Simple Active Directory Authentication Using LDAP and ASP.NET
Quick and easy Active Directory authentication using LDAP and ASP.NET
Search Results
Search found 3423 results on 137 pages for 'mod authz ldap'.
Page 14/137 | < Previous Page | 10 11 12 13 14 15 16 17 18 19 20 21 | Next Page >
-
-
Setting up RADIUS + LDAP for WPA2 on Ubuntu
- by Morten Siebuhr
I'm setting up a wireless network for ~150 users. In short, I'm looking for a guide to set RADIUS server to authenticate WPA2 against a LDAP. On Ubuntu. I got a working LDAP, but as it is not in production use, it can very easily be adapted to whatever changes this project may require. I've been looking at FreeRADIUS, but any RADIUS server will do. We got a separate physical network just for WiFi, so not too many worries about security on that front. Our AP's are HP's low end enterprise stuff - they seem to support whatever you can think of. All Ubuntu Server, baby! And the bad news: I now somebody less knowledgeable than me will eventually take over administration, so the setup has to be as "trivial" as possible. So far, our setup is based only on software from the Ubuntu repositories, with exception of our LDAP administration web application and a few small special scripts. So no "fetch package X, untar, ./configure"-things if avoidable. UPDATE 2009-08-18: While I found several useful resources, there is one serious obstacle: Ignoring EAP-Type/tls because we do not have OpenSSL support. Ignoring EAP-Type/ttls because we do not have OpenSSL support. Ignoring EAP-Type/peap because we do not have OpenSSL support. Basically the Ubuntu version of FreeRADIUS does not support SSL (bug 183840), which makes all the secure EAP-types useless. Bummer. But some useful documentation for anybody interested: http://vuksan.com/linux/dot1x/802-1x-LDAP.html http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius UPDATE 2009-08-19: I ended up compiling my own FreeRADIUS package yesterday evening - there's a really good recipe at http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html (See the comments to the post for updated instructions). I got a certificate from http://CACert.org (you should probably get a "real" cert if possible) Then I followed the instructions at http://vuksan.com/linux/dot1x/802-1x-LDAP.html. This links to http://tldp.org/HOWTO/html_single/8021X-HOWTO/, which is a very worthwhile read if you want to know how WiFi security works. UPDATE 2009-08-27: After following the above guide, I've managed to get FreeRADIUS to talk to LDAP: I've created a test user in LDAP, with the password mr2Yx36M - this gives an LDAP entry roughly of: uid: testuser sambaLMPassword: CF3D6F8A92967E0FE72C57EF50F76A05 sambaNTPassword: DA44187ECA97B7C14A22F29F52BEBD90 userPassword: {SSHA}Z0SwaKO5tuGxgxtceRDjiDGFy6bRL6ja When using radtest, I can connect fine: > radtest testuser "mr2Yx36N" sbhr.dk 0 radius-private-password Sending Access-Request of id 215 to 130.225.235.6 port 1812 User-Name = "msiebuhr" User-Password = "mr2Yx36N" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 130.225.235.6 port 1812, id=215, length=20 > But when I try through the AP, it doesn't fly - while it does confirm that it figures out the NT and LM passwords: ... rlm_ldap: sambaNTPassword -> NT-Password == 0x4441343431383745434139374237433134413232463239463532424542443930 rlm_ldap: sambaLMPassword -> LM-Password == 0x4346334436463841393239363745304645373243353745463530463736413035 [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding ... It is clear that the NT and LM passwords differ from the above, yet the message [ldap] user testuser authorized to use remote access - and the user is later rejected...Read the article
-
mod-rewrite to ignore the subdomain
- by amanuo
I'm using a mod-rewrite for pretty URLs, meant to run on the domain root. Working fine but now I'm trying to make it run on a subdomain and it keeps giving "500 Internal Server Error". The subdomain automatically redirects to the folder with that name on my hosting account (sub.domain.com shows the content of domain.com/sub/). Does it fail because this request is already being mod-rewritten automatically or can I simply change something in the htaccess to address the subdomain instead? Options +FollowSymLinks IndexIgnore */* RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . index.phpRead the article
-
What does sub error code 568 mean for Ldap Error 49 with Active Directory
- by Dean Povey
I am writing some Java code that authenticates to Active Directory using SASL GSSAPI. Mostly this code is working fine but for one user I am getting the response: javax.naming.AuthenticationException: [LDAP: error code 49 - 8 0090304: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 568, v1772 ] I know that 49 means this is an authentication failure, and that the relevant sub code is 568, but I am only aware of the following meanings for that data: 525 - user not found 52e - invalid credentials 530 - not permitted to logon at this time 532 - password expired 533 - account disabled 701 - account expired 773 - user must reset password So far I am unable to find an authorative source of these error codes from Microsoft (this list is pieced together from forum posts) and I can't find anything for that 568 error. Does anyone know what it means?Read the article
