A client asked us if we support LDAP authentication for a Single-Sign-On (SSO). I Googled around and learnt a bit about LDAP.
However, I don't understand whether I should run the bind operation on some credentials that will be given to me as the app and then look for the user that tried to log in, or I should call the bind on the credentials the user attempts to login from through our app and as long as the credentials are valid, I consider that the user is logged in.
Thank you.
It's done in three steps:
Bind as an administrative user that has enough permission to search the directory.
Search the directory for the user. This is necessary because the user won't be providing his entire DN: he will be providing something else unique about himself such as his email address, a 'screen name'/moniker/alias, etc.
Bind as that user using the password credential supplied.
If any of this fails i.e. including (2), it's a login failure, and note that you don't tell the user which step: you don't tell him 'no such user' or 'invalid password'. You just tell him 'invalid credentials' or similar for both. Otherwise you're leaking information to an attacker.
Related
RE: https://jfrog.com/knowledge-base/when-do-the-groups-associated-with-an-ldap-user-get-updated-in-artifactory/
The Knowledge Base article above says:
"LDAP user authentication requests using Encrypted password or plain text password will update the LDAP group association changes from the LDAP server."
We've added a user to a group, but that user still can't see the artifacts governed by that group even after he has logged in. How can we cause Artifactory to update its group membership cache?
Please ask the user to logout and log back in after being added to the groups. Artifactory will try to reach to the LDAP server for validating the creds and then get the groups associated with the user which is returned from the LDAP server.
There is a chance that LDAP cache as mentioned in here https://www.jfrog.com/confluence/display/JFROG/LDAP#LDAP-Non-UIAuthenticationCache might take effect the groups to be associated if the user session is not hitting the LDAP server.
We have a web app (SPA Angular app talking to a .Net Core Web API) which uses Auth0 as the authentication server.
Now, I'm not sure if this would be an "invite flow" or "invite-only flow", or something else, but basically, a user will go to our web app, and create an account on our system. Our API then creates an Auth0 account for this user using the Auth0 Management API. This user is then considered the Administrator. She can then create as many users as she wants for her staff. For each user she creates, our API creates an Auth0 user using the Management API.
Since, as far as I'm aware, a user must be assigned a password at the moment of creation (i.e. you cannot create a user without a password), the administrator must pick a password for each user she creates.
Additionally, each time a user is created, Auth0 automatically sends out an email to that user asking them to verify their email address. When the user follows this link, it takes them to the Auth0 login screen where they have to fill in their email address and password.
My problem is that, unless the administrator tells them what password she picked for them, there's no way of them knowing.
My question is: is there a way to defer picking a password until the user logs in for the first time? So, when the administrator creates the user, she doesn't pick a password. Then, upon the user's first login, they pick their own password.
Alternatively, if a password MUST be set at the moment of creating the user, could this password be displayed to the user in the email verification email? I would essentially treat this as a temporary password, as I would also require the user to change their password upon first logon in this case.,
Thanks
I was looking at Khan Academy and I'm wondering how their authentication works (probably many other websites have it the same).
When you login with facebook account that has email "aaa#gmail.com", you completely logout, open another anonymous window, and login with google account that has the same "aaa#gmail.com" email, you log into the previously created account.
My questions are :
Do they make association to account based on email your social account has ?
I'm sure their solution is secure, but is this common and normally doable so there won't be any possible exploitations ?
I'm using a system of Oauth2 to grant access to my app, dvouch
First you have a registered user in your website, with an unique email.
So what basically happens is:
User visits your website (website doesn't know who the user is)
User clicks to login through one of the Oauth2 providers
Your website proceeds to start a "OAuth2" handshake, it redirects the user to the provider oauth endpoint, along with some information, like what scopes you're asking for (email, personal info, public info, etc), the url to send back the user after the authentication is done, your application tokens (that are registered in the providers app dashboard), and so on.
Let's say the provider you chose was facebook. Facebook receives your request for an OAuth2 authentication. It also receives the scopes you're asking for, which url you want the user to go to after being authenticated, and your application credentials
It checks that the credentials you're sending are valid, that the callback url you're asking the user to be sent after also matches what they have registered for your app (so that someone can't simply steal your app credentials and have users redirected somewhere else) and if everything is fine and dandy, it will then present the login window to the user. This login is happening on the provider's page. Not on your website.
The user logs in (inside facebook or google not your website). The provider sends them back to the call back url you specified in the beginning of the handshake.
You (your website) receives the user back with a bunch of information, such as the email of the user who just completed the Oauth2 flow.
At this point you use the email that came in the callback and identify the user through the email. Since all emails are unique, and since your user had to be registered with that email on the provider, you are safe to assume he's the owner of the email.
(technically things might happen a bit differently)
It's basically very secure as long as the website has the regular security measures. Of course if someone has access to your Facebook(wtv) account or email they can login as if they were you, but that would happen either way they offered Oauth or not.
Then as long as you verify you're logging in the correct provider's website (like facebook's or google and not something else) you'll be fine since no one else will be able to see your login. Since a "scope" of authorizations has to be passed as well you as a user can also see what the application is asking for (email, access to your inbox, wtv) and decide if you want to grant those scopes or not, if you decide not to grant access then facebook will not pass back that information, which in turn renders the process safe.
The only way it wouldn't be safe would be if you had malicious software installed in your computer to log your activity and in this case you would be screwed either way.
I am trying to configure Grafana for my organization. I was able to configure LDAP and MySQL database pretty easily but when I try to invite a new user to an org in Grafana, it always asks the user to join Grafana.
This would be an OK behavior if at that point Grafana would authenticate against LDAP. Instead, it creates a new user in its own database. This would lead to conflict with LDAP in case the user's AD passwords changes.
This works perfectly when a user had previously logged in to Grafana. An invite sent after would directly take the user to login page.
Is it possible to do the same in case the user is not already registered in Grafana? I really want to avoid saving user credentials in Grafana database.
Any help would be appreciated. Thanks.
I am not a Grafana expert, but looking through the source code on GitHub it certainly seems that new user registration will not go through LDAP. This is obvious in the LDAP related configuration file where you see the read-only credentials needed to look up users in the LDAP directory. A read-only administrator in LDAP will not be able to create new users as this would be necessary during a registration step. The code also indicates that registration creates temporary users in the internal store.
i want to customize login in Liferay 6.2. I've internal liferay users and ldap users. All users have a record in liferay user_ table. The differences are: internal users must change password at first login and see password reminder question.
Ldap users make only login with their password.
Acutally Liferay ask to ldap users to change their password and set password reminder question. These users change password but at next login, login is possible by old ldap password (correct). Liferay must not write in ldap.
How can i remove password change and password reminder question for ldap user?
There's a password policy that you can set per organization. If you introduce a new organization for each of the groups (or just one might suffice as well) you can have individual password policies per organization.
In Password policies you can configure quite a lot of stuff, e.g. should passwords be changed on first login etc. You can also select the "LDAP Password Policy" in the LDAP configuration screen. I'm rarely working with password policies, thus it's hard to give detailed directions - let me know if this is sufficient or if you need more detailed pointers