The setup is as follows:
Forest A
Forest B (a trust between A and B is present)
- Separate tree domain (Bt) in forest B
In my application I am using AdsOpenObject(path, username, password, ...) to get the list of all groups.
When I call it with "path" set to the local domain or forest (A), it works fine.
It also works fine for the trusted forest (B).
But when I call AdsOpenObject() with the path of the separate tree in the trusted forest (Bt), it fails with the error "domain not found".
I am able to log on (LogonUser) using a user of that tree domain (Bt).
Does anybody have any idea about this behaviour?
Thanks in advance.
Our organization stores signing certificates in Active Directory. We are using anonymous bind to search for them at a base DN (e.g. OU=MY ORG,dc=mydc,dc=org). I have been trying to use the Spring LdapTemplate to look them up, but no matter what method I use, I get the cryptic InterruptedNamingException.
Assuming a cert subject of cn=mycert.myorg.com, my code looks like this:
    LdapContextSource contextSource = new LdapContextSource();
    contextSource.setUrl(String.format(LDAP_URL_FORMAT, ldapCertStoreParameters.getServerName(),
            ldapCertStoreParameters.getPort()));
    contextSource.setBase(ldapCertStoreParameters.getBaseDn()); // OU=MY ORG,dc=mydc,dc=org
    contextSource.setAnonymousReadOnly(true);
    contextSource.afterPropertiesSet();

    LdapTemplate ldapTemplate = new LdapTemplate(contextSource);
    ldapTemplate.setIgnorePartialResultException(true);
    ldapTemplate.afterPropertiesSet();

    X500Principal principal = x509CertSelector.getSubject();
    // principal.getName() is the full DN; it is passed to a context that already has the base set
    Object obj = ldapTemplate.lookup(new LdapName(principal.getName()));
The X500 principal's name is the whole DN: cn=mycert.myorg.com,OU=MY ORG,dc=mydc,dc=org
I have also tried the search using just the cn.
We have verified that the DN exists on the server using Apache Directory Studio.
• I would suggest you remove the call altogether or set 'userSearchBase' to an empty string ("") as in the example in the community thread below:
Configure Spring security for Ldap connection
As in 'AbstractContextSource', set the base suffix from which all operations should originate. If a base suffix is set, you will not have to (and, indeed, must not) specify full distinguished names in any operations performed. Since you specified the full DN for the userDN/filter, you must not specify the base.
AD servers are apparently unable to handle referrals automatically, which causes a ‘PartialResultException’ to be thrown whenever a referral is encountered in a search. To avoid this, set the ‘ignorePartialResultException’ property to true. There is currently no way of manually handling these referrals in the form of ‘ReferralException’, i.e., either you get the exception (and your results are lost) or all referrals are ignored (if the server is unable to handle them properly). Neither is there any simple way to get notified that a ‘PartialResultException’ has been ignored.
For more details regarding the LDAP template search for certificates stored in Active Directory, refer to the link below:
https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/core/LdapTemplate.html
• Also, please refer to the documentation below for configuring the Spring Boot LDAP template with certificates stored in Active Directory:
https://www.baeldung.com/x-509-authentication-in-spring-security
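To make the base-suffix rule from the answer concrete, here is an added example (not code from the question, the answer or Spring LDAP) that models what a base-rooted context does with the name it is given: every name is resolved relative to the base, i.e. the base is appended. Passing the full certificate DN therefore produces a DN in which OU=MY ORG,dc=mydc,dc=org appears twice, which matches nothing. The base and certificate DN are the ones from the question; the RDN handling follows RFC 4514 for the escaped-comma case but the normaliser only lower-cases, which is enough for cn/ou/dc.

```python
"""Why a lookup that repeats the base DN fails, and how to build the relative name."""


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas (RFC 4514)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def normalize_rdn(rdn: str) -> str:
    """Comparison form: attribute type and value lower-cased.

    cn, ou and dc all use case-insensitive matching rules, so this is safe for the
    DNs in the question; it is not a full RFC 4517 normaliser.
    """
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def effective_dn(name: str, base_dn: str) -> str:
    """The DN the directory actually receives for `name` from a context rooted at `base_dn`."""
    if not name:
        return base_dn
    if not base_dn:
        return name
    return name + "," + base_dn


def is_under_base(full_dn: str, base_dn: str) -> bool:
    """True when `full_dn` ends with `base_dn` (RDN by RDN, case-insensitive)."""
    full, base = split_dn(full_dn), split_dn(base_dn)
    if not base:
        return True
    if len(full) < len(base):
        return False
    tail = [normalize_rdn(r) for r in full[len(full) - len(base):]]
    return tail == [normalize_rdn(r) for r in base]


def relative_to_base(full_dn: str, base_dn: str) -> str:
    """Strip `base_dn` from the end of `full_dn`; this is what lookup() must be given."""
    if not is_under_base(full_dn, base_dn):
        raise ValueError("%r is not under base %r" % (full_dn, base_dn))
    full, base = split_dn(full_dn), split_dn(base_dn)
    return ",".join(full[:len(full) - len(base)])


# DNs from the question
BASE_DN = "OU=MY ORG,dc=mydc,dc=org"
CERT_DN = "cn=mycert.myorg.com,OU=MY ORG,dc=mydc,dc=org"


def demo() -> dict:
    """Contrast the failing call (full DN + base) with the working one (relative name + base)."""
    wrong = effective_dn(CERT_DN, BASE_DN)          # base appears twice: no such entry
    relative = relative_to_base(CERT_DN, BASE_DN)   # "cn=mycert.myorg.com"
    right = effective_dn(relative, BASE_DN)         # equals CERT_DN
    return {"wrong": wrong, "relative": relative, "right": right}


if __name__ == "__main__":
    for label, dn in demo().items():
        print(label, "->", dn)
```

The alternative the answer mentions, leaving the base empty, makes effective_dn() return the name unchanged, so the full DN is then correct; the two settings are mutually exclusive, not additive.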
I have a webform with a file field configured to private files. When I'm logged in as a superuser (uid=1) and trying to download the file, I get access denied.
I was trying to debug this, and this is what I noticed.
All private files are served by the file_download() function in system.module. It checks that the file exists and requests the file headers via file_download_headers(), which triggers hook_file_download().
In webform_file_download() the module determines whether the file was a webform upload and grants or denies access based on access to the submission. It checks the permission by calling webform_submission_access(). When I run dpm($account) in this function, I get an anonymous user when I'm trying to access the private file. In the recent log messages I have the entry below:
access denied 06/02/2015 - 11:23 system/files/webform/cv-uploads/cv.pdf Anonymous
When I change the URL to file that doesn't exist, I get this:
page not found 06/02/2015 - 11:26 system/files/webform/cv-uploads/cv.FDP admin
As you can see, for some reason when the module is trying to access a file that does exist, I get access denied and the user is anonymous; when the file doesn't exist, I get page not found and the user is the logged-in user.
Any ideas why this happens?
UPDATE
I've added the following code to my index.php, but I still get an anonymous user when I'm trying to access the file.
    define('DRUPAL_ROOT', getcwd());
    require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
    drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
    // added for debugging: log the account this request runs as
    // (note: print_r($user) writes the whole account object, password hash included, into watchdog)
    global $user;
    watchdog('user', '<pre>' . print_r($user, TRUE) . '</pre>');
    menu_execute_active_handler();
I've copied the whole site, including the database and files, to my local machine, and I'm not experiencing this issue there. There must be some setting on the live site that causes this.
UPDATE 2
I've noticed that on the live site we have a list of disabled functions that I wasn't aware of. Maybe it helps somehow.
disable_functions = apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system, xmlrpc_entity_decode, parse_ini_file,show_source,shell_exec
The problem was caused by Varnish on the server. Below are the Varnish settings.
# Always cache the following file types for all users. This list of extensions
# appears twice, once here and again in vcl_fetch so make sure you edit both
# and keep them equal.
if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
unset req.http.Cookie;
}
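The rule above strips the session cookie from every request whose URL ends in .pdf, so a private file fetched through /system/files/ reaches Drupal with no session and is evaluated as anonymous; the cache has turned into an access-control bypass in the sense that logged-in users lose access, and had the file been cached it would have been served to everyone. The following vcl_recv fragment is an added example, not the configuration from the answer: it keeps the answer's extension list but carves out Drupal's private-file path first. It assumes the default private path /system/files/ and the Varnish 3 syntax of the snippet (vcl_recv, unset req.http.Cookie).

```vcl
sub vcl_recv {
    # Drupal serves private files through /system/files/...; access is decided per
    # user, so the session cookie must reach Drupal and the response must not be cached.
    if (req.url ~ "^/system/files/") {
        return (pass);
    }

    # Static assets only. This list appears again in vcl_fetch: keep both equal,
    # and make sure the vcl_fetch copy does not cache /system/files/ responses either.
    if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
        unset req.http.Cookie;
    }
}
```

After reloading the VCL, repeat the check from the question: the access-denied entry for an existing file should now show the logged-in user rather than Anonymous.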
I am trying to read an msExchMailboxSecurityDescriptor to find out whether it grants Full Access to another person. The access control entries contain the trustees in NetBIOS format (DOMAIN\Username).
    using System.Collections;
    using System.DirectoryServices;
    using System.DirectoryServices.AccountManagement;
    using ActiveDs; // interop: SecurityDescriptor, AccessControlList, AccessControlEntry

    SecurityDescriptor secDesc = (SecurityDescriptor)userDirectoryEntry.Properties["msExchMailboxSecurityDescriptor"].Value;
    AccessControlList usrAcl = (AccessControlList)secDesc.DiscretionaryAcl;
    foreach (AccessControlEntry ace in (IEnumerable)usrAcl)
    {
        // Trustee is a DOMAIN\User name, not a SID
        var netbiosDn = ace.Trustee.Split('\\')[0];
        var netbiosUser = ace.Trustee.Split('\\')[1];
        // now, the problem: this needs a reachable domain controller for netbiosDn
        UserPrincipal user = UserPrincipal.FindByIdentity(
            new PrincipalContext(ContextType.Domain, netbiosDn),
            netbiosUser
        );
    }
This works until the last line, where I have to connect to the correct AD server and get some user info. Obviously, this fails when there is no server available for that domain, as with any of the "NT AUTHORITY" or "BUILTIN" "domains". It does not only fail; it also takes quite some time to do so.
How on earth would I distinguish which ones are AD domains, where I can connect to the AD server, and which ones aren't?
Some example users I may find in the security descriptor, just so you get a feel for the problem:
CONTOSO\Alex
CONTOSO\Michael
SUBDOMAIN\Kirk
TRUSTED\George
NTPD\ChiefBrown
NT AUTHORITY\SELF
NT INSTANS\INTERAKTIV
BUILTIN\Администраторы
BUILDING2\Владимир
VORDEFINERT\Administrator
Take a look at SecurityIdentifier.IsWellKnown.
You can pass various values, including WellKnownSidType.NTAuthoritySid, to determine what kind of SID you have.
(See also this PowerShell code on translating SIDs into readable names.)
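The trustee names in the question are localised ("BUILTIN\Администраторы", "VORDEFINERT\Administrator"), so the reliable key is the SID behind each ACE, not the name. The following is an added example, not code from the question, the answer or any Microsoft library: it parses a self-relative SECURITY_DESCRIPTOR (the binary form of nTSecurityDescriptor and msExchMailboxSecurityDescriptor) with the standard library only and sorts the DACL trustees into account SIDs (S-1-5-21-<domain>-<rid>, which belong to some AD domain and are worth a directory lookup), BUILTIN SIDs (S-1-5-32-*) and other well-known SIDs (NT AUTHORITY\SELF and friends), which have no domain controller to ask. The sample descriptor is constructed inline by the encoder in the block; FULL_MAILBOX_ACCESS = 0x1 is an assumption about the Exchange mailbox-rights mask and should be checked against your Exchange version.

```python
"""Classify mailbox-descriptor trustees by SID rather than by (localised) name."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_MAILBOX_ACCESS = 0x1  # assumption: verify against your Exchange version's mailbox rights


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-1-2-3-1105' -> revision, sub-authority count, 48-bit authority, sub-authorities."""
    _, rev, auth, *subs = sid.split("-")
    return (struct.pack("<BB", int(rev), len(subs))
            + int(auth).to_bytes(6, "big")
            + b"".join(struct.pack("<I", int(s)) for s in subs))


def sid_from_bytes(buf: bytes, off: int) -> str:
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def build_descriptor(aces) -> bytes:
    """Encode a self-relative SD holding only a DACL; aces = [(ace_type, mask, sid_string)]."""
    body = b""
    for ace_type, mask, sid in aces:
        sid_b = sid_to_bytes(sid)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(sid_b), mask) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def parse_dacl(sd: bytes) -> list:
    """Return [(ace_type, mask, sid)] for the plain allow/deny ACEs in the DACL."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []  # no DACL: Windows treats that as everyone having full access
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, aces = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            aces.append((ace_type, mask, sid_from_bytes(sd, pos + 8)))
        pos += ace_size  # object ACEs and other types are skipped by their size
    return aces


def classify_sid(sid: str):
    """('account', domain_sid) for S-1-5-21-x-y-z-rid, ('builtin', None) for S-1-5-32-*, else ('well-known', None)."""
    parts = sid.split("-")
    auth, subs = int(parts[2]), [int(s) for s in parts[3:]]
    if auth == 5 and subs[:1] == [21] and len(subs) == 5:
        return "account", "-".join(parts[:7])
    if auth == 5 and subs[:1] == [32]:
        return "builtin", None
    return "well-known", None


def full_access_trustees(sd: bytes, right: int = FULL_MAILBOX_ACCESS) -> dict:
    """Allowed ACEs carrying `right`, grouped by whether a domain lookup makes sense."""
    out = {"account": [], "builtin": [], "well-known": []}
    for ace_type, mask, sid in parse_dacl(sd):
        if ace_type == ACCESS_ALLOWED_ACE_TYPE and mask & right:
            kind, _ = classify_sid(sid)
            out[kind].append(sid)
    return out


# Constructed sample: a domain user, NT AUTHORITY\SELF, BUILTIN\Administrators, one denied user.
SAMPLE_SD = build_descriptor([
    (ACCESS_ALLOWED_ACE_TYPE, FULL_MAILBOX_ACCESS, "S-1-5-21-1-2-3-1105"),
    (ACCESS_ALLOWED_ACE_TYPE, FULL_MAILBOX_ACCESS, "S-1-5-10"),
    (ACCESS_ALLOWED_ACE_TYPE, FULL_MAILBOX_ACCESS, "S-1-5-32-544"),
    (ACCESS_DENIED_ACE_TYPE, FULL_MAILBOX_ACCESS, "S-1-5-21-1-2-3-500"),
])

if __name__ == "__main__":
    print(full_access_trustees(SAMPLE_SD))
```

Only the "account" bucket needs a PrincipalContext; the domain SID returned by classify_sid() identifies which domain (and therefore which trust) to query, and the other two buckets can be reported by name without ever opening a connection, which removes the long timeouts described in the question.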
Do any of you have experience with authentication in Zabbix using Lotus Domino? I'm not quite sure what to enter there. I know I set up authentication for IBM WebSphere once, but I can't get it working in Zabbix. Can someone give me a tutorial or an explanation? :)
There is:
LDAP host: mydomino.local.address
Port: 389
Base DN: ??? What is this ???
Search attribute: cn;
Bind DN: ??? my 'sudo' user / bind user ???
Bind password: binduser.password
OK, so I tried it. I can also easily telnet to "mydomino.local.address" on port 389, so there is nothing wrong with the connection. Maybe it's the Base DN. Is this something special, unique for each LDAP server, like "mycompany DomainName", or can it be something universal? Also the search attribute: I know cn, uid or mail works in WAS.
I would be really glad if someone could help me with this.
In Domino there are different "Base DNs". For a user search the Base DN is typically o=YourOrganizer, so if your Notes names look like CN=MartinFric/OU1=IT/O=YourCompany, then the Base DN would be o=YourCompany.
Groups do NOT have a Base DN. If you search for groups, then the Base DN has to be empty.
The Bind DN depends on the configuration of your Domino. Your mail address will always work, as will your CN name. So this might be "Martin Fric" or "martin.fric#yourcompany.com". Other variations might work as well. The bind password is the Internet password of the bind user (HTTP password in the person document in the Domino directory).
Usually one creates a specific LDAP bind user in the directory with an Internet password so as not to expose user passwords to any external program.
The search attributes depend on what you want to achieve.
Open the Lotus Notes program directory of any installed Lotus Notes client in a CMD window and type the following:
    ldapsearch.exe -h mydomino.local.address -p 389 -D "Martin Fric" -w YourInternetPassword "(CN=Martin Fric)"
In this query the parameters are:
-h = LDAP HOST
-p = Port
-D = Bind DN
-w = Bind Password
"(cn=Martin Fric)" = query that says: search in (search attribute) cn for an entry with the value "Martin Fric"
If this query succeeds and returns values, then the parameters for Zabbix are correct. In that case someone who knows Zabbix has to help you further with debugging.
If this query does NOT succeed, then you need to fix your Domino. Come back with the error message you get for help.
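The following is an added example, not code from the question, the answer, Zabbix or Domino. It turns the answer's rules into functions: the Base DN is the O= component of the Notes name (empty for group searches), the "cn;" shown in the Zabbix form is the attribute cn, and the probe command is the ldapsearch call above. It also escapes the login name per RFC 4515 before substituting it into "(<search attribute>=<login>)", the filter an LDAP authenticator builds for every login attempt; without that, a login such as *)(cn=* changes the filter's meaning. Assumptions: the ldapsearch options are the ones in the answer (-h, -p, -D, -w) plus -b for the Base DN, and the host, bind DN and password are the placeholders from the question. Passing the password as -w puts it in the process list; prefer a prompt or file option where the tool offers one.

```python
"""Zabbix LDAP fields -> ldapsearch probe and an injection-safe search filter."""
import subprocess


def notes_name_to_base_dn(notes_name: str) -> str:
    """'CN=MartinFric/OU1=IT/O=YourCompany' -> 'o=YourCompany' (the answer's rule for user searches)."""
    for component in notes_name.split("/"):
        attr, _, value = component.partition("=")
        if attr.strip().upper() == "O":
            return "o=" + value.strip()
    raise ValueError("no O= component in %r" % notes_name)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: ( ) * \\ NUL and every byte of a non-ASCII character become \\xx."""
    out = []
    for ch in value:
        if ch in "()*\\\x00" or ord(ch) > 0x7F:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(search_attribute: str, login: str) -> str:
    """'cn;' (as typed in the Zabbix form) and a login name -> '(cn=<escaped login>)'."""
    attr = search_attribute.strip().rstrip(";").strip()
    return "(%s=%s)" % (attr, escape_filter_value(login))


def ldapsearch_argv(host, port, bind_dn, bind_password, search_attribute, login,
                    base_dn="", exe="ldapsearch"):
    """argv for the probe from the answer; an empty base_dn (group search) simply omits -b."""
    argv = [exe, "-h", host, "-p", str(port), "-D", bind_dn, "-w", bind_password]
    if base_dn:
        argv += ["-b", base_dn]
    argv.append(build_filter(search_attribute, login))
    return argv


def run_probe(argv) -> bool:
    """True when bind and search succeed and at least one entry comes back."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode == 0 and "dn:" in proc.stdout.lower()


if __name__ == "__main__":
    # Placeholders from the question; run_probe(argv) needs the Domino server itself.
    base = notes_name_to_base_dn("CN=MartinFric/OU1=IT/O=YourCompany")
    argv = ldapsearch_argv("mydomino.local.address", 389, "Martin Fric",
                           "YourInternetPassword", "cn;", "Martin Fric", base)
    print(" ".join(argv))
```

If the probe returns an entry with the user search (base o=YourCompany) but Zabbix still rejects logins, try the same probe with the group base left empty, as the answer describes for group lookups.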
I'd like to get the preferred domain controller name/address on a Mac joined to Active Directory (MS Windows Server with Domain Controller) programmatically in C/Objective-C. The best solution so far is parsing the output of the dsconfigad -show command-line utility, which contains lines such as:
Advanced Options - Administrative
Preferred Domain controller = 192.168.XXX.XXX
I already tried the Open Directory API, as advised here, but it fails to access nodes deeper than the domain's full name:
    NSError *err = nil;
    ODSession *session = [ODSession defaultSession];
    // domainNode: "/Active Directory/MYDOMAIN/mydomain.local"
    ODNode *domainNode = [ODNode nodeWithSession:session name:@"/Active Directory/MYDOMAIN/mydomain.local" error:&err];
    NSArray *domainSubNodes = [domainNode subnodeNamesAndReturnError:&err];
    [domainSubNodes count]; // count is 0
Do I need to perform some kind of authorization to access the subnodes of the domain, and how do I perform it?
Are there any POSIX/BSD functions that can obtain the domain controller name from pure C code?