I'm trying to learn about AD schema extensions, and I've encountered those two.
What exactly is the difference? Are they contained in each other?
Thanks.
RFC2307 is the standard set of attributes and classes used generically in LDAP-compliant systems.
Identity Management for Unix implies some services and other bits on Active Directory. I think you also get an MMC extension that shows some of them.
RFC2307(bis) is, at its heart, a schema developed by Sun and others, most notably PADL, in an attempt to use LDAP as a network information service, not to be confused with NIS or NIS+.
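As an added example (not code from the thread), the following Python shows what the RFC 2307 attributes look like on actual entries and how a client consumes them: it checks that an account carries the posixAccount attributes, and resolves a user's POSIX groups whether the group lists members by login name (memberUid, RFC 2307) or by DN (member, RFC 2307bis). The directory entries are constructed sample data; the AD-flavoured entry assumes the Identity Management for Unix attributes (uidNumber, gidNumber, unixHomeDirectory) are populated on the user object.

```python
"""Check RFC 2307 posixAccount entries and resolve POSIX group membership
from RFC 2307 (memberUid) and RFC 2307bis (member DN) style groups.

Added example, not code from the thread above.  ENTRIES is constructed
sample data, not a dump of a real directory.
"""
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample directory (values are multi-valued, as LDAP returns them):
#  - alice: plain OpenLDAP posixAccount
#  - bob:   AD user carrying the RFC 2307 attributes that Identity Management
#           for Unix populates; AD stores the POSIX home in unixHomeDirectory
#           because homeDirectory already holds the Windows profile path
#           (a fact about the AD schema, not stated in the thread)
#  - developers: RFC 2307 posixGroup, members named by login in memberUid
#  - ops:        RFC 2307bis group, members named by DN in member
ENTRIES: List[Entry] = [
    {"dn": ["uid=alice,ou=People,dc=example,dc=com"],
     "objectClass": ["inetOrgPerson", "posixAccount"],
     "cn": ["Alice Example"], "uid": ["alice"],
     "uidNumber": ["10001"], "gidNumber": ["10001"],
     "homeDirectory": ["/home/alice"], "loginShell": ["/bin/bash"]},
    {"dn": ["CN=Bob Example,CN=Users,DC=corp,DC=example,DC=com"],
     "objectClass": ["user"],
     "cn": ["Bob Example"], "sAMAccountName": ["bob"], "uid": ["bob"],
     "uidNumber": ["10002"], "gidNumber": ["10001"],
     "unixHomeDirectory": ["/home/bob"], "loginShell": ["/bin/sh"]},
    {"dn": ["cn=developers,ou=Groups,dc=example,dc=com"],
     "objectClass": ["posixGroup"],
     "cn": ["developers"], "gidNumber": ["20000"],
     "memberUid": ["alice", "bob"]},
    {"dn": ["cn=ops,ou=Groups,dc=example,dc=com"],
     "objectClass": ["groupOfNames", "posixGroup"],
     "cn": ["ops"], "gidNumber": ["20001"],
     "member": ["uid=alice,ou=People,dc=example,dc=com"]},
]

# MUST attributes of posixAccount in RFC 2307 (homeDirectory handled separately)
REQUIRED_POSIX_ACCOUNT = ("cn", "uid", "uidNumber", "gidNumber")


def missing_posix_attributes(entry: Entry) -> List[str]:
    """Names of required posixAccount attributes absent from entry.
    Accepts unixHomeDirectory in place of homeDirectory for AD objects."""
    missing = [a for a in REQUIRED_POSIX_ACCOUNT if not entry.get(a)]
    if not entry.get("homeDirectory") and not entry.get("unixHomeDirectory"):
        missing.append("homeDirectory")
    return missing


def _is_group(entry: Entry) -> bool:
    # AD group objects may not list posixGroup in objectClass even when
    # gidNumber is set, so treat any gidNumber-bearing non-account as a group.
    classes = entry.get("objectClass", [])
    return "posixGroup" in classes or ("gidNumber" in entry and "uidNumber" not in entry)


def find_user(uid: str, entries: List[Entry]) -> Entry:
    for e in entries:
        if "uidNumber" in e and uid in e.get("uid", []):
            return e
    raise KeyError(uid)


def posix_groups_for(uid: str, entries: List[Entry]) -> Set[int]:
    """Primary GID plus every group that names the user either by login
    (RFC 2307 memberUid) or by DN (RFC 2307bis member).  DNs are compared
    case-insensitively as strings, which is adequate for DNs that the same
    server produced; full RFC 4514 normalisation is out of scope here."""
    user = find_user(uid, entries)
    user_dn = user["dn"][0].lower()
    gids = {int(user["gidNumber"][0])}
    for e in entries:
        if not _is_group(e):
            continue
        by_login = uid in e.get("memberUid", [])
        by_dn = any(m.lower() == user_dn for m in e.get("member", []))
        if by_login or by_dn:
            gids.add(int(e["gidNumber"][0]))
    return gids


if __name__ == "__main__":
    for login in ("alice", "bob"):
        print(login, sorted(posix_groups_for(login, ENTRIES)),
              "missing:", missing_posix_attributes(find_user(login, ENTRIES)))
```

The point to notice is that nothing in the client depends on whether the server is OpenLDAP or AD: once the RFC 2307 attributes are present on the entry, the lookup logic is identical, and the AD-specific part (the MMC snap-in and services that Identity Management for Unix adds) is only about populating them.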
A little bit of context: I'm currently working on a school project, and I have to set up a "Centrex"-style Asterisk server, preparing and tuning things to reach a production-ready installation.
So far I've found information about coupling your Asterisk to one LDAP/AD, with an LDIF file and some configuration of the Asterisk server.
But is it even feasible to use multiple distinct LDAP/ADs? Or are you supposed to connect to only one LDAP/AD per Asterisk server?
If possible, how much of a hassle would it be to set up?
I am running CentOS 7.7 with a fresh install of Asterisk 16.
Asterisk is open-source software. Since almost nobody needs to connect two or more ADs to a server, this feature has no implementation.
There are two possible solutions for this:
1) Read and modify the LDAP driver in Asterisk. Just copy/paste it to make a second one with another name. Requires C/C++ programming experience.
2) Read the OpenLDAP documentation and make changes in it, like making sub-trees etc. Requires OpenLDAP/AD administration experience.
Both seem to require advanced experience.
I would say that, typically, LDAP-aware applications only connect to one LDAP tree at a time. This has to do with differences in search locations, schema, etc.
Looking at the Asterisk LDAP integration docs, it looks like it follows the same pattern: it can integrate with one LDAP tree.
If you really want to link multiple ADs / LDAP directory trees, you might be able to use LDAP referrals, but that requires quite a lot of knowledge.
I am developing a server service using Kerberos and get the ticket from the client. I can decipher the ticket with the predefined keytab; now my question is how to use the PAC information in the ticket. Previously I used an LDAP query to get the user's group membership as the authorization information.
Now the PAC's logon information includes the membership, but it is a group ID, and I need the "DN" text-based format (CN=xxx,OU=xxx,DC=xxx...).
I would like to know, in general, how to use this authorization data in the ticket on the service server. Thanks!
If your application service is not running on Windows, you will not be able to read the PAC without jumping through some serious hoops. The PAC is built using Microsoft proprietary code, which is something Microsoft introduced into their flavor of Kerberos in accordance with RFC 1510 but, in their words, "slightly modified". Shortly after the release of Windows 2000 [Active Directory], Microsoft received some negative press attention because of the proprietary way they used the PAC field in a Kerberos ticket. [Microsoft] explicitly forbids the creation of software that implements the PAC as described in the specifications.
I spent a long time trying to find something open source and reliable which could read the PAC anyway, and I found that JAASLounge does this. It's an old article though (from 2010). Be aware that it appears, based on my interpretation of Microsoft's statement, to be a violation of their terms and conditions.
Anyway, I've also bookmarked two threads from right here in this forum by people who claim to have gotten JAASLounge working, and some of the troubles they had to work through:
Decrypt kerberos ticket using Spnego
Malformed PAC logon info on new KerberosToken
In case you don't want to go down this route, and want to bypass the PAC to determine the AD user's group memberships, then you will have to resort to making an LDAP call back to the AD domain controller.
I'll close by saying that if you're running on a Windows-based application server such as IIS or SharePoint, Kerberos decoding of the PAC takes place automatically, so no special code, configuration, or keytab file is ever required.
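The step the question actually needs, once the group RIDs have been pulled out of the PAC, is turning them into DNs, and that is exactly the LDAP call-back the answer ends on. The following Python is an added example, not part of the answer: it builds each group's objectSid from the domain SID in the PAC plus the RID, produces an RFC 4515-escaped objectSid filter for the lookup, and maps the result back to a DN. NDR decoding of the PAC blob is out of scope, so the domain SID and RIDs are constructed values stated as if already extracted, and the LDAP search is stood in for by an in-memory table.

```python
"""Map group RIDs from a PAC to AD group DNs through an objectSid lookup.

Added example, not from the answer above.  The PAC's KERB_VALIDATION_INFO
carries LogonDomainId (the account domain's SID) and GroupIds (RelativeId,
Attributes pairs); decoding that NDR structure is out of scope, so the values
below are constructed as if already extracted.  The LDAP search is stood in
for by an in-memory table so the script runs offline.
"""
import struct
from typing import Dict, Iterable, Optional


def sid_to_string(sid: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...'.  Layout (MS-DTYP 2.4.2.2): revision (1),
    sub-authority count (1), identifier authority (6, big-endian), then
    count x uint32 sub-authorities, little-endian."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def append_rid(domain_sid: bytes, rid: int) -> bytes:
    """Domain SID + RID = the group's objectSid, which is what AD stores."""
    return (domain_sid[:1] + bytes([domain_sid[1] + 1]) + domain_sid[2:]
            + struct.pack("<I", rid))


def ldap_sid_filter(sid: bytes) -> str:
    """Equality filter on the binary objectSid, every byte escaped as \\xx per
    RFC 4515, so no server-side parsing of the string form is needed."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid)


def resolve_group_dns(domain_sid: bytes, rids: Iterable[int],
                      directory: Dict[bytes, str]) -> Dict[int, Optional[str]]:
    """RID -> group DN, or None when the SID is not in the directory.  In real
    code `directory` is replaced by an LDAP search with ldap_sid_filter(sid)
    requesting only the distinguishedName attribute.  Unknown SIDs are kept
    rather than dropped so the caller can fail closed on them."""
    return {rid: directory.get(append_rid(domain_sid, rid)) for rid in rids}


# --- constructed sample data -------------------------------------------------
DOMAIN_SID = string_to_sid("S-1-5-21-1004336348-1177238915-682003330")
PAC_GROUP_RIDS = [513, 512, 1105]        # as they would come out of GroupIds
DIRECTORY = {                             # stands in for the LDAP search
    append_rid(DOMAIN_SID, 513): "CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com",
    append_rid(DOMAIN_SID, 512): "CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com",
}

if __name__ == "__main__":
    print("domain:", sid_to_string(DOMAIN_SID))
    for rid, dn in resolve_group_dns(DOMAIN_SID, PAC_GROUP_RIDS, DIRECTORY).items():
        sid = append_rid(DOMAIN_SID, rid)
        print(sid_to_string(sid), ldap_sid_filter(sid), "->", dn)
```

Two practical notes: a group from another domain does not appear in GroupIds at all (it arrives as a full SID in ExtraSids), so there is nothing to append a RID to for those; and the lookup should be done only after the PAC signature has been verified, otherwise the RIDs are attacker-controlled input to an authorization decision.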
I've been tasked with implementing a Single Sign-On solution in an environment which uses Kerberos with an Active Directory server for the actual storing of the users and their groups. I understand that Kerberos does not support privileges/groups and that this is the reason to be forced to use a backing server like, for example, LDAP, or Active Directory. This is all fine and clear, but what I don't quite understand is why you would still be using Kerberos, when you could simply be connecting to LDAP or Active Directory directly instead and dropping the whole overhead of yet another server.
What am I missing here...? Please advise! Many thanks in advance!
There is no overhead for another server. Active Directory combines all the necessary services in one product.
Kerberos has tremendous benefits:
One login for all systems
Transparent subsequent login
Ciphered ticket exchange, even full transport encryption is possible
Delegation of credential is supported out of the box
Implemented and well documented in Unix and Windows for almost two decades
I have used Kerberos via AD for years in Java and C on Unix and Windows with great success. I wouldn't use anything else in a corporate environment.
I am currently in the process of coming up with a PKCS#11 library with minimal functions, such that my legacy HSM is able to support Oracle Database 11g Transparent Data Encryption (TDE). I do not want to come up with the complete PKCS#11 library with all the functions, since all I need is to support the Oracle database. In addition, coding all the functions would take too long a development effort and would be overkill.
Does anybody have any ideas as to which PKCS#11 functions "Oracle Database 11g Release 2 (11.2)" makes use of for supporting TDE with an HSM?
Most probably at least the following:
C_GetFunctionList
C_Initialize
C_GetSlotList
C_OpenSession
C_Login
C_FindObjectsInit
C_FindObjects
C_FindObjectsFinal
C_EncryptInit
C_Encrypt or
C_EncryptUpdate
C_EncryptFinal
C_DecryptInit
C_Decrypt or
C_DecryptUpdate
C_DecryptFinal
You can use OpenSC's pkcs11-spy to sniff on Oracle to see which functions it actually uses and with what kind of parameters.
The following answer is quoted from the Oracle Forum:
I checked the 11.2 code and you need to implement these functions for use with TDE:
C_Initialize
C_GetFunctionList
C_GetInfo
C_GetSlotList
C_OpenSession
C_Login
C_CloseSession
C_Finalize
C_GenerateKey
C_FindObjectsInit
C_FindObjects
C_FindObjectsFinal
C_EncryptInit
C_Encrypt
C_DecryptInit
C_Decrypt
C_CloseSession
It is also recommended to implement C_GenerateKeyPair so it can be used by Wallet Manager to create a certificate request.
I used OpenSC's pkcs11-spy and found out that Oracle 11g R2 Wallet Manager would also call C_GenerateKeyPair, C_SignInit, and C_Sign during the certificate request process.
Oscar
I've written a web application for a client in which authentication/authorization is done by Spring Security based on the 'internal' database. Now the client has asked to switch to using their Active Directory instead. I'm as green as can be where LDAP is concerned, but looking at the sample code and such it doesn't seem too difficult.
I do have a more general question concerning LDAP. As I gather, this is a network protocol for which several implementations are available (among those Active Directory). Now, installing AD on my PC doesn't really appeal to me (if it is even possible?). However, if all implementations follow the LDAP protocol, I would assume that I could simply install Apache Directory on my PC, write the 'code' and then deploy this in an environment with Active Directory and (apart from some config changes) this should work.
Can any one confirm/deny this?
Thanks,
Stijn
It would be lovely if the LDAP standard were implemented the same on all major platforms, but while that is true in general, there are sufficient differences that you should plan on working against the target LDAP server instance in development.
For Active Directory you could run a Domain Controller in a VM on your workstation (since you cannot install AD on a workstation). You could install ADAM, which is a standalone-ish AD-like service. But even that is not a 100% match.
Usually the core issues are related to authentication, but the generic functionality for querying with filters and so on is the same across backend servers.
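To make the answer's point concrete, here is an added Python example (not from the answer) of the two things that actually differ between Apache Directory and AD in a user lookup, the attribute that holds the login name and the spelling of the bind identity, kept in a per-backend table while the filter syntax stays shared. It also shows the part a Spring Security migration most often gets wrong: the login name must be escaped differently depending on whether it lands in a search filter (RFC 4515) or in a bind DN (RFC 4514), otherwise a crafted username rewrites the query. The attribute choices, base DN and UPN suffix are assumptions for the demo.

```python
"""User lookup that is portable between Active Directory and a generic
LDAP server (Apache Directory, OpenLDAP), with the two escapings that keep
a login name from rewriting the filter or the bind DN.

Added example, not from the answer above.  Attribute names per flavour and
the base DN / UPN suffix are assumptions for the demo.
"""
from typing import Dict

# What differs between backends is which attribute holds the login name,
# which objectClass marks a user, and how the bind identity is spelled;
# the filter syntax itself is the same.
FLAVORS: Dict[str, Dict[str, str]] = {
    "ad": {
        "user_filter": "(&(objectCategory=person)(objectClass=user)(sAMAccountName={login}))",
        "bind": "{login}@corp.example.com",                  # UPN form (assumed suffix)
    },
    "generic": {
        "user_filter": "(&(objectClass=inetOrgPerson)(uid={login}))",
        "bind": "uid={login},ou=People,dc=example,dc=com",   # DN form (assumed base)
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value inside a search filter: backslash,
    '*', '(', ')' and NUL become \\xx; non-ASCII is emitted as escaped UTF-8."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a DN, which is a
    different character set from the filter case."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def user_filter(login: str, flavor: str) -> str:
    # str.format only substitutes into the template; braces in `login` are inert.
    return FLAVORS[flavor]["user_filter"].format(login=escape_filter_value(login))


def bind_name(login: str, flavor: str) -> str:
    template = FLAVORS[flavor]["bind"]
    if template.startswith("uid="):
        return template.format(login=escape_dn_value(login))
    # A UPN is not a DN, so no DN escaping applies; refuse a login that
    # already carries a realm so it cannot override the configured suffix.
    if "@" in login:
        raise ValueError("login must not contain '@'")
    return template.format(login=login)


if __name__ == "__main__":
    for login in ("bob", "bob)(|(uid=*", "Smith, John"):
        for flavor in FLAVORS:
            print(flavor, user_filter(login, flavor), "|", bind_name(login, flavor))
```

Developing against Apache Directory with the "generic" flavour and switching the table to "ad" at deployment is roughly the "apart from some config changes" the question hopes for; what the table does not cover is the authentication behaviour the answer warns about (password policies, account lockout, which bind forms a server accepts), which you only see against the real target.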