Am trying to configure Single sign-on using FreeRadius.
Scenario:
I have a fully configured LDAP (389 DS) Version-2.1 with few users and groups (in CentOS6).
I have installed FreeRadius (latest stable version) (in CentOS 6).
Configured FreeRadius to listen the above LDAP server.
I have made a client system (CentOS6) as radius client using pam_radius module. Now, am able to login to NAS with the LDAP credentials and getting logs correctly in FreeRadius.
Now, I want to implement single sign-on in this setup since I want to added some other devices like Firewall(Sonicwall) to authenticate.
I couldn't find any good docs to configure this.
Can someone please suggest me how to configure Single sign-on in the above setup?
For firewalls most people just use the accounting data to start and stop sessions as appropriate. This is usually triggering a script from within the accounting {} section of the freeradius server, creating the session on Acct-Status-Type == Start and destroying it on Acct-Status-Type == Stop.
If the PAM module sends Interim-Updates, you can record those in a database, and also set a 'lastupdated' timestamp. You then have a cronjob to check for rows where NOW() - lastupdated > (interim-interval * 2), and for those rows, delete the session on the firewall and close out the session in the database.
There is no proper SSO mechanism I know of which runs purely over RADIUS, the Project Moonshot guys were trying to get something working with SAML and a special EAP method, but it's probably too complex for what you want here, and not supported by PAM anyway.
Related
I have running mosquitto and I want to do that only one client can connect to topic as publisher (maybe with password or something) others can only conncet as subscriber.
Defining topic and user access rights at conf file is the way that. But in my application topics are created dynamically at run time.
How can I achieve this?
Thanks
See mosquitto-auth-plug
... plugin can perform authentication (check username / password) and
authorization (ACL).
You may need to modify one of the backends suited for you if you want to have a dynamic behavior on topic authorization. See be_jwt_aclcheck functions.
Good day.
I am developing a program that will be used in a corporate environment by the end users. The application will automatically fix certain errors as soon as the user selects the application name, chooses the symptom or error message and clicking on the fix button.
The idea behind is to decrease the amount of calls we receive at the IT Service Desk (The company's personal Call Centre for IT Issues) and at the same time assist the end user by resolving the issue within a minute (versus waiting on the phone for up to 15 minutes or more).
I've am not yet allowed to upload an image of the application, but imagine a small'ish windows form with 2 columns; Aplication name and Synptom. The user will choose the application's name, click on the error message and click on the FIX button. This basically automates whatever we has IT Techs would manually.
The problem I'm facing is that some of the code is supposed to be executed with adminsitartor rights, eg. Stop and Start a given service, adding regsitry entries for Local Machine, etc.
Given the fact that none of the users will be allowed to have elevated rights and the fact that they need to use this application as a sort of "self-help" alternative without the need to call the IT Service Desk, is there a way to give a set of code "administrator permissions"? The application should NOT request the user to enter ANY passwords.
Regards,
Willem
No way, AFAIK: the model in common operating systems is process-centric, so that the process is given permissions that are then inherited by its code. You can elevate such privileges at some point, but that will be for the whole future life of the process (or as long as the authentication token for it ceases to be valid).
In windows the right way to do that is to employ a back-end service: at boot, you start the service called IT_Auto_Fixer_Back_End with high permissions (try to avoid Administrator, NetworkService or LocalService could be enough for you). When the app IT_Auto_Fixer_Front_End is started with USER privileges, it operates until it needs something with high privileges. At that point it sends a request to the service, that will do it.
If you choose this way, some important advices:
The IT_Auto_Fixer_Back_End must not become a backdoor! If you use TCP as form of communication with IT_Auto_Fixer_Front_End, make it listen localhost only and use SSL (yes!) to encrypt local traffic
It must not be possible to invoke arbitrary commands using IT_Auto_Fixer_Back_End. You need to enumerate the possible requests that could be made (i.e. a command like stop_mysql_service rather than accepting directly the string net stop mysql - the application logic will translate your string into the real OS command)
Every input from the user could be used to perform command injection. To prevent this, use the Windows API that requires an array for the command - this way if the user adds options to a command (i.e. the name of the service in net stop) they won't be interpreted as another command (common scenario: when accepting the name of the service as a parameter, a malicious user that tries to execute something like net start mysql ; net user /add hacker t00E4sy). Authentication and encryption will not help you against this, you must escape any user input that goes inside the command.
Sanitize your ENVIRONMENT by using the API that executes commands setting the PATH (and other relevant variables), so that the user will not be able to taint the PATH, executing C:\temp\net.exe instead of C:\Windows\System32\Net.exe
IT_Auto_Fixer_Back_End service should be authenticated: it should check every time if the request comes form the user by checking if the Kerberos token is valid (Windows => you get a very nice Kerberos environment for free!). This will prevent someone else to break into the machine, use SSL to connect to the localhost port and elevate privileges through your service
The above (authentication) still stands when something else (i.e. shared memory, windows sockets, a file, etc...) is used as communication channel between IT_Auto_Fixer_Back_End and IT_Auto_Fixer_Front_End
Life gets harder when you want to properly implement something dealing with multiple level of permissions...
