Apache Brooklyn and LDAP against Microsoft Active Directory - apache

I am trying to configure Apache Brooklyn to use the LDAPSecurityProvider against a Windows Active Directory.
I am testing the connection with Apache Directory Studio and it works with the provided credentials.
Screenshot of Apache Directory Studio and the LDAP tree
But when I Configure Apache Brooklyn to use LDAP against the AD it does not work and creates no error logs.
My brooklyn property file is here:
brooklyn.webconsole.security.provider=org.apache.brooklyn.rest.security.provider.LdapSecurityProvider
brooklyn.webconsole.security.ldap.url=ldap://10.0.20.10:389/????X-BIND-USER=uid=StackAdmin%2cou=users,X-BIND-PASSWORD=Password123,X-COUNT-LIMIT=1000
brooklyn.webconsole.security.ldap.realm=example.com

The LDAP support is documented at http://brooklyn.apache.org/v/latest/ops/brooklyn_properties.html#ldap - your example configuration looks good (very similar to that).
However, the docs say it will then construct something like:
LDAP://cn=John Smith,ou=Users,dc=example,dc=com
(With the "ou" value being configurable).
Looking at your screenshot, it seems you'd need something like that below (though it isn't expanded to see a full user example):
LDAP://cn=John Smith,cn=Users,dc=example,dc=com
Unfortunately that isn't currently supported in Brooklyn.
The workaround would be to store your users under "ou" instead.
The LDAP integration code is pretty simple (and low on logging):
https://github.com/apache/incubator-brooklyn/blob/master/brooklyn-server/rest/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
It would be reasonably easy to update the Java to support your use-case.
Do you want to either have a go at creating a pull request for that (https://github.com/apache/incubator-brooklyn/), or opening a jira issue at https://issues.apache.org/jira/browse/BROOKLYN to describe the requirements and someone can take a look?

I had the same problem and solved it by creating my own LdapSecurityProvider for Active Directory. Create a new class which extends org.apache.brooklyn.rest.security.provider.LdapSecurityProvider and override the getUserDN method.
Brooklyn uses the com.sun.jndi.ldap.LdapCtxFactory, so you can find detailed documentation at http://docs.oracle.com/javase/7/docs/technotes/guides/jndi/jndi-ldap.html
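An added example of the subclass described above (my own illustration, not code from Brooklyn or from the answerer). It assumes the parent class exposes a protected String getUserDN(String user) hook and a constructor taking (ldapUrl, ldapRealm, organizationUnit); the cn=Users container and the RFC 4514 escaping of the login name are my additions.

```java
package com.example.brooklyn.security; // hypothetical package name

import org.apache.brooklyn.rest.security.provider.LdapSecurityProvider;

/**
 * Active Directory variant of Brooklyn's LDAP provider: users live under the
 * "cn=Users" container rather than under an "ou". Assumed (not verified here):
 * the parent exposes protected String getUserDN(String user) and a
 * constructor taking (ldapUrl, ldapRealm, organizationUnit).
 */
public class ActiveDirectorySecurityProvider extends LdapSecurityProvider {

    private final String realm;

    public ActiveDirectorySecurityProvider(String ldapUrl, String ldapRealm) {
        // The parent's organizationUnit is irrelevant once getUserDN is overridden.
        super(ldapUrl, ldapRealm, "cn=Users");
        this.realm = ldapRealm;
    }

    /** Builds e.g. cn=John Smith,cn=Users,dc=example,dc=com for realm "example.com". */
    @Override
    protected String getUserDN(String user) {
        StringBuilder dn = new StringBuilder("cn=").append(escapeRdnValue(user)).append(",cn=Users");
        for (String component : realm.split("\\.")) {
            dn.append(",dc=").append(escapeRdnValue(component.toLowerCase()));
        }
        return dn.toString();
    }

    /**
     * Escapes one attribute value per RFC 4514, so a login name containing
     * ',' '+' '"' '\' '<' '>' ';' '=' or a leading '#' or leading/trailing
     * space cannot change the structure of the DN that is passed to bind.
     */
    static String escapeRdnValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean edgeSpace = c == ' ' && (i == 0 || i == value.length() - 1);
            if ("\\,+\"<>;=".indexOf(c) >= 0 || (c == '#' && i == 0) || edgeSpace) {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }
}
```

Brooklyn instantiates the configured provider itself, so the class also needs whatever constructor Brooklyn calls (check the parent class on the linked GitHub page); only the DN-building override is shown here.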

Related

Test LDAP connection with sample users

I don't know much about this topic; it is the first time I have needed to do this.
I have a platform (an e-commerce website) with the LDAP extension added, and I must test to see if LDAP is working.
I understood that I need an Active Directory… but I really don't understand, or I don't know how to search, to get something that can be useful.
I need some test users to see if LDAP protocol is working...
Do you have any tutorials or documentation about this? Like, for dummies :)
Thank you
There's a public test LDAP server detailed at https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
That's not Active Directory, so no good if you have a specific requirement to test Active Directory LDAP. I doubt you'd find a public Active Directory for testing -- you may be able to use a free trial of Windows Server 2019 (or a free trial in MS's Azure cloud) to set up a Windows server on which you create an AD test domain.

Difference between backends and databases in Openldap

I started learning OpenLDAP 2.4, but I faced some concepts that I couldn't understand well based on the official administration guide. So I'm addressing those questions to the community in the hope of finding some good explanations.
The first question is: what is the difference between backends and databases in OpenLDAP? Also, in the documentation I found something very confusing; for example, in the backends section, I tried to create an ldap backend with these instructions:
database ldap
suffix "dc=suretecsystems,dc=com"
rootdn "cn=slapd-ldap"
uri ldap://localhost/ ldap://remotehost ldap://remotehost2
After altering my configuration directory, I found an olcDatabase={1}ldap.ldif file created in the cn=config folder, and no back-ldap module had been created.
Another question is about defining multiple databases in an OpenLDAP server: if I create two databases (for example an hdb and an mdb database), how is a query from an LDAP client handled by the server? Is the data fetched from both databases in a specific order, or is there a way to choose which database we want to interact with?
And finally, why does the official administration guide still use the slapd.conf configuration style when it is deprecated? Is there any updated guide?
Thanks!!

Managing commit rights in svn by delegating to project managers

We have multiple projects in an SVN repo, and for each project there are many users. As the number of users is large, it's troublesome to manage their commit rights using the "Auth file".
I have read somewhere that we can delegate users' rights to their managers by creating a text file, but I am not sure how to achieve this, and perhaps hooks need to be configured for this. As I am new to SVN, I need your expert advice. Please guide me on how to achieve this, and if you have a hook already configured, kindly provide it.
How to setup access control in SVN?
I have seen this link and the answer by VonC is great and perfect for me. But I don't know how to start... can anybody help me out here, as I am not a pro in SVN and Unix?
Thanks in advance
Preface
Using a single repository for multiple projects is a Bad Idea (tm): one repo - one project
Forget immediately about SVN 1.5, which is as old as mammoth's shit - use at least 1.6 on client and server (1.8 may be the best choice)
Face
Simplified user management for SVN users can be reached by using LDAP-based authentication instead of an ordinary file (in the case of "repository per project", the <location> from the answer will be the location of each repo with SVNPath; in the case of the old structure, a <location> must be linked to every root of a project) and by having different groups for different repositories in the Require ldap-group directive - read also the Apache 2.2 docs, the Apache Module mod_authnz_ldap part. From a management POV, LDAP auth and permissions mean: each developer must be in the LDAP tree, included in one or more groups related to repositories
In case of an additional requirement for Path-Based Authorization within repositories and using groups inside the authz file, you may find the LDAP Groups to Subversion Authz Groups Bridge useful, which allows you to regenerate authz groups from LDAP data
As a result, most (if not all) SVN-related ACLs can be managed on the LDAP side only

Secure/second access for web development - deny view for public; allow developer

Sorry for the strange title, I can't find better description to my question.
I'm building some websites with a team of 4 people - 2 developers and 2 testers. The developers build the page on a local Apache/MySQL server. Every now and then they upload a snapshot of what they have done to a dedicated server, which serves the files with htaccess basic authentication to the testers.
Are there better solutions for this workflow? I would like to have more security for this whole thing. The snapshots of the website often show debug-/development info, that shouldn't be seen by public eyes.
Something like a different port of the apache server... ? Any suggestions?
I think another way is to use Git or some other versioning system for deployment, so only new code will be added and you can disable showing of this debug information permanently in some file which will not be overwritten.
OR
You can use some cloud service like getpantheon.com (for Drupal). It could provide you with a good environment for testing.

Using groups in mercurial's allow_read, allow_push etc

I was wondering if it is possible to use groups specified in e.g., an apache authgroup file in allow_read and/or allow_push etc.
So basically what I do is I am using apache with an authfile and authgroup file to authenticate users.
Now I want to restrict some repositories using allow_read from being shown to users in a specific group specified in the authgroup file.
Let's say I have sam, frodo and sauron in my auth file and I have a group hobbits containing sam and frodo in the authgroup file.
So instead of writing:
allow_read = frodo, sam
I tried
allow_read = #hobbits
but that does not seem to work. Does anybody know whether this is actually supported? The idea is that if I have, say, 10 repositories only readable by hobbits and I add a hobbit, I only have to change the authgroup and auth files and not each repository's hgrc file.
Thanks in advance
Mercurial does not have any built-in support for groups. There is a patch from a user that adds group support, but the coders seemed hesitant to include it by default; they want the contributor to make a plugin out of it instead. As of April 2013 they seem to have accepted it, but I still see no trace of it in the version currently shipped with Ubuntu (2.7).
Controlling groups in Apache, as suggested by Joel, doesn't give you any fine granular control when you have more than one repository, so it's no use (at least not for me).
I ended up using the open source tool SCM-Manager for it. SCM-Manager acts as a frontend for SVN, Git and Mercurial and has support for various user directories (including LDAP and Crowd) as well as its own user directory.
I'm using mod_proxy to integrate it in my Apache configuration and it works quite well.
It appears you'll need to do your group controlling in Apache rather than in hgrc files, as the documentation for hgrc mentions only user names.
You'll want to have a read of Configuring Apache on the Publishing Repositories page. Section 7.4 seems to contain the information you'll need to set up what you want.
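The per-<Location> pattern that both the SVN answer above (Require ldap-group per repository) and the Mercurial answers (do the group control in Apache, not in hgrc) point at, as an added Apache httpd 2.4 configuration example that is neither from the page nor from any project; repository paths, file names, DNs and group names are invented for illustration, and the required LoadModule lines for mod_dav_svn, mod_authnz_ldap and mod_wsgi are assumed to be present elsewhere.

```apache
# Added example: one vhost fragment serving an SVN repository gated by an LDAP
# group and an hgweb instance gated by a file-based group. All names invented.

# --- Subversion: membership checked in LDAP, one group per repository ---
<Location /svn/project-a>
    DAV svn
    SVNPath /var/svn/project-a
    AuthType Basic
    AuthName "Subversion project-a"
    AuthBasicProvider ldap
    # ?uid restricts the search to the uid attribute; ldaps:// keeps user
    # passwords and the service bind off the wire in clear text.
    AuthLDAPURL "ldaps://ldap.example.org/ou=People,dc=example,dc=org?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "cn=httpd-reader,ou=Services,dc=example,dc=org"
    # httpd 2.4.5+: read the bind password from a program instead of the config file.
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-password.sh"
    # Groups are posixGroup objects listing uids, not DNs.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    # Only members of this group may read or commit; an AuthzSVNAccessFile
    # can still narrow paths and read/write inside the repository.
    Require ldap-group cn=project-a-devs,ou=Groups,dc=example,dc=org
</Location>

# --- Mercurial (hgweb): group membership from an AuthGroupFile ---
WSGIScriptAlias /hg /var/www/hgweb.wsgi
<Location /hg>
    AuthType Basic
    AuthName "Mercurial"
    AuthBasicProvider file
    AuthUserFile  /etc/httpd/hg.passwd
    # hg.groups contains a line such as:  hobbits: sam frodo
    AuthGroupFile /etc/httpd/hg.groups
    # Apache decides who may reach the repositories at all; allow_read and
    # allow_push in each hgrc then only ever need individual user names.
    Require group hobbits
</Location>
```

Adding a hobbit then means editing hg.passwd and hg.groups (or the LDAP group for SVN) once, with no per-repository hgrc change.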