-
ldap vbscript : msExchOmaAdminWirelessEnable is randomly missing on different accounts
- by phill
In my script: Function getDescript (strname, uname) Set MyUser = GetObject ("LDAP://cn=" & uname & ",ou=" & strname & ",DC=tms-1,DC=net") getDescript = myUser.Get("msExchOmaAdminWirelessEnable") End Function uname = "Bob Gardner" strname = "bgConsultants" WScript.Echo "wireless enable: " & getDescript(strname, uname) I have noticed some users in the same OU sometimes do and sometimes don't have the msExchOmaAdminWirelessEnable attribute when I check it in sysinternals' ACtive Directory Explorer. All users are in the same OU and the exchange 2003 server has sp2 installed. Anyone might know why this is? Update: I figured out that if I disable and re-enable the Outlook Mobile Access setting for each user, the msExchOmaAdminWirelessEnable attribute shows up again for those users missing that attribute...weird..Read the article
-
Access Git Repository using Eclipse and Netbeans Plugins with LDAP Users
- by ukrania
Hello everyone! I've configure a git server. I need to use ssh because I've defined permissions using users of my domain, using LDAP. Only users with permissions could read a project. So, the links to access my repositories are like that: ssh://[email protected]@hostname/var/git/repo.git When I clone, commit or push a project using linux git commands or using tortoisegit on windows, there is no problem, everything works as expected. However, I've tried to clone a project using plugins from Eclipse (EGit) and Netbeans (NBGit), with no success. Seems that they can't recognize the host. I've accessed using a user from the server (not from the domain) and it cloned the project perfectly. Seems that the plugins assume that the host is everything after the first @. Do you know how I can solve this problem? There are any other Git plugins for those IDEs? Thanks for your answers. Best Regards, ukraniaRead the article
-
How to improve my LDAP schema?
- by asmaier
Hello, I have a OpenLDAP Database and it holds some project objects that look like dn: cn=Proj1,ou=Project,ou=ua,dc=org cn: Proj1 objectClass: top objectClass: posixGroup member: 001ag member: 002ag System: ABEL System: PCx Budget: ABEL:1000000:0.3 Budget: PCx:300000:0.3 One can see that the Budget attribute is a ":"-separated string, where the first part holds the name of the system the budget is for, the second part holds some budget (which may change every month) and the last entry is a conversion factor for the budget of that system. Seeing this, I thought this is bad database design, since attribute values should always be atomic. But how can I improve that in LDAP, so that I can do a direct ldapsearch or a direct ldapmodify of the budget of System "ABEL" instead of writing a script, that will have to parse and split the ":"-separated string?Read the article
-
Binary search of unaccesible data field in ldap from python
- by EricR
I'm interested in reproducing a particular python script. I have a friend who was accessing an ldap database, without authentication. There was a particular field of interest, we'll call it nin (an integer) for reference, and this field wasn't accessible without proper authentication. However, my friend managed to access this field through some sort of binary search (rather than just looping through integers) on the data; he would check the first digit, check if it was greater or less than the starting value, he would augment that until it returned a true value indicating existence, adding digits and continuing checking until he found the exact value of the integer nin. Any ideas on how he went about this? I've access to a similarly set up database.Read the article
-
How to use LDAP for authentication in Tomcat with Custom Authorization
- by djc4
Hello, I'm using JNDIRealm with Tomcat for authentication, which at the moment works fine. However, we do not store any roles in the LDAP, so all authenticated users are not returning any roles. This sends user's to an HTTP 401 failed authorization page. I'd like to assign an "Admin" role to any and all user's who authenticate successfully. Here is my fragment from my web.xml file. SecurityConstraint Resource Resource *.jsp GET POST Admin FORM login.jsp loginError.jsp Admin Should I be using a JAASRealm with custom LoginModule? After the realm calls the authenticate() method and returns success, should I override another method to explicitly set the RolePrincipal to "Admin" so that authorization succeeds? Please help! Thanks, AndyRead the article
-
ldap login form works, but need to add active-directory group access
- by Brad
