Apache Directory 2.0-M11 and Gitlab LDAP Authentication - ldap

I'm trying to set up LDAP authentication with Gitlab v.4.0 and Apache Directory 2.0-M11. The configuration of the Gitlab installation is done as per the documentation, and I can see that it tries to hit LDAP. However, I'm getting the following errors on the LDAP end:
http://pastebin.com/SkmtqE7W
Gitlab LDAP config (gitlab.yml):
http://pastebin.com/quJ9kzJR
Is there any way to make Gitlab and Apache Directory friends with minimum effort or minimum code customizations?
Thanks,
Vladimir.

Check that the base object is correct. Is base: 'dc=example,dc=com,ou=Users' really what is intended, that is, dc=com is an immediate subordinate of ou=users? The normal convention would be ou=users,dc=example,dc=com.
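As an added check (example code, not part of the answer above), here is a small Python function that splits a base DN into its RDNs and warns when an ou= or cn= component sits to the right of a dc= component, which is exactly the problem with the poster's base string:

```python
import re

# Added check, not part of the original answer: splits a base DN into RDNs and warns when
# an ou=/cn= component sits to the RIGHT of a dc= component. LDAP DNs are written leaf-first,
# so the rightmost RDNs are the naming context and ou=Users must come before dc=example,dc=com.
def split_dn(dn):
    """Split a DN on unescaped commas, keeping backslash-escaped commas inside a value."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def rdn_attr(rdn):
    """'ou=Users' -> 'ou' (attribute names are case-insensitive in LDAP)."""
    return rdn.split("=", 1)[0].strip().lower()

def check_base_dn(dn):
    """Return a list of warnings; an empty list means the RDN order looks conventional."""
    rdns = split_dn(dn)
    if not rdns or any("=" not in r for r in rdns):
        return ["base DN is empty or not of the form attr=value,attr=value,..."]
    attrs = [rdn_attr(r) for r in rdns]
    warnings, seen_dc = [], False
    for rdn, attr in zip(rdns, attrs):
        if attr == "dc":
            seen_dc = True
        elif seen_dc:
            # e.g. 'ou=Users' after 'dc=com': the search base would be an ou that is an
            # ancestor of dc=com, which is not how a directory tree is normally laid out
            warnings.append(f"'{rdn}' appears to the right of a dc= component")
    if warnings:
        # suggested order: all non-dc RDNs (as given) first, then the dc= naming context
        non_dc = [r for r, a in zip(rdns, attrs) if a != "dc"]
        dc = [r for r, a in zip(rdns, attrs) if a == "dc"]
        warnings.append("conventional order would be: " + ",".join(non_dc + dc))
    return warnings
```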

Related

Facing issue in authentication

I am doing performance testing for restricted websites using JMeter, so I made changes in the krb5.conf and jaas.conf files, and now I am able to record and replay the applications, but for one application a 401 Unauthorized error comes up during replay. I need your suggestions, please.
Without knowing your domain/KDC configuration, it is not possible to come up with setup instructions for the HTTP Authorization Manager and the associated files.
First of all, enable Kerberos debugging in Java; it can be done by adding the next line to the system.properties file (which lives in the "bin" folder of your JMeter installation):
sun.security.krb5.debug=true
A JMeter restart will be required to pick the property up.
Once you get more information regarding what exactly fails and where, you will be able to amend the JMeter configuration accordingly.
References:
Introduction to JAAS and Java GSS-API Tutorials
Kerberos Troubleshooting
Windows Authentication with Apache JMeter

Glassfish workaround to work with OpenAM

The IT dept. in the company where I work uses OpenAM to manage web access over the intranet (SSO solution).
As I'm using Glassfish 4.1, which is a container not supported by OpenAM, is there some workaround so that I could use OpenAM without replacing Glassfish? If so, how can I do it?
Thanks in advance.
When using OpenAM 13.5.0, for example, it is possible to deploy OpenAM to Payara 4.1.2.172 with a bit of a compromise.
DISCLAIMER: the following steps allow one to deploy OpenAM to GlassFish/Payara, but this does not mean that this kind of deployment is actually supported by anyone.
So the steps are:
in the WAR file, within WEB-INF/lib/openam-radius-server-13.5.0.jar, you'll need to remove the META-INF/INDEX.LIST file
you'll need to edit the WEB-INF/web.xml file and remove both the ws and federationrest servlets and their mappings
to deploy the WAR you'll need to execute this command:
bin/asadmin deploy --name openam --contextroot /openam --property implicitCdiEnabled=false OpenAM-13.5.0.war
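The first two steps applied to a WAR in memory, as an added Python example (not OpenAM's or Payara's own tooling): the jar path and servlet names are the ones from the steps, the sample WAR is constructed, and the asadmin deploy command from the third step still has to be run separately on the result.

```python
import io
import zipfile
from xml.etree import ElementTree as ET
NESTED_JAR = "WEB-INF/lib/openam-radius-server-13.5.0.jar"  # path named in the steps above
DROP_SERVLETS = {"ws", "federationrest"}  # servlet names named in the steps above
local = lambda el: el.tag.rsplit("}", 1)[-1]  # element name without its XML namespace

def rewrite_zip(data, transform):
    # Copy a zip, passing each entry through transform(name, body); returning None drops it.
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            body = transform(info.filename, src.read(info))
            if body is not None:
                dst.writestr(info, body)
    return out.getvalue()

def strip_servlets(web_xml, names=DROP_SERVLETS):
    # Drop <servlet> and <servlet-mapping> elements whose servlet-name is in names.
    root = ET.fromstring(web_xml)
    for el in list(root):
        if local(el) in ("servlet", "servlet-mapping"):
            name = next(((n.text or "").strip() for n in el if local(n) == "servlet-name"), None)
            if name in names:
                root.remove(el)
    return ET.tostring(root, encoding="utf-8")

def prepare_war(war_bytes):
    # Step 1: remove META-INF/INDEX.LIST inside the radius jar; step 2: prune web.xml.
    def fix_entry(name, body):
        if name == NESTED_JAR:
            return rewrite_zip(body, lambda n, b: None if n == "META-INF/INDEX.LIST" else b)
        return strip_servlets(body) if name == "WEB-INF/web.xml" else body
    return rewrite_zip(war_bytes, fix_entry)

def build_sample_war():  # constructed stand-in for OpenAM-13.5.0.war, only the entries touched
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/INDEX.LIST", "JarIndex-Version: 1.0\n")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(NESTED_JAR, jar.getvalue())
        z.writestr("WEB-INF/web.xml", b"<web-app><servlet><servlet-name>ws</servlet-name></servlet><servlet><servlet-name>login</servlet-name></servlet>"
                   b"<servlet-mapping><servlet-name>ws</servlet-name></servlet-mapping><servlet-mapping><servlet-name>federationrest</servlet-name></servlet-mapping></web-app>")
    return war.getvalue()

def inspect_war(war_bytes):  # -> (entries of the nested jar, servlet names left in web.xml)
    war = zipfile.ZipFile(io.BytesIO(war_bytes))
    root = ET.fromstring(war.read("WEB-INF/web.xml"))
    return (sorted(zipfile.ZipFile(io.BytesIO(war.read(NESTED_JAR))).namelist()),
            sorted(n.text for n in root.iter() if local(n) == "servlet-name"))
```

On a real WAR, read the file into bytes, pass it through prepare_war() and write the result to a new file before deploying it.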
It seems that OpenAM cannot be deployed on Payara (Glassfish). Please refer to the blog and the last comment of this issue.
So you may have to use another container, for example, Tomcat.

LDAP extension for dokuwiki

I am trying to allow authentication against my LDAP server, but every time I turn on the LDAP extension I get the following error:
LDAP err: PHP LDAP extension not found. [auth.php:34] User authentication is temporarily unavailable. If this situation persists, please inform your Wiki Admin.
I have set up everything necessary in Configuration Manager.
Any suggestions that can help?
Thanks.
You need the PHP LDAP extension. You can probably install it via your distribution's package manager, e.g. apt-get install php5-ldap

How to run Tomcat in a most secure way?

We are using Apache Tomcat 7 for our web applications, and we have decided to go to the production stage.
So now is the time to think about how to secure Tomcat and the machine. After reading "Apache tomcat security considerations" we decided to go with running the Tomcat process as a dedicated user, with a minimal scenario.
From what I understand, the best option is to configure it in a way that the running Tomcat process has only read privileges to all the Tomcat files.
I figured I would do it in this way:
I would create 2 users:
- tomcat_process - only for running tomcat
- admin - this is the one all the files belong to
tomcat_process will have access to the conf directory, and will also be able to run scripts from tomcat/bin/
My main problem is that Tomcat needs to write to some files in $CATALINA_HOME/$CATALINA_BASE. I know I can change the location of logs and work directory and I thought I would point them to tomcat_process home dir (is this even a good idea?).
But I can't find any information on whether I can change the path to the /conf/Catalina dir. Is it possible?
I would like to avoid adding write access to the conf directory, as the whole configuration sits in there.
Or do you think that I should leave those directories where they are and just add write privileges to them for tomcat_process?
I was wondering if you could please tell me if this is a correct approach or can I do it better?
I'm so confused with all those security guides which are telling me to restrict privileges but not telling how to do it :(
Keeping it simple is, I think, the key:
Create a new tomcat for each (set of) web application(s) with their own user.
Limit the tomcat resources to only the tomcat user. In Linux you can use the chmod/chown commands for this.
Place the tomcat behind a reverse proxy: Internet (https) <- external Firewall -> Apache Reverse Proxy <- Internal Firewall (block all unless whitelisted) --> Tomcat
Delete all standard webapps: 'manager', 'root', 'docs'
Disable the shutdown command in server.xml
As for Java web applications, try to contain them in their own sandbox, meaning their own database, own users.
To save maintenance effort, you could run multiple instances using one tomcat binary and a single tomcat user.
http://www.openlogic.com/wazi/bid/188102/How-to-Run-Multiple-Instances-of-Tomcat-on-a-Single-Server
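An added audit script (not from the answer) for the question's original worry, that tomcat_process should be able to write only to logs, temp and work: it walks a CATALINA_BASE tree and lists what a given non-root uid and its groups could write elsewhere. The sample tree is constructed; the user and group ids passed to audit() are the ones of your tomcat_process user.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added audit, not from the answer: list what a non-root tomcat_process user (given its
# uid and group ids) could write under CATALINA_BASE, ignoring the directories Tomcat
# legitimately writes to. Plain POSIX mode bits only; ACLs and root's bypass are not modelled.
WRITABLE_DIRS = ("logs", "temp", "work")

def writable_by(st, uid, gids):
    """POSIX write check for a non-root process: owner bits, else group bits, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(catalina_base, uid, gids):
    """Sorted relative paths (plus '.' for the base itself) the user could write but should not."""
    base = Path(catalina_base)
    findings = ["."] if writable_by(base.lstat(), uid, gids) else []
    for path in base.rglob("*"):
        rel = path.relative_to(base)
        if rel.parts[0] in WRITABLE_DIRS:
            continue  # logs/, temp/, work/ are expected to be writable
        if writable_by(path.lstat(), uid, gids):
            findings.append(str(rel))
    return sorted(findings)

def build_sample_base():
    """Constructed CATALINA_BASE owned by the current user, with deliberately mixed file modes."""
    base = Path(tempfile.mkdtemp(prefix="catalina_"))
    files = {"conf/server.xml": 0o644, "conf/Catalina/localhost/app.xml": 0o640,
             "webapps/ROOT/index.jsp": 0o444, "bin/startup.sh": 0o555,
             "logs/catalina.out": 0o644, "work/Catalina/localhost/x": 0o644}
    for rel, mode in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("")
        p.chmod(mode)
    for d in [base] + [d for d in base.rglob("*") if d.is_dir()]:
        d.chmod(0o555)  # read-only directories, so only the files' own modes differ
    return base

def sample_findings():
    """Run the audit against the constructed tree as the current user and its groups."""
    return audit(build_sample_base(), os.getuid(), set(os.getgroups()))

if __name__ == "__main__":
    print(sample_findings())  # the two files under conf/ are the only unexpected hits
```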

How can I limit Jenkins LDAP access to users in a specific groupOfNames?

I can configure Jenkins so it limits access to users on my ldap server by setting the Server and Root DN without a problem.
Now I want to tie down access a little more and only allow access to members of the groupOfNames cn=MyProject,ou=Group,dc=bogus,dc=biz, but I don't see how to do that in Jenkins.
Can someone explain how they configured Jenkins or Hudson to handle something like this?
Thanks!
NOTE: I'm not sure if this would work for LDAP (we use active directory)
In the project configuration page, check Matrix-based security.
Remove all access for anonymous
Add your 'groupOfNames' to the "user/group to add" and give them the rights you want.
Any user in that group should get the rights you assign. This is how we did it.
Old thread, I know. I got it working by installing the memberof and refint overlays on the OpenLDAP server (2.4.31) and setting the User Search Base on Jenkins to filter the result, i.e.
(&(uid={0})(memberOf=cn=MyGroupName,ou=group,dc=mydomain,dc=com))
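As an added illustration (not from the answer or Jenkins), a small evaluator for the filter above run against constructed entries: it substitutes the login for {0} with RFC 4515 escaping, and shows that an entry without a memberOf attribute (what every user entry looks like without the memberof overlay) can never match.

```python
import re

# Added example, not from the answer or Jenkins: evaluates the filter above against constructed
# entries, showing the {0} substitution and why the memberof overlay is needed for it to match.
FILTER = "(&(uid={0})(memberOf=cn=MyGroupName,ou=group,dc=mydomain,dc=com))"

def escape(value):
    """RFC 4515 escaping for a value substituted into a filter (what a safe client does)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def parse(s, i=0):
    """Parse one filter at s[i]; returns (tree, next index). Handles &, |, ! and attr=value."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.strip().lower(), value), end + 1

def matches(node, entry):
    """entry maps lowercase attribute names to value lists; comparison is case-insensitive."""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search(template, login, entries):
    """What Jenkins does on login: substitute {0}, then keep the entries the filter matches."""
    tree, _ = parse(template.replace("{0}", escape(login)))
    return [e for e in entries if matches(tree, e)]

# Constructed directory: alice and bob carry the memberOf the overlay maintains; carol has none.
DIRECTORY = [
    {"uid": ["alice"], "memberof": ["cn=MyGroupName,ou=group,dc=mydomain,dc=com"]},
    {"uid": ["bob"], "memberof": ["cn=Other,ou=group,dc=mydomain,dc=com"]},
    {"uid": ["carol"]},
]

def who_can_log_in(entries=DIRECTORY):
    """Logins for which the Jenkins search returns exactly one entry."""
    return [u for e in entries for u in e["uid"] if len(search(FILTER, u, entries)) == 1]
```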