I have currently installed OID (Oracle Internet Directory) and created some roles and users in them. I intend to access them using LDAP commands.
$ldapbind -p <port_number> -h <ip> -D "cn=orcladmin"
bind sucessful
$ ldapsearch -h <port_number> -p <ip> "dc=<name>"
ldap_search: Inappropriate authentication
ldap_search: additional info: Server is Configured to Deny Anonymous Binds
Is there something I am missing ?
On your ldapsearch command, add the -D "cn=orcladmin" for who you are binding as, -w "Password" or -W to prompt at run time. Probably you want a -b "ou=Base,dc=DNtoSearch" and then your filter as you have it.
You need to bind each time.
Related
I know that this question has been proposed several times (https://superuser.com/questions/606252/how-to-use-sshpass-for-chained-connection and https://unix.stackexchange.com/questions/320412/how-to-use-sshpass-to-supply-a-password-on-the-second-ssh-hop) but all the solutions that I've found until know are not working.
I'm tryng to access a third machine (third#machine) by using sshpass in order to not be prompted to insert a password. However,it is mandatory to use a bridge machine (bridge#machine) before entering the final one.
Each time I need to enter the passwords for the bridge#machine and for the third#machine, so my workflow is:
ssh bridge#machine
insert password:
ssh third#machine
insert password
Until now, I was able to avoid the first password by using sshpass in the proxycommand inside the ~.ssh/config file as follow:
vi ~.ssh/config :
Host *.reference
User example_user
ProxyCommand sshpass -p $bridge_machine_password$ ssh -o StrictHostKeyChecking=no bridge#machine "nc -w 60 `basename %h .reference` %p"
and contemporary I've define an alias named "curie" in the .bashrc file which is:
alias curie='ssh third#machine.reference'
So if run the alias curie I'm able to avoid the first password but I'm still prompted for the password of the third#machine.
For this reason I've tried to use sshpass to access the third#machine in the following manner:
>sshpass -p 'third_machine_password' ssh -oProxyCommand="ssh -W %h:%p bridge#machine" third#machine
Unfortunately, this gives back :
Permission denied, please try again.
Could be a restriction imposed by the third#machine or I'm doing something wrong?
if your password contains special characters such as $...
eg abcd#1234$$ then use \ with the special character....add this \ before each $$....it worked for me
Find a solution:
created firstly in the config file the proxy command
Host *.reference
User bridge
ProxyCommand sshpass -p passwd_bridge_machine2 ssh -o StrictHostKeyChecking=no bridge#machine2 "nc -w 60 `basename %h .ciment` %p"
after this command set in the config I created the alias in the .bashrc file:
alias curie='sshpass -p passw_third#machine3 ssh third#machine3.reference'
It is important to add the .reference line because it will firstly call the proxycommand in the config file and then use the sshpass in the alias. Once everything is settled it is only necessary to run the alias in the terminal to open the third machine withou any password.
Hope it helped someone else
I would like to use ldapsearch for an authentication test to a remote Windows server from a Linux instance (Amazon Linux OS). Kerberos bind is working via GSS-API installed from package cyrus-sasl-gssapi, is there an equivalent package that can be used for GSS-SPNEGO? I would like the ability to fall back to NTLM authentication in case Kerberos is not working.
The server supports both GSSAPI and GSS-SPNEGO but from the client side it appears that GSS-SPNEGO is not available. Output from ldapsearch is shown below:
ldapsearch -H "ldap://$HOST_NAME" -b "" -s base -Y GSS-SPNEGO
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Using cyrus-sasl-ntlm did not work because it appears the server does not support this:
ldapsearch -H "ldap://$HOST_NAME" -b "" -s base -Y NTLM
SASL/NTLM authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: 00002027: LdapErr: DSID-0C0905ED, comment: Invalid Authentication method, data 0, v2580
Is it possible to use SPNEGO bind with ldapsearch? Or is there another way to authenticate over NTLM?
#Grant,
You need to change the -Y option to "-Y GSSAPI"
For example:
ldapsearch -H ldap://example.com -b 'DC=example,DC=com' -Y GSSAPI
Here is my LDAP ORG Structure:
I created user with first, last name with password. But it is not working when am trying to connect using jdbc. Error says invalid credentials. Then I tried ldapsearch as follows:
I followed this process for users and group creation:
root#ip:/home# ldapwhoami
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
root#ip:/# ldapsearch -x -LLL -h ip -D username -w password -b"cn=admin,dc=ivhdev,dc=local" -s sub "(objectClass=*)" "givenName=username*"
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Please suggest/correct me, if am passing the right info in DN syntax. I am unable to validate the user credentials with their name and password.
