I am trying to build a simple web based directory navigation/administration application.
Application requirements:
An Active Directory (or another directory service) domain user access
this web application and log in with the same domain user/password
credentials.
Then the user can navigate the directory tree, create/edit entries,
edit an entry's attribute, etc..
I'm using perl Net::LDAP for the ldap operations, as in:
#!/usr/bin/perl -wT
use Net::LDAP;
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
my $ssl = 1;
my $srv = '192.168.56.110';
my $uri = $ssl ? 'ldaps://' : 'ldap://';
my $c = Net::LDAP->new($uri . $srv) or
die "Unable to connect to server: $#\n";
# !!! This is a temporary workaround !!!
my $binddn = "cn=Administrator,cn=users,dc=example,dc=com";
my $passwd = "password";
my $mesg = $c->bind($binddn, password => $passwd);
die 'Unable to bind: ' . $mesg->error . "\n" if $mesg->code;
# DN to be deleted
my $dn = param('DN');
$mesg = $c->delete($dn);
die 'Error in delete: '. $mesg->error() ."\n" if $mesg->code();
$c->unbind;
I can call this cgi script with a HTML form, as in:
<form action="/cgi-bin/del.cgi" method="post">
<br>Peter Parker
<input type="radio" name="DN"
value="cn=peter parker,cn=users,dc=example,dc=com">
<br>Clark Kent
<input type="radio" name="DN"
value="cn=clark kent,cn=users,dc=example,dc=com">
<br>
<input type="submit" value="Delete User">
</form>
The problem with this code is that the ldap operations are using administrative credentials, not the credentials of the user running the web application. I'm using this workaround because I can't ask the user for his/her credentials every time.. and I don't know how to keep a user permanently authenticated.
My web application authenticate the user via ldap, asking he's credentials and issuing a bind request to the directory service, as in:
...
# read user supplied credentials
my $user_id = param('user_id');
my $password = param('password');
# now find the DN of user_id in directory
my $ssl = 1;
my $srv = '192.168.56.110';
my $uri = $ssl ? 'ldaps://' : 'ldap://';
my $c = Net::LDAP->new($uri . $srv) or
die "Unable to connect to server: $#";
# admin credentials are needed here to find the user DN
my $rootdn = "cn=Administrator,cn=users,dc=example,dc=com";
my $rootpw = "secret";
my $mesg = $c->bind($rootdn, password => $rootpw);
die "Unable to bind: ". $mesg->error if $mesg->code;
$mesg = $c->search(
base => 'dc=example,dc=com',
scope => 'sub',
filter => "(&(objectClass=user)(sAMAccountName=$user_id))",
attrs => ['sAMAccountName'],
);
die "Bad search: ". $mesg->error() if $mesg->code();
my ($entry) = $mesg->entries;
die "User not found: $user_id\n" unless $entry;
my $dn = $entry->dn;
# User DN found.. now check the credentials
$mesg = $c->bind($dn, password => $password);
die "Unable to bind: ". $mesg->error if $mesg->code;
$c->unbind();
# credentials validated!
print header, start_html('Welcome!'), h1('Hello, YOU!'), end_html;
After that, a cookie is sent to the user browser initiating a web session.
I could keep the user credentials in a database and then pass it to del.cgi (and other similar script) any time I needed.. but I don't think it's good security practice.
What can I do to keep a permanent ldap authenticated session as long as the web session is active?
There is no session. When an LDAP client connects to the directory server, the connection is unauthenticated. The bind request, should it be successful, establishes the authorization state of the connection. The connection remains in that authorization state until the next bind request, client disconnect, or server disconnect. Depending on the local setup, it may be possible to keep the connection open indefinitely with keep-alives or something similar. or the client can transmit another bind request periodically. Modern, professional-quality directory servers support disconnecting idle clients, or disconnecting clients after a certain period of time has passed, or after a set number of LDAP operations have been transmitted. Note that network administrators may disallow permanent connections for reasons of their own.
LDAP clients should check for response controls after the LDAP requests. Failure to check for response controls will result in the client missing important information from the server.
LDAP clients must be aware that the server can send an unsolicited notification in the form of an extended result. Failure to be handle the unsolicited notification can result in a badly behaved LDAP client. Most notifications are disconnect notifications, meaning the server is disconnecting the client for whatever reason.
Please see "LDAP: programming Practices" for more information.
Out of curiosity, why code such a thing? Apache Directory Studio is an excellent LDAP client.