I created a form that asks you to log in, then verifies the user/pass against the ldap server/active-directory, if successful, it creates a session, which will be checked on every page. Now I want to check the session, which is the username of the person who is logged in, and do a search for them using ldap_search, so I can check what group they belong to and pass that group thru a function to verify that they can view that page. Each page will accessible to a certain group or groups of users, which those groups are defined within Active Directory. I am unsure on how I can do that using ldap_search, or maybe that is just one piece of the puzzle I am trying to solve. Any help is appreciated - thank you! In the example code below, it is seeing if the user belongs to the student active-directory group (I do not know if this code works, but it should give you an idea of what I want to accomplish). $filter = "CN=StudentCN=Users,dc=domain,dc=control"; $result = ldap_search($ldapconn,$filter,$valid_session_username); if($result == TRUE) { print $valid_session_username.' does have access to this page'; } else { print $valid_session_username.' does NOT have access to this page'; }Read the article
-
How to Configure OpenLDAP on Ubuntu 10.04 Server
- by user3215
I am following the Ubuntu server guide to configure OpenLDAP on an Ubuntu 10.04 server, but can not get it to work. When I try to use sudo ldapadd -x -D cn=admin,dc=don,dc=com -W -f frontend.ldif I'm getting the following error: Enter LDAP Password: <entered 'secret' as password> adding new entry "dc=don,dc=com" ldap_add: Naming violation (64) additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry Again when I try to do the same, I'm getting the following error: root@avy-desktop:/home/avy# sudo ldapadd -x -D cn=admin,dc=don,dc=com -W -f frontend.ldif Enter LDAP Password: ldap_bind: Invalid credentials (49) Here is the backend.ldif file: # Load dynamic backend modules dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib/ldap olcModuleload: back_hdb # Database settings dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcSuffix: dc=don,dc=com olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=don,dc=com olcRootPW: secret olcDbConfig: set_cachesize 0 2097152 0 olcDbConfig: set_lk_max_objects 1500 olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcLastMod: TRUE olcDbCheckpoint: 512 30 olcAccess: to attrs=userPassword by dn="cn=admin,dc=don,dc=com" write by anonymous auth by self write by * none olcAccess: to attrs=shadowLastChange by self write by * read olcAccess: to dn.base="" by * read olcAccess: to * by dn="cn=admin,dc=don,dc=com" write by * read frontend.ldif file: # Create top-level object in domain dn: dc=don,dc=com objectClass: top objectClass: dcObject objectclass: organization o: Example Organization dc: Example description: LDAP Example # Admin user. dn: cn=admin,dc=don,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword: secret dn: ou=people,dc=don,dc=com objectClass: organizationalUnit ou: people dn: ou=groups,dc=don,dc=com objectClass: organizationalUnit ou: groups dn: uid=john,ou=people,dc=don,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: john sn: Doe givenName: John cn: John Doe displayName: John Doe uidNumber: 1000 gidNumber: 10000 userPassword: password gecos: John Doe loginShell: /bin/bash homeDirectory: /home/john shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: [email protected] postalCode: 31000 l: Toulouse o: Example mobile: +33 (0)6 xx xx xx xx homePhone: +33 (0)5 xx xx xx xx title: System Administrator postalAddress: initials: JD dn: cn=example,ou=groups,dc=don,dc=com objectClass: posixGroup cn: example gidNumber: 10000 Can anyone help me?Read the article
-
How to determine the Kerberos realm from an LDAP directory?
- by tstm
I have two Kerberos realms I can authenticate against. One of them I can control, and the other one is external from my point of view. I also have an internal user database in LDAP. Let's say the realms are INTERNAL.COM and EXTERNAL.COM. In ldap I have user entries like this: 1054 uid=testuser,ou=People,dc=tml,dc=hut,dc=fi shadowFlag: 0 shadowMin: -1 loginShell: /bin/bash shadowInactive: -1 displayName: User Test objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uidNumber: 1059 shadowWarning: 14 uid: testuser shadowMax: 99999 gidNumber: 1024 gecos: User Test sn: Test homeDirectory: /home/testuser mail: [email protected] givenName: User shadowLastChange: 15504 shadowExpire: 15522 cn: User.Test userPassword: {SASL}[email protected] What I would like to do, somehow, is to specify per-user basis to which authentication server / realm the user is authenticated against. Configuring kerberos to handle multiple realms is easy. But how to I configure other instances, like PAM, to handle the fact that some users are from INTERNAL.COM and some from EXTERNAL.COM? There needs to be an LDAP lookup of some kind where the realm and the authentication name is fetched from, and then the actual authentication itself. Is there a standardized way to add this information to LDAP, or look it up? Are there some other workarounds for a multi-realm user base? I might be ok with a single realm solution, too, as long as I can specify the user name - realm -combination for the user separately.Read the article
-
Can My Personal GMail Query A Remote LDAP Server?
