dartlang and dartdap library and connection to active directory - ldap

I was looking for a good ldap library for Dart for connecting Microsoft Active Directory. I found dartdap, but I can't seem to get it working. I'm 100% shure that my CN and password is correct, because I can connect to Active directory for example with lpap browser.
The error I get is:
Uncaught Error: Invalid Credentials (49) msg=80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
The ldap.yaml looks like this (address, password and username scrambled off course)
# LDAP configuration file
# default is used if no connection name is specified
default:
port: 389
host: xxx.xx.com
bindDN: cn=testaccount
password: xxxxxxxx
And the ldaptest.dart looks like this:
void readDataFromLDAPServer() {
var ldapConfig = new LDAPConfiguration("ldap.yaml","default");
var attrs = ["dn", "cn", "objectClass"];
var filter = Filter.substring("cn=A*");
var notFilter = Filter.not(filter);
ldapConfig.getConnection().then( (LDAPConnection ldap) {
ldap.search("dc=example,dc=com", filter, attrs).
listen( (SearchEntry entry) => print('Found $entry'));
// we expect to find non A entries
ldap.search("dc=example,dc=com", notFilter, attrs)
.listen( (SearchEntry entry) {
//print("Not search = ${entry}");
// todo: test entries.
});
});
}
Any idea, what might be wrong?

I am using the code below to successfully bind to a Microsoft AD server:
var host = "ip_address";
var ssl = false;
var port = null;
var bindDN = "accountname#domain.name";
var password = "password";
var connection = new LdapConnection(host: host);
connection.setProtocol(ssl, port);
connection.setAuthentication(bindDN, password);
Please note that my binding code differs from what you are using. I am also using an_ldap client for Dart 2.

Related

The client is unable to verify that the server is Elasticsearch due to an unsuccessful product check call

I Use ElasticSearch 8.1.2
and Nest 17.7.1
var settings = new ConnectionSettings(new Uri("http://localhost:9200/"))
.CertificateFingerprint("A5:8B:07:2D:A9:E8:53:CE:GB:C0:15:CE:6E:DF:9C:65:89:A3:AC:D2:94:2C:46:BD:85:23:20:6B:F2:69:B3:88")
.BasicAuthentication("elastic", "-L-uXRg5=iOXGFgebP68")
.DeadTimeout(TimeSpan.FromSeconds(300))
.DefaultIndex("people");
var client = new ElasticClient(settings);
var person = new Person
{
Id = 1,
FirstName = "Martijn",
LastName = "Laarman"
};
var asyncIndexResponse = await client.IndexDocumentAsync(person);
return Task.CompletedTask;
But I have Error
enter image description here
error message:
Message = "The client is unable to verify that the server is Elasticsearch due to an unsuccessful product check call. Some functionality may not be compatible if the server is running an unsupported product. Call: Status code unknown from: GET /"
Enable the compatibility header in the connection settings:
settings.EnableApiVersioningHeader(); // enable ES 7.x compatibility on ES 8.x servers
Docu here under Enabling Compatibility Mode

SSL options in gocql

In my Cassandra config I have enabled user authentication and connect with cqlsh over ssl.
I'm having trouble implementing the same with gocql, following is my code:
cluster := gocql.NewCluster("127.0.0.1")
cluster.Authenticator = gocql.PasswordAuthenticator{
Username: "myuser",
Password: "mypassword",
}
cluster.SslOpts = &gocql.SslOptions {
CertPath: "/path/to/cert.pem",
}
When I try to connect I get following error:
gocql: unable to create session: connectionpool: unable to load X509 key pair: open : no such file or directory
In python I can do this with something like:
from cassandra.cluster import Cluster
from cassandra.auth import PlainTextAuthProvider
USER = 'username'
PASS = 'password'
ssl_opts = {'ca_certs': '/path/to/cert.pem',
'ssl_version': PROTOCOL_TLSv1
}
credentials = PlainTextAuthProvider(username = USER, password = PASS)
# define host, port, cqlsh protocaol version
cluster = Cluster(contact_points= HOST, protocol_version= CQLSH_PROTOCOL_VERSION, auth_provider = credentials, port = CASSANDRA_PORT)
I checked the gocql and TLS documentation here and here but I'm unsure about how to set ssl options.
You're adding a cert without a private key, which is where the "no such file or directory" error is coming from.
Your python code is adding a CA; you should do the same with the Go code:
gocql.SslOptions {
CaPath: "/path/to/cert.pem",
}

