I am attempting to upgrade EJBCA.
I attempted to run this on ubuntu 20.04, locally, using wildfly 18. Wildfly 18 results in this error: "CAUSE: Client certificate or OAuth bearer token required."
I have tried this two ways, by importing the keystore, truststore and superadmin from another instance and by creating the CA fresh and using the resulting superadmin.p12.
The home page loads, but the administration gives me the following error:
"AUTHORIZATIONDENIED
CAUSE: Client certificate or OAuth bearer token required. "
I can really use some help with this.
Things I have tried:
(1) I have downloaded superadmin.p12 and imported it into my browsers
(2) I have attempted to upload the superdmin cert:
bin/ejbca.sh ca importcacert ${NAME} ${NAME}.cacert.pem -initauthorization -superadmincn SuperAdmin
This results in The CA certificate is already imported.
(3) Both my keystore.jks and truststore.jks are moved into /ejbca/p12 and /opt/wildfly/standalone/configuration/keystore
(4) I did set "web.reqcertindb=false"
(6) I did try to enable ssl on wildfly 14 (https://docs.bitnami.com/bch/infrastructure/wildfly/administration/enable-ssl-wildfly/)
(7) I have tried a fresh Management_CA as well
The log of /ejbca/adminweb:
"08:20:01,270 ERROR [org.ejbca.ui.web.admin.configuration.EjbcaJSFHelperImpl] (default task-4) org.cesecore.authentication.AuthenticationFailedException: Client certificate or OAuth bearer token required.
08:20:01,279 WARN [org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl] (default task-4) Language was not initialized for this session
08:20:01,279 WARN [org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl]
I can provide more information if needs be.
Thank you
So, I have it running today. Here is what I learned:
It seems that if you set wildfly up as a service (per instructions) it is going to set up wildfly to run with launch.sh. Launch.sh is going to result in a cipher mistmatch. I needed to run the standalone.sh file instead
Adminweb must be contacted on 8443
if you need to run this thing on domain setup your going to need to post another question
Best,
I'm trying to set up Microsoft AD like user repository for IBM MQ v9 Queue Manager , but without success. I read the document https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q085490_.htm, but it's very unclear with all those diagrams, dashes and arrows. My final goal is to have ability to grant or rewoke authorizations based od AD groups. Can someone give me complete commands example how to configure queue manager to use AD for user repository?
IBM MQ is v9.0.0.0 and runs on CentOS v7. Active Directory is on Windows Server 2019 machine.
I tried to set AUTHINFO with MQSC commands. All commands are executed without problems. After that I refreshed security and tried to grant authorizations with setmqaut command, but unsuccessful.
I tried with this below MQSC commands:
DEFINE AUTHINFO(MY.AD.CONFIGURATION) AUTHTYPE(IDPWLDAP) AUTHORMD(SEARCHGRP) FINDGRP(member) CONNAME('192.168.100.100') BASEDNG('OU=Groups,OU=MyCompany,DC=mycompany,DC=us') SHORTUSR('sAMAccountName') LDAPUSER('mybinduser') LDAPPWD('mypassword')
ALTER QMGR CONNAUTH(MY.AD.CONFIGURATION)
REFRESH SECURITY TYPE(CONNAUTH)
setmqaut -m MY.QUEUE.MANAGER -t qmgr -g myadgroup +all
After I execute command:
setmqaut -m MY.QUEUE.MANAGER -t qmgr -g myadgroup +all
This error is displyed i console: AMQ7026: A principal or group name was invalid.
And these below lines are recorded in queue manager log:
AMQ5531: Error locating user or group in LDAP
EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'myadgroup '. Returned count is 0.
Additional context is 'rc = 87 (Bad search filter)
[(&(objectClass=groupOfNames)(=myadgroup ))]'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
----- amqzfula.c : 2489 -------------------------------------------------------
On Active Directory side these lines are recorded in log:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: MYADSERVER$
Account Domain: MYDOMAINNAME
Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: mybinduser
Account Domain: MYDOMAINNAME
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Process Information:
Caller Process ID: 0x280
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: MYADSERVER
Source Network Address: 192.168.100.101
Source Port: 55592
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Here beleow is output of the command DIS AUTHINFO(MY.AD.CONFIGURATION) ALL
AMQ8566: Display authentication information details.
