Google Cloud Directory Sync and AD link through LDAP - ssl

I have been working to link my AD to G Suite and have an auto sync established. The reason I put this here is that I have had a hard time figuring everything out. I am still not at the end of this procedure and I would appreciate it if skilled people would contribute to help me, and I guess many others as well, on this topic.
I downloaded the GCDS tool (4.5.7) and installed it on a member server. I tried to go through the steps and failed, except for the first one, to authenticate to Google.
Learnt: It is a Java (Sun) based product and when it comes to authentication or SSL it will throw errors that need to be sorted.
Step 1, Google Auth - done and very simple as long as you can log on to your GAE account
Step 2, LDAP config... this was tricky
I created a service account to use
Learnt:
You need to have the SAM account name matching the display name and name as well; only this way could I authenticate.
In most cases you don't need any admin rights, a domain user should be able to read the DN structure from LDAP.
I have the OU structure, but I need LDAP working on the DC (this works somehow)
Learnt:
Simple connection through port 389;
SSL would use port 636;
in most cases
GCDS only uses Simple authentication!
Learnt:
With port 389
Domain group policy needed to changed to non LDAP auth required (Domain controller: LDAP server signing requirements changed to none!) to be able to logon - this one is working and good for DEVSERV
Question: Should I use it for PRODSERV or I need to aim to use SSL?
Learnt:
With port 636 (SSL) you need a certificate
Question: I tried to add a self-signed cert based on the following article and added it to the trusted root certificates, but Google cannot see it?
BASE DN can be read out through LDP.EXE (built in LDAP browser by MS)
Learnt:
You can add the OU you want; it doesn't have to be the root of the tree
Question: does it mean you have implemented extra security?
Step 3, Defining what data I can collect. OU and person I picked.
Learnt:
Profile will collect extra information for Google, such as job title, phone etc. I only wanted them for the company signature... Well, it is still not clear if this can be done. If that is not possible, I can't see the reason why I should disclose unwanted information to be stored on another server.
Question: Can the job description be included in the Google Mail signature?
I keep adding my findings to this as I work through it, but I would appreciate any input from people who have managed to set it up.
Step 4, Searching in the Organisation Unit - confusing again but it is done. (More to follow.)
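Added here as an illustration of what the "Simple authentication" note in this post means on the wire; this is example code written for this page, not part of the original post and not GCDS code. It builds and parses an LDAPv3 simple BindRequest (RFC 4511) with Python's standard library only; the service-account DN and password are constructed sample values. The relevant point for the DEVSERV/PRODSERV question is visible in the bytes: the bind DN and password are plain octet strings, so on a port-389 connection with the signing requirement set to None anything on the network path can read them, whereas LDAPS on port 636 carries the identical message inside TLS.

```python
"""Encode and decode an LDAPv3 simple BindRequest (RFC 4511, BER encoding).

Added example for this page; not from the original post or from GCDS.
All names and values below are constructed for illustration.
"""


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02) as minimal two's-complement."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return _tlv(0x02, body)


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    BindRequest is APPLICATION 0 constructed (0x60); the simple credential is
    the context-specific [0] primitive (0x80) holding the raw password bytes.
    """
    bind_request = _tlv(
        0x60,
        _ber_int(3)                        # LDAP protocol version 3
        + _tlv(0x04, bind_dn.encode())     # OCTET STRING: the bind DN
        + _tlv(0x80, password.encode()),   # [0] simple: the password, unencrypted
    )
    return _tlv(0x30, _ber_int(message_id) + bind_request)  # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(packet: bytes) -> dict:
    """Parse a simple BindRequest back into its fields; what a passive observer
    of an unsigned, unencrypted port-389 session would see."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not simple authentication (SASL bind)")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big"),
        "bind_dn": name.decode(),
        "password": auth.decode(),
    }


if __name__ == "__main__":
    # Constructed sample: a GCDS-style service account in its own OU.
    pkt = encode_simple_bind(1, "CN=gcds,OU=Service Accounts,DC=example,DC=com", "s3cret")
    print(pkt.hex())
    print(decode_simple_bind(pkt))
```

The encoder is the same whether the socket is plain TCP or a TLS-wrapped one; the only thing LDAPS changes is that the TLS layer encrypts this message before it leaves the host, which is why the choice of 389 versus 636 decides whether the service account password is exposed in transit.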

Gitlab pages and automatic certificate management using Let's Encrypt

I guess that's a very simple task, but I can't manage to have SSL work on gitlab pages. Gitlab pages documentation is too vague for me.
For example, when they say "Make sure your domain doesn't have an AAAA DNS record," does that mean the subdomain (say gitlab.mysite.com) doesn't have an AAAA record? Or does it mean my whole DNS configuration shouldn't have such a record?
Also, if it's the latter, how can I manage to make this work?
Maybe someone has a source to a good tutorial for this because I really struggle finding simple information (not assuming any prior knowledge about SSL/gitlab).
I just went through the whole process beginning to end and set up a GitLab Pages website on a custom domain with a Let's Encrypt certificate -- it worked like a charm.
I had to:
a) set up a TXT record to verify domain ownership, and
b) add an A record to point at the GitLab Pages IP address (since my domain DNS management provider didn't allow me to set up a domain-level CNAME)
After this, GitLab went and fetched a Let's Encrypt certificate for my Pages web site.
I didn't have an AAAA record, so that didn't come into the picture.
As per GitLab Pages documentation section GitLab Pages integration with Let's Encrypt,
Caution: This feature covers only certificates for custom domains
Issue 3342 is open to add support for sub-domains.
If you are still having trouble, let me know, I'd be happy to help with this.

Trying to connect LDAP users from two or more subdomains to NiFi

I have set up a three-node secure NiFi cluster and integrated it with LDAP for user login.
My doubts:
In login-identity-providers.xml, can we add multiple LDAP User Search Base entries? (I tried adding multiple User Search Base entries, but it failed.)
In LDAP, the user search should happen on multiple sub-domains, e.g.:
DC=example1,dc=example,dc=com
DC=example2,dc=example,dc=com
in User Search Base in login-identity-providers.xml.
To achieve multitenancy in LDAP, what configuration changes do we need to make in the identity provider XML?
A tenant1 user should access the process group defined for tenant1 itself, and it should not be accessible to tenant2 users.
From what I can tell, and assuming you are using Microsoft Active Directory, if you use:
FOLLOW
it may work.
We also sometimes might use the Global Catalog (as then there are no referrals).
I also am guessing that the "empty" parameters should be removed (but I do NOT know how NiFi works).
I would suggest you also do tests with an LDAP browser to make sure you know what your LDAP tree looks like. We use Apache Studio, but there are others.
Add more data on whether it is Microsoft Active Directory, and refer to https://stackoverflow.com/help/how-to-ask

Integrating phpBB with CAS - casldapauthbb

I'm attempting to integrate phpBB with CAS so that I can utilise the single sign on across a host of websites. So far I have tried a few things but none have pulled off yet. The closest I have come is with the following MOD:
https://sourcesup.cru.fr/projects/casldapauthbb/
However, after installing it, when I add my CAS details to CAS server name, CAS server port and CAS uri, and leave the LDAP fields blank, I get the error "could not connect to LDAP server".
If anyone knows how to fix this, that would be cool.
I'm also open to alternative solutions.
There doesn't appear to be a way to do this without rewriting large parts of the phpBB framework. So I'm going to run phpBB separately and link accounts through a common library.

Can only "agents" build and submit Applications to Apple?

I'm afraid I know the answer to this but I'll ask on the longshot chance that I'm wrong:
I've been doing some freelance work creating an iPhone application for a company. They've created their own developer account and added me as a team member with "admin" rights. That seems to be the highest assignable level of rights (with the only higher level being "agent" and belonging only to whoever signed up for the account). Yet, I don't have an option under the provisioning portal to create a distribution certificate or profile.
Is there any way to create these myself without having to ask my client for their primary login? They're not particularly tech savvy, so it would be difficult to walk them through the process to create the necessary certificates (and would require me giving them a certificate request from my computer, etc. etc.). But it seems like there should be some way to create a distribution build without "agent" rights, right? Could Apple seriously expect only one person from a company to do all the building and uploading of apps to the store?
You are right. Only the agent can create a distribution profile and a distribution certificate. There is no way around that. The easiest thing to do is work with him/her to create the key and certificate for distribution and install a copy of both on your machine as well. They are also the only one who can submit the binary on iTunes Connect.
It is annoying, but that's the way the final build must work - done by the team agent. I ended up getting my boss's login info. Switching team agents is also hard. IIRC, you can't be the team agent on two separate accounts.

CAC card login not authenticating random users who must use their Windows user and pwd

Having an issue with random individuals trying to access an intranet site with a security certificate. Most users are able to simply select their Smartcard/CAC certificate, enter the PIN and then are granted access to the site's pages.
However, random individuals enter their PIN and then are immediately re-prompted by the IE alert dialog to enter their domain username and password. If they don't enter their network domain username and MS password, then they receive a 401.1 Unauthorized.
I am confused as to why these certain users (who are selecting the same certificates as the successful ones) are being prompted for their domain name/pwd. Furthermore, they're able to access other sites which require a CAC to get past the security certificate.
It is possible that a user token is unable to be established via a CAC card for this particular site, but I'm not sure why. Since these users are getting a 401.1, somehow the identity associated with their CAC credentials is not validating.
In IIS:
Anonymous users are not allowed (unchecked).
128-bit encryption is required with SSL.
Integrated Windows Authentication is checked.
Accepting client certificates.
In the site's web.config file all users are allowed and only anonymous are denied.
The exact same setup is present on the development box without any issues at all, indicating to me that the problem resides on the production server's ability to properly receive/handle CAC information from those individuals or that something funky is going on with the way the security certificate is relating to the client's CAC x.509 certificate.
A little more information that may be of use: the browser prompt that initially asks for the CAC has nothing to do with the code of the site, but rather is enabled by applying the security certificate to a site in IIS; thus indicating to me that there is something written into the certificate that looks for client certificates tied to the ActivClient agent via the browser???
Then again, I probably have no idea what I'm talking about; just throwing a bone here to see if anyone has had the same issue or has any ideas.
Thanks in advance for any input, questions, or ideas.
The problem was a stinking DLL that serves to help parse long URLs with many aliases (dots). The faulty DLL had been written into many people's re-image of their computers. The offending computer refreshes contained an old version of a DLL used by Internet Explorer called URLMON.dll. The version of the DLL you need should end in '21073', but the one included on the faulty images listed above ends in '19.....'.
You can confirm this by going into IE7 and clicking on Help > About Internet Explorer > System Information (btn on bottom) > Internet Settings > Internet Explorer > File Versions > urlmon.dll
Updating this DLL has been shown to fix the issue with secure SSL sites that have long DNS entries (such as https://something.something.something.something.something.something) having problems validating CAC/PIN entry.
There is an IE7 hotfix for this, but it will only install if you don't have Service Pack 3. If you do have SP3, you cannot run the needed hotfix, because it assumes that SP3 has already put the correct DLL into place.
1. Uninstall SP3
2. Reboot
3. Install the IE7 Hotfix
4. Reboot
5. Run Microsoft Updates via the Windows MS Updates website
Sucks, but that's what you get with crappy software like IE run on a deficient operating system, then coupled with software that's limited in its abilities to truly talk to the operating system.
Check the functioning of the card with other applications.
Also check that the certificates are valid (not expired) and otherwise similar - same issuer, PIN not locked etc.
I understand your development environment works as you want and that your production environment is not.
Have you tried to reproduce the error in another environment to confirm which behavior is consistent?
Had a very similar problem that was solved by bypassing the proxy server. Try adding it to the exemption list.
In IE, go to:
Tools | Internet Options | Connections | LAN Settings | Advanced
Add site to exemptions list.
May not work for you, but could be worth a try. Like I said, it worked for me with a very similar issue.