I'm attempting to integrate phpBB with CAS so that I can utilise the single sign on across a host of websites. So far I have tried a few things but none have pulled off yet. The closest I have come is with the following MOD:
https://sourcesup.cru.fr/projects/casldapauthbb/
However after installing it when I add my CAS details to CAS server name, CAS server port, CAS uri, and leave the LDAP fields blank, I get the error, could not connect to LDAP server.
If anyone knows how to fix this, that would be cool.
I'm also open to alternative solutions.
There doesn't appear to be a way to do this without rewriting large parts of the phpBB framework. So I'm going to run phpBB separately and link accounts through a common library.
Related
I have been working to link my AD to G-Suit and have an auto sync established. The reason I put this here because I have had hard time to figure out everything. I am still not at the end of this procedure and I would appreciate if the skilled people would contribute to help me and I guess many others as well, on this topic.
I downloaded GCDS tool (4.5.7) and installed on a member server. Tried to go through the steps and failed, except to the first one to authenticate to Google.
Learnt: It is a Java (Sun) based product and when it come to authentication or SSL it will through errors that need to be sorted.
Step 1, Google Auth - done and very simple as long as you can logon to your GAE account
Step 2, LPAD config... this was tricky
I created a service account to use
Learnt:
You need to have the SAMS account matching with the displayname and name as well; only this way I could authenticate.
In most cases you don't need any admin rights, a domain user should be able to read the DN structure from LDAP.
I have the OU structure, but I need LDAP working on the DC (this works somehow)
Learnt:
Simple connection through port 389;
SSL would use port 636;
in most cases
GCDS only uses Simple authentication!
Learnt:
With port 389
Domain group policy needed to changed to non LDAP auth required (Domain controller: LDAP server signing requirements changed to none!) to be able to logon - this one is working and good for DEVSERV
Question: Should I use it for PRODSERV or I need to aim to use SSL?
Learnt:
With port 636 (SSL) you need a certificate
Question: I tried to add self cert based on the following article, added to the trusted cert root but Google cannot see it?
BASE DN can be read out through LDP.EXE (built in LDAP browser by MS)
Learnt:
You can add your OU you wanted doesn't have to be the root of the tree
Question: does it mean you have implemented extra security?
Step 3,Defining what data I can collect. OU and person I picked.
Learnt
Profile will collect extra information to Google, such as job title, phone etc. I only wanted them for the company signature... Well that is still not clear if this can be done. If that is not possible, I can't see the reason why I should disclose unwanted information to store on another server.
Question: Can job description be included to the Google Mail signature?
I am keep adding my finding to it as I am working through but would appreciate any input from people who managed to set it up.
Step 4, Searching in the Organisation Unit - confusing again but it is done. (More to follow.)
I've just started my linux security classes and my task is to set up an apache2 server (nginx is allowed aswell but chose the first one) with configuration listed below:
There is one domain (localhost) with different subfolders:
/ssl (any user can access, force redirect to https)
/ssl/user_1 (access with certificate "user_1")
/ssl/user_2 (access with certificate "user_2")
/ssl/any (access with any certificate (user_1, user_2))
/no_ssl (access without certificate)
I don't have much experience with apache2 but succesfully managed to set it up and configured basic ssl. However, I managed to set just one certificate for all folders/subfolders - I've been digging through whole Google (I have three pages of results marked already as visited..) but could not find a proper solution, tutorial or docs how to set up few different certificates, each for a different folder. I found few but it's often the case that the code was written few years ago and does not work anymore in the new version.
I'm not asking for a full solution but I'd appreciate if someone could point me in the right direction or provide some good tutorials/docs about the matter. Some configuration snippets would be awesome aswell of course!
Thank you so much in advance,
F.
I don't think I'm giving too much away when I say you are misunderstanding that part of the question. You are assuming that user_1 and user_2 are server certificates.
This is about client certificates - otherwise options 1 and 4 are the same. Also I think this is implied with the certs being user_1 and user_2 rather than server_1 and server_2. So go read up about client certificates.
Saying that I still don't know how to do this simply for options 2 and 3 so it's still a tricky question. Let us know how this is done after the assignment is finished for my own curiosity and good luck figuring it out yourself!
My client owns "domain.com". We need to give various applications friendly names for internal and external access. The applications are WCF web services and MVC web applications with varying levels of authentication (Windows auth within and across AD domains and plain text authentication). It looks a little like this:
UAT Environment
service1.uat.services.domain.com
service2.uat.services.domain.com
service3.uat.services.domain.com
service4.uat.services.domain.com
application1.uat.apps.domain.com
application2.uat.apps.domain.com
Production Environment
service1.services.domain.com
service2.services.domain.com
service3.services.domain.com
service4.services.domain.com
application1.apps.domain.com
application2.apps.domain.com
We're likely to have a LOT more sub domains, and everything needs to be secured with SSL.