AUTHINFO(MY.AD.CONFIGURATION) AUTHTYPE(IDPWLDAP)
ADOPTCTX(NO) DESCR( )
CONNAME(192.168.100.100) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) CLASSGRP( )
CLASSUSR( ) FAILDLAY(1)
FINDGRP(MEMBER) BASEDNG(OU=Groups,OU=MyCompany,DC=mycompany,DC=us)
BASEDNU( )
LDAPUSER(CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us)
LDAPPWD( ) SHORTUSR(sAMAccountName)
GRPFIELD( ) USRFIELD( )
AUTHORMD(SEARCHGRP) NESTGRP(NO)
SECCOMM(NO) ALTDATE(2019-07-25)
ALTTIME(08.14.20)
Here below is output from LdapAuthentication.jar tool:
java -jar LdapAuthentication.jar ldap://192.168.100.100:389 CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us mybinduserpassword OU=MyCompany,DC=mycompany,DC=us sAMAccountName adminusername adminpassword
#WMBL3: successful bind
#WMBL3: successfull search Starting Authentication Found the user, DN is CN=adminusername,OU=MyCompany,OU=Users,OU=MyCompany,DC=mycompany,DC=us
#WMBL3 : check if the password is correct
#WMBL3: successful authentication
#WMBL3 : Commands for WebUI ldap authentication :
1. mqsisetdbparms <INodeName> -n ldap::LDAP -u "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us" -p mybinduserpassword
Or
mqsisetdbparms <INodeName> -n ldap::192.168.100.100 -u "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us" -p mybinduserpassword
2. mqsichangeproperties <INodeName> -b webadmin -o server -n ldapAuthenticationUri -v \"ldap://192.168.100.100:389/OU=MyCompany,DC=mycompany,DC=us?sAMAccountName\"
3. mqsiwebuseradmin <INodeName> -c -u adminusername -x -r <sysrole for eg: local userid >
Here below is qmanager log after I applied changes in my AUTHINFO what you suggested Jul 25.
AMQ5531: Error locating user or group in LDAP
EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'wasadmin'. Returned count is 0.
Additional context is 'rc = 1 (Operations error)
[(&(objectClass=GROUP)(SAMACCOUNTNAME=wasadmin))]'.
ACTION: Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
This is myadgroup full DN:
CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us
This is output of the setmqaut command with full group DN:
setmqaut -m MY.QUEUE.MANAGER -t qmgr -g 'CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us' +all
AMQ7047: An unexpected error was encountered by a command. Reason code is 2063.
And this is qmanager log after that command was executed:
AMQ5531: Error locating user or group in LDAP
EXPLANATION: The LDAP authentication and authorization service has failed in the ldap_search call while trying to find user or group 'CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us'.
Returned count is 0.
Additional context is 'rc = 1 (Operations error) [(objectClass=groupOfNames)]'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
If I try with CLASSGRP(GROUP) output of the setmqaut is:
AMQ7047: An unexpected error was encountered by a command. Reason code is 2063.
And qmqnager log is:
AMQ5531: Error locating user or group in LDAP
EXPLANATION: The LDAP authentication and authorization service has failed in the
ldap_search call while trying to find user or group
'CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us'.
Returned count is 0.
Additional context is 'rc = 1 (Operations error) [(objectClass=GROUP)]'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
Below is my last configured authinfo object:
AMQ8566: Display authentication information details.
AUTHINFO(MY.AD.CONFIGURATION) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR( )
CONNAME(192.168.100.100) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) CLASSGRP(group)
CLASSUSR(USER) FAILDLAY(1)
FINDGRP(member)
BASEDNG(OU=Groups,OU=MyCompany,DC=mycompany,DC=us)
BASEDNU(OU=Users,OU=MyCompany,DC=mycompany,DC=us)
LDAPUSER(CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us)
LDAPPWD( ) SHORTUSR(sAMAccountName)
GRPFIELD(sAMAccountName) USRFIELD(sAMAccountName)
AUTHORMD(SEARCHGRP) NESTGRP(NO)
SECCOMM(NO) ALTDATE(2019-08-07)
ALTTIME(08.44.40)
Based on the your output I noted that you did not set LDAPPWD which is used by MQ to authenticate the LDAPUSER that you specified.
