Pam_ldap caching passwords when it isn't supposed to - active-directory

I've set up LDAP authentication using pam_ldap on a server and it seemed to be working just fine to begin with, but now I have a problem. Whenever a user changes his password in Active Directory, it syncs just fine with LDAP and therefore with every system that uses LDAP authentication, except this server, which still accepts the old password.
I've tried "getent passwd" and it does list every user in LDAP, and I also tried adding a new user in LDAP, which my server immediately recognized when I try "getent passwd" again.
So apparently my server is communicating with LDAP, just not when it comes to new passwords; those the server chooses to cache somewhere.
Google hasn't been helpful at all and some people seem to have had similar problems but their questions always go unanswered.
Hope someone can help.

You may have nscd installed. Check /etc/nscd.conf and lower the TTL.

Which AD user record does NPS check to validate an account? Can we change it?

For a school I implemented eduroam two years ago and from time to time we add new students in the AD.
Five days ago I added 40 more new students, but I changed the format of the CN (or what in New-ADUser is called "-Name"):
from "name.surname" to "SURNAME, NAME" (quotes excluded), hence
earlier it was
CN=name.surname, OU=CLASS_A, OU=STUDENTS, DC...
now it is
CN=SURNAME, NAME, OU=CLASS_A, OU=STUDENTS, DC...
An eduroam username normally is <string with no blanks>#<yourschool>.<tld>, so that the RADIUS proxies can route the auth request based on #<yourschool>.<tld>, so I must keep such a format.
Now, the new users cannot be authenticated anymore by NPS.
All the tests I ran back up my thesis (i.e. that NPS uses CN to authenticate), but I cannot find any Microsoft document that states that.
Could anybody share the link to such doc?
Is there a way to change the check from CN (if proved by the answer to point 1) to another user record like sAMAccountName or UPN?
I'm sure I'm touching something deep in AD, but I hope somebody has tripped into this issue and has found an answer.
TIA
P.S. I guess the alternative would be to use FreeRADIUS, but I would rather explore the options to still make this work within NPS/AD.
• Please check the Windows Server event security log for more details on the issue for NPS authentication because that might shed some more light on the actual issue that you might be facing. Till then, please clear the cache and temporary files from the server and restart the whole infrastructure regarding NPS, i.e., domain controller, NPS Server, Access points and other related devices through which users can login through NPS.
• Once restarted, please try to authenticate any allowed user through NPS once again and check. Also, as you are using NPS as a radius server proxy, please check for the attribute manipulation rules for message forwarding since the CNs are changed in their order/format in your AD. Specifically, regarding the username which is provided by the access client and is included by the NAS in the Radius access-request message. The value of this attribute is a character string that typically contains a realm name and a user account name.
• To correctly replace or convert realm names in the username of a connection request, you must configure attribute manipulation rules for the User-Name attribute on the appropriate connection request policy.
Also, find below the links regarding your query about which attribute you can use to authenticate in the case of NPS. In them, it is clearly stated that the user principal name should be used as an attribute as a best practice: -
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices#performance-tuning-nps
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices#using-nps-in-large-organizations
Please check the documentation link below for your condition: -
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-proxy#key-steps-3

Google data studio User_Pass authorization

"Issue description copied..."
I'm building a partner connector, which relies on a user name and password to connect to a database (very similar to the existing Postgres / MySQL connectors provided by Google). In order to verify the credentials, I also need the database host information to be present in addition to username and password, and this is the base of my problem.
The Google-built connectors are conveniently allowed to collect user credentials and the database-related information at the same time. Unfortunately, that doesn't seem to be the case for partner connectors, as stated in the requirements:
Point 5 "Use appropriate authentication method in getAuthType(). Do not request credentials via getConfig()."
The authentication itself happens before any other configuration details are known (there is just a dialog for username and password) and there doesn't seem to be a way to request additional information on the authentication screen itself. Once the credentials have been entered, the verification also happens immediately, before the configuration is being shown in the next step.
Once credentials are validated successfully, Data Studio then assumes the schema and data can be requested. This excludes the option of a dummy confirmation, because there doesn't seem to be a way to tell that credentials are invalid and need to be changed after checking the other configuration details on the next screen.
That makes me unsure how to determine valid credentials in my use case, as I need to know the variable endpoint to authenticate against. I definitely want to avoid storing any user credentials myself in an external database, because this opens up another can of worms.
Has anyone successfully solved a similar issue before and can provide guidance here?
This is a known limitation of the authentication methods for Community Connectors.
A workaround would be to use authtype NONE and then request the credentials and database information in the config. This is, however, not a recommended approach.

SonarQube and LDAP - Case sensitive logins

I am checking SonarQube 5.4 and the latest LDAP plugin 1.5.1. There are, however, a couple of issues.
First. My AD account is majcicam. If I log in with it, it is correctly shown in the users list. However, if I log in with MajcicaM (note the capital letters), another additional user is added to the list:
As you can see from the attached image, every login that I make seems to be treated as case sensitive and is taken as a different user.
Second thing. Once I assign a group to my user, on the next login those settings are gone. It seems that they are not persisted.
Am I doing something wrong? Is this a bug? Are my settings messed up?
Thanks
Mario
No bugs here, just some subtleties about LDAP Plugin configuration and behaviour. :)
Case-insensitive login
Set sonar.authenticator.downcase to true when delegating authentication to an LDAP/AD server which is case-insensitive.
Group mapping behaviour
When group mapping is configured (i.e. you manually configured ldap.group.* or you use the windows authentication mode with lightweight AD config), membership in LDAP/AD will override any membership locally configured in SonarQube. LDAP/AD becomes the one and only place to manage group membership (and the info is fetched each time the user logs in).

Login fails for local copy of DNN site

I've been tasked with maintaining a DNN site that has been running for a while, so I copied it to my local development environment to get up to speed on the setup. I have the site up and running locally, and I can browse all (I think) of the pages. It seems to display correctly and yesterday the DNN login worked correctly. However, today, when I try to log in to manage changes, I enter my username and password on the login page, but it does not actually log in. On screen, all that seems to happen is that the password field clears. No error message displays. In my Firebug console, the only error message that appears is "Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen." Again, yesterday I was able to log in and get to all of the DNN management features -- I changed skins, modified CSS, changed code, etc. I've tried multiple logins (host, superuser, and regular user) -- all have the same result.
I don't see anything in the database EventLog, except for a startup record.
I saw a couple of other SO posts tangentially related to failed DNN logins on development environment, and checked that Form Authentication is Enabled in IIS and the security for the site folders are set correctly and the folder is not read-only.
I generally use Firefox for development, but I also tried IE. I'm certain I'm missing something obvious, but it has me stumped. Ideas? I'm new to DNN, so I'm not up to speed yet on the best practices for debugging. Any other suggestions would be welcome.
Some details: Live site is SQL Server 2008; Dev is SQL Server 2012. Both sites use IIS 7. Dev is DNN 7.2.2. Locally, I'm using VS 2010 for development.
Couple of things to check.
1) Check to make sure your database connection strings (2 of them) in the web.config are both pointing to your local database.
2) Check to make sure the MachineKey values in the web.config still match the values in the production web.config
3) You might turn off SSL on the site, though you'll have to do that in the database as you can't get logged in. I believe you can likely just set Secure to 0 on all of the Tabs table records, but you might need to track down a HOST setting as well to make this work (hostsettings table)
An update. I was able to get this to work by using a different user account. I'm still not sure what the root of the problem was, but I believe it was related to specific settings on my particular user account. I used a generic 'admin' account, and was able to make it work.
I'm experiencing the same issue; I think it's something to do with the .dotnetnuke cookie.

Check IsInRole against AD

I recently tried to work with WindowsPrincipal but I am getting really confused. I use this code snippet:
WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
MessageBox.Show(Thread.CurrentPrincipal.IsInRole("MyDomain\\Users").ToString());
It returns True, so it's OK. But I thought that this "IsInRole" check works against Active Directory. But when I unplug the network cable it still returns true. How come? Is there any easy way to check whether the logged-in user is in a specific domain group against AD?
Active Directory credentials can be cached on the local system, including role membership (to support Group Policy enforcement). You can turn off the credential cache as described in the MSDN KB Cached Domain Logon Information, but I'm not sure that will clear the cache. While I cannot confirm (as I'm not currently on a system with cached credentials), I believe they are stored as hashes under the registry key HKEY_LOCAL_MACHINE\SECURITY\CACHE\ in values labeled "NLx" where x is an integer.
Your code is fine. Windows is a bit smarter than we think and caches the user's group membership even when you disconnect the network cable; in fact, if you are in an AD domain you can also unplug the cable and still log in, because everything is cached locally.
If you want to check how it really works, try to unplug the cable and check for another group membership while disconnected: it will be false. Then add your user to another group on the server; this check will pass only after you connect your machine to the network again and do a log-off / log-in.
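As an added example (not code from the question or the answers above), the token-based IsInRole check side by side with a live query to a domain controller through System.DirectoryServices.AccountManagement; the live query fails closed when no DC is reachable, which is the behaviour the question was looking for. "MyDomain" and "Domain Users" are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not from the original post. "MyDomain" and "Domain Users"
// are placeholders for the real domain and group names.
static class GroupCheck
{
    // Answered from the access token built at logon. Group SIDs are already
    // in the token, so this returns the same result with the cable unplugged.
    public static bool IsInRoleFromToken(string groupName)
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return principal.IsInRole(groupName);
    }

    // Queries AD directly. Throws PrincipalServerDownException when no domain
    // controller can be reached instead of silently answering from a cache.
    // IsMemberOf checks direct membership only; use user.GetAuthorizationGroups()
    // if nested group membership matters.
    public static bool IsMemberLive(string domain, string samAccountName, string groupName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
        {
            if (user == null || group == null) return false;
            return user.IsMemberOf(group);
        }
    }

    static void Main()
    {
        Console.WriteLine("Token says: " + IsInRoleFromToken(@"MyDomain\Domain Users"));
        try
        {
            Console.WriteLine("AD says: " + IsMemberLive("MyDomain", Environment.UserName, "Domain Users"));
        }
        catch (PrincipalServerDownException ex)
        {
            // Unlike the token check, the live check cannot succeed offline.
            Console.WriteLine("No domain controller reachable: " + ex.Message);
        }
    }
}
```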