Access to manage-account commands in OpenDS - ldap

OpenDS provides command-line access to many necessary account functions via its manage-account utility. For example, to disable an account:
manage-account set-account-is-disabled --operationValue true
--baseDN uid=someuser,ou=People,dc=example,dc=com" --hostname hostname --port 389
--bindDN "cn=Directory Manager" --bindPassword password
This is fine and dandy is you have a sysadmin to administer your ldap server but in a scenario where you have 1000s of users all over the globe this becomes a problem (imagine a user locked out of their account in Japan while the sysadmin is asleep in the US). We'd like to be able to programmatically tie into some of these manage-account functions so we can provide local admins/managers the ability to manage their own users.
Can anybody provide any insight on if this is possible and if so how? We are writing this in C# and I can't find any examples on it. Looking at the .NET API docs I thought System.DirectoryServices.Protocols.ExtendedRequest looked promising but cannot figure out how to use it.
Any help would be greatly appreciated, thanks!

The Manage-Account tool uses an LDAP extended operation, which code is in opends/src/server/org/opends/server/extensions/PasswordPolicyStateExtendedOperation.java.
Alternately, you can check the OpenDJ LDAP SDK, which has support for the extended operation, and will allow you to quickly write a client application.
OpenDJ LDAP SDK is documented at http://opendj.forgerock.org/opendj-ldap-sdk/ (and the doc is in the developer's guide : http://opendj.forgerock.org/doc/dev-guide/OpenDJ-Dev-Guide.html).
Regards,
Ludovic

The source code for manage-account is available, one can re-create the encodings from there. Also, one could set up a directory server, run manage-account, record the steps the tool takes from the access log, then write code to re-create those steps.

Related

Setting up an agent authentification with Pingaccess

I have a CentOS VM with an ready installed Pingaccess Server Testenvironment with access to the Pingaccess Admin UI.
Now I would need to set up an Agent-Authentification on the system but sadly have no experience configuring Pingaccess sofar. I also find it dificult to find documentation to complete my task.
I would appreciate any hints and pointers in right direction or information on how this kind of setup can be configured and what else I might need? Is it even possible to set it up in a local VM?
Here a slightly more detailed description of the scenario:
An application that itself is not able to use a corresponding protocol (Oauth, SAML2, ...) (e.g. a small PHP script or something similar) that cannot do anything other than output a user name that it reads from the HTTP headers.
Set up an Agent that extends the header attributes and e.g. something like Header-UserName. The application can then access the web server variables and use these values without having to worry about how the authentication works. The agent, on the other hand, can do the protocols and handle authentication via the server (here PingAccess).
Thanks a lot in advance.

Hi, I have one for any DBA's out there about the superuser account.

Is there any database that comes with NO default superuser account, or is there a way to have no superuser at all. I have extensively researched this for the past week and I can find nothing on this topic. My manager is keen on having no superuser by the time the system I'm working on is in deployment, however I feel this is not possible?
With MS SQL Server you can install it to use windows accounts. So you set up superuser tied to windows account. After deployment just disable this account in Windows and you are good to go.
To make sure it works properly you enable audit on user enabling, so you know when someone tries to enable the user account and use it to access DB.
It is bad idea to remove sysadmin completely because you might run into lot of troubles in the future.
Just yesterday our intern set up SQLServer and didn't add a database administrator at the relevant step in the setup, so it installed but was rather useless..
Questions like this are from a similar side of the fence:
https://dba.stackexchange.com/questions/11299/how-to-add-sysadmin-to-user-in-sql-server-2008-when-no-sysadmin-accounts-exist

I hope to give LDAP server new OID object

I am studying LDAP server(ADLDS)
I figured out that extended operation is implemented in ldap server.
For example, oid(1.3.6.1.4.1.4203.1.11.3) stands for whoami command.
If I give 1.3.6.1.4.1.4203.1.11.3 to ldap server, server would respond who the user is.
In this situation, I hope to make my own command with new oid.
How can I make this possible?
Thank you.
Some LDAP directory servers will allow you to extend them and define your own extended operation. This needs code and some expertise in the internals of the server.
I would strongly recommend that you consider open source directory servers, if you want to pursue that route, as getting full access to the code will make things easier.