Related
UPDATE / SUMMARY:
I created a blog article here about the process I went through and my config file has changed slightly from below:
https://medium.com/#silverbackdan/installing-couchdb-2-0-nosql-with-centos-7-and-certbot-lets-encrypt-f412198c3051#.216m9mk1m
Main issues with HTTPS:
If running HTTP and HTTPS, shard dbs appear on HTTPS
Fauxton features lacking over HTTPS (admin user management, config management, setup wizard, Mango indexing/querying)
Not sure if they should be, but databases over HTTP and HTTPS are not the same
I hope I'm just missing something really obvious
ORIGINAL POST:
I'm trying to configure HTTPS (SSL) with CouchDB 2.0. I'm compiling a guide for others to be able to follow as well but have come across some issues.
I think over HTTPS, I don't have the same permissions as when I enable HTTP and use that instead. In Fauxton over HTTP I can see the configuration and I can run the setup procedure. With HTTPS I'm getting errors where it says I cannot create a database (which it tries to do automatically) because they start with an underscore. Most databases get set up but there's a few which show errors such as "_cluster_setup" when I visit the Configuration page.
Additionally I get repeating error messages which does not stop CouchDB, but it says the database "_users" does not exist (database_does_not_exist). It doesn't exist when I enable and connect over HTTP, but it does exist when I connect over HTTPS. If I enable both HTTP and HTTPS then with my HTTPS connection I end up having a lot of shard databases (I'm new to NoSQL and CouchDB so I'm not sure what that's about, but they appear when errors show up similar to the above - creating databases starting with underscores). Either way, I see those shard databases when logged in via HTTPS but not HTTP (Fauxton shows them as "unable to load, and then I am just deleting them from the data directory at the moment)
There are also issues with accessing Fauxton over HTTPS using Chrome, but I think that's a known bug and it's OK to use Firefox or Safari at the moment.
Can anybody tell me if there are any settings which mean that a connection over port 6984 using HTTPS can have the same administrative rights as 5984 of HTTP? ...Or what the permissions issues there may be that results in the HTTPS connection bringing up these errors about underscores at the beginning of table names as I think that could basically resolve my main issues.
Here's my local.ini file which may be of some use (I have also commented out ";httpd={couch_httpd, start_link, []}" in default.ini as it says to here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=48203146
; CouchDB Configuration Settings
; Custom settings should be made in this file. They will override settings
; in default.ini, but unlike changes made to default.ini, this file won't be
; overwritten on server upgrade.
[couchdb]
;max_document_size = 4294967296 ; bytes
;os_process_timeout = 5000
uuid = **REMOVED**
[couch_peruser]
; If enabled, couch_peruser ensures that a private per-user database
; exists for each document in _users. These databases are writable only
; by the corresponding user. Databases are in the following form:
; userdb-{hex encoded username}
;enable = true
; If set to true and a user is deleted, the respective database gets
; deleted as well.
;delete_dbs = true
[chttpd]
;port = 5984
;bind_address = 0.0.0.0
; Options for the MochiWeb HTTP server.
;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
; For more socket options, consult Erlang's module 'inet' man page.
;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
[httpd]
; NOTE that this only configures the "backend" node-local port, not the
; "frontend" clustered port. You probably don't want to change anything in
; this section.
; Uncomment next line to trigger basic-auth popup on unauthorized requests.
WWW-Authenticate = Basic realm="administrator"
bind_address = 0.0.0.0
; Uncomment next line to set the configuration modification whitelist. Only
; whitelisted values may be changed via the /_config URLs. To allow the admin
; to change this value over HTTP, remember to include {httpd,config_whitelist}
; itself. Excluding it from the list would require editing this file to update
; the whitelist.
config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
[query_servers]
;nodejs = /usr/local/bin/couchjs-node /path/to/couchdb/share/server/main.js
[httpd_global_handlers]
;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
[couch_httpd_auth]
; If you set this to true, you should also uncomment the WWW-Authenticate line
; above. If you don't configure a WWW-Authenticate header, CouchDB will send
; Basic realm="server" in order to prevent you getting logged out.
require_valid_user = true
secret = **REMOVED**
[os_daemons]
; For any commands listed here, CouchDB will attempt to ensure that
; the process remains alive. Daemons should monitor their environment
; to know when to exit. This can most easily be accomplished by exiting
; when stdin is closed.
;foo = /path/to/command -with args
[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd = {couch_httpd, start_link, [https]}
[ssl]
cert_file = /home/couchdb/couchdb/certs/cert.pem
key_file = /home/couchdb/couchdb/certs/privkey.pem
;password = somepassword
; set to true to validate peer certificates
;verify_ssl_certificates = false
; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
;fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
cacert_file = /home/couchdb/couchdb/certs/chain.pem
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
ssl_certificate_max_depth = 1
;
; Reject renegotiations that do not live up to RFC 5746.
secure_renegotiate = true
; The cipher suites that should be supported.
; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
ciphers = undefined
; The SSL/TLS versions to support
tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
; the Virual Host will be redirected to the path. In the example below all requests
; to http://example.com/ are redirected to /database.
; If you run CouchDB on a specific port, include the port number in the vhost:
; example.com:5984 = /database
[vhosts]
REMOVEDDOMAIN.COM:* = ./database
[update_notification]
;unique notifier name=/full/path/to/exe -with "cmd line arg"
; To create an admin account uncomment the '[admins]' section below and add a
; line in the format 'username = password'. When you next start CouchDB, it
; will change the password to a hash (so that your passwords don't linger
; around in plain-text files). You can add more admin accounts with more
; 'username = password' lines. Don't forget to restart CouchDB after
; changing this.
[admins]
;admin = mysecretpassword
**REMOVED** = **REMOVED**
[cors]
origins = *
credentials = true
headers = accept, authorization, content-type, origin, referer
methods = GET, PUT, POST, HEAD, DELETE
I've been in touch with the CouchDB team via a chat. CouchDB has been well tested using haproxy, so I've been advised to simply use haproxy instead as erlang can be very difficult to configure for SSL. I'll update the article I've written with complete instructions using haproxy once I've got everything working.
I tried to connect to a particular RabbitMq machine using following code using MassTransit
var bus = ServiceBusFactory.New(x =>
{
x.UseRabbitMq();
x.ReceiveFrom("rabbitmq://admin:admin#<IP Address>/somequeue");
moreInitialization(x);
});
I have create a user as admin in vhost "\" with administrator privileges.
cmd:> rabbitmqctl list_permissions
Listing permissions in vhost "/" ...
admin .* .* .*
I have removed the "guest" user. Even though I user the below code, I can see in rabbitmq log as below
=ERROR REPORT==== 21-Jun-2015::12:19:22 ===
closing AMQP connection <0.391.0> (192.168.6.1:7000 -> 192.168.6.131:5672):
{handshake_error,starting,0,
{amqp_error,access_refused,
"PLAIN login refused: user 'guest' - invalid credentials",
'connection.start_ok'}}
At application side I am getting the below error
Exception:Thrown: "ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile." (RabbitMQ.Client.Exceptions.AuthenticationFailureException)
A RabbitMQ.Client.Exceptions.AuthenticationFailureException was thrown: "ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile."
Do I need to change any configuration in rabbitmq.config file? I am using RabbitMq Server version 3.5.3
Thanks for helping
To specify credentials, you need to configure the host explicitly. The # syntax is no longer supported, due to leakage of security credentials.
For example:
var bus = ServiceBusFactory.New(sbc =>
{
sbc.UseRabbitMq(r => r.ConfigureHost(new Uri("rabbitmq://actual-server-name/queue-name"), h =>
{
h.SetUsername("username");
h.SetPassword("password");
}));
sbc.ReceiveFrom("rabbitmq://actual-server-name/queue-name");
});
I have been doing a lot of research on ssh (openssh) and radius.
What I want to do:
SSH in to equipment with credentials (username and password) stored in either on a radius server or ldap store. I have been reading online and some people point to having an ldap server running in the background of your radius server. This will work, but will only work if the user is found in the local machine.
The problem:
Is there a way for me to ssh (or telnet) in to my equipment by logging in via a radius server that contains the credentials? if not is there a way for the client (the machine I am trying to connect to) get an updated list of credentials and store it locally from a central location (whether it be a radius server or an sql database etc).
I have been able to connect via Radius but only on accounts that are local, but for example if I try to connect with an account that does not exist locally (client-wise) I get "incorrect"
Here is the radius output:
Code:
rad_recv: Access-Request packet from host 192.168.4.1 port 5058, id=219, length=85 User-Name = "klopez"
User-Password = "\010\n\r\177INCORRECT"
NAS-Identifier = "sshd"
NAS-Port = 4033
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.4.200"
Code:
[ldap] performing user authorization for klopez[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> klopez
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=klopez)
[ldap] expand: dc=lab,dc=local -> dc=lab,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=lab,dc=local, with filter (uid=klopez)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "somepass"
[ldap] userPassword -> Password-With-Header == "somepass"
[ldap] looking for reply items in directory...
