I'm creating a Express.js REST server that can invoke and query chaincodes (similar to the JavaScript fabcar example). I'm wondering how would I register, enroll, and use a network user that is based on a username and password, so that I could allow the user to login using their username and password and can invoke chaincodes with their network user.
Please tell me if I'm going about this the wrong way, or if there are configs to achieve this.
Related
I am working om using Auth0 has authentication for services. I have the following problem. I have created a user but when I try to make a request with that user I get the following error.
Authorization server not configured with default connection
I have researched this and found I need to Configure the tenant
The Resource Owner Password Flow relies on a connection that is capable of authenticating users by username and password, so you must set the default connection for the tenant.
Go to Auth0 Dashboard > Tenant Settings, and scroll down to locate the Default Directory setting.
Enter the name of the connection you would like to use. Make sure it is capable of authenticating users by username and password.
But I have on idea what they mean by Default Directory. Is that the name of the Auth0 application I generated, since that is the service, that is supposed to authenticate users by username and password.
I have generated a SpringBoot app from the auth0 console. is that what they mean by connection.
Follow these steps.
Navigate to your dashboard - manage.auth0.com/dashboard
On the left menu, click on Setting
Scroll down to "API Authorization Settings"
Enter Username-Password-Authentication in the "Default Directory" input
Hit save - It typically takes about 30secs for changes to take effect
In Default Directory put Username-Password-Authentication
My auth0 was configured with a custom database, and when I was trying to get tokens using the Resource Owner Password API, I had the same issue Authorization server not configured with default connection .
The solution to this issue was:
Set the grant_type to http://auth0.com/oauth/grant-type/password-realm
Set the realm to the name of the custom database
For anyone else stumbling upon this question, you can also use the Realm property to define a specific Database connection instead of setting up a default one.
So far I have always been able to log in successfully via sso.
cf login -a url --sso
I need another way to log in for my pipeline script and tried the following command.
cf login [-a API_URL] [-u USERNAME] [-p PASSWORD] [-o ORG] [-s SPACE]
This command does not work with my user, nor with a technical user to whom all necessary roles have been assigned (M D A). I get the following message.
API endpoint: url
Password>
Authenticating...
Credentials were rejected, please try again.
Does anyone know how to solve this problem?
Or maybe an alternative to create a gradle task, for example, that can be executed in a jenkins pipeline.
At the end, I want to automate a deploy (to cloud) of an artifact with my Jenkins pipeline.
You provided —sso flag, so you shouldn’t see a password prompt. Instead you should be given the url to get a token.
Maybe your CF has been misconfigured and does not support SSO yet. I tried to fix the CF CLI to avoid this but it was oddly rejected https://github.com/cloudfoundry/cli/pull/1624
Try fixing your CF installation (it needs to provide some prompts), or skip the —sso flag usage.
Using --sso and -u/-p are not doing the same thing on the backend, and there's no guarantee that a user which can login through SSO is also set up to login as a user stored directly in UAA. UAA has multiple origin's from which users can be loaded, like SAML, LDAP and internal to UAA. When you use the --sso flag, you are typically logging in via a user from your company's SAML provider. When you use the -u/-p flags, it's typically LDAP or UAA, something UAA validates directly.
In order for what you are trying to do to work, you would need to have a user available with an origin in SAML (for --sso) and a user in origin LDAP or UAA (internal), and technically those would be two separate users (despite the fact that they may have the same credentials).
At any rate, if you normally login with the --sso flag and you want to automate work, what you really want is to get a UAA client that is set with the grant type of client credentials. You can then use cf auth CLIENT_ID CLIENT_SECRET --client-credentials to automate logging in.
Typically you don't want your user account to be tied to pipelines and automated scripts anyway. If you leave the company and your user get deactivated then everything breaks :) You want a service account, and that is basically a client enabled with the client credentials grant type in UAA.
I want to use LDAP user's credential in one of my Linux scripts, in which I want to take user name and password and want to test the authentication.
I have used ldapsearch command to check the user's name validation and now want to check the same for the password.
Is there any command I can use to check this?
For clarification, are you looking to take a username and password as input from the user in your script and test them against an LDAP server? If that's the case, you could try authenticating against the LDAP server with the username/password and just see if it works.
I have a private hosted registry at www.myDockerRepo.company.com:2222. To login to this repository I follow these steps
docker login www.myDockerRepo.company.com:2222
username : xxx
password : ***
email : xyz#company.com
WARNING: login credentials saved in /home/vagrant/.docker/config.json
Login Succeeded
Can these credentials be saved before hand in the config.json so that clients dont need to manually enter these credentials n every login? What is the best practice to login to private registries?
Yes, you can manually add the creds to the config. Just copy the file over from a host that you already logged in with.
As far as best practices, they depend on the setup, but most common is to use a generic system account for your registry that is only used by the hosts, and then when setting up the hosts and installing docker, drop in the config file for that system user. Then all pushes and pulls from those servers will be with that account.
If you try and reuse a user account, things will break if that user changes their password. It also allows you to have different permissions for hosts, maybe pull only access vs push, etc.
We have our own web server hosting our website that is open to the public outside of our network.
I have a request to make our "Internal Postings" link on our Careers page to authenticate the user against our network's Active Directory list.
I currently have it setup so the link hits a page inside the directory structure of the website, and this page's folder is set to "Integrated Windows Authentication". Anonymous access is turned off for this page. If the user is authenticated (ie: logged into our network or supplies proper credentials) it passes them on to an external careers website which hosts our job postings. If they fail to authenticate, it displays a custom 401 error page.
This works fine, but there is a problem with it. Using IE, people cannot just enter their username. They (of course) are required to enter the domain name as well. Unfortunately the default 'domain' is set to the URL of our website (www.xyz.com/username). I would like it to automatically choose the name of our internal domain (aaa/username) but am unsure of how to do this.
Another option would be to use LDAP and a little ASP scripting to authenticate the user. I have this code already, but am unsure of the security consequences of doing so. Basically, the page will be setup for anonymous authentication, and if the user isn't logged into our network, they will be prompted for a username/password using standard textboxes. This is then passed to an ASP script that does an LDAP lookup against our Active Directory. Is there any security issues with this method?
Which method would you choose to do?
Thanks.
EDIT: It seems I cannot authenticate to ActiveD via LDAP using a username/password combo. So forget about that option.
My question now is, how can I change the default 'domain' that IWA uses? Is that at all possible? IE seems to default to 'www.xyz.com\username' (my website) rather than 'aaa\username' (my domain name). Of course, www.xyz.com\username fails because that is not where our ActiveD resides... Is this possible? I want to make it as simple as possible for our employees.
You cannot authenticate an user with a script that looks up the user in LDAP. You need to know that the user is who it claims it is, and the only way to do that is to let NTLM/Kerberos authenticate the user (ie. establish proof that the user knows a secret stored in the AD, the password).
The URL of the web site to the set of sites considered be in the local intranet zone for IE browsers running on the internal network. By default sites consider to local intranet will be sent the current logged on users credentials when challanged with NTLM/Kerberos. Hence your internal users shouldn't even see a network logon box.
I hate to dredge up an old thread, but the answers are a bit misleading, if I understand the question. The thread Remus refers to is about authenticating via LDAP with a username only. As he points out, that isn't possible. But it looks like what Kolten has in mind is authenticating via LDAP with a username and password both. That's a standard practice called binding.