The -D option takes the DN for logging in to your LDAP server.
The -b option takes the search base in your LDAP tree where you want to search for the user's given name.
So, your ldapsearch command becomes:
ldapsearch -x -LLL -h ip -D 'cn=admin,dc=ivhdev,dc=local' -w password -b 'dc=users,dc=local' -s sub '(objectClass=*)' 'givenName=username*'
If you use the Apache Directory Studio (http://directory.apache.org/studio/) you can see the actual ldapsearch commands used by the application. Maybe this is useful for anyone.
I am on artifactory version 4.6 and have the following requirement on the docker registry.
Allow anonymous pulls on docker repository
Force authentication on the SAME docker repository
I know this is avaliable out of the box on the later versions of artifactory. However upgrading isnt an option for us for a while.
Does the following work around work?
Create a virtual docker repository on port 8443 and don't force authentication , call it docker-virtual
Create a local docker repository and force authentication, call it docker-local on port 8444
Configure 'docker-virtual' with the default deployment directory as 'docker-local'
docker pull docker-virtual should work
docker push docker-virtual should ask for credentials
Upon failure , I should be able to docker login docker-virtual
and docker push docker-virtual/myImage
Not sure about the artifactory side, but perhaps the following Docker advice helps.
You can start run two registries, one RW with authentication, and a second RO without any authentication, in Docker:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs:ro \
-v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
-v `pwd`/registry:/var/lib/registry \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=My Registry" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
-e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
registry:2
docker run -d -p 5001:5000 --restart=always --name registry-ro \
-v `pwd`/certs:/certs:ro \
-v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
-v `pwd`/registry:/var/lib/registry:ro \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
-e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
registry:2
Note the volume settings for /var/lib/registry in each container. Then to pull from the anonymous registry, you'd just need to change the port. Since the filesystem is RO, any attempt to push to 5001 will fail.
The closest thing you can achieve is failing on docker push without credentials (while succeeding with pull).
No idea if this works with artifactory sorry.... you could try this handy project for docker registry auth.
Configure the registry to use this https://hub.docker.com/r/cesanta/docker_auth/
# registry config.yml
...
auth:
token:
# can be the same as your docker registry if you use nginx to proxy /auth to docker_auth
# https://docs.docker.com/registry/recipes/nginx/
realm: "example.com:5001/auth"
service: "Docker registry"
issuer: "Docker Registry auth server"
rootcertbundle: /certs/domain.crt
And allow anonymous with the corresponding ACL
# cesanta/docker_auth auth_config.yml
...
users:
# Password is specified as a BCrypt hash. Use htpasswd -B to generate.
"admin":
password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
"": {} # Allow anonymous (no "docker login") access.
ldap_auth:
# See: https://github.com/cesanta/docker_auth/blob/master/examples/ldap_auth.yml
acl:
# See https://github.com/cesanta/docker_auth/blob/master/examples/reference.yml#L178
- match: {account: "/.+/"}
actions: ["*"]
comment: "Logged in users do anything."
- match: {account: ""}
actions: ["pull"]
comment: "Anonymous users can pull anything."
# Access is denied by default.
I am providing -w "LDAP server password" in commandline but i am getting error . ldap_bind: Invalid credentials (49).
So basically I am trying to achieve this - A user can reset its password by running a small script but i don't want to expose LDAP password to him . so storing it in script only .
A very simple script -
uid="$USER"
echo "Welcome" $uid ;
ldappasswd -x -S -D "cn=xxx,dc=xxxxx,dc=xxx" -W -h 'IP address of LDap server' "uid=".$USER.",ou=xxxx,dc=xxx,dc=xxxx" -w "LDAP server password"
Please let me know if there is any other way to achieve this .
Thanks,
Use either -w <newpassword> to provide the password on the command line, or -W to get prompted, but not both. Also, you need to put options in front of arguments. Try ldappasswd -x -w "LDAP server password" -S -D "cn=xxx,dc=xxxxx,dc=xxx" -h 'IP address of LDap server' "uid=$USER,ou=xxxx,dc=xxx,dc=xxxx". Note i removed the dots from around $USER, you need them in perl but not in the shell.
But note that if you put this in a script, your users will need read permission on the script, or the shell won't execute it. Which means they will be able to cat the script and see the password. One workaround would be to make the script rx to the root user only, and allow sudo <yourscript> without password. Also, noone will prevent a user from changing his $USER variable, so your script is easy to hack - better parse the output of the id command, and make sure you don't use root if you do the sudo workaround.