I'm trying to configure LDAP authentication for teamcity but can't get it to work. I already configured some other services on this server to authenticate using LDAP and had no problems (so it's not fault of the DC).
Following describes my config file:
java.naming.provider.url=ldap://192.168.0.123:389/DC=server,DC=example,DC=com
java.naming.security.principal=ldap-user
java.naming.security.credentials=jE&4i.%$lpDr3#?
java.naming.security.authentication=simple
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Group1,CN=Users,DC=server,DC=example,DC=com))
teamcity.users.username=sAMAccountName
teamcity.auth.loginFilter=[^/\\\\#]+
teamcity.options.users.synchronize=false
teamcity.options.groups.synchronize=false
When I set authentication to 'none' it works (but I can't restrict access to a specific group). I also tried using the full user name (incl. domain; i.e. DOMAIN\ldap-user) and also tried to use full DN instead, but it didn't change anything.
In log i see that the ldap server returns error code 49, which means that the binding failed. Like mentioned before I already configured other services on this server to authenticate with the same ldap server and the same binding user and had no problems.
Does anybody know how to solve this issue?
Thanks in advance!
This is my configuration and It working fine. The synchronization is allowed so information like email and name there are no available but enable the login with NT Id and Credentials
java.naming.provider.url=ldap://amer.xxxx.com:389/DC=amer,DC=xxxx,DC=com
java.naming.security.principal=CN=SRVAMR-xxx,OU=CMAPPS,OU=Service,OU=Accounts,DC=amer,DC=xxxx,DC=com
java.naming.security.credentials=Pf867955
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=AMR-GENOME-L,OU=GMA,OU=Security,OU=Groups,DC=amer,DC=xxxx,DC=com))teamcity.users.username=sAMAccountName
I Hope help you
I am trying to figure out what is going on. Here is our setup:
We have four SQL servers that are in replication with each other.
We add a new user to Windows Active Directory and add them to a group that is in SQL Server that we have been using for ages.
The new user, when trying to authenticate using Windows authenication returns that error in the subject line. But, any users that were previously in Active directory work fine.
At one point I had gotten SQL Server "caught up" becauuse we had a group of users that could not log in because of this error. I did some changes to the SPNs and ended up making it so no one could log in. Then I realized how the SPNs were supposed to look and fixed it. Then I guess some magic happened and those users were able to authenticate. I thought it was fixed, but it is obviously not as we had to add one new user and they cannot authenticate.
What is interesting is that the user can authenticate with three out of the four SQL Servers. It is only this one server that is working incorrectly. I set up two SPNs for the SQl Service on this sql server.
They look like -
MSSQLSvc/[servername].[domain].local:1433
MSSQLSvc/[servername]:1433
These are actually registered to the Service account that we use for the SQL Servers. What is interesting is that I can't find the SPNs for the servers that are working anywhere.
Any help would be appreciated!
Edit: Also, another point to note is that if I try to add the user directly as a login into SQL server. I right click Logins and click Add Login then click search. I then type in [Domain]\[Username] and click check names. It validates the name as being correct. Then I click OK. And then OK again, and it gives the Error Windows NT user or group '[Domain]\[Username]' not found. Check the name Again.
I thought it was fixed, but it is obviously not as we had to add one
new user and they cannot authenticate.
The user has to relogin in order to pick up the new group. Otherwise, it's kerberos ticket is still using the old group membership information in its PAC
These are actually registered to the Service account that we use for
the SQL Servers. What is interesting is that I can't find the SPNs for
the servers that are working anywhere.
I think what happen is that you have one SQL Server with SPN setup properly while the other three SQL Servers with no SPN setup at all. So, you are going to use Kerberos on this particular server while NTLM on the other three.
As mentioned before, when you are using Kerberos, you have to either purge the ticket using some tools or you have to relogin in order to pick up the new group membership. You can also try to lock the screen and then unlock it. If I remember correctly, this should also refresh the ticket.
Unlike Kerberos, NTLM doesn't carry the group memberhsip data. After SQL Server authenticated the user using NTLM, it will find the authenticated user's group membership, including the new group you just added.
I setup a little server and have it authenticating with ldap.. is there a way to restrict which ldap user can login via ssh without adding an account to the opensuse box?
1 - Create a group on LDAP using YaST's User and Group Management, for instance "serveradmins".
This will create a entry on your LDAP server under the group OU.
2 - Add the allowed users to this group, also using YaST
3 - On the servers you want to restrict the access, edit the /etc/ldap.conf, making sure the following instructions are present (uncommented), mind changing the DC= parts to your configuration:
pam_groupdn cn=serveradmins,ou=group,dc=example,dc=com
pam_member_attribute member
Let me know if this worked well for you. I have this working on OpenSUSE and Ubuntu machines.