This is supported by the windows error you provided:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: mybinduser
Account Domain: MYDOMAINNAME
Failure Information:
Failure Reason: Unknown user name or bad password.
In the output of LdapAuthentication.jar it appears that you have the correct password available:
CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us mybinduserpassword
You can either specify the LDAPPWD or you can blank out your LDAPUSER and see if your AD allows anonymous bind (this is rare).
I noted that you have some other fields left blank that probably need to be filled in. I also suggest you always use ADOPTCTX(YES).
Below is my suggested updates to your AUTHINFO object:
ALTER AUTHINFO(MY.AD.CONFIGURATION) +
AUTHTYPE(IDPWLDAP) +
AUTHORMD(SEARCHGRP) +
FINDGRP('member') +
ADOPTCTX(YES) +
CONNAME(192.168.100.100) +
CHCKCLNT(REQUIRED) +
CHCKLOCL(OPTIONAL) +
CLASSGRP(GROUP) +
CLASSUSR(USER) +
FAILDLAY(1) +
BASEDNG('OU=MyCompany,DC=mycompany,DC=us') +
BASEDNU('OU=MyCompany,DC=mycompany,DC=us') +
LDAPUSER('CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us') +
LDAPPWD(mybinduserpassword) +
SHORTUSR(sAMAccountName) +
GRPFIELD(sAMAccountName) +
USRFIELD(sAMAccountName) +
NESTGRP(NO) +
SECCOMM(NO)
*Note I have not tested this against AD, but I have setup IIB to authenticate the WebUI/REST calls against AD and also took inspiration from two presentations/write ups from Mark Taylor from IBM:
MQ Integration with Directory Services - Presented at MQTC v2.0.1.6
MQdev Blog: IBM MQ - Using Active Directory for authorisation in Unix queue managers
I was able to configure mbsync and mu4e in order to use my gmail account (so far everything works fine). I am now in the process of using mu4e-context to control multiple accounts.
I cannot retrieve emails from my openmailbox account whereas I receive this error
Reading configuration file .mbsyncrc
Channel ombx
Opening master ombx-remote...
Resolving imap.ombx.io... ok
Connecting to imap.ombx.io (*.*.10*.16*:*9*)...
Opening slave ombx-local...
Connection is now encrypted
Logging in...
IMAP command 'LOGIN <user> <pass>' returned an error: NO [AUTHENTICATIONFAILED] Authentication failed.
In other posts I've seen people suggesting AuthMechs Login or PLAIN but mbsync doesn't recognizes the command. Here is my .mbsyncrc file
IMAPAccount openmailbox
Host imap.ombx.io
User user#openmailbox.org
UseIMAPS yes
# AuthMechs LOGIN
RequireSSl yes
PassCmd "echo ${PASSWORD:-$(gpg2 --no-tty -qd ~/.authinfo.gpg | sed -n 's,^machine imap.ombx.io .*password \\([^ ]*\\).*,\\1,p')}"
IMAPStore ombx-remote
Account openmailbox
MaildirStore ombx-local
Path ~/Mail/user#openmailbox.org/
Inbox ~/Mail/user#openmailbox.org/Inbox/
Channel ombx
Master :ombx-remote:
Slave :ombx-local:
# Exclude everything under the internal [Gmail] folder, except the interesting folders
Patterns *
Create Slave
Expunge Both
Sync All
SyncState *
I am using Linux Mint and my isync is version 1.1.2
Thanks in advance for any help
EDIT: I have run a debug option and I have upgraded isync to version 1.2.1
This is what the debug returned:
Reading configuration file .mbsyncrc
Channel ombx
Opening master store ombx-remote...
