jupyterhub ldap auth using certificate - how to - ldap

This is similar to the existing one - Setting up LDAP for Jupyter Server
Where, instead of using "bind_user_password", I want to try using a certificate, i.e. the lines below that are currently being used:
ldap_uri = ldap://ldap:389
ldap_default_bind_dn = cn=serviceaccount,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = 0hdsvmofnvp
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/pki/tls/CA/ldap.ca
I did go through this document - https://github.com/jupyterhub/ldapauthenticator - and we couldn't find a way to use a certificate. Please help share the info on how to enable the same in Jupyter using the above lines.
Yes, we are using JupyterHub v3.3.2

Related

What is wrong in these steps regarding to connecting metabase and ldap?

I am not able to create connection between metabase and LDAP.
I am trying to set it up similar with our Zeppelin configuration:
ldapRealm.contextFactory.url = our_url
ldapRealm.contextFactory.systemUsername = our_username
ldapRealm.contextFactory.systemPassword = our_password
ldapRealm.userDnTemplate = cn={0},ou=people,dc=xha,dc=app
ldapRealm.memberAttributeValueTemplate = cn={0},ou=people,dc=xha,dc=app
ldapRealm.authorizationEnabled = true
ldapRealm.searchBase = dc=xha,dc=app
ldapRealm.userSearchBase = ou=people,dc=xha,dc=app
ldapRealm.groupSearchBase = ou=group,dc=xha,dc=app
ldapRealm.userSearchAttributeName = uid
ldapRealm.userSearchFilter = (&(objectclass=*)(uid={0}))
ldapRealm.memberAttribute = memberUid
When I tried similar configuration:
URL, Username, Password, worked well.
I tried using “ou=people,dc=xha,dc=app” for “USER SEARCH BASE”, but it did not work and I get this error in the log:
errors {:ldap-user-base "User search base does not exist or is unreadable"}}
So it seems that “USER SEARCH BASE” is in reality “GROUP SEARCH BASE”.
The only value that works in “USER SEARCH BASE” is “OU=group,DC=xha, DC=app”
I tried for “USER FILTER”:
cn={login},ou=people,dc=xha,dc=app
(&(objectClass=)(uid={0}))
(&(objectClass=)(uid={login}))
(&(objectClass=)(memberUid={0}))
(&(objectClass=)(memberUid={login}))
{uid={login}}
(&(objectclass=*)(cn={login}))
I also tried with empty filter.
Nothing works yet and I am stuck on this for like 2 weeks.
In the log there is just:
{:errors {:password “did not match stored password”}}
I also tried steps in https://discourse.metabase.com/t/ldap-debugging/2741 but I am still not able to make it work.
Our “LDAP” accounts have no email -> https://discourse.metabase.com/t/autenticate-by-ldap-a-user-that-have-no-email/5215
I do not know if this is still “hardcoded” in version: 0.34.2
So, do you have any suggestions for how I can figure it out?
Thank you in advance
Peter
Actually I figured it out. "OU=people,DC=xha, DC=app" was correct, but our LDAP schema was huge and there were "SIZE LIMIT EXCEEDED" errors in LDAP's logs. So we started using MariaDB for storing Metabase settings, and I saved the settings with "OU=group,DC=xha, DC=app" and then manually changed it to OU=people,DC=xha, DC=app in MariaDB.

connect to two databases in dhis.conf

I need to deploy a second instance of DHIS2 on my server. I already have the first one running very well.
The challenge I have is that DHIS2 only uses one configuration file with the code below. I am confused about how to set up a connection to my second database.
Please advise.
connection.dialect = org.hibernate.dialect.PostgreSQLDialect
connection.driver_class = org.postgresql.Driver
connection.url = jdbc:postgresql:millenium
connection.username = dhis
connection.password = dhis
connection.schema = update
encryption.password = abcd
You can run your instances with separate environment variables to point to two different DHIS2_HOME paths. Each path can contain its own dhis2.conf, with its own database.
For example, if you are using Tomcat to host your instances, you can set the "setenv.sh" file to set up the DHIS2_HOME variable.

Trac + AccountManagerPlugin: How do I get cookie sharing working?

I have an active Trac installation with multiple projects. I am using the AccountManagerPlugin to manage user accounts, and to allow users to manage their own accounts.
My current AccountManagerPlugin configuration looks like this:
[account-manager]
account_changes_notify_addresses =
authentication_url =
force_passwd_change = true
generated_password_length = 8
hash_method = HtDigestHashMethod
htdigest_realm = TracRealm
notify_actions = []
password_file = /home/sms/trac_sites/trac.htdigest
password_store = HtDigestStore
persistent_sessions = true
user_lock_max_time = 0
verify_email = false
This works great, except: Each Trac project currently requires separate authentication. The projects are unable to share their authentication cookies.
Setting auth_cookie_path = /trac does not work, because session data is stored in each project's own database; therefore one project cannot validate the cookie of another. Worse, this causes projects to overwrite each other's cookies.
Using an undocumented two-year-old monkey patch (SharedCookieAuthPlugin) seems like a bad idea.
Is there a solution?
SharedCookieAuthPlugin is indeed the way to go. The author of the plugin (k0s, alias Jeff Hammel) was the person who requested the auth_cookie_path option, specifically for his plugin. The fact that it hasn't been updated in two years just means that it works as it is.

VBscript - How do I change anonymous authentication settings for a specific site?

I'm writing a VBScript that I would like to alter the anonymous authentication configuration for a specific site on my web server. However, I'm unsure of how this is done in the commit path. Currently, I am able to change the setting on a global scale, but I only want to target one particular site folder. My best guess was to simply include the site path at the end of MACHINE/WEBROOT/APPHOST.
'CHANGE ANONYMOUS AUTHENTICATION GLOBALLY (working code):
Set adminManager = CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
Set anonymousAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/anonymousAuthentication", "MACHINE/WEBROOT/APPHOST")
anonymousAuthenticationSection.Properties.Item("enabled").Value = True
anonymousAuthenticationSection.Properties.Item("userName").Value = "myUser"
anonymousAuthenticationSection.Properties.Item("password").Value = "myPass"
adminManager.CommitChanges()
'MY BEST GUESS AT TARGETING A SPECIFIC SITE (returns error 80070005):
Set anonymousAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/anonymousAuthentication", "MACHINE/WEBROOT/APPHOST/Sites/InsideFTL/Corp/redirects/netXposure")
The code that you have above should work. Are you running it from an elevated command prompt?
You could also try to make sure that it is committing to ApplicationHost.config, to make sure it is not a locking issue, by setting CommitPath, and make sure that the identity under which you are running the script has write access to it.
'CHANGE ANONYMOUS AUTHENTICATION For Default Web Site:
Set adminManager = CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set anonymousAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/anonymousAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site")
anonymousAuthenticationSection.Properties.Item("enabled").Value = True
anonymousAuthenticationSection.Properties.Item("userName").Value = "myUser"
anonymousAuthenticationSection.Properties.Item("password").Value = "myPass"
adminManager.CommitChanges()

SSHtools disable Verifying host key[Yes/No] message?

Hi, is there an easy way to disable this host verification in j2ssh (assigning yes somewhere) so that I shouldn't have to type Yes every time I connect to the server?
In SSH, there is a configuration option:
StrictHostKeyChecking=no
You can probably set this in j2ssh like this:
setConfig("StrictHostKeyChecking", "no")
Whether this is a good idea is left as an exercise for the reader.
If you don't want to validate the host, the following piece of code should do the job:
ssh.connect(hostname, new IgnoreHostKeyVerification());
Here is a snippet, just replace the parts from the example here.
SshClient ssh = new SshClient();
ssh.setSocketTimeout(30000);
SshConnectionProperties props = new SshConnectionProperties();
props.setHost(hostname);
props.setPort(port);
ssh.connect(props , new IgnoreHostKeyVerification()); // ignore unknown host warning
// Create a password authentication instance
PasswordAuthenticationClient pwd = new PasswordAuthenticationClient();
pwd.setUsername(username);
pwd.setPassword(password);
// Try the authentication
int result = ssh.authenticate(pwd);
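
An alternative to IgnoreHostKeyVerification that also removes the prompt, as an added example that is not part of the original answers: a verifier that accepts a server only when its host key matches a fingerprint pinned in advance. The class name PinnedHostKeyVerification is hypothetical, and the HostKeyVerification.verifyHost signature and SshPublicKey.getEncoded() are assumed from J2SSH 0.2.x.

```java
import com.sshtools.j2ssh.transport.HostKeyVerification;
import com.sshtools.j2ssh.transport.TransportProtocolException;
import com.sshtools.j2ssh.transport.publickey.SshPublicKey;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;

/**
 * Added example: accepts a server only when its host key matches a pinned
 * fingerprint, so no prompt is shown and unknown or changed keys are rejected.
 * Assumes J2SSH's HostKeyVerification.verifyHost(String, SshPublicKey) and
 * SshPublicKey.getEncoded() returning the SSH wire-format key blob.
 */
public class PinnedHostKeyVerification implements HostKeyVerification {
    // host name -> "SHA256:..." fingerprint, as printed by `ssh-keygen -lf <pubkey file>`
    private final Map<String, String> pins;

    public PinnedHostKeyVerification(Map<String, String> pins) {
        this.pins = pins;
    }

    /** OpenSSH-style fingerprint: unpadded Base64 of SHA-256 over the key blob. */
    static String fingerprint(byte[] keyBlob) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(keyBlob);
        return "SHA256:" + Base64.getEncoder().withoutPadding().encodeToString(digest);
    }

    public boolean verifyHost(String host, SshPublicKey pk) throws TransportProtocolException {
        String expected = pins.get(host);
        if (expected == null) {
            return false; // no pin for this host: fail closed rather than trust on first use
        }
        try {
            byte[] actual = fingerprint(pk.getEncoded()).getBytes(StandardCharsets.US_ASCII);
            // Constant-time comparison of the two fingerprint strings
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII), actual);
        } catch (NoSuchAlgorithmException e) {
            throw new TransportProtocolException("SHA-256 not available: " + e.getMessage());
        }
    }
}

// Usage with the snippet above (the fingerprint value is a placeholder):
//   ssh.connect(props, new PinnedHostKeyVerification(
//       java.util.Collections.singletonMap(hostname, "SHA256:<pinned-fingerprint>")));
```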