I am using Laravel 4.0.10 and ccovey/ldap-auth for user authentication. On the server end I have OpenLDAP server created with Turnkey OpenLDAP. I've followed the instructions but I'm getting an error when trying to connect to server.
Error:
Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid DN syntax
My app/config/adldap.php file:
<?php
return array(
'account_suffix' => '#mreza.vpl',
'domain_controllers' => array("ldap.vpl.lan"), // An array of domains may be provided for load balancing.
'base_dn' => 'DC=mreza,DC=vpl',
'admin_username' => 'admin',
'admin_password' => 'mypassword',
'real_primary_group' => true, // Returns the primary group (an educated guess).
'use_ssl' => false, // If TLS is true this MUST be false.
'use_tls' => false, // If SSL is true this MUST be false.
'recursive_groups' => true,
);
I added this line to app/config/auth.php:
'username' => 'uid'
My OpenLDAP database looks like this:
I want to authenticate against People group
Any ideas what I am doing wrong? I've been trying to set this up for a few days now. I am new to LDAP though.
Thanks!
Change the Admin username to either cn=Admin or cn=admin,DC=mreza,DC=vpl and try to connect. You need a full DN to bind, generally.
Related
Using Adldap2 package (https://adldap2.github.io/Adldap2/#/) and to be more accurate laravel version (https://github.com/Adldap2/Adldap2-Laravel) and having some issues with add/update some attributes after creation.
To be more specific, I will try to do this
Create user
$user = Adldap::make()->user([
'cn' => 'Vlad Test7',
'samaccountname' => 'vlad_test7',
'Company' => 'Company Name',
'givenname' => 'Vlad',
]);
$user->objectclass = [
'top',
'person',
'inetOrgPerson',
];
$user->save();
This will work.
But after if I will try to set another attribute like department, doing it as below
$user->setAttribute('Department', 'Information Systems');
$user->save();
I will get this error message
ErrorException : ldap_modify_batch(): Batch Modify: Insufficient access
at PATH_TO_PROJECT_ROOT\vendor\adldap2\adldap2\src\Connections\Ldap.php:386
I asked system admin about provided accounts permissions, and he told me that I have full access within OU for test user, that they have been created for me.
I suppose, that possibly can be something wrong with my config files, I have there as admin told me.
Here how config file (ldap.php) looks like
'hosts' => explode(' ', env('LDAP_HOSTS', 'corp-dc1.corp.acme.org corp-dc2.corp.acme.org')),
'port' => env('LDAP_PORT', 389),
'timeout' => env('LDAP_TIMEOUT', 5),
'base_dn' => env('LDAP_BASE_DN', 'dc=corp,dc=acme,dc=org'),
'username' => env('LDAP_USERNAME', 'username'),
'password' => env('LDAP_PASSWORD', 'secret'),
Based on my search result, possibly error message on update can be related with dn (distinguished name), as I have something like that as base_dn
base_dn=OU=TEST USER,OU=xxxxxx1,OU=xxxxxx2,OU=xxxxxx3,OU=xxxxxx3,DC=domain,DC=local
and when I'm creating a user, for new created user I'm getting new generated dn which is like below
dn=CN=Vlad Test7,OU=TEST USER,OU=xxxxxx1,OU=xxxxxx2,OU=xxxxxx3,OU=xxxxxx3,DC=domain,DC=local
not sure, is this correct or not? Thinking also about possibility, that I can't perform operations using generated distinguished names,when I'm creating a new record, at least impression is that I have added CN=Vlad Test7 to base_dn, which is causing the error.
Any suggestions or thoughts about this issue?
Thanks
Answer is simple, it was a permission issue of the AD user, which I'm using here, as error message describes, insufficient access, so nothing related with coding here.
I've implemented in my backend Cognito with Signup and Login, MFA activation and inactivation, but now I want to implement the remember devices, to reduce SMS confirmation.
For that, I've adjusted the InitiateAuth Function to the following code:
$client->initiateAuth([
'AuthFlow' => 'USER_SRP_AUTH', // REQUIRED
'AuthParameters' => [
"USERNAME" => $email,
"PASSWORD" => $password,
"SRP_A" => $bigA,
],
'ClientId' => $this->getClientId(), // REQUIRED
]);
This function runs properly, and returns the code in following image:
https://i.gyazo.com/a439e48e2de85a094f56ed4cfee10f83.png
Then, I continue generating SRP Values, and call in the function respondToAuthChallenge, with the following code:
$client->respondToAuthChallenge([
'ChallengeName' => 'DEVICE_SRP_AUTH',
'ChallengeResponses' => [
'USERNAME' => $username,
'SRP_A' => $bigA,
],
'ClientId' => $this->getClientId(),
]);
Yet, It returns me an error saying: 'Missing required parameter DEVICE_KEY'.
If I put a DEVICE_KEY key inside ChallengeResponses it starts returning me the error 'Device does not exist.'
I've searched a lot and cannot find a way to generate the DEVICE_KEY. I've tried with unique ID and sending it in both initiateAuthand respondToAuthChallenge but the error is the same.
Any clue how can I do it? I Believe that SRP code is not 100% yet, as still understanding the concept, yet, cannot understand the DEVICE_KEY part.
Thanks
It looks like you have to use Server Side Authentication Flow
For server-side apps, user pool authentication is similar to that for client-side apps, except:
The server-side app calls the AdminInitiateAuth API (instead of InitiateAuth). This method requires AWS admin credentials. This method returns the authentication parameters.
Once it has the authentication parameters, the app calls the AdminRespondToAuthChallenge API (instead of RespondToAuthChallenge), which also requires AWS admin credentials.
The AdminInitiateAuth returns among other stuff the device key.
