I've set up a jitsi-meet instance for test purposes and I use the ldap-related modules for user authentication configured in /etc/prosody/conf.d/ldap.cfn.lua. Here is my working ldap.cfn.lua (I removed usernames and passwords and replaced them with *):
-- Authentication configuration --
authentication = 'ldap2'
ldap = {
hostname = 'my.ldap.server.org',
--use_tls = true,
bind_dn = 'CN=ldap,OU=user,OU=my,DC=company,DC=org',
bind_password = '***',
user = {
basedn = 'ou=workers,ou=location1,dc=my,dc=company,dc=org',
filter = 'sAMAccountName=*',
usernamefield = 'sAMAccountName',
namefield = 'cn',
},
}
I have several locations within my AD (evolved historically) and I need to query them too. How can I specify more than one basedn parameter? Here is what I tried so far without positive results (mere guesses).
user = {
basedn = 'ou=workers,ou=location1,dc=my,dc=company,dc=org',
'ou=workers,ou=location2,dc=my,dc=company,dc=org',
filter = ...
...
},
user = {
basedn = '(ou=workers,ou=location1,dc=my,dc=company,dc=org,ou=workers,ou=location2,dc=my,dc=company,dc=org)',
filter = ...
...
},
Thanks!
Luckily I've figered out another solution in the meantime:
In my case it's not neccessary to query multiple OU within the AD. It's sufficient to query the very root of my AD and filter for every Domain User.
This site gave valuable hints: https://ldapwiki.com/wiki/Domain%20Users
Here is my working config:
authentication = 'ldap2'
ldap = {
hostname = 'my.ldap.server.org',
--use_tls = true,
bind_dn = 'CN=ldap,OU=user,OU=my,DC=company,DC=org',
bind_password = '***',
user = {
basedn = 'dc=my,dc=company,dc=org',
filter = '(primaryGroupID=513)',
usernamefield = 'sAMAccountName',
namefield = 'cn',
},
}
Related
On making a SAML request the port number (443) is being stripped out of the Destination. I understand this is default behaviour of the URI object. However the SAML identity provider requires the destination includes the port number for validation.
How can I get the SAML builder to include the port? 443 is being stripped from https://sit-api.eat.xxxxxx.xxxx.xx:443/samlsso (see below)
Saml2Configuration samlconfig = GetSAMLConfig();
var samlRequest = new Saml2AuthnRequest(samlconfig);
samlRequest.AssertionConsumerServiceUrl = new Uri(_appConfiguration["Saml2:AssertionConsumerServiceUrl"]);
samlRequest.Destination = new Uri(_appConfiguration["Saml2:SingleSignOnDestination"]); // https://sit-api.eat.xxxxxx.xxxx.xx:443/samlsso
samlRequest.NameIdPolicy = new NameIdPolicy()
{
AllowCreate = false,
Format = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
SPNameQualifier = _appConfiguration["Saml2:SPNameQualifier"]
};
samlRequest.Conditions = new Condition();
samlRequest.Conditions.Items = new List<ITfoxtec.Identity.Saml2.Schemas.Conditions.ICondition>();
samlRequest.Conditions.Items.Add(new ITfoxtec.Identity.Saml2.Schemas.Conditions.AudienceRestriction() { Audiences = new List<Audience>() { new Audience() { Uri = _appConfiguration["Saml2:AllowedAudienceUris"] } } });
var bnd = binding.Bind(samlRequest);
It is possible to change the destination URL after the ToActionResult method has been called if you are using a Saml2RedirectBinding. And thereby overriding the default behavior.
Like this:
var action = binding.ToActionResult() as RedirectResult;
action.Url = action.Url.Replace("https://sit-api.eat.xxxxxx.xxxx.xx/samlsso", "https://sit-api.eat.xxxxxx.xxxx.xx:443/samlsso");
return action;
My web application created using Grails 2.4.4 with shiro:1.2.1 and it's working fine. In my application I've created one user with limited permissions called xyzUser.