We've changed our minds on how to configure this a number of times, but now we've hit a possible restriction. We thought a wildcard SSL certificate might work, but apparently they only work to a single level of subdomain i.e. *.services.domain.com.
Because of budget, we'd like to register a single wildcard SSL certificate and apply it to multiple servers (belonging to multiple AD Domains, and also a few servers in our DMZ).
This morning I had an idea, but I don't know enough about this stuff to make a definite decision. Do any of you foresee any restrictions on using the following naming convention instead of the above?
service1-uat-services.domain.com
service2-uat-services.domain.com
service3-uat-services.domain.com
service4-uat-services.domain.com
application1-uat-apps.domain.com
application2-uat-apps.domain.com
service1-services.domain.com
service2-services.domain.com
service3-services.domain.com
service4-services.domain.com
application1-apps.domain.com
application2-apps.domain.com
That way, we can register a wildcard for *.domain.com and use a single level subdomain for each application / service, but still allow us to keep everything logically separate. Are there any technical issues anyone can identify using this set up?
There shouldn't be any problem with that.
I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc. but to no avail. I don't work with SSL everyday so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.
Having an issue with random individuals trying to access an intranet site with a security certificate. Most users are able to simply select their Smartcard/CAC certificate, enter the pin number and then are granted access to the site's pages.
However, random individuals enter their pin and then are immediately re-prompted by the IE alert dialogue to enter their domain username and password. If they don't enter their network domain username and MS password, then they receive a 401.1 Unauthorized.
I am confused as to why these certain users (who are selecting the same certificates as the successful ones) are being prompted for their domain name/pwd. Furthermore, they're able to access other sites which require a CAC to get past the security certificate.
Possible that a user token is unable to be established via a CAC card for the particular site, but not sure why. Since these users are getting a 401.1, then somehow their identity associated with their CAC credentials is not validating.
In IIS:
Anonymous users are not allowed (unchecked).
128-bit encryption is required with SSL.
Integrated Windows Authentication is checked.
Accepting client certificates
In the site's web.config file all users are allowed and only anonymous are denied.
The exact same setup is present on the development box without any issues at all, indicating to me that the problem resides on the production server's ability to properly receive/handle CAC information from those individuals or that something funky is going on with the way the security certificate is relating to the client's CAC x.509 certificate.
A little more information that may be of use: the browser prompt that initially asks for the CAC has nothing to do with the code of the site, but rather is enabled by applying the security certificate to a site in IIS; thus indicating to me that there is something written into the certificate that looks for client certificates tied to the ActivClient agent via the browser???
Then again, I probably have no idea what i'm talking about, just throwing a bone here to see if anyone has had the same issue or has any ideas.
Thanks in advance for any input, questions, or ideas.
The problem was a stinking DLL that serves to help parse long URL's with many aliases (dots). The faulty DLL had been written into many people's re-image of their computers. The violating computer re-freshes contained an old version of a DLL used by Internet Explorer called URLMON.dll. The version of the DLL you need should end in '21073', but the one included on the faulty images listed above ends in '19.....'.
You can confirm this by going into IE7 and clicking on Help > About Internet Explorer > System Information (btn on bottom) > Internet Settings > Internet Explorer > File Versions > urlmon.dll
Updating this DLL has shown to fix the issue with secure SSL sites having problems validating CAC/pin entry that have long DNS entries (such as https://something.something.something.something.something.something).
There is an IE7 hotfix for this, but it will only install if you don't have ServicePack 3. If you do have SP3, , you cannot run the needed Hotfix, b/c it assumes that SP3 has already put into place the correct DLL.
1. Uninstall SP3
2. Reboot
3. Install the IE7 Hotfix
4. Reboot
5. Run Microsoft Updates via the Window MS updates website
Sucks, but that's what you get with crappy software like IE run on a deficient operating system, then coupled with software that's limited in it's abilities to truly talk to the operating system.
Check the functioning of the card with other applications.
Also check that the certificates are valid (not expired) and otherwise similar - same issuer, PIN not locked etc.
I understand your development environment works as you want and that your production environment is not.
Have you tried to reproduce the error in another environment to confirm which behavior is consistent?
Had a very similar problem that was solved by bypassing the proxy server. Try adding it to the exemption list.
In IE, go to:
Tools | Internet Options | Connections | Lan Settings | Advanced
Add site to exemptions list.
May not work for you, but could be worth a try. Like I said, it worked for me with a very similar issue.