ActiveMQ: Configure secured LDAPS connection to AD - ssl

I am using ActiveMQ 5.16.2 and am trying to secure the ActiveMQ Web console with LDAP. I have followed this guide.
Because I am not that familiar with LDAP, I used ldapsearch from openldap-clients to perform some initial queries to check whether my roleFilter and userFilter within LdapRoleAuthorizationModule have the correct settings.
When using ldapsearch, I received the following error:
ldap_bind: Strong(er) authentication required (8)
Ldap_bind: additional info:00002028:ldapERR:DSID-0C09027F,comment: The server requires binds to turn on the integrity checking if SSL/TLS are not already active on the connection, data 0, v3839
I tried to find out how to configure a secured LDAPS connection from my ActiveMQ VM to solve this error, but was not able to find a good solution.
Could someone give advice / help please?
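The rejection above is what AD returns for a simple bind over plain ldap://389 when it requires signing, so the same query has to run over TLS. As an added example (not from the question or the guide it refers to), this script only ever runs ldapsearch over LDAPS or StartTLS with certificate verification enforced, and imports the AD CA into a truststore for the ActiveMQ JVM; AD_HOST, BIND_DN, BASE_DN, CA_PEM, TRUSTSTORE and STOREPASS are placeholder names.

```shell
#!/bin/sh
# Added example, not from the question or the guide it follows.
# Placeholders (assumptions): AD_HOST, BIND_DN, BASE_DN, CA_PEM (AD CA in PEM
# form), TRUSTSTORE (JKS file for the ActiveMQ JVM), STOREPASS.

# Extra ldapsearch flags needed for an encrypted, verified session:
#   ldaps://  TLS from the first byte, nothing extra
#   ldap://   upgrade with StartTLS and abort if the server refuses (-ZZ)
# Any other scheme is refused so a plaintext simple bind is never attempted.
ldap_tls_args() {
    case "$1" in
        ldaps://*) printf '' ;;
        ldap://*)  printf -- '-ZZ' ;;
        *)         echo "refusing URL without ldap/ldaps scheme: $1" >&2; return 1 ;;
    esac
}

# Simple bind plus search against AD with certificate checking enforced.
# LDAPTLS_REQCERT=demand fails the connection on an untrusted chain;
# LDAPTLS_CACERT names the CA that signed the domain controller's certificate.
# -z 5 caps the result set, since this is only a connectivity test.
ad_search() {
    url="$1"; filter="$2"
    flags="$(ldap_tls_args "$url")" || return 1
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$CA_PEM" \
        ldapsearch -H "$url" $flags -x -D "$BIND_DN" -W -b "$BASE_DN" -z 5 "$filter" dn
}

# Import the same CA into a JKS truststore and print the JVM options that let
# the ActiveMQ LDAP login module use a ldaps:// connection URL (append them to
# ACTIVEMQ_OPTS in bin/env).
build_truststore() {
    keytool -importcert -noprompt -trustcacerts -alias ad-ca -file "$CA_PEM" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null
    echo "-Djavax.net.ssl.trustStore=$TRUSTSTORE -Djavax.net.ssl.trustStorePassword=$STOREPASS"
}

# Network and keytool steps run only when the placeholders are set.
if [ -n "${AD_HOST:-}" ]; then
    ad_search "ldaps://$AD_HOST:636" "(objectClass=user)"
    build_truststore
fi
```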

Related

LDAP connection for jupyterhub

I want to configure an LDAP connection for JupyterHub, but I don't know which settings to use as there are so many. I tried using these as references: https://github.com/jupyterhub/ldapauthenticator and https://github.com/hansohn/jupyterhub-ldap-authenticator. Still, I am not able to figure out which settings are a must; it would be helpful if you could identify which are required and how the LDAP login works in JupyterHub.
If you have any open-source working example of an LDAP connection, please share.

How to setup SASL authentication for Zookeeper

I have successfully set up SASL PLAIN and PLAINTEXT security for Kafka brokers, in the sense that clients cannot consume or produce successfully without providing a kafka_client_jaas.conf with valid username and password credentials, due to authentication failure.
However, I cannot do the same for Zookeeper: for example, kafka_topics.sh successfully connects to Zookeeper without KAFKA_OPTS setting java.security.auth.login.config to point to any jaas.conf file. I imagined it would have to point to the same kafka_client_jaas.conf as the console consumers and producers, since there is a Client section defined for authentication to Zookeeper. I added the following three lines to the zookeeper.properties file (I don't know what the third line is used for):
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
I created zookeeper_jaas.conf (defining a Server section) and started Zookeeper with KAFKA_OPTS pointing to it, and added a Client section to kafka_server_jaas.conf so that brokers authenticate properly to Zookeeper, pretty much as described here:
Kafka SASL zookeeper authentication
but I cannot provoke an authentication failure when running kafka_topics.sh, as already mentioned. Where did I go wrong?

Configuring IBM P8 to use LDAP over SSL with Active Directory

I am hoping someone can help me out with a frustrating configuration problem I'm having with IBM FileNet Content Manager 5.2.1 (aka P8 5.2.1).
We have an existing system setup that uses Microsoft Active Directory as our LDAP directory service for P8 and that has worked fine to date. That said, we are now wanting our .NET apps to talk to P8 (via the Content Platform Engine .NET API) using WCF instead of legacy (and now deprecated) WSE but we have run into a problem. WCF requires that all communication occur over SSL - on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL however, according to IBM's documentation, you must also change the underlying default LDAP connection from unsecured to SSL as well (in the process, changing LDAP to use port 636 instead of 389).
Following both Microsoft's and IBM's docs, I first enabled LDAP over SSL on Active Directory and tested accordingly. Using Microsoft's LDAP utility, ldp.exe, I can successfully connect and bind to Active Directory on port 636 over SSL.
The next step however is where I hit a wall - Enabling SSL for Content Platform Engine. I followed all the steps involving adding the Active Directory Server's CA certificate to the CPE's application server keystore - no problem. The next step in the configuration instructions however asks you to start the Administration Console for CPE (ACCE) and reconfigure the directory configuration properties - telling it to use SSL on port 636 and... KABOOM! When I attempt to save the configuration, the save fails, stating
An unexpected exception occurred. Message was: Failed connecting to ldap://ad1.domain.com:636
Unfortunately, I can't find any additional info as to why it failed to connect - I assumed it was due to something minor, such as a port conflict. To test that theory, I installed Microsoft's LDAP test utility on the CPE server and attempted to connect to the Active Directory Server over SSL on port 636. Much to my surprise, that worked just fine - grrrr...
I am now at something of a loss as to what to look at next. Anybody out there with experience configuring CPE to use SSL in an Active Directory environment?
Thanks in advance for any-and-all assistance.
WCF requires that all communication occur over SSL - on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL however, according to IBM's documentation, you must also change the underlying default LDAP connection from unsecured to SSL as well
This is not true. FileNet can work with non-secure LDAP, while at the same time working with WCF.
Now, if you would like to find out why FileNet will not connect to a secure LDAP, then you should start with your WebSphere.
Check WebSphere's keystores to ensure that the AD's key is contained. Follow #M.Tamboli's advice and restart WebSphere.
Also make sure that you check WebSphere's SystemOut.log logs, as you may find more info in there.
I'm not sure if it is necessary, but you may also want to add/change the LDAP config that is set up within WebSphere itself.
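The keystore check suggested above, as an added example that is not part of the question or answer: it fetches the chain the domain controller presents on port 636 and runs an OpenSSL path validation of it against the certificates the WebSphere trust store holds, so a missing CA shows up without guessing at alias names. AD_HOST, WAS_TRUSTSTORE, WAS_STOREPASS and WAS_STORETYPE are placeholders.

```shell
#!/bin/sh
# Added example, not part of the question or answer above. Checks whether the
# chain a domain controller presents on 636 validates against the trust store
# the CPE JVM (WebSphere) actually uses; a CA missing there is the usual reason
# "Failed connecting" appears while ldp.exe on the same host works.
# Placeholders (assumptions): AD_HOST, WAS_TRUSTSTORE, WAS_STOREPASS, WAS_STORETYPE.

# Split `openssl s_client -showcerts` output into $2/cert1.pem (leaf),
# $2/cert2.pem, ... and print how many certificates were found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Fetch the chain, export what WebSphere trusts to PEM with keytool, and let
# OpenSSL build a path from the leaf to one of those trusted certificates.
# keytool -rfc and s_client both print text around the PEM blocks; OpenSSL's
# PEM reader skips it.
diagnose() {
    tmp="$(mktemp -d)"
    openssl s_client -connect "$AD_HOST:636" -servername "$AD_HOST" -showcerts \
        </dev/null >"$tmp/s_client.txt" 2>/dev/null
    n="$(split_chain "$tmp/s_client.txt" "$tmp")"
    if [ "$n" -eq 0 ]; then
        echo "no certificate received from $AD_HOST:636 (LDAPS not enabled, or port filtered)"
        return 1
    fi
    echo "domain controller sent $n certificate(s)"
    keytool -list -rfc -keystore "$WAS_TRUSTSTORE" -storepass "$WAS_STOREPASS" \
        -storetype "${WAS_STORETYPE:-PKCS12}" >"$tmp/trusted.pem"
    if openssl verify -CAfile "$tmp/trusted.pem" -untrusted "$tmp/s_client.txt" \
            "$tmp/cert1.pem" >/dev/null 2>&1; then
        echo "chain validates against $WAS_TRUSTSTORE; trust is fine, so check SystemOut.log and that the certificate SAN matches $AD_HOST"
    else
        echo "chain does NOT validate; import the issuer of the last certificate (cert$n.pem) into $WAS_TRUSTSTORE and restart WebSphere"
    fi
}

if [ -n "${AD_HOST:-}" ]; then diagnose; fi
```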

Ldap certificates expired on a WebSphere application server initially configured with ldap

We are running WebSphere Application Server v8.5 on AIX 7, which we configured to use LDAP security. Everything was working fine, but the project went on hold for some time and our WAS was down. Now we see that the LDAP certificates have expired, hence we are unable to connect to the dmgr and admin console. Can somebody help us resolve it?
We know how to configure LDAP on WAS, but don't know how to replace the expired LDAP certificate with the new certificates. (We received new non-expiring certificates from the LDAP team but don't know how to configure them on WAS.)
You need to disable security, restart dmgr, replace certificates and reenable security.
To disable security:
stop/kill the dmgr
run the following from the dmgr\bin folder:
wsadmin -conntype NONE
At the wsadmin prompt, type securityoff and then type exit.
Restart your dmgr.
UPDATE
Do you have Federated or Standalone LDAP configured? In the LDAP configuration you should have a link to the SSL configuration. There you will need to add your new certificate to the Signers store (this is a very simplified description, as I'm not sure which repository you are using).

PostgreSQL SSPI authentication - FATAL: 2801: password authentication failed for user "xxx"

I'm pretty new to PostgreSQL, having a fair amount of experience with MS SQL Server. One feature of PostgreSQL that has caught my eye is SSPI authentication, which I hoped would make the transition from MS SQL easier. However, I can't seem to get it to work.
For now, both server and client are running on the same Windows 7 machine, which is not a member of a domain. If I understand correctly, SSPI auth falls back from Kerberos to NTLM, so it should work without a domain - am I right?
When I try to connect (from a .NET application via Npgsql), I get an NpgsqlException with the message: Fatal: 28P01: password authentication failed for user "xxx". The message is a bit puzzling to me because I'm not using password authentication.
My pg_hba.conf:
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
host all all 127.0.0.1/32 sspi
Npgsql connection string:
Server=127.0.0.1;Port=5432;Database=mydb;Integrated Security=true;
What am I doing wrong here? Or is it that it just doesn't work without a domain?
Ok, got it. I can't allow MD5 and SSPI authentication at the same time. So be it. There is no "fall-through" mechanism: only the first authentication method that matches the request is attempted. So all that was left to do was to remove the first two lines from pg_hba.conf and create a role with the same name as my Windows login. What's bugging me is that what is obviously a configuration error is silently ignored, not even a warning in the log. Is there any reason behind this?
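Since PostgreSQL gives no warning for this, the first-match rule above can be checked before reload. The following lint is an added example, not from the question or its answer: it flags any pg_hba.conf line whose type, database, user and address columns repeat an earlier line, which is exactly the shape of the sspi line that was never reached; it compares columns literally and does not expand CIDR ranges or the all keyword.

```shell
#!/bin/sh
# Added example, not part of the question or answer above: a lint for the
# first-match rule in pg_hba.conf. A line whose type, database, user and
# address columns repeat an earlier line can never be reached, so its auth
# method (here: sspi after md5 for 127.0.0.1/32) is dead configuration.
# Literal column matches only: no CIDR expansion, no "all" keyword semantics,
# no separate-netmask address form. Exit status 1 when a shadowed line exists.
pg_hba_shadowed() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        {
            # local lines have no address column, so the key is three columns
            if ($1 == "local") { key = $1 " " $2 " " $3; method = $4 }
            else               { key = $1 " " $2 " " $3 " " $4; method = $5 }
            if (key in first) {
                printf "line %d (%s) is shadowed by line %d (%s)\n", NR, method, first[key], fmethod[key]
                shadowed++
            } else {
                first[key] = NR; fmethod[key] = method
            }
        }
        END { if (shadowed) exit 1 }
    ' "$1"
}

# Usage: pg_hba_shadowed /path/to/pg_hba.conf
if [ "$#" -gt 0 ]; then pg_hba_shadowed "$1"; fi
```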