LDAP Authentication using CGI+TCL - ldap

How can I authenticate a user with LDAP using CGI/TCL stack?
Please provide a sample code-snippet if possible.
I am using an Apache Web Server on RHEL 5.0; AD exists on a remote Win2003 server.

Here is an example that will connect to an ldap server and retrieve all of the info ldap has about an email address:
package require ldap
set sEmailAddress "user#example.com"
set handle [::ldap::connect example.com 3268]
ldap::bind $handle
set result [::ldap::search $handle "dc=example,dc=com" "(mail=$sEmailAddress)" {sAMAccountName}]
foreach {object attributes} $result {
foreach {name val} $attributes {
puts "$name\t$val"
}
}

Here's the ldap package. You first bind using some "bind user" who can see everyone. You then search for the user based on some attribute like e-mail address or sAMAccountName. If the user exists, bind again using the given password and the full path of the user.

Related

LDAP users cannot login to Mediawiki

I have a private MediaWiki with the MediaWiki LdapAuthentication extension and the php ldap extension installed; and the following LocalSettings.php LDAP configuration:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "MYDOMAINALIAS" ); // alias name for the domain
$wgLDAPServerNames = array( "MYDOMAINALIAS" => "192.168.1.82" ); // ldap server IP or DNS
$wgLDAPSearchStrings = array( "MYDOMAINALIAS" => "uid=USER-NAME,cn=users,dc=mydomain,dc=com" );
$wgLDAPUseLocal = true; // ldap authentication only or ldap plus local mediawiki authentication
$wgLDAPBaseDNs = array("MYDOMAINALIAS" => "dc=mydomain,dc=com"); // dn base
$wgLDAPEncryptionType = array( "MYDOMAINALIAS" => "clear" ); // type of encryption clear, tls or ssl
$wgLDAPDebug = 3; // debuggin level
$wgDebugLogGroups["ldap"] = "/volume1/web/MediaWiki/debug-wiki.log" ; // the file has to exist
when I try to log in the wiki with an LDAP user I get the following error:
Incorrect username or password entered. Please try again.
The debug-wiki.log shows the following message:
2019-10-23 15:47:56 192.168.1.79 wiki-wiki_ikb_en_: 2.1.0 Entering Connect
2019-10-23 15:47:56 192.168.1.79 wiki-wiki_ikb_en_: 2.1.0 It looks like you are missing LDAP support; please ensure you have either compiled LDAP support in, or have enabled the module. If the authentication is working for you, the plugin isn't properly detecting the LDAP module, and you can safely ignore this message.
I know that the LDAP server is working because it is also serving a PGina user authentication service which is working correctly. Any ideas?
Thanks in advance
The server had installed two versions of PHP, and the one running the webserver did not have the ldap extension active. Once it was installed, it worked as expected. I am leaving the question here in case it can be of any help to someone with a similar scenario.

How to verify LDAP username and password via an authenticated connection?

Currently, I have 1 user have the permission to bind OpenDJ server. Then I need to verify the username and password from the end user. How can I do that?
This is the way I create the LDAP connection and bind successfully:
LdapConnection connection = new LdapConnection("opendj.mydn.com.vn");
//Set session options
connection.SessionOptions.SecureSocketLayer = false;
connection.AuthType = AuthType.Basic;
connection.Bind(new NetworkCredential("myuser", "mypassword"));
After that, I need to use this connection to verify the "user1" and "password1".
How can I query this action?
This is the configuration of OpenDJ:
Host_LDAP=opendj.mydn.com.vn
dn_LDAP=ou\=People,dc\=mydn,dc\=com
#uid_LDAP=uid\=webservice,ou\=People,dc\=mydn,dc\=com
uid_LDAP=webservice
admin_LDAP_verify_attr=uid
admin_LDAP_verify_dn=ou\=People,dc\=mydn,dc\=com
You've already done it. If the bind succeeded, the username and password were correct.
EDIT Your 'IT guy' is seriously misinformed. According to the OpenDJ configuration documentation #6.1.5, there is no real 'bind' permission. Instead:
Bind
Because this is used to establish the user's identity and derived authorizations, ACI is irrelevant for this operation and is not checked. To prevent authentication, disable the account instead. For details see Section 11.2, "Managing Accounts Manually".
[Emphasis added.]

Authenticating Domino REST Service Requests

I have installed "Domino Sample REST Service Feature" from 901v00_11.20141217-1000 version of XPages Extension Library. OpenNtfSample service (com.ibm.domino.services.sample.service.SampleService) works as it should in general and the only problem with it that it completely ignores authentication settings of the server.
I have tried both Basic and Session Authentication as described in Authenticating Domino REST Service Requests and the result I get is the following - the service returns data always and does not ask for any user name and password.
The server is configured with Session Authentication now and I get password prompt when I try to access
{my_server}/api/data
but does not get it when I open
{my_server}/api/sample
After I had added this Web Site Rule
Description: DAS service
Type of rule: Override Session Authentication
Incoming URL pattern: /api/
the server changed password prompt for
{my_server}/api/data
but
{my_server}/api/sample
remained open.
Has anybody experienced this kind of error? Can anybody help me password protect this sample service so that I could start developing my own once based this example?
The /api/sample resource is wide open on purpose. That just returns a link to the contacts resource -- /xpagesext.nsf/api/sample/contacts.
If you really want to prevent anonymous access to the /api/sample resource, there are two possible solutions: 1) Disable anonymous access for all HTTP requests, or 2) Make a change to the RootResource class. The first solution is a server config change. I'm sure you can find details about that elsewhere. Since this is StackOverflow, I'll focus on the second solution.
As you have already noticed, we don't allow anonymous access to the /api/data resource. You can mimic that behavior in the /api/sample resource with a simple change to RootResource.getLinks(). Near the top of the method, just add these lines of code:
boolean authenticated = false;
Session session = ContextInfo.getUserSession();
if ( session != null ) {
String userName = session.getEffectiveUserName();
if ( userName != null && !userName.equals("Anonymous")) {
authenticated = true;
}
}
if ( !authenticated ) {
throw new NoAccessSignal("Need user context");
}
By the way, you won't need to make the same change to the contacts resource class (ContactsListResource.java). Because the contacts resource URL includes a database name (xpagesext.nsf), the web server will attempt to open the database before forwarding the request to the REST service. You can prevent anonymous access to the contacts resource by changing the ACL of xpagesext.nsf. Just make sure the default access is "No access".

