Can we enable both authentication methods, LDAP and External User, in ownCloud?
We have two types of users: internal and external.
For internal users we want to configure LDAP, and
for external users we want to configure External User IMAP.
Please reply: can we do this?
Related
I have synchronization between OpenLDAP and Keycloak via user federation; everything works fine (import from LDAP, authentication, etc.).
I need to have the possibility to disable a Keycloak user from LDAP. I know that it is possible to disable a user from Keycloak, but is there a way to do the same from LDAP? Maybe add some attribute to the LDAP record which will be mapped to the Keycloak record so that the user will be disabled.
My goal is: disable authentication for a particular user using LDAP.
I managed to make it work with Fedora 389.
I created an "enabled" attribute as a String and created the corresponding mapper in the federation configuration as a "user-attribute-ldap-mapper".
Now when I change the "enabled" switch in Keycloak, the change is propagated to LDAP.
Let's say I want to have Keycloak synced with the LDAP and use it as the source for authentication (I've managed to do this already).
But is there a way to let Keycloak itself be the identity provider if, for some reason, the LDAP connection is down?
First, you should avoid LDAP going down by setting up HA, using HAProxy and keepalived for example. As for Keycloak, you can disable "Sync Registrations" in your Keycloak LDAP IdP and create users using the admin interface. These users are stored in Keycloak's local database and not in the LDAP, so even if it goes down those users can still get access to Keycloak.
Refer to https://www.janua.fr/understanding-keycloak-user-federation/ for more details.
I managed to create a custom LDAP Storage Provider to do this.
Check "How to create a custom UserStorageSPI on Keycloak".
Our system is using an LDAP server (OUD) and we're bringing Zimbra into the system. However, Zimbra uses its default LDAP server (OpenLDAP). That is painful with 2 LDAP servers which store the same user information.
Is there any way that Zimbra can store its users in an external LDAP server?
Many thanks.
Nope, Zimbra needs its own internal LDAP server. The Zimbra LDAP server stores user accounts, Classes of Service, global settings and server configuration.
The best practice is to manage user accounts in an external LDAP server (OpenLDAP, Active Directory...) and then sync data between the external LDAP and Zimbra's internal LDAP. There are many scripts on the Internet you'll find to do that.
Alternatively, you can configure "Delegated Auth": Zimbra will validate user auth against your external LDAP server and not the internal LDAP (unless you activate the fallback). The point is to manage user passwords in your external LDAP server, so users won't be confused.
I need to restrict access to an external site so that:
users who are in the corporate network have full access to the site's functionality,
those who are not have only limited functionality.
In the corporate network, users authenticate against a Windows domain. In the network I can set up a server/service which can do the identity verification. This is secure, I have no doubt, especially since it is inside.
The external site is not a part of the domain.
What I suggest to myself is to set up a service which will authenticate users, create a secure token and then redirect users to the external site, so that users will authenticate there without entering a password (maybe not even a login).
I'm in doubt: how can this be done? How secure can this be? How much heavy crypto development is there?
I assume that the secure token should be time-bounded, and that both the external site and the internal auth service should support SSL/TLS (symmetric/asymmetric keys?).
Am I missing something here? Surely, I am, but what?
Make the external site a SAML 2.0 Service Provider (SP).
Set up an internal SAML 2.0 Identity Provider (IdP), such as ADFS, to authenticate the corporate users with SAML 2.0. Use SP-initiated SSO and have the external site configured to hand off to your IdP with HTTP-POST.
The IdP can be configured to authenticate a user logged into your Active Directory domain with an NTLM-capable browser transparently. It should just authenticate them, sign an assertion to that effect and redirect them back to the external site. If they don't have NTLM they'll be prompted for their domain credentials first.
UPDATE: as noted by @Steve, the external site still needs to authenticate external users. Making your external site a SAML SP doesn't solve that. You could have the external website do some built-in authentication, or you could have a different SP endpoint (URL) for external users and use another IdP for them.
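To make concrete what the handoff the asker sketches (and what a SAML assertion standardizes) has to carry and what the external site has to check, here is an added example that is not part of the question or the answer above. It is a minimal stand-in, not SAML: the internal auth service issues a time-bounded token signed with a shared HMAC key, and the external site verifies the signature before reading any field, then checks issuer, audience, the validity window (with clock-skew tolerance) and rejects replays of an already-consumed token ID. SAML does the same with XML and an asymmetric signature over the assertion; the issuer and audience URLs, the secret and the lifetimes below are hypothetical.

```python
"""Added example: minimal signed, time-bounded SSO handoff token and the
checks a relying party must perform before trusting it. Stand-in for the
SAML assertion flow; uses only the standard library."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Hypothetical values. The secret would come from a secret store and be
# shared out of band between the internal auth service and the external site.
SHARED_SECRET = b"replace-with-32-random-bytes-from-a-secret-store"
ISSUER = "https://auth.corp.example"      # internal auth service (IdP role)
AUDIENCE = "https://app.example.com"      # external site (SP role)
LIFETIME = 120                            # seconds a token stays valid
MAX_SKEW = 30                             # tolerated clock drift, seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Issuer side: call only after the user authenticated to the domain."""
    now = time.time() if now is None else now
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,                  # binds the token to one relying party
        "sub": username,
        "jti": secrets.token_hex(16),     # unique ID, makes the token single-use
        "nbf": int(now),
        "exp": int(now) + LIFETIME,
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload))


class TokenVerifier:
    """Relying-party side. Keeps consumed token IDs until they expire so a
    captured token cannot be presented twice."""

    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}   # jti -> exp

    def verify(self, token: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except (ValueError, TypeError):
            raise ValueError("malformed token")
        # Verify the signature before trusting anything inside the payload.
        if not hmac.compare_digest(sig, _sign(payload)):
            raise ValueError("bad signature")
        claims = json.loads(payload)
        if claims.get("iss") != ISSUER:
            raise ValueError("unexpected issuer")
        if claims.get("aud") != AUDIENCE:
            raise ValueError("token not meant for this site")
        if now < claims["nbf"] - MAX_SKEW:
            raise ValueError("token not yet valid")
        if now >= claims["exp"] + MAX_SKEW:
            raise ValueError("token expired")
        self._purge(now)
        if claims["jti"] in self._seen:
            raise ValueError("replayed token")
        self._seen[claims["jti"]] = claims["exp"]
        return claims["sub"]

    def _purge(self, now: float) -> None:
        """Drop IDs that can no longer pass the expiry check anyway."""
        for jti, exp in list(self._seen.items()):
            if now >= exp + MAX_SKEW:
                del self._seen[jti]


if __name__ == "__main__":
    verifier = TokenVerifier()
    tok = issue_token("alice")
    print("first use:", verifier.verify(tok))
    try:
        verifier.verify(tok)
    except ValueError as err:
        print("second use rejected:", err)
```

The token must only ever travel over TLS and should be delivered in a POST body or fragment rather than a logged query string; the signature stops forgery and tampering, the `aud` field stops a token for one site being accepted by another, `exp`/`nbf` bound its lifetime, and the `jti` cache stops replay within that lifetime. Swapping the HMAC for an RSA or ECDSA signature over the payload gives the asymmetric arrangement the asker wondered about, where the external site holds only the issuer's public key.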
I am doing external authentication using LDAP. I have to authenticate a user via LDAP and allow the user to access many app servers. I want to know how to map all the LDAP users (users in the LDAP server, for example ldap://company1.local:389) to users in the database. I have created an external configuration object and assigned it to a new HTTP server with application-level authentication. I don't want to store LDAP user passwords in the database. Do I have to create all users (the same as in Active Directory) in the database with some password and map them?
Yes, it's possible to configure ML to use external authentication via LDAP:
http://docs.marklogic.com/guide/security/external-auth