Facing issues while integrating Mobilefirst CLI 7.1 with ldap

I am using mobile first CLI 7.1 and trying to integrate with the LDAP.
I am following this document to implement. I am getting 401 error (Failed to load resource: the server responded with a status of 401 (Unauthorized)) when loading the application for first time in the browser. I am getting 500 error(POST http://localhost:10080/Project/apps/services/j_security_check 500 (Internal Server Error)) when I try to logging in. I have uncommented wl.client.connect and gone through the following conversations at stackoverflow. Link1, link2 and link3
Server Logs
[ERROR ] SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:BasicRegistry/admin.
[ERROR ] SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:BasicRegistry/admin.
[ERROR ] SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:BasicRegistry/admin.
[ERROR ] SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:BasicRegistry/admin.
What is my scenario?
User is initially taken to login page and later when he clicks on login I will collect the details and automatically set to j_secutity_form when it throws challenge and submit. I am getting 401 when I open the application and getting 500 when I click on login. which calls
var reqURL = '/j_security_check';
var options = {};
options.parameters = {
j_username : loginData.email,
j_password : loginData.password
};
options.headers = {};
ldapRealmChallengeHandler.submitLoginForm(reqURL, options,ldapRealmChallengeHandler.submitLoginFormCallback);
I have following questions:
1) Is the documentation that I am following is complete or it needs some additions thing that need to be done ?
2) What is the cause for getting blocked with the above errors
And here is my code:
var ldapRealmChallengeHandler = WL.Client.createChallengeHandler("LDAPRealm");
ldapRealmChallengeHandler.isCustomResponse = function(response) {
if (!response || response.responseText === null) {
return false;
}
var indicatorIdx = response.responseText.search('j_security_check');
if (indicatorIdx >= 0){
return true;
}
return false;
};
ldapRealmChallengeHandler.handleChallenge = function(response){
};
ldapRealmChallengeHandler.submitLoginFormCallback = function(response) {
var isLoginFormResponse = ldapRealmChallengeHandler.isCustomResponse(response);
if (isLoginFormResponse){
ldapRealmChallengeHandler.handleChallenge(response);
}
else {
ldapRealmChallengeHandler.submitSuccess();
}
};
logout = function(){
WL.Client.logout('LDAPRealm',{});
}
I think this might be related to session independence mode which is turned ON by default as of MFP 7.1. I think this might explain why you are getting the SESN0008E error. Here is a link to an article that explains how to disable session independence.
There is more information on the SESN0008E error here.
Please let me know how you get on.

