Configuring LDAP Authentication in Odoo

I have two servers:
1st server: Odoo 9 application hosted in Amazon EC2
2nd server: LDAP server hosted in my Synology NAS which is in a local area network
Right now, I would like to authenticate all the Odoo users by the LDAP server.
Things that I have done
I have installed the Authentication via LDAP (auth_ldap) module in Odoo
Configured LDAP Parameters in Odoo. Note: Actual IP address and domain were altered due to security issue. Need someone to check if the configuration values are entered correctly.
Opened port 389 in my office network to the public and forwarded it to the LDAP server.
Tested using the ldapsearch command line in Amazon EC2 to ensure that both servers can communicate.
Somehow I am still not able to log in using the LDAP user login in Odoo. What did I do wrong? Is there any other way to find out if Odoo is communicating with the LDAP server?

Related

How to set up Kerberos in a load-balanced message broker environment?

We have IIB 10.0.0.12 running on Windows Server 2012 R2. We are looking to set up Kerberos token-based authentication for SOAP services that are exposed to internal/external consumers.
We have around 4 system test servers running on the same domain. The test servers are not load balanced; can we create a single user account (say "IIBTestPrincipal") in Active Directory, map multiple SPNs to this user account, and set up the test environments like below.
setspn -A HTTP/server3.somedomain.co.uk@SOMEDOMAIN.CO.UK IIBADPrincipal
setspn -A HTTP/server5.somedomain.co.uk@SOMEDOMAIN.CO.UK IIBADPrincipal
Can somebody please advise/guide on the process for setting up the same in a load-balanced environment?
We have 4 broker servers load balanced via NetScaler. Can the load balancer perform a Kerberos passthrough and the broker perform all the Kerberos authentication work? If so, should we be creating an SPN on the load balancer host name and map all the prod servers as aliases to that SPN?
Couldn't find much info from Info center. Any thoughts on the above are much appreciated.
NetScaler supports Kerberos impersonation and Kerberos constrained delegation. I'm not that familiar with Kerberos; take a look at their documentation:
https://support.citrix.com/article/CTX222453

LDAP certificates expired on a WebSphere application server initially configured with LDAP

We are running WebSphere Application Server v8.5 on AIX 7, which we configured to use LDAP security. Everything was working fine, but the project was halted for some time and our WAS was down. Now we see that the LDAP certificates have expired, hence we are unable to connect to the dmgr and admin console. Can somebody help to resolve it?
We know how to configure LDAP on WAS, but don't know how to replace the expired LDAP certificate with new certificates. (We received new non-expiry certificates from the LDAP team but don't know how to configure them on WAS.)
You need to disable security, restart dmgr, replace certificates and reenable security.
To disable security:
stop/kill the dmgr
run the following from the dmgr\bin folder:
wsadmin -conntype NONE
At the wsadmin prompt, type securityoff and then type exit.
Restart your dmgr.
UPDATE
Do you have Federated or Standalone LDAP configured? In the LDAP configuration you should have a link to the SSL configuration. There you will need to add your new certificate to the Signers store (this is a very simplified description, as I'm not sure which repository you are using).

CoovaChilli & FreeRadius: Apache server Authentication

What I'm using:
Ubiquiti AirRouter
CoovaChilli
AWS server with FreeRadius & Apache2
What I'm trying:
Set up a captive portal using the Ubiquiti AirRouter
Use CoovaChilli firmware to set up captive portal on Ubiquiti
Make the RADIUS authentication with the FreeRadius server on AWS
Use the apache2 server on AWS to create the web captive portal for the user to log in
I have the Ubiquiti AirRouter configured with the CoovaChilli firmware (no issues here). The AP generated by the router works as expected and when you try to see any page, you get redirected to the apache web server.
Where I'm stuck:
The communication between the captive portal and the router is my issue. I'm trying to use ChilliLibrary.js functions (ChilliJSON) to make the RADIUS login, but it seems I'm missing some configuration. The response I get when I'm trying to authenticate in the captive portal is:
GET http://127.0.0.1:1812/json/status?callback=chilliJSON.reply&0.2522223754785955 net::ERR_CONNECTION_REFUSED
ChilliLibrary.js:531
I'm looking for information in the CoovaChilli and Chilli documentation but cannot find anything helpful here.
Does anybody know any good tutorial about this part of a captive portal? The connection between the web server and the router?
Thanks in advance
GET http://127.0.0.1:1812/ and net::ERR_CONNECTION_REFUSED says it all.
Check that you have a service running on port 1812 of localhost with netstat -ntl | grep 1812 then double check your firewall is allowing traffic through port 1812.
This may be of some use if you have not come across it before.
https://help.ubuntu.com/community/WifiDocs/CoovaChilli

Authentication issue with IIS

Using IIS 6.
I have the default web site that works and can authenticate users to the domain when they connect.
I have created a second website, siteb, and put a host (A) record into DNS. I can browse to it as long as I use anonymous access; when I select Windows authentication, it fails...
Not sure what I'm missing here...
Thanks.
This goes beyond just IIS if you're using Integrated Windows Authentication. You've created "siteb" in DNS which allows your users to connect to it so this is good. However, when their browser requests a Kerberos ticket for "siteb" from Active Directory, AD is probably responding that it cannot find "siteb". You can verify this with Wireshark.
The fix is to add "siteb" (and any other permutations with which you expect users to access the site) as an additional servicePrincipalName for the server's machine account in AD. You can accomplish this with the "setspn.exe" utility. It should be available on your domain controller. If not, you can install it from the Windows 2003 Support Tools.
Some examples of adding a UPN alias with setspn on the DC are:
setspn.exe -A HTTP/siteb <server hostname>
setspn.exe -A HTTP/siteb.acme.com <server hostname>
This should take effect immediately. The final step is ensuring that the browser "trusts" the new website name. In Internet Explorer, for IWA to occur automatically, the server name should be listed in either the Trusted Sites or Intranet zone.
Of course, you could avoid all this hoopla by having the 2nd website just run on a different port under the same name, e.g.: http://sitea:81
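
An added example (not part of the original answer) that audits the SPN state the answer above depends on: it parses output in the layout printed by `setspn -L` and reports, for each name users browse to, whether an SPN is missing or registered on more than one account. The accounts `WEB01` and `svc-legacy` and the sample listing are constructed, and the HOST/ fallback assumes the default AD sPNMappings.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `setspn -L <account>`,
# one block per account. Account names are hypothetical.
SAMPLE = """\
Registered ServicePrincipalNames for CN=WEB01,CN=Computers,DC=acme,DC=com:
        HOST/WEB01
        HOST/web01.acme.com
        HTTP/siteb
Registered ServicePrincipalNames for CN=svc-legacy,CN=Users,DC=acme,DC=com:
        HTTP/siteb
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_spns(text):
    """Return {lowercased SPN: set of account DNs that hold it}."""
    owners, account = defaultdict(set), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            account = m.group(1)
        elif line.strip() and account:
            owners[line.strip().lower()].add(account)
    return owners

def audit(site_names, owners):
    """Classify each name users browse to as ok, missing or duplicate."""
    report = {}
    for name in site_names:
        key = name.lower()
        # An explicit HTTP/ SPN is checked first. Assumption: default AD
        # sPNMappings, under which a HOST/ SPN also answers for HTTP/.
        holders = owners.get(f"http/{key}") or owners.get(f"host/{key}") or set()
        if not holders:
            report[name] = "missing"    # AD cannot find the service principal
        elif len(holders) > 1:
            report[name] = "duplicate"  # same SPN on two accounts: lookup is ambiguous
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    names = ["web01", "siteb", "siteb.acme.com"]
    for name, state in audit(names, parse_spns(SAMPLE)).items():
        print(f"{name:20} {state}")
```

A "duplicate" result is worth checking before adding any SPN with `-A`, since registering a name that another account already holds leaves Kerberos authentication for that name failing.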

SVN with Apache authenticate against OS user accounts

I am starting to look into configuring an SVN server using Apache2 and mod_dav_svn on Red Hat Linux. I want Apache to handle authenticating the users that access the repository. Is there a way to have Apache authenticate against the user credentials maintained by the OS? This way I can allow all of my users on the server to use the same account to access SVN and to log in to the system via SSH.
Previously our SVN server was hosted on a Windows server and we were able to use AuthType SSPI to perform our authentication against the Windows Active Directory server, which will no longer be available to us. (Note: this is a restriction due to our network security and is not within my control.)
Ultimately the solution I found to this problem was to configure mod_authnz_external to work with pwauth. Following the instructions on those two sites seems to have resulted in a working solution.