Does Cas Server 4.0.0 have LDAP server by itself or not? - ldap

I have been working on a single sign-on CAS system to connect my web apps together using CAS LDAP. But do I have to use OpenLDAP and configure it with my CAS server, or do CAS servers have built-in LDAP services by default? If they do, I'm currently using CAS server 4.0.0 and I'm looking for the LDAP configs listed below, separated by commas.
LDAP bind DN, LDAP bind password, Base DN, Username filter attribute, Search attributes.
Does anybody know the values that must be filled in for the above CAS LDAP configuration?

There is no built-in LDAP server in CAS.

Related

Is LDAP channel binding and LDAP signing supported by UnboundID LDAP SDK?

Relatively recently Microsoft has added support for LDAP channel binding and LDAP signing:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
Is it part of LDAPv3 protocol?
Is it supported by UnboundID LDAP SDK?
My understanding of the advisory is that these are not LDAPv3 specific, but more settings of the server and the underlying security libraries.
The support they have added is on the server side to verify that LDAP signing is enabled on the security layer before allowing Simple or SASL authentication. Most LDAP servers on the market support that. And the UnboundID LDAP SDK has support for enabling this from the client side.
LDAP channel binding is again not fully LDAPv3 specific, but also tied to tokens generated and used by MS AD, over LDAP. I don't think there's anything specific to do on the client side, besides using TLS/SSL.

What is the difference between LDAP and OpenLDAP

What are the differences between LDAP and Active OpenLDAP?
What are the differences between LDAP
LDAP was originally a protocol, Lightweight Directory Access Protocol, and is now a directory service specification in its own right, including all kinds of schemas and extras.
and Active OpenLDAP?
There is no such thing as 'Active OpenLDAP'. There is however OpenLDAP, which is an open-source implementation of LDAP, both server and client.

Kerberos Authentication for multi-tenant apache hosted Rails app

I would like to support a multi-tenant rails application with conditional support for Kerberos authentication by tenant.
The examples I've seen with mod_auth_kerb assume the apache server will reach out directly to the KDC for validating the ticket. In my case, I would like the server to have the client browser negotiate w/ the KDC and provide the appropriate ticket. I believe this is done by returning a 401 w/ www-negotiate header and the client browser will then call back with the ticket. The apache server would then just validate the ticket against the appropriate keytab. My understanding is I will need a keytab from each domain that will support Kerberos auth.
So, I think I can easily provide an "/auto_login" route that Apache then enforces Kerberos on. However, I'm not quite sure how to have Apache choose the right keytab; e.g. if I hit /auto_login?client=abc to validate against ABC's keytab.
I currently use Devise. A custom strategy: Devise ignoring custom strategy would be nice, but it seems I have the same issue in configuring the Krb5 gem (unsupported now?) to handle multiple keytabs and determine which to validate against.
How many distinct realms do you have? mod_auth_kerb works fine with multiple realms, as long as their KDCs are capable of validating the trust relationship and issuing cross-realm TGTs, and your krb5.conf configuration does proper mapping to those realms.
If you are able to establish cross-realm trusts between the realms, then the problem will be already solved -- just specify all accepted realms in mod_auth_kerb's configuration:
KrbAuthRealms CUSTA.COM CUSTB.COM WHATEVER.COM
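A fuller httpd configuration for the route described above, written as an added example rather than as code from the answer or from mod_auth_kerb's own documentation. It assumes two customer realms, CUSTA.COM and CUSTB.COM, with a cross-realm trust already in place, a single keytab holding this host's HTTP service principal, and placeholder hostnames and paths.

```apache
# Added example. Assumes realms CUSTA.COM and CUSTB.COM trust each other and
# that /etc/httpd/conf/http.keytab (placeholder path) contains this host's
# HTTP/app.example.com principal; adjust all names to your environment.
<Location "/auto_login">
    AuthType Kerberos
    AuthName "Single sign-on"

    # Accept only SPNEGO/Negotiate tickets from the browser. Keep the password
    # fallback off so credentials are never typed into, or sent to, the web tier.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off

    # Principals from either customer realm may authenticate here.
    KrbAuthRealms CUSTA.COM CUSTB.COM

    # One keytab is enough when the realms trust each other: a CUSTB user
    # obtains a cross-realm TGT and is then issued a ticket for this service
    # by the KDC of the realm that owns the HTTP principal.
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbServiceName HTTP

    # Leave the @REALM suffix on REMOTE_USER so the Rails app can tell
    # which tenant a user belongs to instead of trusting a query parameter.
    KrbLocalUserMapping Off

    Require valid-user
</Location>
```

On the Kerberos side, krb5.conf on the web host needs a [realms] entry with the KDCs of each realm and a [domain_realm] section mapping each customer's DNS domain to its realm, otherwise the library cannot follow the cross-realm path. Deriving the tenant from the realm in REMOTE_USER, rather than from the client parameter in the URL, keeps a user of one tenant from presenting a valid ticket while claiming to be another.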

Keystore for LDAP Login Module

I am using the LDAP Login module to secure access to the Worklight Console. The ldap:// access works. However, I need to access LDAP over SSL i.e., using ldaps://. I am trying to find out the key-store into which to provision the LDAP server side public-keys certificate. There are two possibilities, namely:
the default keystore built into the worklight war file
the keystore defined for use by Liberty Profile.
There does not appear to be any documentation on which keystore is used by the LDAP Login Module.
Any pointers?
Thanks in anticipation.
The keystore is often even lower level than you suggest and based upon the cacerts in the JRE/JVM's lib\security directory.

How to use client certificates in Apache httpd to connect to an LDAP for authorization?

I have a site that is using x509 client certificates (2 way SSL) to authenticate users and an LDAP directory that contains authorization information. I would like to use one of the certificate attributes to query the directory ( SSL_CLIENT_S_DN_CN to be exact ). I see how to use mod_ssl to use the user's client certificates for authentication and I see how to use mod_auth_ldap and the like to use the username from basic or form based authentication to query the LDAP store for authorization. What I haven't seen a good example for is how to use an attribute of the user's client certificate in place of the username to query the LDAP. Any ideas?
A module exists for apache 2.2.x: modXLDAPAuth
This might help: setting certs + mod_authnz_ldap (AuthLDAPURL)