I have a CentOS VM with an ready installed Pingaccess Server Testenvironment with access to the Pingaccess Admin UI.
Now I would need to set up an Agent-Authentification on the system but sadly have no experience configuring Pingaccess sofar. I also find it dificult to find documentation to complete my task.
I would appreciate any hints and pointers in right direction or information on how this kind of setup can be configured and what else I might need? Is it even possible to set it up in a local VM?
Here a slightly more detailed description of the scenario:
An application that itself is not able to use a corresponding protocol (Oauth, SAML2, ...) (e.g. a small PHP script or something similar) that cannot do anything other than output a user name that it reads from the HTTP headers.
Set up an Agent that extends the header attributes and e.g. something like Header-UserName. The application can then access the web server variables and use these values without having to worry about how the authentication works. The agent, on the other hand, can do the protocols and handle authentication via the server (here PingAccess).
Thanks a lot in advance.
Related
This is my first post under the Apache tag, so not sure if I have posted it in the correct spot. Apologies if it's not.
We recently had an audit done on our Apache server. It's running on a Windows Server 2012 R2, and I installed Apache 2.4.27 through WAMP.
The results from the Audit are fairly specific, but I don't know where to go in the Config file to fix these. My IMIT department has gone through a number of changes and we no longer have someone who can help me, so I'm stuck.
The three areas I need to correct are:
1) MISSING SECURITY HEADERS Recommendation: Implement HTTP security headers in the web applications to prevent exploitation of vulnerabilities.
2) Recommendation: Make sure that browsable directories do not leak confidential informative or give access to sensitive resources. Additionally, use access restrictions or disable directory indexing for any that do.
3) The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections. Recommendation: Disable these methods.
I have looked in the config and in various documentation online but the Windows install for Apache seems to be unique, and I don't want to risk screwing up something that breaks the install.
Any ideas would be greatly appreciated.
Chris
Find httpd.conf file. It should be in the conf folder in the localization where Apache is installed like for ex:
C:/Apache/Apache/conf/httpd.conf
If you're not sure where that is - open task manager, find httpd.exe and check it's properties.
Then add required configuration there.
Check out this helpful github:
https://github.com/h5bp/server-configs-apache/blob/master/dist/.htaccess
You can check your configuration files for syntax errors without starting the server by using apachectl configtest or the -t command line option.
I am studying LDAP server(ADLDS)
I figured out that extended operation is implemented in ldap server.
For example, oid(1.3.6.1.4.1.4203.1.11.3) stands for whoami command.
If I give 1.3.6.1.4.1.4203.1.11.3 to ldap server, server would respond who the user is.
In this situation, I hope to make my own command with new oid.
How can I make this possible?
Thank you.
Some LDAP directory servers will allow you to extend them and define your own extended operation. This needs code and some expertise in the internals of the server.
I would strongly recommend that you consider open source directory servers, if you want to pursue that route, as getting full access to the code will make things easier.
I have a file (or set of files under a directory) published on my web server. Each of this resource needs to be access-protected based on the user's credentials and authority.
The authorization details are stored in a DB, so I need to make a call to the Java code in application server to determine the access.
Everytime the user hits this particular path in the webserver, I need to ensure s/he has access to the requested resource by, ensuring he is logged in and has the necessary priveleges to access this resource.
The webserver is apache - Can you please point me to the settings in apache that allows me to secure resource access using the above logic?
Thanks for the suggestions to correct the Tag and the Question!:
My Web Server is Apache HTTPD
Agree that this is not a Java Question: The only reason why I am bringing the Java perspective, is that I am most likely going to use some Java POJOs to go and check for user authorization for a particular directory that is stored in the DB - That is unless there is a trick in the apache httpd configuration that goes and checks the DB automatically - something similar to the one that is pointed out here...At the end of the it, I need to check if a particular user (authenticated previously by the Single Sign On Server (Sun access manager)) has access to a particular directory (user mapping to directory stored in the DB) and protect the resources under the directory accordingly.
Please let me know if that clarifies.
i am not sure why this is tagged with java - unless your db structure is VERY sepcific, you might able to get it done with apache authz and authn:
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html
or, for an ovierview:
http://httpd.apache.org/docs/2.2/howto/auth.html
OpenDS provides command-line access to many necessary account functions via its manage-account utility. For example, to disable an account:
manage-account set-account-is-disabled --operationValue true
--baseDN uid=someuser,ou=People,dc=example,dc=com" --hostname hostname --port 389
--bindDN "cn=Directory Manager" --bindPassword password
This is fine and dandy is you have a sysadmin to administer your ldap server but in a scenario where you have 1000s of users all over the globe this becomes a problem (imagine a user locked out of their account in Japan while the sysadmin is asleep in the US). We'd like to be able to programmatically tie into some of these manage-account functions so we can provide local admins/managers the ability to manage their own users.
Can anybody provide any insight on if this is possible and if so how? We are writing this in C# and I can't find any examples on it. Looking at the .NET API docs I thought System.DirectoryServices.Protocols.ExtendedRequest looked promising but cannot figure out how to use it.
Any help would be greatly appreciated, thanks!
The Manage-Account tool uses an LDAP extended operation, which code is in opends/src/server/org/opends/server/extensions/PasswordPolicyStateExtendedOperation.java.
Alternately, you can check the OpenDJ LDAP SDK, which has support for the extended operation, and will allow you to quickly write a client application.
OpenDJ LDAP SDK is documented at http://opendj.forgerock.org/opendj-ldap-sdk/ (and the doc is in the developer's guide : http://opendj.forgerock.org/doc/dev-guide/OpenDJ-Dev-Guide.html).
Regards,
Ludovic
The source code for manage-account is available, one can re-create the encodings from there. Also, one could set up a directory server, run manage-account, record the steps the tool takes from the access log, then write code to re-create those steps.
I'm trying to publish my program so that it can get updates and am told I have to publish my changes to a web server or file share server, but I have no idea about how I can go about getting one...are there free ones that will perform what I need to accomplish?
Ok, I don't know what to do and comments seem to go ignored.
I've tried setting the publish location to sites.google.com/site/mysite.com/filecabinetpage/PQCMFILES
and I got an error saying I needed "Front Page Server Extension Capabilities".
I tried setting it to http://productivityquotient.hostzi.com/PQCMFILES/ and it told me:
Error 1 Failed to connect to 'http://productivityquotient.hostzi.com/PQCMFILES/' with the following error: Unable to create the Web site 'http://productivityquotient.hostzi.com/PQCMFILES'. An error occurred accessing your site configuration files. Authors - if authoring against a web server, please contact the webmaster for this server's site. Webmasters - please see the server's application event log for more details. 1 1 Contact Manager
I tried setting it to a directory on the microsoft site and it said: "unable to create directory. files moved" or something like that.
I can't host it on an ftp server if I intend to use the updates feature and I don't know what to do...
Maybe Microsoft's free web hosting will allow you to do this.
000webhost.com is actually a pretty reliable host, with decent and free advertisement-free hosting. It also supports typical web server things such as FTP access, cpanel and e-mail accounts.
Their limit on free hosting is basically low disk space (1.5 GB) and bandwidth (100 GB/mo) and some minor content restriction. If that seems fine for you, then I highly recommend it. Even on free accounts, their ticket response time is blazing.
NearlyFreeSpeech, while not free, lets you host your application on a pay as you go plan. There are free web-hosts, but most lack the features of costies, such as FTP access.