I am new to yang. Below is my yang config.
container ntp {
tailf:info "NTP Configuration";
tailf:cli-oper-info "Display NTP information";
tailf:cli-incomplete-show-path;
//ntp server config
leaf-list server {
tailf:info "NTP servers";
ordered-by user;
tailf:cli-flat-list-syntax {
tailf:cli-replace-all;
}
type gw-types:ipv4-host;
max-elements 4;
}
container auth {
tailf:info "Configure NTP authentication keys";
list server {
tailf:info "Configured ip addresses";
tailf:cli-suppress-mode;
tailf:cli-sequence-commands;
tailf:cli-incomplete-command;
tailf:cli-compact-syntax;
key "serverip";
leaf serverip {
tailf:info "ip address";
type leafref {
path "/gw-system:ntp/server";
}
}
leaf key {
tailf:info "Authentication key ID for this server";
type uint32 {
range "1..65535";
}
}
choice authtype {
tailf:cli-incomplete-command;
leaf sha256 {
tailf:info "Value of the sha256 key";
type tailf:aes-cfb-128-encrypted-string {
tailf:info "Cleartext or AES encrypted key";
}
}
}
}
}
}
I want to achieve the below two requirements. Can someone please help me
I have used type leafrefin node serverip so that a user can input ip address which is present in the leaf-list server. When I tested it, I was able to input some random ip address also which is not present in the leaf-list server to whom my leaf serverip is referring. When I do commit then it gives error Illegal reference but I wanted that user should not be allowed to complete the command if he has given the random ip which is not present in the list. Is there any way to restrict him at run time when he is typing the command instead showing error at commit.
leaf serveripis referring to the leaf-list server. I want that if user try to remove the targeted node i.e. server then automatically all it's dependent should be deleted first. Like first all the dependents should be removed and then main node.
Or
it should give error to user that, delete the dependent node first before deleting targeted node. i.e. Before deleting the leaf-list server user should be asked to delete node serverip first. How can I achieve either of them?
As per my understanding in question 1 you want to restrict "leafref". But as per RFC 6020.
"A leafref cannot be restricted." - Refer RFC Section 9.9.1
leaf serverip {
tailf:info "ip address";
type leafref {
path "/gw-system:ntp/server";
}
}
In this leaf all the server IPs will be available and with tab we can get the same. If still want to apply some logic here then you can try :
choice or when statement to apply some logic here.
For the 2nd Question, You can try to make all mandatory leafs as key. It should work.
Related
I need to limit the concurrent sessions allowed per user in an apache SshServer. I found two references to this functionality, but they seem to be obsolete.
Here's the original patch back in 2010:
https://issues.apache.org/jira/browse/SSHD-95
I also found this reference to its usage:
http://apache-mina.10907.n7.nabble.com/How-to-set-max-count-connections-in-sshd-service-td44764.html
Which refers to a SshServer.setProperty() method.
I'm using sshd-core 2.4.0, and this method is absent from SshServer, I can't see any obvious replacement, and I can't find any documentation on what has happened to it or how I'm supposed to do this now.
I still see the MAX_CONCURRENT_SESSIONS key in ServerFactoryManager, so I assume the functionality is still in there somewhere, but I can't find where I need to set it.
Here's what the setup of the server looks like (it's for an SFTP server, but that shouldn't matter for the problem at ahnd, I thnk):
private val server = SshServer.setUpDefaultServer().apply {
val sftpSubsystemFactory = SftpSubsystemFactory().apply {
addSftpEventListener(sftpEventListener)
}
port = sftpPort
host = "localhost"
keyPairProvider = when {
sftpKeyname.isEmpty() -> throw IllegalStateException("No key name for SFTP, aborting!")
sftpKeyname == "NO_RSA" -> {
log.warn("Explicitly using NO_RSA, sftp encryption is insecure!")
SimpleGeneratorHostKeyProvider(File("host.ser").toPath())
}
else -> KeyPairProvider.wrap(loadKeyPair(sftpKeyname))
}
setPasswordAuthenticator { username, password, _ ->
// current evil hack to prevent users from opening more than one session
if (activeSessions.any { it.username == username }) {
log.warn("User attempted multiple concurrent sessions!")
throw IllegalUserStateException("User already has a session!")
} else {
log.debug("new session for user $username")
// throws AuthenticationException
authenticationService.checkCredentials(username, password)
true
}
}
subsystemFactories = listOf(sftpSubsystemFactory)
fileSystemFactory = YellowSftpFilesystemFactory(ftpHome)
start()
log.info("SFTP server started on port $port")
}
(From my comment) you can set the property directly:
server.apply {
properties[ServerFactoryManager.MAX_CONCURRENT_SESSIONS] = 50L
}
I'm trying to connect to a database via SSL within Google Apps Script, referencing these docs. The error is:
Execution failed: Failed to establish a database connection. Check connection string, username and password.