[ldap] user klopez authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "somepass"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> klopez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
I also have pam_radius installed, and its working (can log in on a account that exists locally). Although I read this and do not know if this is 100% accurate:
http://freeradius.1045715.n5.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-td2784316.html
and
http://fhf.org/archives/713
tl:dr:
I need to ssh into a machine that does not have a user/pass locally and that combination will be stored remotely, such as a radius server or ldap.
please advise
P.S.
The solution is preferable using radius server or ldap but not necessary. If there is an alternate please advise.
Thanks,
Kevin
You can configure SSH to authenticate directly against an LDAP server using PAM LDAP.
I've set it up myself on Debian Systems:
https://wiki.debian.org/LDAP/PAM
https://wiki.debian.org/LDAP/NSS
You need to have both PAM and NSS to get SSH working. You also need to enable PAM in your SSH configuration. Install the libnss-ldapd libpam-ldapd and nslcd packages on Debian (or Ubuntu) system.
I'm trting to send a simple mail script in PHP. It doesn't work and I have no error in mail log or error log.
Here's my php.ini config
SMTP = relais.videotron.ca
smtp_port = 25
sendmail_from = xxxx#xxxx.com (Of cours it's my ISP email there :D)
sendmail_path = /usr/sbin/sendmail -i -t
and my simple mail() test
mail("xxxx#xxxx.com","test","test");
Nothing's work. What could it be?
The built-in PHP mail command doesn't allow you to authenticate to an SMTP server. Your ISP SMTP server requires authentication and so is refusing the connection.
The info provided by your ISP confirms this;
SMTP server is accessible from an external network by using clear text
authentication using your code "VL" or alias for your mail Example:
customer#videotron.ca
Your options are either use an SMTP server that allows anonymous connections or (as Eamorr says) use a mailer class.
I use SwiftMailer:
require_once('../lib/swiftMailer/lib/swift_required.php');
...
function sendEmail(){
//Sendmail
$transport = Swift_SendmailTransport::newInstance('/usr/sbin/sendmail -bs');
//Create the Mailer using your created Transport
$mailer = Swift_Mailer::newInstance($transport);
$body="Dear $fname,\n\nYour job application was successful. \n\nYours,\n\nEamorr\n\n\n\n\n\n\n";
//Create a message
$message = Swift_Message::newInstance('Subject goes here')
->setFrom(array($email => "no-reply#yourdomain.com"))
->setTo(array($email => "$fname $lname"))
->setBody($body);
//Send the message
$result = $mailer->send($message);
}
You can send both plaintext and html email with ease.
I have set up an ldap authentication using the following configuration. I just need to user to authenticate to the LDAP data store, then have their session get an authentication token. From reading the docs, this is what I am thinking is supposed to happen:
Authenticate as the manager, find the users full dn based on search criteria
Attempt to bind as the user (using their full dn) and the provided password
The logs dont seem to give enough information as to why this is failing. It just says invalid credentials - when I know they are valid. My thoughts are one of the following is happening:
The users full DN is not being found, and they are just being authenticated with the username
It is trying to do a password compare, vs actually trying to bind to the directory
Configuration:
<ldap-server
url="ldap://adapps.company.com:389/dc=company,dc=com"
manager-dn="cn=fulluserdn,dc=company,dc=com"
manager-password="password"/>
<ldap-user-service user-search-base="" user-search-filter="(samaccountname={0})"/>
<authentication-manager>
<ldap-authentication-provider user-search-filter="(samaccountname={0})" user-search-base="dc=company,dc=com"/>
</authentication-manager>
Error logs:
[DEBUG,FilterBasedLdapUserSearch] Searching for user 'test', with user search [ searchFilter: '(samaccountname={0})', searchBase: 'dc=company,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
[DEBUG,AbstractContextSource] Got Ldap context on server 'ldap://adapps.company.com:389/dc=company,dc=com'
[INFO,SpringSecurityLdapTemplate] Ignoring PartialResultException
[DEBUG,XmlWebApplicationContext] Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken#488b5f0b: Principal: test; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 0718B7EED3F930C63C03DA97C4344CBD; Not granted any authorities]
[DEBUG,UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
[DEBUG,UsernamePasswordAuthenticationFilter] Updated SecurityContextHolder to contain null Authentication
[DEBUG,UsernamePasswordAuthenticationFilter] Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#395158
[DEBUG,TokenBasedRememberMeServices] Interactive login attempt was unsuccessful.
[DEBUG,TokenBasedRememberMeServices] Cancelling cookie
The problem was teat the LDAP server was running on a different port, but the normal port was still open.