Samba4/LDAP authentication and nginx - authentication

Before i start with my problem:
I've got a website which is protected by a reverse proxy (nginx). So the client is not allowed to connect directly to the website. It must connect to nginx and nginx shows then the content of the website.
Now i wanted to add more "security" features. I installed samba4 as it is usable as a AD DC and wanted to use LDAP (which is included in samba4?) to authenticate the clients which are trying to reach the website.
So before a client can actually see the website it must connect to nginx and then authenticate itself (with LDAP credentials) and then it can view the websites content.
I configured nginx with the module ldap_http_authentication (see configuration below) and it is working. When the client tries to view the website i need to login with some LDAP Credentials, but when i try to authenticate the client it just doesn't work. it says that the LDAP credentials are wrong.
How can i add LDAP users when LDAP comes with samba? I just don't know which credentials to use. I added some users to samba like "test" and tried to use their credentials to authenticate, but they don't work as well.
So which credentials do i have to use for "binddn" and "binddn_passwd"? Where do I have to create them or get them?
My nginx ldap configuration:
ldap_server adds {
url "ldap://192.168.50.131/dc=test,dc=dom?sAMAccountName?sub?";
binddn "TEST\\USERNAME";
binddn_passwd "password";
connect_timeout 5s;
bind_timeout 5s;
request_timeout 5s;
require valid_user;
satisfy any;
}
Thanks!
edit:
i tried to add some users with the command:
ldapadd -x -D cn=admin,dc=test,dc=dom -W -f add_user.ldif
but it just returns:
"Enter LDAP Password: ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required."
Btw: I've never set an LDAP Password, i just installed samba4. That's all!

By default samba4 require start_tls.
For a start you should try to switch the url to ldaps://
Then you need:
if you don't have a certified certificate
ssl_check_cert off
a certificate for the tls transaction
ssl_ca_file /etc/pki/tls/certs/whatever.crt
For ldapXXXXX commands you need the -Z switch
You also need to check that you ldap.conf file contains the URI and BASE:
URI ldaps://ldap.server.com
BASE "dc=domain,dc=example,dc=com"
You also need the 2 following:
a client certificate for the tls transaction
TLS_CACERT=/etc/pki/tls/certs/whatever.crt
What to do if certificate is not valid
TLS_REQCERT allow

Related

How do you use client certificates when authenticating using SALS External mechanism on OpenLDAP Server?

I have generated client certificates, how do I use the client certificates to authenticate the user to LDAP server just using LDAP utils ldapsearch,ldapmodify? I want a password less authentication process for the user.
The certificate and key settings are documented in the ldap.conf(5) man page. You are looking for the TLS_CERT and TLS_KEY options.
Note that these are documented as user-only options, meaning that they can be set as environment variables (respectively LDAPTLS_CERT and LDAPTLS_KEY) or in a personal ldaprc file, but not in the system-wide ldap.conf file.
With the certificate and key settings, use -Y EXTERNAL with the ldap tools. For example (using the environment variables):
LDAPTLS_CERT=user-cert.pem LDAPTLS_KEY=user-priv.key ldapwhoami -H ldap://server -ZZ -Y EXTERNAL

rails devsie_ldp how to ignore certificate verification?

I am using devise, devise_ldap_authenticatable module to do simple ldap authentication.
But if I try to authenticate on ssl (689 port), I have this error:
Net::LDAP::Error (hostname "x.x.x.x" does not match the server certificate):
So, I need to ignore this verification.
I tried to google, but I have no result :(
How I can do it?
Per the devise_ldap_authenticatable documentation
If you're using a test LDAP server running a self-signed SSL certificate, make sure the appropriate root certificate is installed on your system. Alternately, you may temporarily disable certificate checking for SSL by modifying your system LDAP configuration (e.g., /etc/openldap/ldap.conf or /etc/ldap/ldap.conf) to read TLS_REQCERT never.