I can use these exact same parameters from another db client (Sequel Pro) and it works fine. I've got the db accepting connections from any IP address (0.0.0.0/0).
I believe I've eliminated all the other variables (user name, password, etc. etc.), its only when I attempt to use SSL within Apps Script that it fails.
Can anyone provide a working example of connecting to a MySQL database with SSL within Google Apps Script?
My apps script:
function connectDb() {
var address = 'x.x.x.x'; // no, I'm not literally using x's in my ip address
var instanceUrl = 'jdbc:mysql://' + address + ':3306/';
var clientSslKey = '-----BEGIN RSA PRIVATE KEY-----\n' +
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
/* snip */
'-----END RSA PRIVATE KEY-----';
var clientSslCertificate = '-----BEGIN CERTIFICATE-----\n' +
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
/* snip */
'-----END CERTIFICATE-----';
var serverSslCertificate = '-----BEGIN CERTIFICATE-----\n' +
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n' +
/* snip */
'-----END CERTIFICATE-----';
// https://developers.google.com/apps-script/reference/jdbc/jdbc#getconnectionurl-info
var connParams = {
user: 'temp',
// no password set
_serverSslCertificate: serverSslCertificate,
_clientSslCertificate: clientSslCertificate,
_clientSslKey: clientSslKey,
};
var conn = Jdbc.getConnection(instanceUrl, connParams);
}
EDIT
I filed a bug here which got marked as a duplicate of this other one which as a "P2" priority. Maybe that means it will be fixed soonish?
I can confirm that I can connect to a MySQL database with SSL within Google Apps Script.
It's important to note useSSL=true is indeed necessary
I was able to get it working by following the example at https://issuetracker.google.com/issues/36761592#comment18 (relevant snippet repeated below):
var conn = Jdbc.getConnection('jdbc:mysql://<ip address>/<db name>?useSSL=true', {
user: '<user>',
password: '<pass>',
_serverSslCertificate: '-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----',
_clientSslCertificate: '-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----',
_clientSslKey: '-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----'
});
If you're using a Google Cloud SQL instance, you may want to consider using getCloudSqlConnection(). Presumably it's encrypted as well (based on the fact that I can indeed get a connection when the corresponding instance has "Only secured connections are allowed to connect to this instance." enabled), and, importantly, doesn't require you to manage (i.e. not lose control of) the key and certs yourself.
Hi I need help with assigning static IP addresses from Active Directory
I'm using FreeRadius version 3.0.10
I understand, that I should use LDAP atribute mapping, but with no success.
Trying to do something like
update reply {
Framed-IP-Address = &msRADIUSFramedIPAddress
}
also, msRADIUSFramedIPAddress is binary, so there should be some conversion.
I found this example where right side was
=&Atribute-of-type-Octets
but not sure if this would do something or just should a use some special atribute
While trying to run radius -X the msRADIUSFramedIPAddress is unknown atribute
I'm just so lost in this mapping, reading and trying several days.
I would really appreciate help.
Thank you
Juraj Lehotsky
In v3.1.x and I believe v3.0.x it will attempt an autocast between the types.
So in
mods-available/ldap
ldap {
update {
reply:Framed-IP-Address := 'msRADIUSFramedIPAddress'
}
}
Should work.
If not you'll need to do
mods-available/ldap
ldap {
update {
Tmp-Octets-0 := 'msRADIUSFramedIPAddress'
}
}
sites-available/default
authorize {
ldap
if (&Tmp-Octets-0) {
update reply {
Framed-IP-Address := &Tmp-Octets-0
}
}
}
I'm trying to create a user provider so that I can authenticate through an Active directory server.
The problem is that, unlike most other LDAP servers, Active directory doesn't allow to retrieve some user's password attribute, even encrypted.
Here is my User class :
class LdapUser implements UserInterface
{
private $username;
private $first_name;
private $last_name;
private $password;
private $salt;
private $roles;
public function __construct($username, $first_name, $last_name, $password, $salt, array $roles) {
$this->username = $username;
$this->first_name = $first_name;
$this->last_name = $last_name;
$this->password = $password;
$this->salt = $salt;
$this->roles = $roles;
}
...