SSH on windows without storing password in clear

What I would do is using Putty (or other solution) on Windows to connect to a SAN switch and get results from a command with ssh.
I use Powershell as scripting language and it could be done easily but i don't want to save the password in the script.
I'm looking for a solution to use Putty from command line and set the password not stored in clear in the script.
What I thought is to launch the script with \RUNAS (through a Scheduled task) and pass the actual credentials directly to Putty. (The switch would have the same password as the account used with the Runas). Is that possible?
Or is there any solution using putty with a certificate or something like this?
You may want to consider using key authentication as opposed to a password.
People will say use a password in addition to the key, but if your alternative is storing the password on your PC in a file anyway, someone with access to your machine owns you in either case.. So you just need to generate the keys. The requirement is: no-one but you has access to that key file.
http://www.linuxproblem.org/art_9.html
I'm in the same boat, have to use Windows, but for me www.mingw.org which gives you a shell, and the basic *nix tools - extremely useful for SSH, connect to remote Linux VPS, etc.. Cygwin, of course which is similar, and has an easier tool (setup.exe if I recall) to install new apps. I actually use git-bash with is mingw with git. No-GUIs. I've found this easy to just drop to the mingw shell when I need to use ssh openssl cut awk etc..
So running any remote command using SSH from the command line without third-party programs like Putty, or those with GUIs, etc.. Using the key authentication and offing password auth completely in ssh on the remote device (at least on devices where you have control) is some additional lockdown for the remote device, especially if you're the only one need access it.
Which leaves, scheduling the script. There should be a way to do that via batch file and Windows or within the command line environment.
I'll suggest following options:
use password authentication. Store the text file with password in a file with limited access (some service account) and launch your script under this account's credentials
same as above, but instead of text file use certificate file
write a small program (C#) which uses DPAPI to store the certificate or password in service account-specific store.
combine any of the above with the use of BitLocker/EFS
No options are can protect you from an attacker having admin access to the server, but implementing them will give an increasing (in order of number) headache to someone who will be trying to break it.
The script will be a weak spot in any case, though.
This is probably not the answer you're looking for, but I wouldn't use Putty for this, and would rather communicate with the SSH server directly using SSH.NET library. It's available in both source and binary form, and you could use it from PowerShell too if you like.
Examples: http://sshnet.codeplex.com/wikipage?title=Draft%20for%20Documentation%20page.
Then you'd have a lot of options to store your login credentials securely.
I recommend setting up 2-factor authentication on the ssh machine that you have to communicate with IF you can't use key authentication.
Google's 2 factor authentication can be implemented for ssh and is relatively easy to set up as long as SE linux is disabled...if it isn't disabled, you can add an exception and that would essentially help reduce the risk of compromise and increase security.

Does using "chmod 666" on specific directories creates any vulnerability? (installing Kohana)

Obviously I am very new, so please bear with me.
I installed Kohana Framework in my localhost. To do is so we have to set two specific folders with write permissions to all. "chmod 666" is suggested. (here)
The remaining directories are set to 755.
My question is more directed to Apache.
Will the use of "chmod 666" create a vulnerability in a webserver?
What exacly means "write access for everyone"?
Many thanks in advance!
666 is almost always a really bad idea. The web site where you read that needs a good flogging.
"Write access for everyone" means that anyone with a user account on your system can write to that directory.
These rights are only for your current server, so if you are the only one with access to a user account on your machine you should be pretty safe. Write access for everyone means everyone with a user account on your machine has the right to write. Please note that 3rd party software (like apache) can have it's own user as well and this could be compromised if there's a exploit in that software. This way someone from the outside could gain access to that folder. It's a common practice to only give rights to users that really need access.
Note: On a normal Windows machine (don't know if this is still true with Windows 7 though) everyone has access to everyone's files. So this is just another security measure.