RADIUS with Azure Active Directory Domain Services (LDAP and NPS) - ldap

I have deployed AADDS on my AzureAD domain.
I have changed passwords of users to generate the initial sync hash.
I have created a FreeRADIUS VM on Ubuntu 18.04 LTS, inside the AADDS subnet, capable of connecting through LDAP with a user in the "AAD DC Administrators" group.
I have set up a Ubiquiti UniFi UAP nanoHD WPA2 Enterprise wireless network with a RADIUS profile that authenticates against the FreeRADIUS VM.
Testing Wi-Fi login with an iPhone XR and a Windows 10 laptop.
The initial LDAP bind authentication is successful.
The user is matched successfully in the directory.
User attributes are processed with warnings.
(2) ldap: Processing user attributes
(2) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(2) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
Authentication fails since there is no mapped "User-Password" attribute available.
(2) [ldap] = ok
(2) if ((ok || updated) && User-Password) {
(2) if ((ok || updated) && User-Password) -> FALSE
(2) [expiration] = noop
(2) [logintime] = noop
(2) } # authorize = ok
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(2) Failed to authenticate the user
I have researched and tried the following.
"ntlm_auth" is not possible at the moment because of Samba limitations (only for Azure Files).
Changing the value of "dsHeuristics" in the Active Directory settings to enable "userPassword" attribute is not possible because of permissions limitations of AADDS.
***Call Modify...
ldap_modify_s(ld, 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com',[1] attrs);
Error: Modify: Insufficient Rights. <50>
Server error: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Error 0x2098 Insufficient access rights to perform the operation.
My settings are exactly as shown at https://stackoverflow.com/a/55931232/5163441
This person claims it works as is for him, so it is finding an attribute to compare the password against.
I don't see any relevant attribute I could use for authentication.
Dn: CN=John Smith,OU=AADDC Users,DC=example,DC=com
accountExpires: 9223372036854775807 (never);
badPasswordTime: 0 (never);
badPwdCount: 0;
cn: John Smith;
codePage: 0;
countryCode: 0;
displayName: John Smith;
distinguishedName: CN=John Smith,OU=AADDC Users,DC=example,DC=com;
dSCorePropagationData (2): 8/13/2019 7:53:04 PM Coordinated Universal Time; 0x0 = ( );
instanceType: 0x4 = ( WRITE );
lastLogoff: 0 (never);
lastLogon: 8/14/2019 6:17:50 PM Coordinated Universal Time;
lastLogonTimestamp: 8/14/2019 4:05:51 PM Coordinated Universal Time;
logonCount: 4;
mail: jsmith@example.com;
memberOf (13): OU=AADDC Users,DC=example,DC=com; CN=AAD DC Administrators,OU=AADDC Users,DC=chr,DC=cl;
msDS-AzureADMailNickname: jsmith;
msDS-AzureADObjectId: <ldp: Binary blob 16 bytes>;
name: John Smith;
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com;
objectClass (4): top; person; organizationalPerson; user;
objectGUID: a8123123-3f4f-4123-9123-b530ff123123;
objectSid: S-1-5-21-545123123123-358123123-844123123-1123;
preferredLanguage: en-US;
primaryGroupID: 513 = ( GROUP_RID_USERS );
pwdLastSet: 8/14/2019 2:19:10 PM Coordinated Universal Time;
sAMAccountName: jsmith;
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT );
userAccountControl: 0x200 = ( NORMAL_ACCOUNT );
userPrincipalName: jsmith@example.com;
uSNChanged: 30696;
uSNCreated: 20588;
whenChanged: 8/14/2019 4:06:06 PM Coordinated Universal Time;
whenCreated: 8/13/2019 7:21:29 PM Coordinated Universal Time;
I have yet to test Kerberos and maybe OAuth2.
EDIT:
I hadn't checked the packets being sent by the client, and there was something I hadn't studied before.
Sending a plain-text login with a tool such as NTRadPing authenticates correctly, since the request contains the "User-Password" attribute.
On the other hand, logging in through Wi-Fi will usually be an "EAP" hashed password.
(10) Received Access-Request Id 21 from 10.0.0.50:56480 to 10.0.0.10:1812 length 217
(10) User-Name = "jsmith@example.com"
(10) NAS-Identifier = "18e829123123"
(10) Called-Station-Id = "18-E5-39-B1-E3-D1:Test"
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Calling-Station-Id = "C0-91-C0-58-BA-AC"
(10) Connect-Info = "CONNECT 0Mbps 802.11a"
(10) Acct-Session-Id = "7394227D45123123"
(10) WLAN-Pairwise-Cipher = 1123123
(10) WLAN-Group-Cipher = 1123123
(10) WLAN-AKM-Suite = 1123123
(10) Framed-MTU = 1400
(10) EAP-Message = 0x02fe001231236d617274696e657a40636872123123
(10) Message-Authenticator = 0x5fd0a8123123984b6b996f2941123123
I will continue researching.
EDIT 2:
I cannot find a viable way to do this as of now, but I have found another way to make RADIUS work with AADDS, through NPS.
Create a Windows Server VM in the AADDS subnet and install the NPS role.
Configure NPS, but don't register it in the domain, since that won't work: AADDS doesn't give you the required permissions to do so.
Point your RADIUS client at this NPS server and it will still work; the NPS server doesn't have to be registered in the domain for RADIUS to work.
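The two EDITs above come down to what is actually inside the Access-Request. A PAP request (NTRadPing) carries User-Password, which is only reversibly obfuscated with the shared secret (RFC 2865 5.2), so the server recovers the cleartext and can bind to LDAP as the user. The Wi-Fi request in the capture carries an EAP-Message instead: at this stage it is just the EAP Identity response, and the password proof that follows in the usual Wi-Fi methods (PEAP with MSCHAPv2) is an NT-hash challenge/response that a plain LDAP bind cannot verify. The script below is an added example, not code from the post or from FreeRADIUS: it encodes and decodes both kinds of request, verifies Message-Authenticator (RFC 2869 5.14, mandatory whenever EAP-Message is present per RFC 3579), and mirrors the page's `if ((ok || updated) && User-Password)` decision. The shared secret, identities, passwords and Request Authenticators are constructed values, not taken from the capture.

```python
"""RADIUS Access-Request encoder/decoder showing why PAP can be checked
against LDAP and an EAP request cannot. Added example; all packets are
constructed here, not captured."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

SECRET = b"testing123"  # constructed shared secret (assumption, not from the page)


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    Reversible with the shared secret, which is what lets the server bind to LDAP."""
    padded = password + b"\x00" * (-len(password) % 16) or bytes(16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def decode_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")  # strips the padding (and any trailing NUL in the password)


def attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Serialise the request and append Message-Authenticator: HMAC-MD5 over the
    whole packet with that attribute's value zeroed (RFC 2869 5.14)."""
    body = b"".join(attr(t, v) for t, v in attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_access_request(pkt: bytes):
    """Return (ident, request_auth, [(type, value, value_offset)]), bounds-checking
    every AVP so a bad length can neither loop nor over-read."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated AVP header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad AVP length")
        attrs.append((atype, pkt[off + 2:off + alen], off + 2))
        off += alen
    return ident, pkt[4:20], attrs


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    pkt = pkt[:struct.unpack("!H", pkt[2:4])[0]]
    for atype, value, voff in parse_access_request(pkt)[2]:
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:voff] + bytes(16) + pkt[voff + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # RFC 3579: required on any request carrying EAP-Message


def authorize(pkt: bytes, secret: bytes):
    """Mirror of the page's FreeRADIUS flow: ldap may return 'ok' for the lookup,
    but `if ((ok || updated) && User-Password)` only picks PAP when a recoverable
    password is in the request. An EAP request has only an EAP-Message."""
    if not verify_message_authenticator(pkt, secret):
        return ("REJECT", b"bad or missing Message-Authenticator")
    _, request_auth, attrs = parse_access_request(pkt)
    by_type = {}
    for atype, value, _ in attrs:
        by_type.setdefault(atype, []).append(value)
    if ATTR_USER_PASSWORD in by_type:
        return ("PAP", decode_user_password(by_type[ATTR_USER_PASSWORD][0], secret, request_auth))
    if ATTR_EAP_MESSAGE in by_type:
        eap = b"".join(by_type[ATTR_EAP_MESSAGE])  # fragments concatenate in order
        code, _eid, elen = struct.unpack("!BBH", eap[:4])
        if code == EAP_CODE_RESPONSE and elen >= 5 and eap[4] == EAP_TYPE_IDENTITY:
            return ("EAP", eap[5:elen])  # identity only: no password material at all
        return ("EAP", b"")
    return ("NONE", b"")  # FreeRADIUS: "No Auth-Type found"


def sample_pap_request() -> bytes:
    """Constructed NTRadPing-style request; fixed Request Authenticator for reproducibility."""
    request_auth = bytes(range(16))
    return build_access_request(10, request_auth, [
        (ATTR_USER_NAME, b"jsmith@example.com"),
        (ATTR_USER_PASSWORD, encode_user_password(b"Sup3r!", SECRET, request_auth)),
    ], SECRET)


def sample_eap_identity_request() -> bytes:
    """Constructed first packet of a Wi-Fi (802.1X) logon: EAP Response/Identity."""
    request_auth, identity = bytes(range(16, 32)), b"jsmith@example.com"
    eap = struct.pack("!BBH", EAP_CODE_RESPONSE, 0xFE, 5 + len(identity)) + bytes([EAP_TYPE_IDENTITY]) + identity
    return build_access_request(21, request_auth, [
        (ATTR_USER_NAME, identity),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        (ATTR_EAP_MESSAGE, eap),
    ], SECRET)


if __name__ == "__main__":
    print(authorize(sample_pap_request(), SECRET))           # ('PAP', b'Sup3r!')
    print(authorize(sample_eap_identity_request(), SECRET))  # ('EAP', b'jsmith@example.com')
```

The PAP branch returns the cleartext because the obfuscation is keyed only by the shared secret and the Request Authenticator, which is also why that secret and the RADIUS transport need protecting. The EAP branch never yields anything an LDAP simple bind could use, so with AADDS refusing to expose a password hash the remaining options are the ones the post ends on: an NT-hash-capable authenticator such as NPS, or certificate-based EAP-TLS.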

Related

Send transaction on local avalanche node using geth

I've spun up a local avalanche network using the avalanche network runner and I've successfully connected to it using geth:
❮❮❮ geth attach ws://127.0.0.1:35260/ext/bc/C/ws
Welcome to the Geth JavaScript console!
instance: v0.8.4-rc.3
coinbase: 0x0100000000000000000000000000000000000000
at block: 0 (Wed Dec 31 1969 18:00:00 GMT-0600 (CST))
modules: eth:1.0 net:1.0 rpc:1.0 web3:1.0
To exit, press ctrl-d or type exit
I'm trying to send a transaction from one account to another. I've found that this avalanche network pre-seeds account 0x8db97C7cEcE249c2b98bDC0226Cc4C2A57BF52FC with some ETH based on this comment and confirmed it using geth:
> eth.getBalance("0x8db97C7cEcE249c2b98bDC0226Cc4C2A57BF52Fc")
5e+25
However, when I try to send a transaction from this account, it fails:
> eth.getBalance("0x8db97C7cEcE249c2b98bDC0226Cc4C2A57BF52Fc")
5e+25
> eth.sendTransaction({from:"0x8db97C7cEcE249c2b98bDC0226Cc4C2A57BF52FC", to:"0x8db97C7cEcE249c2b98bDC0226Cc4C2A57BF52FD", value: web3.toWei(0.05, "ether")})
Error: unknown account
at web3.js:6365:37(47)
at send (web3.js:5099:62(35))
at <eval>:1:20(15)
I suspect it's because I don't have the account in the list of accounts:
> eth.accounts
[]
I've tried to import the account using geth account import <path to keyfile> but that did not result in eth.accounts having an entry.
I've also tried to use the personal.importRawKey function, but that doesn't work either:
> personal.importRawKey("56289e99c94b6912bfc12adc093c9b51124f0dc54ac7a766b2bc5ccf558d8027", "lol")
Error: the method personal_importRawKey does not exist/is not available
at web3.js:6365:37(47)
at send (web3.js:5099:62(35))
at <eval>:1:22(5)
> personal
{
listAccounts: undefined,
ecRecover: function(),
getListAccounts: function(callback),
importRawKey: function(),
lockAccount: function(),
newAccount: function github.com/ethereum/go-ethereum/internal/jsre.MakeCallback.func1(),
openWallet: function github.com/ethereum/go-ethereum/internal/jsre.MakeCallback.func1(),
sendTransaction: function(),
sign: function github.com/ethereum/go-ethereum/internal/jsre.MakeCallback.func1(),
unlockAccount: function github.com/ethereum/go-ethereum/internal/jsre.MakeCallback.func1()
}
Do I need to import this account? If so, how?
How do I send a transaction using geth on a local avalanche network using the default funded address by the avalanche network runner?
Turns out I was on the right track with importing the private key but I had to enable the personal namespace in the avalanche node.
The personal namespace can be enabled by adding internal-private-personal to the C Chain config being used by the node.
Once this namespace is enabled, you can connect to your node with geth and issue
> personal.importRawKey("56289e99c94b6912bfc12adc093c9b51124f0dc54ac7a766b2bc5ccf558d8027", "lol")
"0x8db97c7cece249c2b98bdc0226cc4c2a57bf52fc"
> personal.unlockAccount("0x8db97C7cEcE249c2b98bDC0226Cc4C2A57BF52FC", "lol", 300)
which then enables the account for spending.

User login history in whole Domain

I'm looking for a way to get the login history for a specific username.
I have tried these ways, but they didn't work:
1. Event ID 4624
It only shows logons to the DC itself, not the entire domain. E.g. a user logs in to the DC, and Event Viewer logs this as an event with event ID 4624. But if a user logs in to another server (not a DC), nothing is logged in the DC's Event Viewer.
2. Event ID 4769
It's about the tickets that the DC creates and assigns. But it wasn't helpful.
So how can I get the login history of a user in entire domain?
I reproduced your scenario and got the expected result.
Event ID 4624 - An account was successfully logged on.
This event records every successful attempt to log on to the local computer. It includes critical information about the logon type (e.g. interactive, RemoteInteractive, batch, network, or service), SID, username, network information, and more. Monitoring this particular event is crucial, as the information regarding logon type is not found in DCs. You can get a user login history report without having to manually crawl through the event logs.
Open the PowerShell ISE → Run the following script, adjusting the timeframe:
# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *
# Define time for report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)
# Store successful logon events (ID 4624) from each DC's Security log since $startDate in one array.
# Append with += : a plain assignment inside the loop would keep only the last DC's events.
$slogonevents = @()
foreach ($DC in $DCs) {
    $slogonevents += Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $startDate | Where-Object { $_.EventID -eq 4624 }
}
# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely.
# ReplacementStrings positions for 4624: [5] TargetUserName, [8] LogonType, [11] WorkstationName, [18] IpAddress
foreach ($e in $slogonevents) {
    # Logon Successful Events
    # Local (Logon Type 2)
    if ($e.ReplacementStrings[8] -eq 2) {
        Write-Host "Type: Local Logon`tDate: $($e.TimeGenerated)`tStatus: Success`tUser: $($e.ReplacementStrings[5])`tWorkstation: $($e.ReplacementStrings[11])"
    }
    # Remote (Logon Type 10)
    if ($e.ReplacementStrings[8] -eq 10) {
        Write-Host "Type: Remote Logon`tDate: $($e.TimeGenerated)`tStatus: Success`tUser: $($e.ReplacementStrings[5])`tWorkstation: $($e.ReplacementStrings[11])`tIP Address: $($e.ReplacementStrings[18])"
    }
}
Reference : Active Directory: How to Get User Login History using PowerShell - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)
You can also try an easier alternative: a tool like ADAudit Plus audits specific logon events as well as current and past logon activity to provide a list of all logon-related changes for a particular user.
Step 1: Download ADAudit Plus on your VM and install it.
Step 2: Add your server name, username and password.
Step 3: Follow the picture below to get the logon details of a particular user.
Reference : https://www.manageengine.com/products/active-directory-audit/kb/ad-user-login-history-report.html

freeradius + ldap 389 DS

I'm using the FreeRADIUS server to return the group name; the LDAP server is 389 DS:
In /etc/raddb/mods-enabled/ldap:
ldap {
server = 'freeipa.dc=server,dc=example,dc=com'
# port = 389
# identity = 'cn=admin,dc=server,dc=example,dc=com'
# password = mypass
base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
...
}
group {
base_dn = 'cn=groups,cn=accounts,dc=server,dc=example,dc=com'
name_attribute = cn
membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
membership_attribute = memberOf
...
}
The debug:
rlm_ldap (ldap): Reserved connection (2)
(0) Using user DN from request "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
(0) Checking for user in group objects
(0) EXPAND (&(cn=ipausers)(objectClass=ipausergroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(0) --> (&(cn=ipausers)(objectClass=ipausergroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))
(0) Performing search in "cn=ipausers,cn=groups,cn=accounts,dc=server,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=ipausergroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
(0) Waiting for search result...
(0) Search returned no results
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
But the filter isn't returning any results ("(0) Search returned no results")! Am I missing something?
Thanks,

Geth with clique block sealing without unlock account

Hello, I have a local blockchain with a Geth client, 2 nodes and the Clique proof-of-authority algorithm.
I start geth with this command:
geth --datadir node2/ --syncmode 'full' --port 30312 \
  --rpc --rpcport 8546 --rpccorsdomain "*" \
  --ipcpath geth.ipc --rpcapi 'personal,db,eth,net,web3,txpool,miner' \
  --bootnodes 'enode://702efed8e606...ad041b4371a91989@127.0.0.1:30310' \
  --networkid 2456 --gasprice '1' --mine \
  --unlock '0x46004DEAfddb60d11cA04501df8C52aE4679Be8f' --password password.txt
but because of --unlock, now everyone can transfer ether from this account to some other account
like so:
const Web3 = require("web3");
const web3Client = new Web3(new Web3.providers.HttpProvider("http://localhost:8546"));
(async () => {
  // No key or signature needed from the caller: the node signs with the unlocked account
  await web3Client.eth.sendTransaction({
    from: "0x46004DEAfddb60d11cA04501df8C52aE4679Be8f",
    to: "0xE77e5634A46153e1cfCa02350cf212BdbC18fbC6",
    value: 23
  });
})();
but if I remove --unlock from the geth command I can no longer seal blocks
WARN [06-01|14:44:52] Block sealing failed err="authentication needed: password or unlock"
Is it possible to seal blocks some other way, so I won't have to unlock the account anymore?
Unfortunately, geth needs access to the private key to sign transactions, so you have to have it unlocked, otherwise it can't sign.
What you can do is have this node signing, and get rid of
--ipcpath geth.ipc --rpcapi 'personal,db,eth,net,web3,txpool,miner'
instead, give the rpc to another node without an unlocked account.
Use this other node for all your interactions, and allow the first one to sign.
Cheers;
Evan

Schema violation exception when exporting to LDAP is enabled

I have configured Liferay to use an LDAP server, which works fine as long as Import is enabled.
As soon as I switch on the Export enabled option and a user tries to log in, it throws an exception. Strangely, the user from Liferay is exported to the LDAP server.
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 67 - NOT_ALLOWED_ON_RDN: failed for MessageType : MODIFY_REQUEST
Message ID : 6
    Modify Request
        Object : 'cn=johndoe+mail=johndoeldap@liferay.com+sn=doe,dc=example,dc=com'
            Modification[0]
                Operation : replace
                Modification
sn: doe
            Modification[1]
                Operation : replace
                Modification
sn: doe
            Modification[2]
                Operation : replace
                Modification
givenName: johndoe
            Modification[3]
                Operation : replace
                Modification
mail: johndoeldap@liferay.com
            Modification[4]
                Operation : replace
                Modification
cn: doe doe
org.apache.directory.api.ldap.model.message.ModifyRequestImpl@32d7606a: ERR_62 Entry cn=johndoe+mail=johndoeldap@liferay.com+sn=doe,dc=example,dc=com does not have the cn attributeType, which is part of the RDN"]; remaining name 'cn=johndoe+mail=johndoeldap@liferay.com+sn=doe,dc=example,dc=com'
[Sanitized]
After configuring LDAP on Liferay, I am able to connect to LDAP correctly and view users too.
Below is the user mapping configuration
Below is export and Group mapping config
LDAP config
I got it sorted out by correcting the user field mapping.
While importing, data was imported from LDAP without any exceptions, but while exporting the data to LDAP there was duplication: the 'cn' attribute was used multiple times in the mapping (both for Screen name and Full name), whereas it must be used only once. So even though the user data was exported from Liferay, this led to the SchemaViolationException and did not allow the user to log in to the portal.