Resolving imap.ombx.io... ok
Connecting to imap.ombx.io (*.*.10*.16*:*9*)...
Opening slave store ombx-local...
pattern '*' (effective '*'): Path, no INBOX
got mailbox list from slave:
Connection is now encrypted
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Openmailbox is ready to
handle your requests.
Logging in...
Authenticating with SASL mechanism PLAIN...
>>> 1 AUTHENTICATE PLAIN <authdata>
1 NO [AUTHENTICATIONFAILED] Authentication failed.
IMAP command 'AUTHENTICATE PLAIN <authdata>' returned an error: NO [AUTHENTICATIONFAILED] Authentication failed.
My .msyncrc file now contains these options instead
SSLType IMAPS
SSLVersions TLSv1.2
AuthMechs PLAIN
At the end, the solution was to use the correct password. Since openmailbox uses an application password for third-party e-mail clients I was using the wrong (original) password instead of the application password.
When sendmail is configured with password that starts with the character #, authentication is failed. Sendmail throwed an error that "AUTH=client, available mechanisms do not fulfill requirements".
Is this is a known issue.?
Is that a restriction with sendmail or ssl authentication or rules parsing?
Sample default-auth-info file :-
sendmailtest#gmail.com
sendmailtest#gmail.com
#12345678
smtp.gmail.com:587
LOGIN PLAIN DIGEST-MD5 CRAM-MD5 NTLM
LINUX platform
Sendmail version : 8.14.0
sasl version : 2.1.22
Thanks in advance for the help..
It seems that readauth function in sendmail/usersmtp.c file ignores lines starting
with #.
BTW Have you considered using FEATURE(authinfo) instead of confDEF_AUTH_INFO/DefaultAuthInfo?
Anyway makemap command also by default treats # as a comment indicator but it may be changed using -D command line option.
I have been doing a lot of research on ssh (openssh) and radius.
What I want to do:
SSH in to equipment with credentials (username and password) stored in either on a radius server or ldap store. I have been reading online and some people point to having an ldap server running in the background of your radius server. This will work, but will only work if the user is found in the local machine.
The problem:
Is there a way for me to ssh (or telnet) in to my equipment by logging in via a radius server that contains the credentials? if not is there a way for the client (the machine I am trying to connect to) get an updated list of credentials and store it locally from a central location (whether it be a radius server or an sql database etc).
I have been able to connect via Radius but only on accounts that are local, but for example if I try to connect with an account that does not exist locally (client-wise) I get "incorrect"
Here is the radius output:
Code:
rad_recv: Access-Request packet from host 192.168.4.1 port 5058, id=219, length=85 User-Name = "klopez"
User-Password = "\010\n\r\177INCORRECT"
NAS-Identifier = "sshd"
NAS-Port = 4033
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.4.200"
Code:
[ldap] performing user authorization for klopez[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> klopez
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=klopez)
[ldap] expand: dc=lab,dc=local -> dc=lab,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=lab,dc=local, with filter (uid=klopez)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "somepass"
[ldap] userPassword -> Password-With-Header == "somepass"
[ldap] looking for reply items in directory...
[ldap] user klopez authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "somepass"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> klopez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
I also have pam_radius installed, and its working (can log in on a account that exists locally). Although I read this and do not know if this is 100% accurate:
http://freeradius.1045715.n5.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-td2784316.html
and
http://fhf.org/archives/713
tl:dr:
I need to ssh into a machine that does not have a user/pass locally and that combination will be stored remotely, such as a radius server or ldap.
please advise
P.S.
The solution is preferable using radius server or ldap but not necessary. If there is an alternate please advise.
Thanks,
Kevin
You can configure SSH to authenticate directly against an LDAP server using PAM LDAP.
I've set it up myself on Debian Systems:
https://wiki.debian.org/LDAP/PAM
https://wiki.debian.org/LDAP/NSS
You need to have both PAM and NSS to get SSH working. You also need to enable PAM in your SSH configuration. Install the libnss-ldapd libpam-ldapd and nslcd packages on Debian (or Ubuntu) system.