I tried to get original input username with case sensitive in keycloak login.

User not authenticated against LDAP in Sonar 5.6

I have set the proper LDAP configuration in Sonar 5.6.6 LTS (ldap plugin v2.2.0.608) and I see in logs that the connection is established.
When I first try to login with my LDAP-login, I am able to do so, but my user has of course no permissions - that is okay.
The problem occurs, when I want to first add my user and give him i.e. sonar-administrators group. When it is set and I try to login, Sonar authenticates me not against the external system (LDAP) but uses his own data base.
I am sure it worked with Sonar 4.5 but now I cannot configure it properly.
The problem was that creation of new users adds them by default to the local database of SonarQube. To change this default behavior I found out that the REST API endpoint to create users contains the flag 'local' which defines whether the user should be considered as a local user added to the local database or he should be added as an external user authenticated again an external system like LDAP.
So final answer is to use the following REST API endpoint:
private final String CREATE_USER_API = "/api/users/create?login={login}&name={name}&local=false"
Please note the following property: local=false at the end of the string.

Delete ldap attribute by keycloak

I'm evaluating keycloak for identity management using an existing (open)ldap server.
I've managed to get the telephoneNumber ldap attribute into keycloak.
The problem occurs if I try to remove a telephone number via keycloak: keycloak tries to set the ldap attribute to an empty string, which is not allowed. Is there a way to configure the user-attribute-ldap-mapper to delete the attribute if its empty?
Best wishes
Daniel
[edit] I've opend a bug report at keyloak for this issue

LdapAuthenticationProvider not checking if user is not active

I can auth my website with either ldap or by looking in db using different spring security authentication providers.
When i use the database auth, i use UserDetailsService, which correctly checks if my user is notActive and throws DisabledException correctly.
but using LdapAuthenticationProvider this does not occur. why?
spring security 2.0.1
Which LdapAuthenticator are you using? If you use BindAuthenticator it will bind as the given user, eventually the directory server should reject if the user account disabled/expired.
I haven't used LdapAuthenticationProvider myself, but if its not done automatically you can retrieve the userdetails, The UserDetails class has bunch of methods to check weather the account is enabled/locked/expired.

How to use LDAP credentials offline?

I would like to use an LDAP server (probably Apache directory) to manage logins and credentials for an application. From time to time the application needs to work offline (on a laptop) without a connection to the LDAP server.
What is the best way to replicate the credentials localy?
I have already thought about:
Using Mitosis to replicate the LDAP server on the laptop.
But it would be a quite "heavy" and complicated solution. Moreover Mitosis seems not be be finished yet.
Exporting the credentials as LDIF file that could be stored on the laptop.
But I would need a way to check that the LDIF file actually comes from the LDAP server (The file should include a kind of signature). Moreover I would like to reject LDIF files that haven't be updated for more than a week. It would be nice if I could avoid implementing signing and age check myself.
Any other ideas or tools that could help me?
Edited Edit: I had a look at Kerberos because the documentation of the Java-Kerberos-API seems to say that it is possible to use a cached ticket in a local cache and I thought this might be a solution for me. Moreover Kerberos can be added as plugin to Apache Directory.
But the Kerberos cache stores decrypted tickets (aiming at sharing them with other applications). I would need the crypted version of the ticket to be able to check the user password during an offline session. Conclusion: Kerberos doesn't offer a simple solution to my problem.
Knowing that it will be probably ok if the user have to log on once online before being able to log on offline, consider the following algorithm:
user provides your application with a (username + password)
application attempts to contact LDAP for authentication
working online? (e.g. connection successful)
application authenticates against LDAP using (username + password)
authentication succesful?
application stores or updates hash(password) as (cached_credentials) for (username) into local secure storage
application proceeds as authenticated [[STOP]]
authentication failed?
application proceeds as non-authenticated (incorrect credentials) [[STOP]]
working offline? (e.g. network error)
application attempts retrieve (cached_credentials) for (username) from local secure storage
(cached_credentials) exists AND more recent than (1 week)?
application compares (cached_credentials) against hash(password)
match?
application proceeds as authenticated [[STOP]]
no match?
application proceeds as non-authenticated (incorrect credentials) [[STOP]]
(cached_credentials) does not exist OR less recent than (1 week)?
application proceeds as non-authenticated (network error) [[STOP]]
This is (or was, IIRC), by the way, the same model employed by Windows NT+ for user authentication against domain controllers. Upon login an attempt is made to authenticate against the domain controller and create or update the local (cached) version of the user profile. If the domain controller is not available, the user is prompted to proceed with authentication against the credentials captured in the local (cached) profile (if one exists.)
EDIT
Yes, this is, in spirit, the same solution as copying an ldif file locally, except that you do not have to parse ldif when you're offline. :)
It is understood that you can store any additional attributes (permissions, etc.) in your cache
It is also understood that 'secure storage' is at least signed. :) You can do this easily enough with a SHA-1 hash and a secret, or you can use full-fledged cryptographic providers available on your platform (or in Java, if using Java.) You do not need to crypt it as long as no secret information is stored inside.
Here is the solution I decided to use (I have already described it in an edit to my question, but I would like to able to accept an answer to "close" the question):
As I have not found another solution, I decided to use an LDIF export, add a timestamp as comment at the beginning of the file and then sign the file. To sign the file I calculate an hash value (SHA-1) of the file + a secret key. The signature is added as comment at the beginning of the file. To check the signature I remove the first line of the signed file and recalculate the hash value.