iControl REST Remote Authentication BIG-IP v11.5.1 and LDAP - f5

I am using F5 iControl 11.5.1. I have integrated LDAP and it is working fine, but I need to access F5 using the iControl REST service.
Is there any REST endpoint available in 11.5.1?
What are the parameters, and how do I pass them for LDAP?

iControl REST is available in 11.5.1. It was introduced in 11.4 as an early access feature and fully implemented in 11.5. The documentation for iControl REST can be found here. You can find the endpoints and examples for how to use them there. Here's another link to the PDF of the user manual for the 11.5.0 version.
The format for using iControl REST is https://BIGIP/mgmt/tm/ltm/pool. The endpoints use Basic authentication, so you'll need to make sure to set the basic Authorization header. Also, you'll need to use an account that has admin permissions to the box.
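A minimal client for the endpoint described above, added here as an example (it is not code from the original answer or from F5). The host name and CA bundle path are placeholders, and the 401 handling reflects the account requirement the other answers describe.

```python
import base64
import json
import ssl
import urllib.request
from urllib.error import HTTPError

# Placeholders (assumptions, not values from the page): replace with your device.
BIGIP_HOST = "bigip.example.com"
CA_BUNDLE = "/path/to/bigip-ca.pem"  # CA that issued the BIG-IP management cert


def basic_auth_header(user: str, password: str) -> str:
    """Value for the HTTP Basic Authorization header (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def pool_names(collection_json: str) -> list:
    """Names of the pools in an iControl REST collection document.
    Members live under "items"; an empty collection may omit the key."""
    doc = json.loads(collection_json)
    return [item["name"] for item in doc.get("items", [])]


def list_pools(host: str, user: str, password: str, ca_bundle: str) -> list:
    """GET https://<host>/mgmt/tm/ltm/pool with Basic auth over verified TLS."""
    req = urllib.request.Request(
        f"https://{host}/mgmt/tm/ltm/pool",
        headers={"Authorization": basic_auth_header(user, password),
                 "Accept": "application/json"},
    )
    # Verify the device certificate rather than disabling checks: the
    # Authorization header carries the password and must not reach an impostor.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return pool_names(resp.read().decode("utf-8"))
    except HTTPError as err:
        if err.code == 401:
            # Per the answers above: the account must exist on the remote auth
            # server (or be "admin") and have admin permissions on the box.
            raise PermissionError("BIG-IP rejected the credentials (HTTP 401)") from err
        raise


if __name__ == "__main__":
    import getpass
    print(list_pools(BIGIP_HOST, input("user: "), getpass.getpass(), CA_BUNDLE))
```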

There is no way to bypass LDAP/TACACS or remote authentication as of this time in any version. I recently opened a case for the same issue. The service account you use must exist in LDAP or you have to use the "admin" account.

Recently, F5 came up with a concept of Role Based Access Control (RBAC): create a local user account, but here you are only able to add a Username and Role. No password entry is available. Make sure you use a Username that is not listed in the remote role groups on the remote authentication server (Active Directory - LDAP).

Related

How can I use Linked services in Azure Data Factory to manage an OAuth Web Activity

I have set up a Linked Service in Azure Data Factory to use in a Copy Activity to access Graph APIs, which require use of the OAuth protocol, which works fine. I now want to extend that to use the same Linked Service with a Web Activity. But in tests, it is returning "Empty Token"; am I missing a (simple) config option, or am I misunderstanding something?
Earlier, I used explicit Token fetch, which also works fine, but as my queries will - in Production - take longer than the (default) Token TTL, I did not want to have to implement Token refresh, at least not if the Linked Service will handle it for me.
I'm grateful to https://learn.microsoft.com/answers/users/7986441/carlzhao-msft.html for pointing out that I need also to specify, in the Web Services Settings tab, the Authentication as Managed Identity, with the accompanying Resource as https://graph.microsoft.com/, for my use case.

How can we configure Artifactory to auto-assign OAuth users to LDAP groups?

I've got Artifactory set up to allow SSO via an OIDC client in Keycloak. Keycloak talks to Active Directory in the background. I've also got the same Active Directory configured within Artifactory. I've also configured Keycloak to provide user groups in the userinfo structure.
What I'm trying to do is to get OAuth users to automatically be added to the imported LDAP groups within Artifactory. I don't mind if this is done via the userinfo structure or via a separate LDAP lookup when a user logs in. However I can't seem to figure out how to achieve this.
I know that Artifactory provides a plugin called synchronizeLdapGroups.groovy, which seems to advertise doing what I need, however it seems like the plugin is not actually taking effect. That is to say, users do not end up with the permissions that being in the LDAP groups would provide.
I've attempted to write a plugin myself to do what I need, but when I make the API call to add the groups to the user, the plugin crashes. It's unclear why at this point.
It seems like others have used the SCIM feature in Artifactory for something akin to this (mostly via SAML rather than OIDC though), however Keycloak doesn't support SCIM out of the box and the SCIM plugin I've tried using has similarly given me no results.
Has anyone done something similar to this, and has a working solution I could follow?
If it's a specific group you want all users to be in you could try:
Under Security - OAuth SSO settings tab - check "Auto Create Users"
Under Identity and Access - Groups - select the specific group and check "Automatically Join New Users To The Group"
I'm guessing you want to automatically sync user-group association between Keycloak and Artifactory. SCIM is what you're looking for but there's a known issue specifically with Keycloak SCIM plugin.
We're looking into the SCIM plugin for Keycloak (can't commit on a specific timeline for a fix but it should be sometime this quarter).
If you only need the association in the UI you could try SAML with "Auto associate groups" set. It won't apply the groups association for APIKey/Token calls but it would work for the UI.
EDIT:
After further investigation, github.com/Captain-P-Goldfish/scim-for-keycloak isn't relevant here - it makes Keycloak a SCIM client, not a SCIM server. There's no official support of SCIM in Keycloak, see issues.redhat.com/browse/KEYCLOAK-2537, and there's no working plugin for Keycloak that makes it a SCIM server that I could find (tried a few, all broken). For now Artifactory can't support SCIM with Keycloak.

Google Identity Aware Proxy Authenticate with API on SPA

I'm curious what is the "best practice" for authenticating against a restful-api that is protected by Google IAP.
Allow me to break it down step by step to elucidate what I am trying to achieve:
Go to my dev environment's url: dev.blah.com. Here, I am prompted by IAP to log-in. I log in. I now have access to my SPA.
I am browsing my SPA. But! I'm unable to talk to my API, because it is ALSO protected by IAP.
I've read that I can do programmatic authentication in the documentation but I'm unsure if my particular use case is suited for programmatic authentication, or if it will even be SECURE.
So, am I correct in that I will have to implement a client-side programmatic-authentication workflow in order to access my API?
Or is there an alternative way to say "Once I'm authenticated to access THIS IAP-protected resource, I can log into these other resources as well." I cannot simply copy the token because it is http-only and the cookie is restricted to my current domain.
Some additional information:
My services are running in a Google Kubernetes Engine cluster and have automatically created load balancers based off of ingress objects I declare.
Each IAP-protected environment gets its own OAuth credentials, and I configure the load-balancers to use IAP using: gcloud compute backend-services update [backend-service] --global --iap=enabled,oauth2-client-id=[the_id],oauth2-client-secret=[the_secret]
Let me make sure I understand what you're trying to do. It sounds like you want to call your API from JavaScript inside the web browser, is that correct?
If so, and:
All backend services are configured to use the same OAuth client ID.
The API and the SPA are serving off the same domain.
then I think things will just work, because the JavaScript-generated HTTP requests will be sent with the IAP session cookie. ... Which must not be your setup, or things would just be working which clearly they aren't. :>
If you're not able to arrange for your API calls to use the IAP session cookie generated when you authenticate to the SPA, this will be tricky. You wouldn't want to use service account authentication from the browser, since that would give all end-users access to the service account.
Hm, it looks like there is a way to do Google OAuth from JavaScript: https://developers.google.com/api-client-library/javascript/features/authentication -- I haven't tried it, but if you're able to get that working, you ought to be able to use a flow like https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_desktop_app . If you want to go that route, let me know how it goes and I'd love to help you get unstuck and then get that approach added to our documentation!
--Matthew, Google Cloud IAP engineering

Restrict access to an application using oauth2_proxy and Gitlab as its provider

I have currently set up a web-based application, to which I have added an authentication method using oauth2_proxy (with GitLab as authentication provider). What I need to know is if there's a way that I can restrict the access to this app using a GitLab group or something like that? Because as of now, oauth is configured to allow access to any user on GitLab which has a foo.bar email domain (-email-domain=foo.bar directive in the oauth config). However, I'm looking to control this method in a more restricted manner, so for instance I will create a group on GitLab, to which I will add only relevant users and other groups to which access should be granted. Is there a way to do it?
Not sure if it's what you're looking for, but regarding the documentation you could use the --authenticated-emails-file param to provide an authenticated emails list.

How to get multi-user chat room access control list from external auth on ejabberd

I have ejabberd set up using external_auth to authenticate against the user database of my web application. What I would like is to be able to create a MUC (chat room) for site moderators, and automatically add those users to the chat, to the exclusion of all other users.
Eventually I would also like to be able to map my site's groups functionality to MUC's in ejabberd also.
The external authentication API for ejabberd doesn't seem to provide for fine-grained access control, basically only allowing you to query whether a user is registered and whether a username / password combination successfully authenticates a user.
The only reference I've seen to acl's for MUC's is here:
http://www.ejabberd.im/aclpopulate
But that seems to require setting privileges through the webadmin interface.
Is there no way to do this automatically from external auth?
To answer my own question, it doesn't seem possible to do what I need by using external auth.
I ended up integrating ejabberd commands into the user / group lifecycle of my web app, which was quicker than I had anticipated, and has the added bonus of being a zillion times faster than using external auth (I use ejabberd's internal user database, using ejabberdctl to create users, update passwords, add and remove from shared rosters and create muc's).
To help with that process I created a PHP wrapper for ejabberdctl which is freely available on github:
https://github.com/tomlancaster/Ejabberd-Wrapper-PHP
Please feel free to use and abuse it as you wish.
If you have your own authentication module, you can redirect the authentication process of ejabberd. In the ejabberd_auth.erl file, redirect authentication by modifying the two functions check_password_with_authmodule/3 and check_password_with_authmodule/5. From your authentication module, return the same term that these two functions return.
If your authentication module is on a different machine, make a socket connection to communicate with your authentication module, get the result, and give the result back to the check_password_with_authmodule function.
After these changes, rebuild ejabberd and start it.