- by Maarx
I have a personal GMail account, from which I frequently send e-mail to a great many various users of a specific business. The corporation has been kind enough to provide me with the credentials to access their LDAP server, with which I would like my GMail web client to be able to auto-complete partial addresses or names for which that LDAP server has an entry. Is there any way I can get a personal GMail account (or it's corresponding entire Google account) account to incorporate an LDAP server into it's Contacts? If I cannot get it to query dynamically and on-demand, is there an idiot-proof way (assuming the client permits, which they may not) to query the LDAP server for it's entire database, save it, and bulk import it to GMail? Perhaps, even, something I could set to repeat periodically (weekly, perhaps), without human interaction? If I did the latter, I assume it would be trivial to import all of these contacts under a single category that could be easily manipulated from within the GMail web-based client. I have been a staunch user and supporter of the GMail web-based client since it's instantiation, but this one is kind of a deal-breaker for me. If it's impossible, what do you suggest I do?Read the article
-
mod rewrite to remove facebook query string
- by user905752
I can't get my query string to work..please help... I have the following url: http://betatest.bracknell-forest.gov.uk/help?fb_action_ids=372043216205703&fb_action_types=og.likes&fb_source=aggregation&fb_aggregation_id=288381481237582 (sorry but the page will be unavailable as it is a test internal domain link) I want the following url: http://betatest.bracknell-forest.gov.uk/help I get a browser message saying 'The system cannot find the file specified.' I know it is because I already have a mod rewrite to remove the .htm from the page name to return clean urls but I don't know what I need to do to accept a clean url and return the page. Here is the mod rewrite code I have: RewriteRule ^/([\w]+)$ /$1.htm [I,L] #Any bare URL will get rewritten to a URL with .htm appended RedirectRule ^/(.+)\.(htm)$ http://betatest.bracknell-forest.gov.uk/$1 [R=301] RewriteCond %{QUERY_STRING} ^fb_action_ids=(.)$ #if the query string contains fb_action_ids RewriteCond %{QUERY_STRING} !="" #if there is a query string RewriteRule ^(.*) $1? [R=301,L] I think it is because I am using R=301 twice but do not know what I need to use as an alternative. If I append .htm from help?fb_action_ids.... to help.htm?fb_action_ids.... this returns the required page fine but I need to return the page name for the non appended url. Many thanks for any help in advance.Read the article
-
How do I get Bugzilla to authenticate with Active Directory LDAP?
- by user65712
After reading this guide and trying a ton of permutations based on that, is there an easy way to get Bugzilla working with an AD server? I keep getting the error: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 I created an AD "bugzilla" user account with "Account Operators" permission as directed. I'm not sure if the error is saying that my login is incorrect or the system login to access LDAP is incorrect. Maybe I just missed an arcane option somewhere in the settings. You'd think all I'd need to do is specify the server name. As you might have been able to tell, I don't have a lot of LDAP experience. Also, will the Sysinternals LDAP tool help here?Read the article
-
Ldap access lists users even if user has no rights...
