Active Directory Authentication Not Showing Users, Groups - active-directory

I’m trying to get Active Directory authentication working with Eucalyptus, but I’m not able to login to the console with the configured credentials. I’ve the following in my .lic file:
PROPERTY authentication.ldap_integration_configuration {
  "ldap-service":{
    "server-url":"ldap://<ldap-server-ip>:389",
    "auth-method":"simple",
    "user-auth-method":"simple",
    "auth-principal":"eucalyptus@mydomain",
    "auth-credentials":"{RSA/ECB/PKCS1Padding}oRv4cHzkJqBxqnT3S/w9tXAOAkrblaw/iGZtuXw4GWipcGbfthrthrDCt8U6P5G4re6eLd9hzcNYxPIdoNqEDeiWF9hfJB8Ndf1kEDV0xGXnzTHhI14F1DcaaasYMkvrqUqcefKrSmsGyg4JtcHF96kEtj3bhsdfsdfw3IpuRn0o4y2+iMoq+JkxOFogHuhGhtdMa7fsdfsdf232m0vOrFUeln5uI619yEFmoVtIsOZbF6tEJsM64GzSbtl0dOaSCdnHmOYeQ6ksfFcdmxz0/1QMOakHC+ntdGTZrO+83UQYGWue9IjKXP0dWTCpXNnp6+P6un+jY2cM25bR3uw==",
    "use-ssl":"false",
    "ignore-ssl-cert-validation":"true",
    "krb5-conf":"/etc/krb5.conf"
  },
  "sync":{
    "enable":"true",
    "auto":"true",
    "interval":"6000",
    "clean-deletion":"true"
  },
  "accounting-groups":{
    "base-dn":"OU=Eucalyptus,OU=Groups,MY_BASE_DN",
    "id-attribute":"cn",
    "member-attribute":"member",
    "member-item-type":"cn",
    "selection":{
      "filter":"(&(objectClass=group)(!(memberOf=*)))"
    }
  },
  "groups":{
    "base-dn":"OU=Sec Groups,MY_BASE_DN",
    "id-attribute":"cn",
    "member-attribute":"member",
    "member-item-type":"cn",
    "selection":{
      "filter":"(&(objectClass=group)(memberOf=*))"
    }
  },
  "users":{
    "base-dn":"MY_BASE_DN",
    "id-attribute":"cn",
    "user-info-attributes":{
      "displayname":"Full name"
    },
    "selection":{
      "filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
    }
  }
}
And the LDAP sync status:
# euare-getldapsyncstatus
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
SyncEnabled true
InSync false
In the log files, I see the following:
Mon Dec 29 11:31:14 2014 ERROR [LdapSync:LDAP sync] User admin is reserved for Eucalyptus only. Sync will skip this user from LDAP.
I’ve an accounting group added to the accounting-groups base dn, and I see that group when I run the list command:
# euare-accountlist
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
(eucalyptus)blockstorage 886472098984
eucalyptus 144711845746
mygroup 752874470188
However, no members of that accounting group appear:
# euare-grouplistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
Groups
# euare-userlistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
arn:aws:iam::144711845746:user/admin
I’ve tried every combination of username, DOMAIN\username, username#domain that I can think of, but I still can’t login to the Eucalyptus console. Any suggestions?
Thanks,
Dan

Ok, so in answer to my own question, it appears as if it was working. After logging into the console using the admin login credentials created during the install/configure, I was able to see that the users were being created correctly. I made one small tweak to the .lic file, namely I set the id-attribute to use sAMAccountName rather than cn to meet user expectations for their login.
"users":{
  "base-dn":"MY_BASE_DN",
  "id-attribute":"sAMAccountName",
  "user-info-attributes":{
    "displayname":"Full name"
  },
  "selection":{
    "filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
  }
}
Also, I failed to pass in the account name when running euare-userlistbypath, namely:
euare-userlistbypath --as-account mygroup
Running with the account retrieves the user list as expected.
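
The .lic fragment in this thread is JSON that Eucalyptus reads, and copies of it pasted from a browser or word processor tend to pick up exactly the defects seen above: a typographic quote in a base-dn, trailing commas, a stray leading space in a DN. As an added example (not Eucalyptus code and not part of the original thread), here is a small Python linter that repairs those defects, parses the fragment, checks every selection filter for balanced parentheses, reports the id-attribute each section uses (cn versus sAMAccountName decides what users type at the console login), and flags a simple bind over plain ldap:// with use-ssl false, which sends the bind password unencrypted. The sample configuration it runs on is constructed; hostnames and DNs are placeholders.

```python
import json
import re

# Constructed sample: a cut-down version of the .lic fragment in the question,
# deliberately carrying the defects this linter looks for (a curly quote, a
# trailing comma, a leading space in a base-dn and an unbalanced filter).
# Hostnames and DNs are placeholders.
SAMPLE = '''PROPERTY authentication.ldap_integration_configuration {
  "ldap-service": {
    "server-url": "ldap://ldap.example.invalid:389",
    "auth-method": "simple",
    "auth-principal": "eucalyptus@example.invalid",
  },
  "groups": {
    "base-dn": " OU=Sec Groups,DC=example,DC=invalid",
    "id-attribute": "cn",
    "selection": {"filter": "(&(objectClass=group)(memberOf=*)"}
  },
  "users": {
    "base-dn": \u201cDC=example,DC=invalid\u201d,
    "id-attribute": "cn",
    "selection": {"filter": "(&(objectClass=organizationalPerson)(objectClass=user))"}
  }
}'''

SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def normalise(text):
    """Strip the PROPERTY header and repair copy/paste damage.

    Returns (json_text, findings). Curly quotes become ASCII quotes and
    trailing commas before } or ] are dropped, so a strict JSON parser can
    read the result. The comma rule is purely syntactic; it would also touch
    a comma inside a string value that sits directly before a brace, which
    DNs and LDAP filters never do.
    """
    findings = []
    for curly, plain in SMART_QUOTES.items():
        if curly in text:
            findings.append(f"typographic quote {curly} replaced with {plain}")
            text = text.replace(curly, plain)
    if text.lstrip().startswith("PROPERTY"):
        text = text[text.index("{"):]
    text, n = re.subn(r",(\s*[}\]])", r"\1", text)
    if n:
        findings.append(f"removed {n} trailing comma(s); strict JSON parsers reject them")
    return text, findings


def filter_balanced(flt):
    """True when every ( in an LDAP filter has a matching )."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_config(text):
    """Parse the fragment and return {"findings": [...], "id_attributes": {...}}."""
    json_text, findings = normalise(text)
    conf = json.loads(json_text)
    id_attributes = {}
    for section in ("accounting-groups", "groups", "users"):
        body = conf.get(section)
        if body is None:
            continue
        dn = body.get("base-dn", "")
        if dn != dn.strip():
            findings.append(f"{section}: base-dn has leading/trailing whitespace: {dn!r}")
        flt = body.get("selection", {}).get("filter", "")
        if flt and not filter_balanced(flt):
            findings.append(f"{section}: unbalanced parentheses in filter {flt!r}")
        id_attributes[section] = body.get("id-attribute")
    svc = conf.get("ldap-service", {})
    if (svc.get("auth-method") == "simple"
            and svc.get("server-url", "").startswith("ldap://")
            and svc.get("use-ssl", "false") == "false"):
        findings.append("ldap-service: simple bind over plain ldap:// sends the bind "
                        "password in clear text; use ldaps:// or use-ssl true")
    return {"findings": findings, "id_attributes": id_attributes}


if __name__ == "__main__":
    report = lint_config(SAMPLE)
    for finding in report["findings"]:
        print("-", finding)
    print("id-attribute per section:", report["id_attributes"])
```

Run it against a copy of the real .lic fragment before loading it with euca-modify-property; a clean report plus an id-attribute of sAMAccountName in the users section is what the self-answer above ended up with.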

Grafana configuration reference

I have a Kubernetes cluster with kube-prometheus-stack (which includes Grafana) deployed via Helm. I am trying to set up single sign on (SSO) to Grafana using AzureAD. I've found the Grafana configuration pages (https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-grafana and https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-security/configure-authentication/azuread/) and I think I have an initial idea of what I need to add to my Helm chart's values.yaml file.
There are some details, however, that I am not sure about. If I had access to the "schema" for this configuration, that might help me figure this out. Unfortunately, I have been unable to find anything that defines this. There are examples, but I cannot find anything that describes what the fields mean. Also, keep in mind that everything I have found shows examples for the grafana.ini file. I need to "translate" this to YAML for the values.yaml file used by the Helm chart.
Here is an example:
...
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains =
allowed_groups =
role_attribute_strict = false
I have translated this into the following YAML:
auth.azuread:
name: Azure AD
enabled: true
allow_sign_up: true
client_id: APPLICATION_ID
client_secret: CLIENT_SECRET
scopes: openid email profile
auth_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains:
allowed_groups:
role_attribute_strict: false
I suspect that scopes expects a list based on its plurality, but how can I be sure? Also, what are the valid values? Apparently openid, email and profile are valid, but what do these values represent and are there others? On a similar note, what do allowed_domains and allowed_groups expect?
I've tried to find a reference for the Grafana configuration data structure and definition, but have not had any luck. Does anyone have an idea where (if) this can be found?
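
The translation from grafana.ini to the chart's values file is mechanical: each [section] becomes a mapping under the chart's grafana.ini key, and each value stays the string it was in the ini file. As an added example (not from this thread, and not Grafana or kube-prometheus-stack code), the Python below parses an ini block like the one in the question, builds that nested mapping, emits it as YAML without a PyYAML dependency, and replaces a literal client_secret with a $__env{...} reference so the secret can come from a Kubernetes Secret instead of being committed in values.yaml. Assumptions: the umbrella chart nests the Grafana sub-chart's settings under grafana: with the ini under grafana.ini (check your chart's values file); space- or comma-separated settings such as scopes are kept as one string because Grafana splits them itself; $__env{} expansion is a documented Grafana feature, and the variable name follows Grafana's GF_<SECTION>_<KEY> convention but is my choice. The placeholder ids are constructed.

```python
import configparser
import json

# Constructed sample, modelled on the [auth.azuread] block in the question.
# APPLICATION_ID, CLIENT_SECRET and TENANT_ID are placeholders.
SAMPLE_INI = """
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains =
allowed_groups =
role_attribute_strict = false
"""

# Keys whose literal value must not be committed in values.yaml.
SECRET_KEYS = {"client_secret", "secret_key", "admin_password", "password"}


def parse_ini(text):
    """Read grafana.ini text into {section: {key: value}} with key case preserved."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str          # Grafana keys are case-sensitive snake_case
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def to_values(sections, env_prefix="GF"):
    """Build the nested mapping for values.yaml.

    Values stay strings exactly as they were in the ini file: Grafana splits
    space/comma-separated settings such as scopes itself, so they are not
    YAML lists. Secrets are replaced by a $__env{...} reference, which Grafana
    expands at startup from the container's environment; the variable name
    follows Grafana's GF_<SECTION>_<KEY> convention. Returns (tree, warnings).
    """
    tree, warnings = {}, []
    for section, options in sections.items():
        converted = {}
        for key, value in options.items():
            value = "" if value is None else value
            if key in SECRET_KEYS and value:
                env_name = f"{env_prefix}_{section}_{key}".replace(".", "_").upper()
                converted[key] = f"$__env{{{env_name}}}"
                warnings.append(f"[{section}] {key}: literal secret replaced by "
                                f"{converted[key]}; inject it from a Kubernetes Secret")
            else:
                converted[key] = value
        tree[section] = converted
    # Assumed chart layout: the Grafana sub-chart reads its ini from
    # `grafana.ini`, nested under `grafana:` in the umbrella chart's values.
    return {"grafana": {"grafana.ini": tree}}, warnings


def _yaml_lines(node, indent=0):
    pad = "  " * indent
    for key, value in node.items():
        if isinstance(value, dict):
            yield f"{pad}{key}:"
            yield from _yaml_lines(value, indent + 1)
        else:
            # JSON string syntax is valid YAML; quoting keeps true/false/"" as
            # strings instead of letting YAML turn them into booleans or null.
            yield f"{pad}{key}: {json.dumps(value)}"


def render_yaml(tree):
    """Emit the values.yaml fragment without a PyYAML dependency."""
    return "\n".join(_yaml_lines(tree)) + "\n"


if __name__ == "__main__":
    tree, warnings = to_values(parse_ini(SAMPLE_INI))
    print(render_yaml(tree))
    for warning in warnings:
        print("#", warning)
```

Every scalar is emitted double-quoted on purpose: an unquoted `enabled: true` is a YAML boolean and `allowed_domains:` with nothing after it is null, and whether the chart template renders those back into the strings Grafana expects depends on the chart, not on Grafana.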

IBMQProvider issue

I successfully installed and ran a couple of circuits on a backend the other day (essex).
Everything was ok, results came up, but the next day, once I wanted more QC, I could not manage to get a provider.
I have looked into my account (active), looked into the package (up-to-date), and a new file in the project. I also already disabled and enabled the account without problems, but I keep having this error.
Code
from qiskit import IBMQ
IBMQ.active_account()
IBMQ.providers()
provider = IBMQ.get_provider(hub='ibm-q', group='open', project='main')
and I get:
>~/my_environment_name/lib/python3.7/site-packages/qiskit/providers/ibmq/ibmqfactory.py in get_provider(self, hub, group, project)
425 raise IBMQProviderError('No provider matches the specified criteria: '
426 'hub = {}, group = {}, project = {}'
--> 427 .format(hub, group, project))
428 if len(providers) > 1:
429 raise IBMQProviderError('More than one provider matches the specified criteria.'
IBMQProviderError: 'No provider matches the specified criteria: hub = ibm-q, group = open, project = main'
I would like to know where I am wrong; I look forward to continuing to learn through the backends efficiently.
Thank you in advance
This means that there is no provider that matches all the criteria you specified, so in that hub, group and project. This could be because your account hasn't loaded correctly, so check to see if anything is returned from IBMQ.providers(). If there isn't anything load your account using IBMQ.load_account(). The other issue could be that there are genuinely no backends that meet those criteria, so try running IBMQ.get_provider() instead.
Try using an API token to enable your IBMQ account.
from qiskit import IBMQ
provider = IBMQ.enable_account("your-api-key")  # We load our account
provider.backends()  # We retrieve the backends to check their status
for b in provider.backends():
    print(b.status().to_dict())
Create an IBM Quantum account if you don't have one, then use the API token available in the dashboard as the enable_account() method argument to resolve this issue.
For More: https://quantum-computing.ibm.com/lab/docs/iql/manage/account/ibmq
https://quantum-computing.ibm.com/
https://www.ibm.com/account/reg/us-en/signup?formid=urx-19776&target=https%3A%2F%2Flogin.ibm.com%2Foidc%2Fendpoint%2Fdefault%2Fauthorize%3FqsId%3D70b061b4-7c64-4545-a504-a8871f2d414f%26client_id%3DN2UwMWNkYmMtZjc3YS00

Changing the logon name in Active Directory 2003

I created a user in Active Directory 2003 with the logon name mikedan. Later I went to the user properties and changed the logon name (for example to mikedannew), but when I go to a PC within the domain and try to log in using the new logon name (mikedannew), it does not work! When I use the full UPN like mikedannew@domain.local it works, and when I use the SAM name (domain\mikedan), which was not changed in my case, it works too, but typing the new logon name alone does not work!
So how can I change the user logon name only?
Just as Am_I_Helful said, you only changed the logon name, so you can use the new UPN (mikedannew@domain.local) to log in. The user logon name (pre-Windows 2000) is still the previous one (domain\mikedan), not the new one (domain\mikedannew). If you want to log in with the new name (user@domain.com or domain\user), you need to change both of them.

Problems with accessing private files uploaded via file field in a webform with Varnish running on the server

I have a webform with a file field configured to private files. When I'm logged in as a superuser (uid=1) and trying to download the file, I get access denied.
I was trying to debug this, and this is what I noticed.
All private files are served by the file_download() function in system.module. This function validates that the file exists and requests the file headers using the file_download_headers() function, which triggers hook_file_download().
In the webform_file_download() function the module determines whether the file was a webform upload and grants or denies file access based on access to the submission. It validates access permission by calling webform_submission_access(). When I run dpm($account) in this function, I get an anonymous user when I'm trying to access the private file. When I browse the recent log messages I see the entry below:
access denied 06/02/2015 - 11:23 system/files/webform/cv-uploads/cv.pdf Anonymous
When I change the URL to file that doesn't exist, I get this:
page not found 06/02/2015 - 11:26 system/files/webform/cv-uploads/cv.FDP admin
As you can see, for some reason when the module tries to access a file that does exist, I get access denied and the user is anonymous. When the file doesn't exist, I get page not found and the user is the logged-in user.
Any ideas why this happens?
UPDATE
I've added the following code to my index.php but I still get anonymous user when I'm trying to access the file.
define('DRUPAL_ROOT', getcwd());
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
+ global $user;
+ watchdog('user', '<pre>'. print_r($user, TRUE) . '</pre>');
menu_execute_active_handler();
I've copied the whole site, including database and files, to my local machine, and I'm not experiencing this issue. There must be some setting on the live site that causes this.
UPDATE 2
I've noticed that on the live site we have a list of disabled functions that I'm not aware of. Maybe it will help somehow.
disable_functions = apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system, xmlrpc_entity_decode, parse_ini_file,show_source,shell_exec
The problem was caused by Varnish on the server. Below are the settings for Varnish.
# Always cache the following file types for all users. This list of extensions
# appears twice, once here and again in vcl_fetch so make sure you edit both
# and keep them equal.
if (req.url ~ "(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
unset req.http.Cookie;
}
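
The rule above explains both log lines in the question: the extension regex matches /system/files/webform/cv-uploads/cv.pdf, Varnish drops the Cookie header, Drupal's file_download() therefore runs as Anonymous and denies access; cv.FDP does not match (the letters are reversed, case-insensitivity does not help), the cookie survives, and Drupal reports page not found for the admin user. The Python below is an added example, not from the original thread or from the Varnish or Drupal projects: it runs the posted regex unchanged against constructed request paths, simulates who Drupal sees, and compares it with a hardened rule that leaves private-file URLs alone. The VCL line quoted in the docstring (pass everything under /system/files/ before the extension rule) is my suggested fix, not something the answer contains; the session cookie value is constructed.

```python
import re

# Constructed session cookie; any value works, it only has to survive Varnish.
SESSION_COOKIE = "SESSd41d8cd98f=constructed-session-id"

# The extension rule from the VCL in the answer; Python's re accepts the
# Varnish (PCRE) pattern unchanged, including the leading (?i).
STATIC_EXT = re.compile(
    r"(?i)\.(pdf|asc|dat|txt|doc|xls|ppt|tgz|csv|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$")

# Everything under /system/files/ is served by Drupal's file_download(),
# whose access decision depends on the session cookie.
PRIVATE_PREFIX = re.compile(r"^/system/files/")


def strips_cookie_original(url):
    """vcl_recv as posted: a static-looking URL loses its Cookie header."""
    return bool(STATIC_EXT.search(url))


def strips_cookie_fixed(url):
    """Hardened rule: private-file URLs keep their cookie whatever the extension.

    In VCL this is an earlier rule in vcl_recv (my suggestion, not from the
    answer):
        if (req.url ~ "^/system/files/") { return (pass); }
    so private files are neither stripped of cookies nor cached.
    """
    if PRIVATE_PREFIX.search(url):
        return False
    return bool(STATIC_EXT.search(url))


def effective_user(url, cookie, rule):
    """Who Drupal sees once the request has been through the cookie rule."""
    forwarded = None if rule(url) else cookie
    return "admin" if forwarded == SESSION_COOKIE else "Anonymous"


def audit(urls, rule):
    """Map each URL to the user Drupal would resolve for a logged-in admin."""
    return {url: effective_user(url, SESSION_COOKIE, rule) for url in urls}


if __name__ == "__main__":
    # Constructed request paths, including the two from the question's log.
    requests = [
        "/system/files/webform/cv-uploads/cv.pdf",
        "/system/files/webform/cv-uploads/cv.FDP",
        "/sites/default/files/logo.png?v=3",
    ]
    for name, rule in (("original", strips_cookie_original),
                       ("fixed", strips_cookie_fixed)):
        print(name)
        for url, user in audit(requests, rule).items():
            print(f"  {url:45} -> {user}")
```

The same check is worth running over any cache rule that strips cookies by extension: anything an application serves through an access-controlled handler (private files, exports, attachments) must be matched by path and excluded before the extension rule, or authenticated users are silently downgraded to anonymous.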

What "domain" should I specify in JNDI login to an Active Directory Server?

I'm wondering what "principal" I should specify to login in to an Active Directory server. Should the principal be a user inside the AD I try to log into? Or it can be a user in the domain I specify as long as the user has privileges to access the AD?
I tried both with credentials error 49. But I can log in to the AD with ldp.exe by using the Administrator account of the server that AD is installed on.
Here is my code. Many thanks for any prompt help.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<String, String>(11);
env.put(Context.SECURITY_AUTHENTICATION, "simple"); // Also tried none w/ the same error
// What principal should I use??
env.put(Context.SECURITY_PRINCIPAL, "CN=Ross,OU=Eng,DC=RossInc"); // User
//env.put(Context.SECURITY_PRINCIPAL, user + "@" + domain); // Tried w/ the same error
env.put(Context.SECURITY_CREDENTIALS, "ross"); // Password
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://myserver:389/DC=RossInc");
// Fails with AuthenticationException: [LDAP: error code 49 - 8009030C
DirContext ctx = new InitialDirContext(env);
You can provide either:
an NT-style login name
a Kerberos UPN (implicit UPN)
an explicit UPN (if additional UPN suffixes have been defined)
Moreover, NEVER ever perform a simple bind! Use either Digest or GSS-API.
According to the following example from the Oracle site, the security principal is a distinguished name.
Here is some code working for me from a computer inside the domain:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> ldapEnv = new Hashtable<String, String>(11);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL, "ldap://societe.fr:389");
ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=administrateur,cn=users,dc=societe,dc=fr");
ldapEnv.put(Context.SECURITY_CREDENTIALS, "test.2011");
DirContext ldapContext = new InitialDirContext(ldapEnv);
The principal can be a user inside the AD as long as he has privileges to access the AD.
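
The two answers above between them list every form an Active Directory bind principal can take (a full DN, user@domain, DOMAIN\user) and warn against a simple bind. As an added example, not from this thread and not JNDI code, here is a Python pre-flight check for a bind configuration of the kind shown in the question: it classifies the principal string, and it flags the two settings that make such a bind fail or leak credentials, a bare logon name (error 49 is the expected result, since AD accepts none of its principal forms that way) and a simple bind over plain ldap://, where the password crosses the wire unencrypted. The regular expressions are a deliberate approximation of the three syntaxes, not RFC 4514 parsers; hosts and domains in the sample settings are placeholders, with the question's own values reused where they appear.

```python
import re
from urllib.parse import urlparse

# Approximate shapes of the three AD principal syntaxes (constructed, not a
# full RFC 4514 DN grammar): attribute=value pairs, user@dns.domain and
# NETBIOS\user.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(?:,\s*[A-Za-z][\w-]*=[^,=]+)+$")
UPN_RE = re.compile(r"^[^@\\/\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
NT_RE = re.compile(r"^[A-Za-z0-9_.-]+\\[^\\@/\s]+$")


def classify_principal(principal):
    """Return 'dn' (CN=...,DC=...), 'upn' (user@domain), 'nt' (DOMAIN\\user) or 'bare'."""
    if DN_RE.match(principal):
        return "dn"
    if UPN_RE.match(principal):
        return "upn"
    if NT_RE.match(principal):
        return "nt"
    return "bare"


def check_bind_settings(provider_url, auth_method, principal):
    """Pre-flight review of a JNDI/LDAP bind configuration.

    Returns (principal_kind, findings). Findings cover a bare logon name
    (AD simple binds take a DN, a UPN or DOMAIN\\user), auth 'none' (an
    anonymous bind, which authenticates nobody) and a simple bind on plain
    ldap:// where the password is sent unencrypted.
    """
    findings = []
    kind = classify_principal(principal)
    scheme = urlparse(provider_url).scheme.lower()
    method = auth_method.lower()
    if kind == "bare":
        findings.append(f"principal {principal!r} is a bare logon name; "
                        "use a DN, user@domain or DOMAIN\\user")
    if method == "none":
        findings.append("auth 'none' is an anonymous bind and authenticates nobody")
    if method == "simple" and scheme == "ldap":
        findings.append("simple bind over ldap:// sends the password in clear text; "
                        "use ldaps://, StartTLS or GSSAPI/Kerberos")
    return kind, findings


if __name__ == "__main__":
    # Constructed settings echoing the question's code, with placeholder hosts.
    for url, method, principal in [
        ("ldap://myserver:389/DC=RossInc", "simple", "CN=Ross,OU=Eng,DC=RossInc"),
        ("ldap://myserver:389/DC=RossInc", "simple", "ross"),
        ("ldaps://dc.example.invalid:636", "simple", "ross@example.invalid"),
    ]:
        kind, findings = check_bind_settings(url, method, principal)
        print(f"{principal!r}: {kind}", findings or "ok")
```

Run against the question's own settings this reports only the clear-text finding, which matches the second answer: the DN form is valid, and if it still fails with error 49 the problem is the account or password, not the principal syntax.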
