Active directory authentication on tomcat by JNDIRealm referrals problem - authentication

I'm trying to look on on the root of a AD server for users with tomcat5.5 and JNDIRealm, but it seems that there are several referrals to other locations in the whole AD structure and one of the referrals give a "connection refused" . With LDAP you can use the option referrals="ignore" but this doesn't work if you use AD so you must use referrals=follow otherwise you get a Unprocessed Continuation Reference(s) exception
Is there a way that I can ignore all referrals to other servers?
current config in a server.xml file:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionName="CN=root_user,OU= foo,OU= bar ,dc=example,dc=com"
connectionPassword="hideMe!"
connectionURL="ldap://****:389"
userBase="DC=example,DC=com"
userSearch="(&(objectClass=user)(sAMAccountName={0}))"
userSubtree="true"
roleBase="OU=rolles,dc=example,dc=com"
roleName="CN"
roleSearch="(member={0})"
roleSubtree="false"
/>
Exception:

It seems that the active directory was corrupt. There where broken referal links. So be sure that the servers are all up and running

Related

Client certificate based authentication HAProxy and a general questions

I want to add to a Tomcat servlet (which is behind a HAProxy server) client based authentication so what I did was
I've updated Tomcat configuration by adding
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="want" sslProtocol="TLS"
keystoreFile="conf/cert/server-keystore.jks"
keystorePass="changeit"
truststoreFile="conf/cert/server-truststore.jks"
truststorePass="changeit" />
P.S more info on https://docs.bmc.com/docs/rsso1908/configuring-the-tomcat-server-for-certificate-based-authentication-907302408.html
I also updated my HAProxy configuration by updating several lines, i.e
listen VIP
bind 172.16.200.85:443 transparent ssl crt /etc/haproxy/cert/server.pem ca-file /etc/haproxy/cert/ca.crt verify required crl-file /etc/haproxy/cert/root_crl.pem
P.S more info on https://www.loadbalancer.org/blog/client-certificate-authentication-with-haproxy/
and when I navigate to a page I get prompted for a certificate immediately, and I don't want that. What I want is a specific path, i.e /login/me to prompt for a certificate to choose. Basically, I want the same solution for client certificate authentication as on
https://secure.login.gov/
--> select "Sign in with your government employee ID"
--> click on the button "Insert your PIV/CAC" [you get a certificate list to choose from]
My questions:
How they are able to to accomplish client certificate based authentication via (it seems) a path "/login/piv_cac"?
I'm asking this, because I've found answers on a stackoverflow configure tomcat for client authentication only for specific URL patterns that this is not possible to accomplish. I've also tried my self, but I get always prompted for a client certificate upon connecting to a Tomcat instance (before navigating to an authentication url)
Is it doable with two Tomcat instances behind a HAProxy?
If so, what would be a general HAProxy configuration [or steps] for this?
If not, what do I need to make it happen?
Do I need one Tomcat instance for "casual" human beings and other Tomcat instance for "certified" human beings?

NiFi: LDAP Authentication Multiple DN Issue

I Installed nifi-1.13.2
and I need to authenticate with LDAP
but there is some issue
when I want to use multiple account in different "OU"
I get this error
"Unable to validate the supplied credentials. Please contact the system administrator."
this is my login-identity-providers.xml:
login-identity-providers.xml
this is my LDAP Server table:
LDAP
I found The Solution
you should change ldap port to 3268
like this
<property name="Url">ldap://10.1.21.2:3268</property>
<property name="User Search Base">DC=COM</property>
this port is for Global catalog and mostly use for authentication

How to set up membrane reverse proxy for 2 hosts with common authenication?

I have the following requirement. Please advise on how to set up the proxies.xml properly.
localhost/... user authentication is required from root level down (basically user needs to be authenticated once to access the whole website, which includes the 2 subsystems below)
localhost/subsys1/... all requests under this url should go to host1:8081
localhost/subsys2/... all requests under this url should go to host2:8082
I tried to set up the proxies.xml this way, but it doesn't seem to work.
<router>
<serviceProxy port="80">
<path>/</path>
<basicAuthentication>
<user name="guest" password="guest"/>
</basicAuthentication>
</serviceProxy>
<serviceProxy port="80">
<path>/subsys1</path>
<target host="host1" port="8081"/>
</serviceProxy>
<serviceProxy port="80">
<path>/subsys2</path>
<target host="host2" port="8082"/>
</serviceProxy>
</router>
Thanks,
Denny
I think the basic auth should be placed on the two proxied service as it will do the auth part.If u are trying to do it globally i havent tried it that way and i am not sure that it can be configured as such.
http://www.membrane-soa.org/service-proxy-doc/4.2/interceptors/examples.htm .What i also found usefull is that membrane service proxy is built on spring :-)