Now I've a domain, username, password of the active directory. And my requirement is to allow the request from the same and bypass login page and provide all the access of xyzUser.
For that I've tried
org.grails.plugins:ldap:0.8.2
plugins and add following configuration in config.groovy (https://grails.org/plugin/ldap)
ldap {
directories {
directory1 {
url = "ldap://demo.myDomain.in"
base = "ou=demo,dc=myDomain.in"
userDn = "uid=Username,ou=demo,dc=myDomain.in"
password = "Password"
searchControls {
countLimit = 40
timeLimit = 600
searchScope = "subtree"
}
}
}
typemappings = [
my.app.MyTypeMappings
]
}
Now I can't understand that what to do next to fulfill my requirements...
We have a mvc 5 project set up with adfs (ws-federation) authentication. Now, we want to add a custom claim to the user if a flag is true in the db. Where would be the correct place to do this?
This blog entry got us in the right direction. The claims need to be injected at the last minute after the user is validated.
Startup.Auth.cs should look something like this:
app.UseActiveDirectoryFederationServicesBearerAuthentication(
new ActiveDirectoryFederationServicesBearerAuthenticationOptions
{
MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
TokenValidationParameters = new TokenValidationParameters()
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
//NameClaimType = "User-Principal-Name",
//SaveSigninToken = true
},
//Inject custom claims from Database
Provider = new OAuthBearerAuthenticationProvider()
{
OnValidateIdentity = async context =>
{
string UPN = context.Ticket.Identity.FindFirst(ClaimTypes.Upn).Value;
UPN = UPN.Remove(UPN.Length - 12);
User user = new User();
//user = GetUserData("user#domain.com");
user = GetUserData(UPN); //Get user data from your DB
context.Ticket.Identity.AddClaim(
new Claim("UserName", user.UserName.ToString(), ClaimValueTypes.String, "LOCAL AUTHORITY"));
}
}
});
The easiest way is to set up a SQL attribute store and then write a custom rule to query the store.
As per the article, something like:
c:[type == "http://contoso.com/emailaddress"]
=> issue (store = "Custom SQL Store", types = ("http://contoso.com/age", "http://contoso.com/purchasinglimit"), query = "SELECT age,purchasinglimit FROM users WHERE email={0}",param = c.value);
using Grails 2.3.8 and
plugins {
compile ':spring-security-core:2.0-RC2'
compile ':spring-security-oauth:2.0.2'
compile ':spring-security-oauth-facebook:0.1'
compile ':spring-security-oauth-google:0.1'
}
and the default providers setup:
oauth{
providers{
facebook{
api = org.scribe.builder.api.FacebookApi
key = '11111'
secret = '222222'
successUri = "http://localhost:8880/oauth/facebook/success"
failureUri = "http://localhost:8880/oauth/facebook/error"
callback = "http://localhost:8880/oauth/facebook/callback"
scope = 'email'
}
}
As I understood, I have to use the absolute URL's for callbacks. That is a problem, as my app is mapped to several domains, like myapp.com, myapp.de, myapp.ru etc.
Is it possible out of the box to provide the callback URL's for each domain?
TIA
so, I figured it out!
the solution contains a bit of ugliness, but works like charm:
in my Config I had to change the providers so, that the server name is reflected in provider name and callback-URLs:
oauth{
providers{
facebook{
api = org.scribe.builder.api.FacebookApi
key = '11111'
secret = '22222222'
scope = 'email'
}
'facebook_localhost'{
api = org.scribe.builder.api.FacebookApi
key = '111111'
secret = '222222222'
successUri = "http://localhost:8880/oauth/facebook_localhost/success"
failureUri = "http://localhost:8880/oauth/facebook_localhost/error"
callback = "http://localhost:8880/oauth/facebook_localhost/callback"
scope = 'email'
}
'facebook_wwwmysitenet'{
api = org.scribe.builder.api.FacebookApi
key = '9999999'
secret = '888888888888'
successUri = "http://www.mesite.net/oauth/facebook_wwwmesitenet/success"
failureUri = "http://www.mesite.net/oauth/facebook_wwwmesitenet/error"
callback = "http://www.mesite.net/oauth/facebook_wwwmesitenet/callback"
scope = 'email'
}
}
}
to make processing easier, I remove the dots from the server name.
