We Keep Coding

How do I authenticate against ldap.google.com?

I was able to connect ldaps://ldap.google.com using the downloaded cert.
I'm trying to do the user authentication against it, always failed
My settings, we are using GSuite Business plus planning.
The connection url: ldaps://ldap.google.com
edit mode: read only
users DN: dc=xxxx,dc=xx (no filter applied)
search scope: subtree
Bind type:
When I set it to ‘none’ I get error: “error during sync of users” in server log:
error code 50: insufficient access rights
Uncaught server error: LDAP query failed.
When I enter a user:
User + #domain = LDAP: error 50 - Not authorized to authenticate password
User without #domain = error 49 - Incorrect password
User in DN = uid or cn=xxxx, ou=xxxx - error 50 - Not authorized to authenticate password
Anything I'm missing? or google ldap don't allow it?

mbsync authentication failed

I was able to configure mbsync and mu4e in order to use my gmail account (so far everything works fine). I am now in the process of using mu4e-context to control multiple accounts.
I cannot retrieve emails from my openmailbox account whereas I receive this error
Reading configuration file .mbsyncrc
Channel ombx
Opening master ombx-remote...
Resolving imap.ombx.io... ok
Connecting to imap.ombx.io (*.*.10*.16*:*9*)...
Opening slave ombx-local...
Connection is now encrypted
Logging in...
IMAP command 'LOGIN <user> <pass>' returned an error: NO [AUTHENTICATIONFAILED] Authentication failed.
In other posts I've seen people suggesting AuthMechs Login or PLAIN but mbsync doesn't recognizes the command. Here is my .mbsyncrc file
IMAPAccount openmailbox
Host imap.ombx.io
User user#openmailbox.org
UseIMAPS yes
# AuthMechs LOGIN
RequireSSl yes
PassCmd "echo ${PASSWORD:-$(gpg2 --no-tty -qd ~/.authinfo.gpg | sed -n 's,^machine imap.ombx.io .*password \\([^ ]*\\).*,\\1,p')}"
IMAPStore ombx-remote
Account openmailbox
MaildirStore ombx-local
Path ~/Mail/user#openmailbox.org/
Inbox ~/Mail/user#openmailbox.org/Inbox/
Channel ombx
Master :ombx-remote:
Slave :ombx-local:
# Exclude everything under the internal [Gmail] folder, except the interesting folders
Patterns *
Create Slave
Expunge Both
Sync All
SyncState *
I am using Linux Mint and my isync is version 1.1.2
Thanks in advance for any help
EDIT: I have run a debug option and I have upgraded isync to version 1.2.1
This is what the debug returned:
Reading configuration file .mbsyncrc
Channel ombx
Opening master store ombx-remote...
Resolving imap.ombx.io... ok
Connecting to imap.ombx.io (*.*.10*.16*:*9*)...
Opening slave store ombx-local...
pattern '*' (effective '*'): Path, no INBOX
got mailbox list from slave:
Connection is now encrypted
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Openmailbox is ready to
handle your requests.
Logging in...
Authenticating with SASL mechanism PLAIN...
>>> 1 AUTHENTICATE PLAIN <authdata>
1 NO [AUTHENTICATIONFAILED] Authentication failed.
IMAP command 'AUTHENTICATE PLAIN <authdata>' returned an error: NO [AUTHENTICATIONFAILED] Authentication failed.
My .msyncrc file now contains these options instead
SSLType IMAPS
SSLVersions TLSv1.2
AuthMechs PLAIN

At the end, the solution was to use the correct password. Since openmailbox uses an application password for third-party e-mail clients I was using the wrong (original) password instead of the application password.

keycloak admin cli unable to authenticate

I am new to keycloak. I have been following the admin cli guide to automate realm creation ( inside a dockerfile ). The kcadm call to create realm is failing with authentication error - "HTTP error - 401 Unauthorized".
These are the 3 lines which I am trying to execute and the exception is thrown at the last line -
i) $JBOSS_HOME/bin/add-user-keycloak.sh -r master -u uadmin -p ${UADMIN_PWD}
( started the keycloak server after this )
ii) $JBOSS_HOME/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master -user uadmin --password ${UADMIN_PWD}
iii) $JBOSS_HOME/bin/kcadm.sh create realms -s realm=myrealm -s enabled=true
Top of the stack is here -
04:53:48,721 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-1) RESTEASY002005:
Failed executing POST /admin/realms:org.jboss.resteasy.spi.UnauthorizedException: Bearer
at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:160)
at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
I inspected the $HOME/.keycloak/kcadm.config file and the content is as below -
$ cat kcadm.config
{
"serverUrl" : "http://localhost:8080/auth",
"realm" : "master",
"endpoints" : { }
}
There is no authentication token , which I could see there.
( One more observation, the "config credentials" command does not throw any exception if an invalid credential is passed. It would be helpful if there is an exception thrown. )
Any pointers for what am I doing wrong here, for the authentication issue during realm creation ?

