Opendaylight integration with IDP/LDAP for authn/authz - sdn

Is it possible to integrate Opendaylight(AAA) with IDP (or) LDAP for authn/authz ? Or is this part of ODL future roadmap ?
I could see some reference documents stating about the above ones.
Does anyone tried it, if so could you please share me the steps/configuration details.
Thanks

You have to edit this file {KARAF_HOME}/etc/shiro.ini
ODL provides a few LDAP implementations that are disabled out of the box. ODLJndiLdapRealm includes authorization functionality based on LDAP elements that are extracted through an LDAP search. This requires a bit of knowledge about how your LDAP system is setup.
ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=<PEOPLE>,dc=<DOMAIN>,dc=<TLD>
ldapRealm.contextFactory.url = ldap://<URL>:<PORT>
ldapRealm.searchBase = dc=<DOMAIN>,dc=<TLD>
ldapRealm.ldapAttributeForComparison = <OBJECTCLASS>
...
Stacked realm configuration; realms are round-robbined until authentication succeeds or realm sources are exhausted.
The $ldapRealm is only required if you are enabling LDAP. securityManager.realms = $tokenAuthRealm, $ldapRealm

Related

Using CKAN with the Cosign SSO system and LDAP

I'm using CKAN with Apache and an SSO system called Cosign. Cosign works as an authenticator in Apache and ends up setting REMOTE_USER before the python code fires up. What I'm trying to do is use LDAP user lookup based on that preset REMOTE_USER. Can I do that with the CKAN ldap plugin (http://extensions.ckan.org/extension/ldap/)? Any advice greatly appreciated - I'm a Python and CKAN novice.
The short answer is that ckanext-ldap doesn't do that. What it does is provide a custom login form (username and password) that authenticates the credentials via LDAP. It then creates a session for the corresponding CKAN user, creating a user account first if required. Having it do anything else would require customisation of the extension although there are a number of options documented in its readme that alter the behaviour in small ways.
Whether ckanext-ldap would be a suitable extension to build upon to achieve what you want depends on what you want to do, which isn't clear from your question.

Symfony 3.1: configuration of ldap component as service

I'm writing my first Symfony app and and I need authenticate users over LDAP/AD, but I run out of documentation...
I found many solutions for use LdapClient, but it tagged as deprecated. So, i check for use the new one Ldap class as recommended, but I not found documentation for use it. The documentation of Ldap component for the current version (3.1) suggest to use LdapClient yet! It isn't updated yet?
I don't know how to do: must we create an adapter for add a Ldap service? If so, how to proceed?
Any help will be appreciated, thanks!
Check out this cookbook article for configuring LDAP authentication using the builtin Symfony component:
http://symfony.com/doc/current/cookbook/security/ldap.html
I also have a bundle I maintain that includes LDAP authentication that works well with AD called LdapToolsBundle. It has documentation on the main page for the app/config/config.yml entries needed to configure your domain for use in the bundle, and also some details on configuring authentication in app/config/security.yml here.
The bundle above provides a LDAP service called ldap_tools.ldap_manager that can be used to query/create/modify different types AD objects.
take a look at my Blog:
https://alvinbunk.wordpress.com/2016/03/25/symfony-ad-integration/
This requires FOSUserBundle and FR3DLdapBundle, but I think if you go through all that documentation you should be able to get LDAP/AD integration with Symfony3 working.
EDIT #2
Below is a second easier solution:
https://alvinbunk.wordpress.com/2017/09/07/symfony-ldap-component-ad-authentication/

How to configure SSO and LDAP authentication in Maarch Courrier 1.5

I've installed a DMS called Maarch Courrier, an opensource alternative to SharePoint and Alfresco. I successfully configured my Active Directory to work with it.
But on the first connexion, the software asks AD users to provide a new password to be used in Maarch. So, I'd like to setup Single Sign On with LDAP in the Maarch Courrier DMS. Following this tutorial : http://wiki.maarch.org/Socle_Technique_/_How_to_connect_a_SSO, I tried to configure it but failed. Can anyone help ?
You need to configure the configuration file. You can find it in the ldap module