- by Patkos Csaba
I am trying to set up a more complex Active Directory structure for some testing purposes. What I did so far: set up 2 windows (one 2008 and one 2003) to control the same domain set up an Organizational Unit (ou): Developers set up 2 child OUs: "one" and "two" each OU has it's admin: adminOne and adminTwo I denied all access to OU "two" by removing on the Security tab all the groups I don't want to access it. now, when I log in as adminOne and I try to click on OU "two" it says I don't have permissions to see the users and properties of "two" - this is perfect, it's what I want Here comes my problem: I do a LDAP query with the adminOne user on the "Developers" What I expect to happen: I expect to retrieve the users from Developer - One I expect to NOT be able to retrieve the users from Developers - Two What actually happens: ldap shows all the users, both from Developers - One and Developers - Two, even if the user should not have permissions to Developers - Two And now my question: is there any specific settings on Windows 2003 or 2008 Active Directory servers which allow or deny access over LDAP? I could not find any.Read the article
-
Apache mod php and script invocation
- by Abhi
Say I am running a PHP script, foo.php, inside apache configured with mod php, then, say I invoke the script from my browser(or any other means), does apache spawn off a new process in which the script gets executed? How does it work? Can someone pls point me to some good article on this?Read the article
-
mod rewritten directory shorten
- by Joseph
I can only find mod rewrite examples/tutorials for query's, so can someone help me with this. I would like this http://website.tld/Folder1/Folder2/Folder3/Folder4/Folder5/File.exten to be transformed into http://website.tld/Folder4/File.exten Folder4 and Folder5 are multiple directories, while Folder 1-3 stay the same. Also File.exten also should be changeable in the rewrite. thanks.Read the article
-
Mod Rewriting Image Location Not Working Very Well
- by Belgin Fish
Hey, I'm trying to mod rewrite the image locations on my site, I'm just using this : rewriteRule ^thumbs/(.*)$ http://site2.com/images/$1 [L] so that I can redirect all image requests going from http://site1.com/thumbs/something to http://site2.com/thumbs/something But only some of the images are loading, and not all of them. Thanks!Read the article
-
Simple Mod-Rewrite rule - single rule - file exists
- by Andy Gee
I have a very simple mod rewrite rule Options FollowSymLinks RewriteEngine On RewriteRule ^hosted/essws/([^/]*)/$ /hosted/essws/?key=$1 [L] I would like this rewrite to activate even if the file or directory exists. For example: The URL: http://localhost/hosted/essws/candy-sweets-buffet/ Will load: http://localhost/hosted/essws/index.php?key=candy-sweets-buffet Even though the directory /hosted/essws/candy-sweets-buffet/ exists. Any help would be much appreciated.Read the article
-
Mod rewrite urls with
- by Andrew
Hey Guys, I'm at my wits end here , I normally like to work things out on my own but this has me well and truly beaten here.. I'm trying to mod rewrite my urls that contain pluses... /search.php?q=can+be+any+length to /can-be-any-length.html Any help would be really appreciated becaus rewriting the + php is not an optionRead the article
-
Spring security custom ldap authentication provider
- by wuntee
I currently have my ldap authentication context set up like this: <ldap-server url="ldap://host/dn" manager-dn="cn=someuser" manager-password="somepass" /> <authentication-manager> <ldap-authentication-provider user-search-filter="(samaccountname={0})"/> </authentication-manager> Now, I need to be able to set up a custom authorities mapper (it uses a different ldap server) - so I am assuming I need to set up my ldap-server similar to (http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ldap.html): <bean id="ldapAuthProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider"> <constructor-arg> <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator"> <constructor-arg ref="contextSource"/> <property name="userDnPatterns"> <list><value>uid={0},ou=people</value></list> </property> </bean> </constructor-arg> <constructor-arg> <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator"> <constructor-arg ref="contextSource"/> <constructor-arg value="ou=groups"/> <property name="groupRoleAttribute" value="ou"/> </bean> </constructor-arg> </bean> But, how do I reference that 'ldapAuthProvider' to the ldap-server in the security context? I am also using spring-security 3, so '' does not exist...Read the article
-
How do I use LDAP proxy user authentication from .net?
- by DN
I have a .net web application that uses simple bind to query the LDAP. The application uses integrated windows authentication. Do you have any recommendations on which option to use to authenticate against the LDAP: 1. simple LDAP bind using the logged in user's credentials 2. simple LDAP bind using a service account created for the application's use 3. LDAP proxy user authentication - I dont have enough info about this, so i'd be grateful if someone could explain it's benefit, recommended use and sample .net code to do the query.Read the article
-
How can I figure out my LDAP connection string?
- by Allen
We're on a corporate network thats running active directory and we'd like to test out some LDAP stuff (active directory membership provider, actually) and so far, none of us can figure out what our LDAP connection string is. Does anyone know how we can go about finding it? The only thing we know is the domain that we're on.Read the article
-
Can Oracle Label Security be configured with an alternative LDAP server?
- by Joshua
Oracle mentions the ability to connect to their LDAP server - the Oracle Internet Directory http://download.oracle.com/docs/cd/B19306_01/network.102/b14267/olsoid.htm. Can Oracle Label Security be configured with an alternative LDAP server such as Active Directory?Read the article