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
I know "52e" code is when username is valid, but password is invalid. I am using the same user name and password in my apache studio, I was able to establish the connection succesfully to LDAP.
Here is my java code
String userName = "*******";
String password = "********";
String base ="DC=PSLTESTDOMAIN,DC=LOCAL";
String dn = "cn=" + userName + "," + base;
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://******");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, dn);
env.put(Context.SECURITY_CREDENTIALS, password);
LDAPAuthenticationService ldap = new LDAPAuthenticationService();
// LdapContext ctx;
DirContext ctx = null;
try {
ctx = new InitialDirContext(env);
My error is on this line: ctx = new InitialDirContext(env);
I do not know what exactly is causing this error.
data 52e - Returns when username is valid but password/credential is invalid.
You probably need something like
String dn = "cn=" + userName + "," + "CN=Users," + base;
For me the issue resolved when I set the principal section like this:
env.put(Context.SECURITY_PRINCIPAL, userId#domainWithoutProtocolAndPortNo);
52e 1326 ERROR_LOGON_FAILURE Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.
http://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
In my case I have to use something like <username>#<domain> to successfully login.
sample_user#sample_domain
When you use Context.SECURITY_AUTHENTICATION as "simple", you need to supply the userPrincipalName attribute value (user#domain_base).
I had a similar issue when using AD on CAS , i.e. 52e error, In my case application accepts the Full Name when in the form of CN= instead of the actual username.
For example, if you had a user who's full name is Ross Butler and their login username is rbutler --you would normally put something like, cn=rbutler,ou=Users,dc=domain,dc=com but ours failed everytime. By changing this to cn=Ross Butler,ou=Users,dc=domain,dc=com it passed!!
For me the issue is resolved by adding domain name in user name as follow:
string userName="yourUserName";
string password="passowrd";
string hostName="LdapServerHostName";
string domain="yourDomain";
System.DirectoryServices.AuthenticationTypes option = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
string userNameWithDomain = string.Format("{0}#{1}",userName , domain);
DirectoryEntry directoryOU = new DirectoryEntry("LDAP://" + hostName, userNameWithDomain, password, option);
if you debug and loook at ctx=null,maybe your username hava proble ,you shoud write like
"ac\administrator"(double "\") or "administrator#ac"
For me the cause of the issue was that the format of username was incorrect. It was earlierly specified as "mydomain\user". I removed the domain part and the error was gone.
PS I was using ServerBind authentication.
LDAP is trying to authenticate with AD when sending a transaction to another server DB. This authentication fails because the user has recently changed her password, although this transaction was generated using the previous credentials. This authentication will keep failing until ... unless you change the transaction status to Complete or Cancel in which case LDAP will stop sending these transactions.
For me issue is resolved by changing envs like this:
env.put("LDAP_BASEDN", base)
env.put(Context.SECURITY_PRINCIPAL,"user#domain")
Using domain Name may solve the problem (get domain name using powershell: $env:userdomain):
Hashtable<String, Object> env = new Hashtable<String, Object>();
String principalName = "domainName\\userName";
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://URL:389/OU=ou-xx,DC=fr,DC=XXXXXX,DC=com");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, principalName);
env.put(Context.SECURITY_CREDENTIALS, "Your Password");
try {
DirContext authContext = new InitialDirContext(env);
// user is authenticated
System.out.println("USER IS AUTHETICATED");
} catch (AuthenticationException ex) {
// Authentication failed
System.out.println("AUTH FAILED : " + ex);
} catch (NamingException ex) {
ex.printStackTrace();
}
I've tested three diferent approaches and them all worked:
env.put(Context.SECURITY_PRINCIPAL, "user");
env.put(Context.SECURITY_PRINCIPAL, "user#domain.com");
env.put(Context.SECURITY_PRINCIPAL, "CN=user,OU=one,OU=two,DC=domain,DC=com");
If you use the last one, don't forget to set all the OU's where the user belongs to. Otherwise it won't work.
In my case I misconfigured email credentials then I corrected
var passport = require('passport'),
WindowsStrategy = require('passport-windowsauth'),
User = require('mongoose').model('User');
module.exports = function () {
passport.use(new WindowsStrategy({ldap: {
url: 'ldap://corp.company.com:389/DC=corp,DC=company,DC=com',
base: 'DC=corp,DC=company,DC=com',
bindDN: 'myid#corp.company.com',
bindCredentials:'password',
tlsOptions: {
ca: [fs.readFileSync("./cert.pem")],
},
}, integrated: false},
function(profile, done) {
console.log('Windows');
console.log(profile);
User.findOrCreate({
username: profile.id
}, function(err, user) {
if (err) {
return done(err);
}
if (!user) {
return done(null, false, {
message: 'Unknown user'
});
}
if (!user.authenticate(password)) {
return done(null, false, {
message: 'Invalid password'
});
}
return done(null, user);
});
}));
};
Please remove domain from the username "mydomain\user". please put "user" only. do not put domain and backslash .
You do not use ldaps://examplehost:8080(do not use s with ldaps coz cert is required), use ldap://examplehost:8080 then use non-TLS port number. it worked for me.

worklight http adapter authentication issue with apache

I'm working on a mobile prof-of-concept using IBM's Worklight (6.1) to retrieve info via HTTP server (Apache) running on a mainframe (z/OS). I'm using the HTTP adapter procedure to log-on and retrieve data but I so far no success logging on via Worklight HTTP adapter. If I open a browser and provide the 'user:password' headers, the log-in is successful but if I try it via Worklight procedure, the '401 authorization required' error is returned. The HTTP server error log shows:
.. (139)EDC5139I Operation not permitted. (errno2=0x0BE800DB): SAF
authentication failure for "/cgi-bin/itil_v11_main.sh": SAFRunAs
failure on switching SAF UID from Authorization header using
%%CLIENT%% .. user (\xe1\xcb: authentication failure for
"/cgi-bin/itil_v11_main.sh": Password Mismatch
That 'password mismatch' may suggest the 'headers' are not correct? Here's the procedure:
var user_id = 'userid';
var user_psw = 'userpassword';
var loginstring ;
var base64= new com.worklight.customcode.Base64Encoding();
function getITIL() {
loginstring = base64.encode(user_id+':'+user_psw);
var path = '/cgi-bin/itil_v11_main.sh';
var input = {
method : 'get',
headers : {
'Authorization' : 'Basic ' + loginstring
},
returnedContentType : 'html',
path : path
};
return WL.Server.invokeHttp(input);
}
It seems like you've implemented it correctly, however the complaint is on the password, which in your case originates from var base64= new com.worklight.customcode.Base64Encoding();.
Because you do not supply the code that you are using in said class, it's difficult to say what the error is, but that is where you should look at for the cause of your error.
You'll need to provide the class's implementation in order to further debug the question.