Two authentication modes in Testlink

I've just installed Testlink and am trying to get familiar with it.
I've even managed to configure authentication using LDAP (Microsoft AD).
But strangely, as soon as I set LDAP as default authentication method, my local test users cannot log on anymore.
If I change back to DB authentication as default auth method, my LDAP users cannot log in anymore.
I've the following set in the configuration file:
$tlCfg->authentication['domain'] = array('DB','LDAP');
$tlCfg->authentication['method'] = 'LDAP';
It seems as if both authentication modes are enabled and LDAP is used as the default.
When editing the user settings of a user, I have a dropdown box named "Authentication method"
It has three entries. One is "Default", the other is "0" and the third is "1".
This led me to the assumption, that I can select the type of authentication used for this account.
But strangely, regardless of which option I choose, the behavior is identical to what I mentioned above.
Is anyone experienced in Testlink?
Does anyone use two authentication modes in parallel with Testlink?
Did anyone see the same issue before? What did you do to solve this issue?
Thanks for your help in advance!
Best regards,
Tom
You can use testlink DB authentication as well as LDAP authentication. You have to set this option when you create user
Dropdown box named "Authentication method" has three entries. One is "Default (LDAP)", the other is "DB" and the third is "LDAP". If you see different options then something is messed up with your TestLink installation. I'm using v1.9.14 on MySQL.

Grails Spring Security X509 for Authentication and LDAP for Authorities

Some pointers more than anything required here.
I'm trying to get both X509 and LDAP working in my application. I want users to be authenticated using their PKI certs and then for the APP to get their authorities from our LDAP server.
I have LDAP working with a customer userDetailsContextMapper at the moment however how to add the x509 properly stumps me a little.
I think what I want is a PreAuthenticatedAuthenticationProvider that uses an injected ldapUserDetails service.
How can I do that? Do I need a UserDetailsByNameServiceWrapper to wrap the LdapUserDetailsService up to be used within the pre-authentication provider?
I ask because unfortunately the testing platform and the development environment at the moment is detached, and I don't have local LDAP or PKI set up to test against so its about a 6 hour process getting a new war onto the dev environment... Restrictive I know... So I want to get it right first time.
Cheers!
NOTE: THE FOLLOWING WORKS WITH Spring-Security-Core v1.2.7.3, Configuration names are different in 2.0RC2
Following a few different ideas, this is what I came up with. This assumes you already have LDAP working with a custom and UserDetailsContextMapper (see: ldap documentation):
Ensure both the LDAP and a PreAuthenticatedAuthentication Provider are in the provider list:
grails.plugins.springsecurity.providerNames = [
'preAuthenticatedAutehnticationProvider',
'ldapAuthProvider',
'daoAutehnticationProvider',
'anonymousAuthenticationProvider',
'rememberMeAuthenticationProvider']
Then in your spring resources (grails-app/conf/spring/resources.groovy) configure the following beans:
ldapUserDetailsService(org.springframework.security.ldap.userdetails.LdapUserDetailsService,
ref('ldapUserSearch'),
ref('ldapAuthoritiesPopulator')) {
userDetailsMapper = ref('ldapUserDetailsMapper')
}
userDetailsByNameServiceWrapper(org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper) {
userDetailsService = ref('ldapUserDetailsService')
}
preAuthenticatedAuthenticationProvider(org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider) {
preAuthenticatedUserDetailsService = ref('userDetailsByNameServiceWrapper')
}
And bobs your uncle and you have some aunts!
For reference the pages I used to come up with this solution are:
No AuthenticationProvider found using spring security
Wrap your LdapUserDetailsService in a UserDetailsByNameServiceWrapper
Instead of the LdapAuthenticationProvider configure a PreAuthenticatedAuthenticationProvider that will be able to process the PreAuthenticatedAuthenticationToken issued by your CustomX509AuthenticationFilter.
Inject the wrapped LdapUserDetailsService into the PreAuthenticatedAuthenticationProvider.
http://blog.serindu.com/2011/05/26/grails-spring-security-using-preauthenticated-authentication-provider/
Covers how to wire up a preAuthenticationAuthenticationProvider in grails
http://forum.spring.io/forum/spring-projects/security/108467-combine-pre-authentication-with-ldap-for-user-details-and-authorities
there's an LdapUserDetailsService that does all the good things the LdapAuthenticationProvider does - except for authentication
http://pwu-developer.blogspot.co.uk/2012/02/grails-security-with-cas-and-ldap.html more on how to wire up that ldapUserDetailsService
Hope this helps someone else!