My LDAP Server is SSL , If I need to connect to the LDAPS server . Do I need to enable SSL in my server to fetch the results from the server.
Example : I'm trying to connect to Apache Ranger in HDP2.x . DO I need to enable SSL in Ranger machine to fetch the results or just enable the LDAP will work
The LDAP server has no way of knowing if the client communicating with your Ranger host is using SSL or not; the directory server requires the LDAP client (in this case your Ranger server) to use SSL when communicating with it. Configuring the LDAPS communication between your Ranger server and the LDAP directory will suffice.
That being said, it is better to encrypt both the client communication with Ranger and the Ranger communication with the directory server. Unless you're talking about a sandbox LDAP directory (i.e. no real user data in there), you are exposing user credentials to potential attackers by using clear-text communication from the client to the Ranger server.
Related
We have IIB 10.0.0.12 running on Windows Server 2012 R2. We are looking to setup Kerberos -Token based authentication for SOAP services that are exposed to internal/external consumers.
We have around 4 System test servers running on a Same domain. The test servers are not load balanced; can we create a Single User account (Say "IIBTestPrincipal") in Active Directory and map multiple SPN's to this user account and setup the test environments like below.
setspn -A HTTP/server3.somedomain.co.uk#SOMEDOMAIN.CO.UK IIBADPrincipal
setspn -A HTTP/server5.somedomain.co.uk#SOMEDOMAIN.CO.UK IIBADPrincipal
Can somebody please advice/ guide on process for setting the same in load balanced environment.?
We have 4 broker servers load balanced via Netscalar. Can the load balancer perform a kerberos passthrough and broker perform all the kerberos authentication work ? If so should we be creating a SPN on Load balancer Host name and map all the prod servers as alias to that SPN ?
Couldn't find much info from Info center,Any thoughts on the above are much appreciated.
Netscaler supports Kerberos impersonation and Kerberos contrained delegation. I'm not that familiar with Kerberos, take a look in their documentation
https://support.citrix.com/article/CTX222453
I'm trying to setup an ssl based tcp connection to memsql using Go.
The application/services are running as openshift pods and written in Go.
Can I have one-way authentication to memsql from the service?
Do I need to enable any port in memsql to listen for tls based ssl connection?
Apart from updating the DSN in my service to tls=true, what can be the alternative to customise this configuration.
Can someone suggest an efficient way to connect to memsql with ssl enabled?
I've followed the memsql documentation and inserted the certificates to memsql master and aggregator, as well as made the permission check enabled, but still I'm able to get into the memsql without giving the rootCertificate in the login.
Currently the connection is established by following code:
db, err := sql.Open("mysql", DSN) and
DSN=root:#tcp(IPAddress:3306)/riodev?interpolateParams=true&parseTime=true
Can you clarify what your question is? The SSL authentication is one-way, the client verifies the server. The server verifies the client via their login information.
No, MemSQL uses the same port for SSL and non-SSL connections.
You may also need to configure the SSL certificate, as described in https://github.com/go-sql-driver/mysql#tls.
Most client libraries support connecting with SSL.
I've followed the memsql documentation and inserted the certificates to memsql master and aggregator, as well as made the permission check enabled, but still I'm able to get into the memsql without giving the rootCertificate in the login.
Is it possible the connection is already using SSL? It may be using SSL-preferred mode without verifying the certificate.
I'm trying to implement a reverse proxy in our system, for a micro-services architecture.
The proxy server is HAProxy that works with SSL Termination and needs to proxy requests to a backend server with Https and Kerberos authentication.
I succeeded to terminate the ssl on the proxy server and pass the request to the https server (I need the termination in order to route requests by their body, to specific backend services) , but failing to authenticate with kerberos on the backend server.
Is it possible to implement Kerberos auth on the proxy server and then pass the TGT to the different backend services?
I have successfully done this and it took some work.
At the time I was using HDP so I used ambari to setup a hive server on the HAproxy node. (This was done solely for the purpose of having Ambari manage the kerberos principle. The hive server itself never ran)
Then I merged the keytab for my hive server (on the proxy) with my Hive server keytabs so that the principle could be used on the hive servers. I think I also allowed it as a principle to work with hive. I'm sure there is another path that would allow you to use delegation but this was the past of least resistance and made it so hive managed mostly managed the keytab. I did have to re-merge the keytab when they where regenerated but it wasn't as bad as manually managing keytabs.
I have two servers:
1st server: Odoo 9 application hosted in Amazon EC2
2nd server: LDAP server hosted in my Synology NAS which is in a local area network
Right now, I would like to authenticate all the Odoo users by the LDAP server.
Things that I have done
I have installed the Authentication via LDAP (auth_ldap) module in Odoo
Configured LDAP Parameters in Odoo. Note: Actual IP address and domain were altered due to security issue. Need someone to check if the configuration values are entered correctly.
Open the port 389 in my office network to public and forwarded it to the LDAP server.
Tested using ldapsearch command line in Amazon EC2 to ensure that both servers can communicate.
Somehow I am still not able to login using the LDAP user login in Odoo. What did I do wrong? Is there any other way to find out if Odoo is communicating with the LDAP server?
I have an application which can access a LDAP server with non-SSL connection. Now, the LDAP server has been configured to support only SSL.
So, now what are the new components or changes in the existing components which I have to do.
If your application really doesn't support SSL (btw it would've made things easier if you'd told us what program you're trying to use), you can try an SSL wrapper, such as stunnel that can be configured to connect to the SSL-protected LDAP service whenever your program connects to the "entrance" of the tunnel. This way, your program doesn't have to support SSL, but your connection to the LDAP server is still secured by SSL (if the SSL wrapper runs on the same host as your program).
You should only have to change ldap: to ldaps: in the client.