We have a requirement to get information from specific users on an LDAP directory based on a Smartcard being presented. The application is already running under an AD user account, but using that users access to LDAP will not have sufficient access to the specific users data.
We have stumbled through a few parts of LDAP APIs and not had much luck finding info on how to make an LDAP bind call without username/password and more specifically with auth from a smartcard. Some of the MS LDAP appears to allow the option of using the current user token.
The best we have come up with is to use the SC to login then while impersonating the user create the ldap connecton using the current user token. Similar in idea to this MDSN blog .
Is there a better way?
The problem we are having with the impersonation is that the logged in user has to have certain rights for logging on other users to do the impersonation. Also while impersonating we need to limit other interactions, accessing the file system or registry as the alternate user is not desirable.
Related
I have successfully added ldap-ad to Alfresco. Now when i am creating a user in AD, it is synchronized with Alfresco and i got an Alfresco user. The question is, if a user Bob (that has been sync from AD) changes his password (in Alfresco interface), in which authentication system the password will be changed, Alfresco or AD?
If the password will be changed in AD, then i have no other querstion, but as far as i know, there is only one direction sync, from AD to Alfresco, so Alfresco cant access the AD passwords and change them. Does this mean, that Alfresco will create a password for Bob and store it in its own authentication system and now Bob can loggin with alfresco and AD passwords (new and old)? And most important question: How to avoid that? Thanks in advance.
Alfresco uses an authentication chain concept. That means you can configure more than 1 system for the authentication and if a user tries to authenticate Alfresco steps thru the configured chain and tries one system after the other until the user has been authenticated successfully or if the auth fails on the last chain member the auth attempt is assumed as failed.
Alfresco brings it's own authentication subsystem to create and store users locally in the repo db with passwords. Locally created users like admin are stored in the local subsystem alfrescoNtlm which you could find in the node browser in the user://alfrescoUserStore/ store. That store is for the authentication of internal users only.
"users" you see and manage in the Alfresco UI are of type cm:person stored in the main store workspace://SpacesStore (/sys:system/sys:people/) but do not contain any password at all.
The ldap sync only creates users in the workspace://SpacesStore under /sys:system/sys:people/and once a user tries to login Alfresco walks thru the authentication.chain which may look like in production:
kerberos1:kerberos,ldap-ad2:ldap-ad,alfrescoNtlm1:alfrescoNtlm.
Alfresco Share only provides the user a "Change Password" dialog if the user is found in the local alfrescoUserStore. Alfresco does never change a password in any other system.
To test whether you have understood everything: What happens if a user max exists in the AD and in the local alfrescoUserStore and changes it's password in the Alfresco UI? ;-)
If you were using LDAP for authentication, then the passwords will never store in Alfresco. Passwords will be stored in LDAP and and it will be linked with Alfresco by their email or usernames.
I want to know if it's possible to create an Active Directory user account that confers no access or privileges to that user.. simply to authenticate a set of credentials..
As we are hybridised AD/Azure organisation, I want this 'account' to replicate to Azure through the connector.
The reason for this is that:
We manage all our users through AD so I don't want some accounts managed only in Azure.. it would be very confusing. Centralised managemnent and support is good!
The account would ONLY be used for authenticating users into Zoom via SAML2, or any another cloud service for that matter that can use Azure as an authentication service.
No capacity to access anything within our firewall.
Your ideas would be greatly appreciated.
Gus
It depends how you define "access". By default, the Authenticated Users group is able to read everything in AD, but not write. If you're ok with that, then you're done. Just create a user and don't add any access to it.
If you don't want it to read anything on the domain, then you'll have trouble. The Authenticated Users group is described as:
A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
Since there is no way to not have a user be part of Authenticated Users, then you would have to modify the permissions on your domain to exclude Authenticated Users. But that may cause other issues for other users.
As far as I know, the most basic permissions that any user is created can also view other users or groups in AAD. If you want to turn off this basic permission, just set Restrict access to Azure AD administration portal to Yes, then the user will not have any access rights.
Go to azure portal->click Azure Active Direcotory->User settings
If multiple systems join ldap authentication, then any administrator of any one of them can get the password of any user's account.right?