How to test a usename and password whether present in LDAP?

I am basically using Datapower AAA policy and in that I have configured 'using LDAP to bind DN' as authenticate mechanism.
Now i have made rules and configured host and LDAP port
I have a user and Password to test whether it exist or not
How to test
Is there any gateway present to test(like MCCP)?
You need to attach this AAA Policy with some top level service objects [Web Service proxy, Multi Protocol Gateway, XML Firewall etc]. After that test the service to see if authentication is working fine or not? If you already did that, can you specify what is the exact problem you are facing?
You can extract the user name and password and u can send over to LDAP server .
This you can achieve using an xsl to connect to LDAP and check the authentication.
We have pre-defined functions for LDAP search and authentication.
search : dp:ldap-search(address, port, bindDN, bindPassword, targetDN, attributeName, filter, scope, sslProxyProfile, ldapLBGroup, ldapVersion, ldapReadTimeout)
Auth : dp:ldap-authen(bindDN, bindPassword, serverAddress, sslProxyProfileName, ldapLBGroup, "", ldapVersion, ldapReadTimeout)

Same Session ID on Same IP Address but Different Ports

I am running my website (exactly same source code, even user login detail) on two different computers, each have their own apache.
Users can access both websites via my port fwd setting.
For example, 10.10.10.10:81 to access website on computer A and 10.10.10.10:82 to access website on computer B.
User have no problem to access either one of them. Until user wanna access both of them at the same time using the same internet browser.
Login to website on computer B will log him/her out from website on computer A.
Why this happen?
Because same IP Address will auto generate the same Session ID?
Different ports won't have different Session ID?
How to avoid this? Manually generate Session ID will do? Any other solution for this issue?
Thank you.
Cookies are not specific to a port.
It means if a server that runs on 10.10.10.10:81 sets a cookie sessionId=123455 the same cookie will be sent to a server that runs on 10.10.10.10:80 . It leads to the scenario you described
A user goes to server 10.10.10.10:81
10.10.10.10:81 server establishes a session for that user and sets the cookie.
The user logs in into the server and now can use the session to browse around.
User then goes to 10.10.10.10:80 and the browser sends the session cookie set by 10.10.10.10:81
Because 10.10.10.10:80 knows nothing about the session on 10.10.10.10:81 it establishes a new session and sets the new session cookie overwriting the old one
The new session cookie is only valid on 10.10.10.10:80 and thus the user is logged out on 10.10.10.10:81
Solutions
(Prefered) Configure different names for session cookies
OR
Configure the server to pass the port parameter when setting the session cookie header. This will make the cookie specific to domain+port combination. Avoid this solution if possible because not all the browsers deal with this parameter correctly.
You've not given a lot of information, but if sessions are being maintained using cookies, and the same domain name is being used to obtain access to both sites, then the cookies will apply to requests to both sites.
When the user switches from site A to site B (using the same browser instance), the session cookie will be sent, but won't match an existing session ID - so a new session ID will be generated by site B and set as "the" session cookie.
Two general approaches to solving this - either use two different domain names for the two sites, or distinguish the session cookies in some other manner. You might be able to do this by configuring a different name to use for the session cookies in site A and site B. The specifics of doing this depend on the technology being used to create sites A and B - which you haven't told us about.
This is the example to solve it:
127.0.0.1:110
session_start();
$_SESSION['ss'] = 'll';
echo '<pre>';
var_dump( $_SESSION);
ouput:
array(1) {
["ss"]=>
string(2) "ll"
}
127.0.0.1:111
session_start();
echo '<pre>';
var_dump( $_SESSION);
ouput:
array(1) {
["ss"]=>
string(2) "ll"
}
After change session 's path
127.0.0.1:110
session_save_path('/tmp/sess');//This line must be wrote before session_start(),
session_start();
$_SESSION['ss'] = 'll';
echo '<pre>';
var_dump( $_SESSION);
ouput:
array(1) {
["ss"]=>
string(2) "ll"
}
127.0.0.1:111
session_start();
echo '<pre>';
var_dump( $_SESSION);
ouput:
array(0) {
}
127.0.0.1:111
session_save_path('/tmp/sess');
session_start();
$_SESSION['ss'] = 'll';
echo '<pre>';
var_dump( $_SESSION);
ouput:
array(1) {
["ss"]=>
string(2) "ll"
}