The same I made for google.
I have installed Spring Security using s2-quickstart and the Spring Security CAS plugin. I have the CAS plugin set up correctly (I believe) but when I try to visit the localhost:8080/caslogin/j_spring_security_check page to force a CAS login I am redirected to the default Spring Security log in page rather than the CAS login page that our company has set up. Does anyone know what might be causing this behavior? Here is my current CAS setup in Config.groovy:
grails.plugins.springsecurity.cas.loginUri = '/login'
grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://cas-server/cas'
grails.plugins.springsecurity.cas.key = 'grails-spring-security-cas'
grails.plugins.springsecurity.cas.filterProcessUrl = '/j_spring_security_check'
grails.plugins.springsecurity.cas.serverName = 'http://localhost:8080'
grails.plugins.springsecurity.cas.serviceUrl = 'http://localhost:8080/caslogin/j_spring_security_check'
grails.plugins.springsecurity.cas.proxyCallbackUrl = 'http://localhost:8080/caslogin/secure/receptor'
grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
grails.plugins.springsecurity.cas.active = true
grails.plugins.springsecurity.providerNames = ['casAuthenticationProvider']
// Added by the Spring Security Core plugin:
grails.plugins.springsecurity.userLookup.userDomainClassName = 'com.mycompany.caslogin.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'com.mycompany.caslogin.UserRole'
grails.plugins.springsecurity.authority.className = 'com.mycompany.caslogin.Role'
We have successfully used CAS in a Grails application, check my Config.groovy below:
In my case, when I try to go to localhost:8080/MyApp/j_spring_cas_security_check I get an access denied 404.
grails.serverURL = "http://192.168.10.12:8080/MyApp"
plugins {
springsecurity {
active = true
rejectIfNoRule = false
password.algorithm = 'SHA-256'
securityConfigType = grails.plugins.springsecurity.SecurityConfigType.Requestmap //url permission
apf.filterProcessesUrl = '/j_spring_security_check'
auth {
forceHttps = false
loginFormUrl = '/access/login'
ajaxLoginFormUrl = '/access/login?remote=true'
}
adh {
errorPage = '/access/denied'
ajaxErrorPage = '/acesso/denied?remote=true'
}
ajaxHeader = 'X-Requested-With'
failureHandler {
ajaxAuthFailUrl = '/access/fail?remote=true'
defaultFailureUrl = '/access/fail?login_error=1' //TODO
}
successHandler {
defaultTargetUrl = '/'
alwaysUseDefault = false
}
// Configuracao do CAS
providerNames = ['casAuthenticationProvider']
cas {
serverUrlPrefix = 'https://mycompany.com.br:8443/cas'
loginUri = '/login'
proxyReceptorUrl = '/secure/receptor'
serviceUrl = "${grails.serverURL}/j_spring_cas_security_check"
proxyCallbackUrl = "${grails.serverURL}/secure/receptor"
}
logout.afterLogoutUrl = 'https://mycompany.com.br:8443/cas/logout?service=${grails.serverURL}/'
// Customizacao de Entidades
userLookup.userDomainClassName = 'br.com.mycompany.app.access.User'
userLookup.authoritiesPropertyName = 'permissions'
authority.className = 'br.com.mycompany.app.access.Permission'
requestMap.className = 'br.com.mycompany.app.access.UrlAccess'
requestMap.configAttributeField = 'ruleExpression'
}
}