Applications authenticating against an LDAP directory are not going to be able to access all of the user passwords en mass provided you do not not permit direct read access to the attribute or you do not store your passwords in clear text (if you use something like ldapsearch to dump an entry and have userpassword:: followed by a bunch of random looking 'stuff', that's an easily decoded clear text password). App I allow to access my LDAP server aren't given access to read all of the userPassword values to attempt reversing them out to clear text (and I'm using a decent encryption mechanism to store userPassword value). I restrict the application service account to reading contact-type attributes (phone number, address) and group objects. The only way they get the user's password is by asking the user for it and binding against my directory with those credentials. Can an app admin grab credentials for those who use the application? Sure, they could.
On an out of the box application, I could attach a debugger and access the username/password values as they transit the application. With custom-written applications, it's even easier to grab the credentials. The application takes the username and password as user input and binds to the LDAP server to validate the username and password. As an LDAP server admin, there's nothing I can do to prevent the application developer from making calls and doing other things with that username and password. "Other things" may be legit -- I've handled LDAP directory migrations by authenticating against the old system and, on success, creating the user in the new directory LDAP with the password the old directory just accepted. It was an ugly way to migrate directories, but it worked. "Other things" may be malicious. Is it likely to encounter an app admin or developer who is siphoning off credentials? Depends on who authenticating through your LDAP directory.
This isn't a unique failing of LDAP -- any authentication back-end that you let other people use directly suffers from the same problem. If you don't want the app admins/developers intercepting user credentials, look into federated identify management (FIM) -- an authentication mechanisms where the app (service provider, in FIM terminology) doesn't have access to the username and password but rather validates a token of some sort that was created after a trusted "identity provider" authenticated the username and password.
We are developing a self registration app.
Our app allows users to register for web apps and is deployed on a weblogic 10.3.5 app server. The weblogic is connected to a local ldap system.
Once the user registeres with our app we call corporate servces to generate a user id. password activation, authentication is all handled by the corporate servcies. which also has a corporate ldap that contains all users in the company.
The approach works fine for 'new users' ie users that are not present in the corporate ldap or the local ldap: users enter their details and are issued a user id which we then copy into the local ldap once the user activates their account.
The use case we're grappling with at the moment is how to handle 'existing' users that wish to register. These are users that are currently in the corporate ldap and wish to 'register' with our applications. They get rejected during the normal registration process as they already exist in the coroporate ldap.
What i'd like to do is force them to login (simply so they don't register on behalf of somone else) and once they're logged in simply copy their data into the local ldap.
The problem is even if they are successfully authenticated by the corporate service, they don't (yet exist) as far as the weblogic server is concerned. is there a way to obtain the user id that comes with the authentication token ?
The authentication method is SAML 1.1
The application is a standard Java EE servlet based webapp using the struts2 framework.
Any ideas would be much appreciated.
Within WebLogic, you can define multiple authentication providers and set them up in the order you would like the system to use. Since you are copying data over, you would have to programmatically check for the existence of the account before attempting to create it on the LDAP server.
It would be a lot simpler if you use the external LDAP server directly instead of copying the data to the internal LDAP server, letting you attempt logging the user in and creating the account only while catching the appropriate exception.
I am writing a WPF application, and one feature I want to implement is the ability to display a list of computers in the domain. I have found some useful Active Directory code here:
http://www.codeproject.com/Articles/90142/Everything-in-Active-Directory-via-Csharp-NET-3-5-.aspx
Typically code examples dealing with AD seem to require the user's credentials to make requests. But it occurs to me that if you are running the application from a computer that is part of the domain, the user has already provided user credentials sufficient to access AD on that domain controller, when logging on to the system.
Is there some way that the user can access AD via my application without the app having to ask the user to reenter the same credentials again? I mean is there some kind of token that I can forward that indicates the user is already authenticated? I am concerned about the risks of having to store and transmit credentials securely when I don't have to.
Thanks for any advice.
I later discovered that if you are logged on to the domain, that is sufficient for you to access the active directory store, without having to supply further credentials or impersonate an admin. And in some cases you can also access it without being logged in at all.