Actually there was a typo error in the command --
"ii) $JBOSS_HOME/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master -user uadmin --password ${UADMIN_PWD} "
The user parameter was "-user" , which should have been "--user"

Web deploy 401. IIS and apppool?

Web deploy works when I publish from visual studio but fails when I call msdeploy.exe. The failure is 401 unauthorized but both ways use the same iis account to login. Both ways go via WMSVC.
This is the web deploy command
msdeploy.exe -source:package='MyZip.Api.zip' -dest:auto,computerName='https://94.236.2.239/MSDeploy.axd?site=MySitei',userName=myusername,password=mypassowrd,authtype=basic,includeAcls=false -verb:sync -disableLink:AppPoolExtension -disableLink:ContentExtension -disableLink:CertificateExtension -setParamFile:"MySetParameters.xml" -allowUntrusted
On the target server I can see two security log failure
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon
Account: MyIISAccount Source Workstation: MyServer Error
Code: 0xC0000064
The second error
An account failed to log on.
Subject: Security ID: IIS APPPOOL.NET v4.5 Account Name: .NET
v4.5 Account Domain: IIS APPPOOL Logon ID: 0x52A7CD9
Logon Type: 8
Account For Which Logon Failed: Security ID: NULL SID Account
Name: Myiisacount Account Domain: myserver
Failure Information: Failure Reason: Unknown user name or bad
password. Status: 0xC000006D Sub Status: 0xC0000064
Process Information: Caller Process ID: 0x1900 Caller Process
Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information: Workstation Name: myserver Source Network
Address: myip Source Port: 50384
Detailed Authentication Information: Logon Process: Advapi
Authentication Package: Negotiate Transited Services: - Package
Name (NTLM only): - Key Length: 0

NULL SID probably means that the computer couldn't locate the account at all (not that the password is bad). Double-check the account spelling and try to localize the account: if it's a local account on computer COMPUTERNAME try COMPUTERNAME\ACCOUNT and if it's a domain account (e.g. on domain CONTOSO), try CONTOSO\ACCOUNT or the FQDN format account#contoso.com for the contoso.com domain.
You may also want to try the -AuthType='NTLM' from the command prompt.

SSH + Radius + LDAP

I have been doing a lot of research on ssh (openssh) and radius.
What I want to do:
SSH in to equipment with credentials (username and password) stored in either on a radius server or ldap store. I have been reading online and some people point to having an ldap server running in the background of your radius server. This will work, but will only work if the user is found in the local machine.
The problem:
Is there a way for me to ssh (or telnet) in to my equipment by logging in via a radius server that contains the credentials? if not is there a way for the client (the machine I am trying to connect to) get an updated list of credentials and store it locally from a central location (whether it be a radius server or an sql database etc).
I have been able to connect via Radius but only on accounts that are local, but for example if I try to connect with an account that does not exist locally (client-wise) I get "incorrect"
Here is the radius output:
Code:
rad_recv: Access-Request packet from host 192.168.4.1 port 5058, id=219, length=85 User-Name = "klopez"
User-Password = "\010\n\r\177INCORRECT"
NAS-Identifier = "sshd"
NAS-Port = 4033
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.4.200"
Code:
[ldap] performing user authorization for klopez[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> klopez
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=klopez)
[ldap] expand: dc=lab,dc=local -> dc=lab,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=lab,dc=local, with filter (uid=klopez)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "somepass"
[ldap] userPassword -> Password-With-Header == "somepass"
[ldap] looking for reply items in directory...
[ldap] user klopez authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "somepass"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> klopez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
I also have pam_radius installed, and its working (can log in on a account that exists locally). Although I read this and do not know if this is 100% accurate:
http://freeradius.1045715.n5.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-td2784316.html
and
http://fhf.org/archives/713
tl:dr:
I need to ssh into a machine that does not have a user/pass locally and that combination will be stored remotely, such as a radius server or ldap.
please advise
P.S.
The solution is preferable using radius server or ldap but not necessary. If there is an alternate please advise.
Thanks,
Kevin

You can configure SSH to authenticate directly against an LDAP server using PAM LDAP.
I've set it up myself on Debian Systems:
https://wiki.debian.org/LDAP/PAM
https://wiki.debian.org/LDAP/NSS
You need to have both PAM and NSS to get SSH working. You also need to enable PAM in your SSH configuration. Install the libnss-ldapd libpam-ldapd and nslcd packages on Debian (or Ubuntu) system.