I hope to give LDAP server new OID object - ldap

I am studying an LDAP server (ADLDS).
I figured out that extended operations are implemented in the LDAP server.
For example, the OID 1.3.6.1.4.1.4203.1.11.3 stands for the whoami command.
If I give 1.3.6.1.4.1.4203.1.11.3 to the LDAP server, the server would respond with who the user is.
In this situation, I hope to make my own command with a new OID.
How can I make this possible?
Thank you.

Some LDAP directory servers will allow you to extend them and define your own extended operation. This needs code and some expertise in the internals of the server.
I would strongly recommend that you consider open source directory servers, if you want to pursue that route, as getting full access to the code will make things easier.

Related

Is there a way to view/access the latest.log of a public minecraft server?

I'm currently working on a bot for some anarchy servers, and it's a lot more reliable for it to read the log than just plain chat. I need a way to access that, but I don't know how. Is there even a way to do this without admin access?
No, there is actually no way to view this. Because it's a file located on the server, you can only view it if you have (direct) file access to the server. The only way to get the latest.log file is to contact the server owner, but I think that no server owner of e.g. Hypixel will give you this log file.
You can make a Minecraft plugin in Java that acts as an API server; you can then make it read the file and return it. Of course, you would want to protect it with some type of authorization. You can use an HTTP server; an example would be this, it allows commands to be executed but you could easily work off that.
As MCTzOCK mentioned, you can't view it without asking for permission from the server owner.

Setting up agent authentication with PingAccess

I have a CentOS VM with a ready-installed PingAccess server test environment with access to the PingAccess Admin UI.
Now I would need to set up agent authentication on the system but sadly have no experience configuring PingAccess so far. I also find it difficult to find documentation to complete my task.
I would appreciate any hints and pointers in the right direction or information on how this kind of setup can be configured and what else I might need. Is it even possible to set it up in a local VM?
Here is a slightly more detailed description of the scenario:
An application that itself is not able to use a corresponding protocol (OAuth, SAML2, ...) (e.g. a small PHP script or something similar) that cannot do anything other than output a user name that it reads from the HTTP headers.
Set up an agent that extends the header attributes with e.g. something like Header-UserName. The application can then access the web server variables and use these values without having to worry about how the authentication works. The agent, on the other hand, can do the protocols and handle authentication via the server (here PingAccess).
Thanks a lot in advance.

Securing a resource in Web Server

I have a file (or set of files under a directory) published on my web server. Each of these resources needs to be access-protected based on the user's credentials and authority.
The authorization details are stored in a DB, so I need to make a call to the Java code in the application server to determine the access.
Every time the user hits this particular path in the web server, I need to ensure s/he has access to the requested resource by ensuring he is logged in and has the necessary privileges to access this resource.
The web server is Apache. Can you please point me to the settings in Apache that allow me to secure resource access using the above logic?
Thanks for the suggestions to correct the Tag and the Question!:
My Web Server is Apache HTTPD
Agree that this is not a Java question: the only reason why I am bringing in the Java perspective is that I am most likely going to use some Java POJOs to go and check for user authorization for a particular directory that is stored in the DB. That is, unless there is a trick in the Apache httpd configuration that goes and checks the DB automatically, something similar to the one that is pointed out here... At the end of it, I need to check if a particular user (authenticated previously by the Single Sign On server (Sun Access Manager)) has access to a particular directory (user mapping to directory stored in the DB) and protect the resources under the directory accordingly.
Please let me know if that clarifies.
I am not sure why this is tagged with java. Unless your DB structure is VERY specific, you might be able to get it done with Apache authz and authn:
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html
or, for an overview:
http://httpd.apache.org/docs/2.2/howto/auth.html

Access to manage-account commands in OpenDS

OpenDS provides command-line access to many necessary account functions via its manage-account utility. For example, to disable an account:
manage-account set-account-is-disabled --operationValue true \
--baseDN "uid=someuser,ou=People,dc=example,dc=com" --hostname hostname --port 389 \
--bindDN "cn=Directory Manager" --bindPassword password
This is fine and dandy if you have a sysadmin to administer your LDAP server, but in a scenario where you have 1000s of users all over the globe this becomes a problem (imagine a user locked out of their account in Japan while the sysadmin is asleep in the US). We'd like to be able to programmatically tie into some of these manage-account functions so we can provide local admins/managers the ability to manage their own users.
Can anybody provide any insight on if this is possible and if so how? We are writing this in C# and I can't find any examples on it. Looking at the .NET API docs I thought System.DirectoryServices.Protocols.ExtendedRequest looked promising but cannot figure out how to use it.
Any help would be greatly appreciated, thanks!
The manage-account tool uses an LDAP extended operation, whose code is in opends/src/server/org/opends/server/extensions/PasswordPolicyStateExtendedOperation.java.
Alternatively, you can check the OpenDJ LDAP SDK, which has support for the extended operation and will allow you to quickly write a client application.
The OpenDJ LDAP SDK is documented at http://opendj.forgerock.org/opendj-ldap-sdk/ (and the doc is in the developer's guide: http://opendj.forgerock.org/doc/dev-guide/OpenDJ-Dev-Guide.html).
Regards,
Ludovic
The source code for manage-account is available; one can re-create the encodings from there. Also, one could set up a directory server, run manage-account, record the steps the tool takes from the access log, then write code to re-create those steps.
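
What an extended operation looks like on the wire, for both the whoami OID in the first question and the manage-account operation discussed in this thread, as an added Python example (not code from OpenDS, the SDK or any poster). The request is only an OID plus an optional opaque value inside an LDAPMessage; the two replies are constructed samples, and the second shows the protocolError (2) that RFC 4511 specifies when the server has no handler for the OID.

```python
# Added example: BER encoding of an LDAP ExtendedRequest/ExtendedResponse (RFC 4511, 4.12).
WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"  # OID quoted in the first question

def ber_len(n):
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def extended_request(msg_id, oid, value=None):
    """LDAPMessage{messageID, [APPLICATION 23]{[0] requestName, [1] requestValue?}}"""
    op = tlv(0x80, oid.encode("ascii"))
    if value is not None:
        op += tlv(0x81, value)
    mid = msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big")  # spare bit keeps it positive
    return tlv(0x30, tlv(0x02, mid) + tlv(0x77, op))

def read_tlvs(buf):
    """Split buf into (tag, value) pairs, rejecting truncated or indefinite lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:
            k = n & 0x7F
            if k == 0 or i + k > len(buf):
                raise ValueError("bad length")
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated value")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def parse_extended_response(msg):
    """Return (messageID, resultCode, responseValue or None)."""
    (tag, body), = read_tlvs(msg)
    (_, mid), (op_tag, op) = read_tlvs(body)[:2]
    if tag != 0x30 or op_tag != 0x78:  # 0x78 = [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    fields = read_tlvs(op)  # resultCode, matchedDN, diagnosticMessage, then optionals
    value = dict(fields[3:]).get(0x8B)  # [11] responseValue
    return int.from_bytes(mid, "big"), int.from_bytes(fields[0][1], "big"), value

# Constructed sample replies (not captured traffic): success, and protocolError (2) for an OID with no handler.
OK_REPLY = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x78, tlv(0x0A, b"\x00") + tlv(0x04, b"") * 2 + tlv(0x8B, b"dn:uid=someuser,ou=People,dc=example,dc=com")))
UNKNOWN_REPLY = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x78, tlv(0x0A, b"\x02") + tlv(0x04, b"") * 2))
```

A custom operation reuses exactly this framing with a different OID and value, which is why the server-side handler, not the client, is where the work lies.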

Prevent direct access to the back-end Ms Access database

I have this problem, I can create a setup for my app/database but everyone can open the backend file which is an MS Access database. I want it so we can only access the database using the frontend app. Please help me ...
You will need to create a separate front end app that accesses the database, and keep the database file somewhere secure where direct access to it is limited/restricted. You should also password-protect the file in case someone does manage to get it. See tip #10 here: https://web.archive.org/web/1/http://blogs.techrepublic%2ecom%2ecom/10things/?p=552 for info about password protection (though you might find the other tips useful as well).
Whatever you do, don't rely on Access password protection. It can be cracked in minutes by tools freely available on the internet.
I would get Garry Robinson's book Real World Microsoft Access Database Protection and Security.
It is the most comprehensive guide to securing an Access database that there is.
A first step, however, would be to put the backend file in a restricted folder.