I have 2 sites on the same domain (example.com, site2.example.com) and I am trying to make them both reference the same user tables etc from the main site (example.com) in order to have single sign on through both.
I have 2 DBs set up - one for each - and have set up a user which can access both with all the required permissions. I have altered my settings.php in the second site as below (and numerous variations of):
$databases['default']['default'] = array(
'driver' => 'mysql',
'database' => 'database_site2',
'username' => 'multi_username',
'password' => 'multi_password',
'host' => 'localhost',
'prefix' => array(
'default' => 'database_site2.',
'users' => 'database_main_site.',
'sessions' => 'database_main_site.',
'role' => 'database_main_site.',
'authmap' => 'database_main_site.',
),
);
Unfortunately when then trying to access site2 after making this change, I get the following error message:
Uncaught exception thrown in shutdown function.
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in >your SQL syntax; check the manual that corresponds to your MySQL server version for the >right syntax to use near '-amalga-01.semaphore WHERE (value = >'1471293032527ac89955a330.73110726')' at line 1: DELETE FROM {semaphore} >WHERE (value = :db_condition_placeholder_0) ; Array ( [:db_condition_placeholder_0] => >1471293032527ac89955a330.73110726 ) in lock_release_all() (line 269 of >/home/sites/amalgamart.co.uk/public_html/exampletown/includes/lock.inc).
If someone is able to help me with this I would be forever grateful!
Thanks!
The "prefix" part of Drupal's db configuration refers to a string that is prepended to the table name within a single database, whereas you are trying to use two different databases. I don't think that this is possible in Drupal. Please read this, or you can try and see if Domain Access module could be suitable to your needs.
I'm hosting a Yii app on shared-host with some my friend, and keep database in private MySQL server. As you knew, database info can be found so very easy in protected\config\main.php by another host owner (my friend and more):
'db'=>array(
'connectionString' => 'mysql:host=211.113.2.45;dbname=FamilyBook',
'emulatePrepare' => true,
'username' => root,
'password' => 'xcute445',
'charset' => 'utf8',
),
Is there any solution to conceal connection information as IP mySQL server, username, password?
May MySQL server provide RSA mechanism to protect database info?
Example, any people can see as below but cannot understand or use:
'db'=>array(
'connectionString' => '57bf064b2166366a5ea61109006b8d5c',
'emulatePrepare' => true,
'username' => '63a9f0ea7bb98050796b649e85481845',
'password' => 'e04ccf211208f8c97e4a36e584926e60',
'charset' => 'utf8',
), // value by MD5 function, example only
No, you cannot conceal the credentials from someone who has access to your source as long as you are using native MySql authentication. That's because your code needs to pass the credentials as cleartext¹ to the server, so it needs to be able to "decrypt" them before connecting. Someone who has access to your source can follow the same procedure and decrypt them as well.
You could secure your system by relying on some type of PAM authentication instead of user-supplied credentials, but Yii does not support such.
¹note: This is not actually true. The client passes a hash to the server, but it needs to have access to the original password in order to hash it. This means that for the purposes of this discussion it makes no difference (it would make a difference for someone who is listening on the network).
Using Yii 1.x I did it using below method.
create a class, DbConnection inside protected/components extending from CDbConnection
class DbConnection extends CDbConnection
{
public function createPdoInstance()
{
// Decrypt the password used in config file
// e.g.: $this->password = mydecrypt($this->password);
return parent::createPdoInstance();
}
}
Adjust the config file (protected/config/main.php)
'db' => array(
'class' => 'DbConnection', // Use above classname
'password' => 'encryptedpassword',
),
I am looking to automate the creation of a MySQL database via a json api call. To list dbs, I can just use something like:
https://example.com:2083/json-api/cpanel?user=username&cpanel_jsonapi_module=MysqlFE&cpanel_jsonapi_func=listdbs&cpanel_jsonapi_version=2
This is successful via HTTP Sockets and CURL. Is there any equivalent call for adddb?
https://example.com:2083/json-api/cpanel?user=username&cpanel_jsonapi_module=Mysql&cpanel_jsonapi_func=adddb&dbname=aa1&cpanel_jsonapi_version=1
This doesn't work. I get the following error:
“username_†is an invalid database name. It contains invalid characters.
Any ideas?
UPDATE:
I am running this via an HTTP Socket connection in CakePHP with the following code:
$query = 'cpanel_jsonapi_module=MysqlFE&cpanel_jsonapi_func=adddb&dbname=aa1&cpanel_jsonapi_version=2';
$request = array(
'auth' => array(
'user' => $queryData['conditions']['username'],
'pass' => $queryData['conditions']['password'],
'method' => 'Basic',
),
'uri' => array(
'scheme' => 'https',
'host' => $queryData['conditions']['host'],
'port' => '2083',
'user' => $queryData['conditions']['username'],
'path' => 'json-api/cpanel',
'query' => $query,
),
);
$result = json_decode($this->connection->request($request), true);
http://docs.cpanel.net/twiki/bin/view/ApiDocs/Api1/ApiMysql#Mysql::adddb
You've got dbname in the url twice but I don't know if that matters...
I'm not sure how the url API works, you could try ..._jsonapi_func=adddb(thedbname) but I have no clue if that would work.
Found the solution. In order to create / delete a DB through the cPanel API, it must be processed through API 1. The API access is a little bit different.
You must first get the theme your cPanel account is using (StatsBar:stat (theme):
https://example.com:2083/json-api/cpanel?user=USERNAME&cpanel_jsonapi_module=StatsBar&cpanel_jsonapi_func=stat&display=theme&cpanel_jsonapi_version=2
Then you plug that theme into another request:
https://example.com:2083/frontend/THEME/sql/addb.html?db=aa1
Of course, you must have the Authentication in the HTTP Socket (or CURL). Works like a charm!