Apache reverse proxy with LDAP check on client certificate cn

Apache version 2.4.29, Windows Server 2012 R2
Just started and is very new to working with Apache. I am using Apache as a forward and reverse proxy for application to application SOAP communication. I have the connection setup with SSL mutual authentication. Currently trying to setup on the reverse proxy a way to check the client certificate cn against the LDAP directory, but I am having problems getting it to work.
The C# client application that I made works in making the connection to the service behind the proxy, but once I add in the LDAP configuration changes in the httpd-ssl file, the client app returns an error: "The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm="ApacheProxy"'."
Below is the configuration I'm using. Maybe there is something I am missing or doing incorrectly? I'm not so confident this can accomplish what I am aiming for.
<Location / >
AuthName "ApacheProxy"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "my_ldap_url"
AuthLDAPBindDN "cn=mycn,ou=applications,o=myo,c=myc"
AuthLDAPBindPassword mypassword
Require ldap-dn "cn=mycn,ou=applications,o=myo,c=myc"
LDAPReferrals Off
AuthLDAPCompareDNOnServer on
</Location>
When I try to navigate from my browser to the reverse proxy, it prompts for login. When I use my LDAP credentials, nothing happens, but by Wireshark I can see that my connection to LDAP was successful. I suspect I am having issues from my client application because of the login prompt. I would like to consult the community to see if there is a solution for doing an LDAP check on the client certificate cn without being prompted to login.
To summarize and word it differently, is there a way to automatically login to LDAP to check the cn of the client certificate when an application hits the Apache reverse proxy?

Freeradius with LDAP - Cisco WLC - Authentication Failing

I am getting the following error in debug mode
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: tuser
[mschap] Client is using MS-CHAPv2 for tuser, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
I am pretty sure this is the issue. I am using OpenDJ as the backend ldap server and using freeradius with ldap. Please tell me if I would be missing anything or if there is a specific configuration I have to make. There is nothing network wise that is blocking ports. Note: I am using a Mac to authenticate.
Can you login locally on freeradius server with LDAP creds?
radtest $login $pass 127.0.0.1 10 $secret
If yes, you should probably stop freeradius service and run "freeradius -X" which show you debug from the server side.
Paste your sites-enabled/default config, do you have ms-chap uncommented there?

Enabling TLS in NiFi

I enabled TLS in NiFi by running the below command,
nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/bin/tls-toolkit.sh standalone -n "{my-ip},localhost" -C 'CN={my-ip}' -C 'CN=localhost' -o ./certs
This created the files required for TLS under the directory certs.
I moved the files under the directory certs into the conf folder of the deployment in my machine.
Installed the certificate to my machine's Keychain Access.
Now started the server using bin/nifi.sh start. My server starts, I am able to hit the server, But my request is not authorized.
I am getting the below error,
Not authorized for the requested resource. Contact the system
administrator.
Once TLS is enabled in Apache NiFi, anonymous access is no longer enabled by default. You will need to authenticate as a user in order to access the UI/API. There are three authentication mechanisms available -- client certificates, LDAP, or Kerberos. Once you configure an Initial Admin Identity in $NIFI_HOME/conf/authorizers.xml (this would be the exact CN of the client certificate you issued in the TLS Toolkit command), that user can authenticate and use the user management tools in NiFi to add additional users.
You can find more information in the NiFi Admin Guide. Bryan Bende has also written a detailed walkthrough of the process.
One note about the command you posted above -- I am not sure what your desired output is, but the command is issuing a server certificate for my-ip and another for hostname, but then two client certificates with those DNs as well. In general, you want a server certificate for hostname (possibly with a SAN entry for my-ip), and a client certificate with a DN like CN=alopresto, OU=Apache NiFi.
For example:
./bin/tls-toolkit.sh standalone
-n 'nifi.nifi.apache.org'
--subjectAlternativeNames '123.234.234.123'
-C 'CN=alopresto, OU=Apache NiFi'
-P password
-S password
-B password
-f ...conf/nifi.properties
-o ...conf/