OpenVPN CE LDAP with Google disable other certificates? - ldap

I have an OpenVPN CE server running with self-signed certificates.
I wanted to add Google LDAP functionality as well.
So I did.
But it seems I cannot use my old certificates anymore, as it asks for a username/password now that LDAP is configured.
Is there a way to have both authentication processes working at the same time?
Thx!

Maybe the question was not clear.
Is there a way to bypass LDAP Authentication for some users on OpenVPN CE ?
I want my network server to connect automatically, using certs, but not LDAP.
Thanks !

Related

Install free SSL https for port forwarding address

I have Mattermost installed on my local server; currently I log in to it using http://192.168.x.x:8065, and I've set up DDNS port forwarding for it, which means I can log in to Mattermost using http://xxx.ddns.net:8065 as well.
Now I'm going to set up HTTPS/SSL for it. I tried using a self-signed certificate, and it seems to work fine when I log in from my desktop (Chrome, Firefox, desktop app).
But when it comes to the iPhone native app, Mattermost triggers this error message:
Please check connection, Mattermost unreachable. If issue
persists, ask administrator to check WebSocket port.
and now none of the messages coming to Mattermost are shown, and there are no notifications at all, until we manually refresh the app.
Is there any suggestion for overcoming this issue? Is it because the iPhone blocks any untrusted/self-signed certificate?
Thank you.
Best regards,
Kong
You are correct that the iPhone does not trust your self-signed certificate out of the box. An easier way to get this working would be to get a free SSL certificate for xxx.ddns.net using a service like Let's Encrypt, which will be trusted out of the box by your iPhone.
This is especially straightforward to do with Mattermost, as it has built-in support for using a Let's Encrypt certificate. You can configure this by following the steps in the documentation here.

Does LDAP over SSL require a cert on the client?

I am trying to resolve a problem whereby trying to set a user's password over LDAP is failing because of an access-denied error, even though I am authenticating against the AD with an admin user.
An answer found on Stack Overflow says that either I have to run the IIS user as the admin user (which does work) or I should connect to LDAP via SSL.
I can't go with the first option because I am using Elastic Beanstalk, which will create and terminate instances, so I can't change/set the user that IIS will be running as. So I am trying to use the LDAP over SSL idea.
My question is: does that still require that the client itself also have a certificate installed in order to establish trust with the domain controller? Or does this work just by installing a cert on the domain controller and allowing the connection over SSL?
If it requires a certificate on the client, then I have the same problem, as I can't install anything on the client server other than the deployed app, since Beanstalk is going to recreate and terminate that instance at will.
So does LDAPS require a cert on the client?
Is there a better way to solve my problem given the infrastructure I am using?
So does LDAPS require a cert on the client?
No, LDAPS does not require a client certificate. A domain controller certificate is sufficient to utilize LDAPS. More details about LDAPS and the certificate requirement: LDAP over SSL (LDAPS) Certificate
trying to set a users password over LDAP is failing because of an access denied error
There might be over 9000 reasons why you receive this message. You need to check whether you are successfully authenticated on the DC; if yes, check whether you have the permissions and privileges (especially if UAC is enabled). I would set up audit policies (on failed user password changes) and check the Security event log to figure out what is going wrong.
No.
For OpenLDAP, I achieved this by adding this line to ldap.conf. But be aware that when you do that, your connections will be open to attacks like man-in-the-middle or others.
TLS_REQCERT never
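For comparison, here is the weak directive from the answer above beside a hardened OpenLDAP client configuration; this is an added illustration, not part of the original answer, and the hostname, base DN and CA path are assumed placeholders:

```conf
# /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on Debian-based systems)
# Assumed values: ldap.example.com, dc=example,dc=com and the CA path are placeholders.

URI         ldaps://ldap.example.com:636
BASE        dc=example,dc=com

# Weak: "never" skips server certificate verification entirely, so any host
# that answers on port 636 is accepted and an attacker can sit in the middle.
# TLS_REQCERT never

# Hardened: trust only the CA that issued the LDAP server's certificate ...
TLS_CACERT  /etc/ssl/certs/ldap-ca.pem
# ... and refuse the session if the server presents no certificate or a
# certificate that fails verification against that CA.
TLS_REQCERT demand

# If the server also requires client authentication (the serverClientAuth case),
# TLS_CERT and TLS_KEY are user-only options and belong in ~/.ldaprc, not here:
#   TLS_CERT  ~/.ldap/client-cert.pem
#   TLS_KEY   ~/.ldap/client-key.pem
```

With `TLS_REQCERT demand` a failing `ldapsearch -H ldaps://...` against the server is the expected result for a wrong or missing CA, which is the signal that the chain is not yet trusted rather than a reason to fall back to `never`.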
This is what I found using a trial-and-error approach:
Actually, the LDAPS server always asks for a client certificate. You can verify that by turning on the SCHANNEL log and observing the following message:
If there is no client authentication certificate, then the LDAPS connection still succeeds, i.e. no client authentication certificate is required indeed. But if you have some invalid client authentication certificate (in my case it was an expired cert installed long ago by a third-party app), the connection will fail without any error or warning in the SCHANNEL log on the client side. It took me a while to figure this out.
Yes, of course your client needs a certificate to allow LDAPS communication between it and the server.
According to windowsitpro.com:
"As an option, you can use LDAPS for client authentication -- but doing so requires that you also install a client authentication certificate on each of your clients."

Jxplorer certificate for ldap

I don't know if anyone is familiar with Tivoli Directory Server (LDAP), but I guess there is something more or less the same in every LDAP server.
So, there is a setting for SSL authentication which can be serverClientAuth or serverAuth. With serverAuth it is sufficient for the server to provide the certificate, and the client (JXplorer) just accepts it to connect. With serverClientAuth, apart from the certificate provided by the server, the client also needs to have its certificate on the server.
In my setup I have the serverClientAuth setting. So I was wondering if it is possible for JXplorer to provide the client certificate to the LDAP server.
Any thoughts are welcome. Thanks.
Yes, it is possible, and there is a menu provided specifically for that purpose, which lets you define the keystore, truststore, and various other SSL settings.

Support for LDAP over SSL

How can I know whether my application (using LDAP/Exchange server and Exchange Web Services) supports LDAP over SSL?
I am new to this concept. I do not know the concept of an SSL certificate either. Can anyone explain it to me in simple terms? Please reply as soon as possible. I need it to use.
Thanks in advance.
Your Exchange admin needs to set up LDAPS, which is the secure version of LDAP.
I got the solution; here are the links... enjoy.
verify LDAP over SSL
Enable LDAP over SSL/ LDAPS

How to configure Tomcat to use Windows NTLM authentication?

I would like to use NTLM authentication with Tomcat so that Internet Explorer automatically sends both the user ID and password to the webapp. Is this possible?
With "BASIC" authentication IE pops up the usual password dialog, but I want to skip this dialog. (Note: I use JNDIRealm/LDAP.)
Yes, it's now possible with the Waffle Tomcat Authenticator, which supports Negotiate (NTLM v1, v2, etc., and Kerberos).
Tutorial:
http://code.dblock.org/ShowPost.aspx?id=103
Waffle:
http://dblock.github.io/waffle/
Waffle works on Windows Server only.
Yes, it is. The Tomcat Wiki references documentation about Samba code that enables Tomcat to do NTLM authentication.
The Samba community implemented a Servlet filter that allows you to authenticate users against a domain controller.
Alternatively, if you're on a Windows server, you can have IIS do the authentication and redirect requests to Tomcat. Here's the documentation: http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
JCIFS is now (2011) deprecated (it does not support NTLM v2).
JESPA is not free but may work out for you.
Waffle is Windows Server only.
You may want to check out UnboundID's LDAP solution www.unboundid.com/products/ldapsdk/
Haven't tried it yet but seems like a compromise.
Here is a quick comparison between the UnboundID SDK, JNDI and the Netscape SDK: www.unboundid.com/products/ldap-sdk/docs/advantages/comparison.php . It may be biased since it's on UnboundID's website, but hey, it gives you a good idea why you might consider it.
People from the JCIFS project (the one referenced in mkoller's answer) say that the solution they provide is not compatible with NTLMv2...
http://jcifs.samba.org/src/docs/ntlmhttpauth.html
You should check http://www.ioplex.com/jespa.html, which is not free...
I have used JCIFS, Waffle and IIS side by side.
JCIFS does not support NTLM v2, and sometimes prompts users.
Waffle supports NTLM v2, but sometimes prompts the user.
IIS is the only solution where promptless NTLM authentication works 100% of the time.