PingAccess issues with proxying target sites with HTTP/HTTPS mix

I'm trying to get PingAccess set up as a proxy (let's call the PA host
pagateway) for a couple of applications that share a Web Session. I want all access to come via the PA pagateway and use HTTPS, but the back end systems are not HTTPS.
I have two sites defined, app1:8080 and app2:8080. Both are set to "secure" = no and "use target host header" = yes.
I have listeners defined on ports 5000 and 5001 that are both set to "secure" = yes.
The first problem I found is that when I access either app in this way (e.g. going to https://pagateway:5000), after successfully authenticating with PingFederate I end up getting redirected to the actual underlying host name (e.g. http://app1:8080), meaning any subsequent interactions with the app are not via PingAccess. For users outside the network they wouldn't even be able to do that because the app1 host wouldn't even be visible or accessible.
I thought maybe I needed to turn off "Use target host header" to false but Chrome prompts me to download a file that contains NAK, ETX, ETX, NUL, STX, STX codes, and in the PA logs I get an SSL error:
2015-11-20 11:13:33,718 DEBUG [6a5KYac2dnnY0ZpIl-3GNA] com.pingidentity.pa.core.transport.http.HttpServerHandler:180 - IOException reading sourceSocket
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
...
I'm unsure exactly which part of the process the SSL error is coming from (between browser and pagateway, or pagateway and app1). I'm guessing maybe app1 is having trouble with the unexpected host header...
In another variation I turned off SSL on the PA listener (I also had to change the PingAccess call-back URL in the PingFederate client settings to be http). But when I accessed it via http://pagateway:5000 I got a generic PingFederate error message in the browser and a different error in the PA logs:
2015-11-20 11:37:25,764 DEBUG [DBxHnFjViCgLYgYb-IrfqQ] com.pingidentity.pa.core.interceptor.flow.InterceptorFlowController:148 - Invoking request handler: Scheme Validation for Request to [pagateway:5000] [/]
2015-11-20 11:37:25,764 DEBUG [DBxHnFjViCgLYgYb-IrfqQ] com.pingidentity.pa.core.interceptor.flow.InterceptorFlowController:200 - Exception caught. Invoking abort handlers
com.pingidentity.pa.sdk.policy.AccessException: Invalid request protocol.
at com.pingidentity.pa.core.interceptor.SchemeValidationInterceptor.handleRequest(SchemeValidationInterceptor.java:61)
Does anyone have any idea what I'm doing wrong? I'm kind of surprised about the redirection to the actual server name, to be honest, but after that I'm stumped about where to go from here.
Any help would be appreciated.
Have you contacted our support on this? It's sounding like something that will need to be dug into a bit deeper - but some high level suggestions I can make:
Take a look at a browser trace to determine when the redirect is happening to the backend site. Usually this is because there's a Location header in a redirect from the backend web server that (by nature) is an absolute URL but pointing to it instead of the externally facing hostname.
A common solution to this is setting Target Host Header to False - so it will receive the request unmodified from the browser, and the backend server should know to represent itself as that (if it behaves nicely behind a proxy).
If the backend server can't do that (which it sounds like it can't) - you should look at assigning rewriting rules to that application. More details on them are available here: https://support.pingidentity.com/s/document-item?bundleId=pingaccess-52&topicId=reference%2Fui%2Fpa_c_Rewrite_Rules_Overview.html. The "Rewrite Response Header Rule" in particular will rewrite Location headers in HTTP redirects.
FYI - The "Invalid request protocol." error you're seeing at bottom of your description could be due to a "Require HTTPS" flag on your defined Application.
Do you have the same issue if you add a trailing slash at the end (https://pagateway:5000/webapp/)? Your application server will rewrite the URL based on what it thinks is the true host. This is to get around some security related issues around directory listing.
Which application server are you using? All app servers are unique, but I'll provide instructions on how to resolve this with Tomcat.
Add a global rule that forces the application server to use the external facing host name. Here is a sample Groovy script:
def header = exc?.request?.header;
header?.setHost("pf.pingdemo.com:443");
anything();
In Tomcat's server.xml, add scheme="https" to the connection:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" scheme="https" />
Cheers,
Tam

Restrict access to specific URL (Apache Tomcat)

How can I restrict access to a specific URL (it is a Tomcat Application Server)? e.g. http://localhost:8081/application cannot be accessed by an user except a specified IP (that is the calling service)
Quote:
The Remote Address filter, org.apache.catalina.valves.RemoteAddrValve, allows you to compare the IP address of the requesting client against one or more regular expressions to either allow or prevent the request from continuing based on the results of this comparison. A Remote Address filter can be associated with a Tomcat Engine, Host, or Context container.
org.apache.catalina.valves.RemoteAddrValve.
http://www.oxxus.net/tutorials/tomcat/tomcat-valve.htm
So, you'd need something along the lines of
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="<your-ip-here>"/>
For possible values, see
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter
You should be able to set this in the WEB-INF/web.xml for your application, see
http://oreilly.com/java/archive/tomcat.html
Goto following path: C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\Catalina\localhost\
Under this path you find "manager.xml" file.
Edit "manager.xml" file, with following content:
<Context path="/manager" debug="0" privileged="true">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,10.100.1.2"/>
<!-- Link to the user database we will get roles from
<ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/>
-->
</Context>
Save and run server. You got it.
NOTE :
127.0.0.1 MEANS YOUR SYSTEM IP
10.100.1.2 -THIS IS YOUR FRIENDS IP.