}
And here is my loadUserByUsername method (In my UserProvider class) :
public function loadUserByUsername($username)
{
$server = "my_ldap_server";
$root_dn = "my_root_dn";
$root_pw = "my_root_pw";
$ds = ldap_connect($server);
if ($ds) {
ldap_bind($ds, $root_dn, $root_pw);
$search = ldap_search($ds, "my_branch", "(sAMAccountName=".$username.")", array("sn", "givenName"));
$info = ldap_get_entries($ds, $sr);
if($info['count'] > 0) {
$user = $info[0];
return new LdapUser($username, $user['givenName'][0], $user['sn'][0], '???PASSWORD???', '???SALT???', array('ROLE_USER'));
} else {
throw new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
}
ldap_close($ds);
} else {
echo "Connexion au serveur LDAP impossible";
}
}
As you can see, I can't pass the password to my LdapUser class, since it's not accessible through Active Directory.
However, I think it's still possible to authenticate te user, by doing a ldap_bind($username, $password) with the password entered by the user in the login form. The problem is I can't figure out how to access this password in my LdapUserProvider class.
I tried $_POST['password'] but I got an undefined index error...
Any help would be welcome :)
There are a few LDAP Authentication bundles ready to use.
As pointed out below, you can try FR3D/LdapBundle, but it needs FOSUserBundle to work. You can also try IMAG (BorisMorel/LdapBundle), if you don't want to (or don't need to) use FOSUserBundle. BorisMorel uses php-ldap to work, it requires no additional bundle nor any zend components.
Even if you don't want to use them, I'd suggest you check out BorisMorel's implementation for more information. The code's quite simple to understand as it's very straightforward.
Your code sets the authentication state of a connection by transmitting a bind request. Does this code attempt to search for an entry, retrieve the password from that entry and then bind as that distinguished name? If so, even if you could retrieve the password, a properly configured directory server will not allow the transmission of a pre-encoded password. Passwords should always be transmitted in clear text over a secure connection (TLS or SSL) so the server can perform password quality and history validation. Therefore, your code must know the clear-text password beforehand. Alternatively, a LDAP-compliant server might allow the use of a proxied authentication for certain entries.
see also
LDAP: Mastering Search Filters
LDAP: Search best practices
LDAP: Programming practices
Try FR3dLdapBundle
The 2.0.x branch has support with Active Directory if you install Zend\Ldap component from Zend Framework 2
I have an intranet server on a Windows domain (server is Windows 2003, IIS6, NTFS permissions). It is on the domain Domain01. I have users from two domains in the same forest that access this intranet: Domain01 and Domain02 (DCs also running Windows 2003). Currently, the users are required to login by entering either:
Domain01\username or username#Domain01
My users are completely and thoroughly confused by having to enter the domain each time they log in.
Is there any way to simply allow them to log in by entering just their username and password WITHOUT the domain? For example, have the server try Domain01 by default, and if the login fails to try Domain02?
NOTE: I would like to do this via IIS or server settings if possible, rather than programmatically (for reference, I am using ASP.NET 2.0).
Yes. Usually what I do is do a global catalog search using the supplied user name as the sAMAccountName. Doing this with a PrincipalSearcher requires getting the underlying DirectorySearcher and replacing it's SearchRoot. Once I find the corresponding user object I extract the domain from the user object's path and use that as the domain for the authentication step. How you do the authentication varies depending on what you need it to do. If you don't need impersonation you can use PrincipalContext.ValidateCredentials to make sure that the username/password match using a PrincipalContext that matches the domain of the user account that you previously found. If you need impersonation check out this reference.
// NOTE: implement IDisposable and dispose of this if not null when done.
private DirectoryEntry userSearchRoot = null;
private UserPrincipal FindUserInGlobalContext( string userName )
{
using (PrincipalSearcher userSearcher = new PrincipalSearcher())
{
using (PrincipalContext context
= new PrincipalContext( ContextType.Domain ))
{
userSearcher.QueryFilter = new UserPrincipal( context );
DirectorySearcher searcher
= (DirectorySearcher)userSearcher.GetUnderlyingSearcher();
// I usually set the GC path from the existing search root
// by doing some string manipulation based on our domain
// Your code would be different.
string GCPath = ...set GC path..
// lazy loading of the search root entry.
if (userSearchRoot == null)
{
userSearchRoot = new DirectoryEntry( GCPath );
}
searcher.SearchRoot = userSearchRoot;
using (PrincipalContext gcContext =
new PrincipalContext( ContextType.Domain,
null,
GCPath.Replace("GC://",""))
{
UserPrincipal userFilter = new UserPrincipal( gcContext );
userFilter.SamAccountName = userName;
userSearcher.QueryFilter = userFilter;
return userSearcher.FindOne() as UserPrincipal;
}
}
}
}