squid authentication with freeipa which exported the users from AD windows - proxy

Hi. I hope everything goes well for you. I'm attempting to set up a Squid proxy and have a FreeIPA server as my identifier. Everything works properly when I perform the authentication of the users I've created in FreeIPA. The lab will go further; I've established a trust relationship with a Windows 2019 AD.
I exported the AD users into a group on FreeIPA. As a result, the user is in an external group on the system. After that, I try to connect as these users via Squid, but it does not work. It says in the logs that it cannot find the user. However, when I try to connect via ssh to the FreeIPA server using the AD user, everything works perfectly. I am new to this field. Please help me.
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=domaine,dc=com" -f "uid=%s" -h ipa.domaine.com
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all
I tried to create a script that authenticates me using ssh, but nothing. I also tried the Squid helper basic_getpwnam_auth, but it still doesn't work.

Related

How can I configure Gmail with Oracle Apex using stunnel (application express) 5.0.3

How can I set up Oracle Apex (Application Express) to send emails through my Gmail account without using my own SMTP?
Background:
Apex 5.0.3 is installed with Oracle XE 11.2 installed on CentOS (Linux) 6.x.
SMTP is not required to be enabled on CentOS. We will use the Gmail one directly.
Solution is based on the Windows implementation published by HÅVARD KRISTIANSEN at:
http://monkeyonoracle.blogspot.com/2009/11/plsql-and-gmail-or-utlsmtp-with-ssl.html
Will use stunnel to communicate with Gmail directly.
Apex / Oracle XE installation instructions are not included.
Installation (written out of my head):
1.Install stunnel as root :
yum install stunnel -y
2.create a conf file for stunnel using nano or vi (to install nano : yum install nano -y )
nano /etc/stunnel/stunnel.conf
3.Enter the following to new stunnel.conf created:
; Use it for client mode
client = yes
[ssmtp]
accept = 1925
connect = smtp.gmail.com:465
4.restart stunnel using whatever method, e.g. kill -9 and start using the following command:
/usr/bin/stunnel
5.Log in to apex as admin : http://yourhost:port/ords/apex_admin
Go to : Manage instance -> instance settings.
6.Put the following settings :
SMTP Host Address : 127.0.0.1 (or your local)
SMTP Host Port : 1925 (as you can see in stunnel.conf above).
SMTP Authentication Username : your gmail username : etai.guday (WITHOUT @gmail.com)
SMTP Authentication Password : gmail password
Use SSL/TLS : NO
Default Email From Address : etai.guday@gmail.com (including @gmail.com)
7.Due to gmail restrictions YOU MUST enable : https://g.co/allowaccess to use the above method (with relevant gmail account).
8.Enable Oracle DB ACL by using the example below
https://www.dropbox.com/s/2ieaawy5gme9a50/email_configuration_acl_for_apex.txt?dl=0
All above should work :-) didn't have time to test it further or refer to security issues etc

hydra target ssh does not support password authentication

I am using Hydra v8.1 downloaded and compiled from a tar file. I've managed to solve the standard problem of libssh support and now when I try to make an attack (I think it's called a dictionary attack) on an SSH server, after specifying the following command:
hydra -l {username} -s {port} -P /Users/{UserName}/Desktop/{file}.txt {ip} ssh
I get the following output:
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2015-09-30 10:59:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 7 tasks per 1 server, overall 64 tasks, 7 login tries (l:1/p:7), ~0 tries per task
[DATA] attacking service ssh on port {port}
[ERROR] target ssh://{ip}:{port}/ does not support password authentication
I have enabled support for the required libraries and I am running an OS X environment.
Can someone indicate a solution to this problem? Thank you.
Note: If I manually log in with the username and password, the authentication grants access to the server.
from another board:
https://security.stackexchange.com/questions/183848/hydra-fails-with-error-target-ssh-192-168-16-12822-does-not-support-passw
SSH supports several different authentication mechanisms. The password authentication mechanism has the client send the password to the server as a password. The more-common keyboard-interactive authentication mechanism opens a channel between the client and an authentication process on the server. The client allows the user to directly interact with the authentication process, which is usually just a password prompt. This allows more complex features like multiple-factor authentication and pre-authentication warnings and checks.
So your target probably supports keyboard-interactive and not password authentication.

How to send email using tibco mail activity

I am a beginner in TIBCO. I want to send email using the TIBCO mail activity. Following is my configuration of the Send Mail activity:
host: smtp.gmail.com:587
selected the Authenticate check box
then in the username field entered my gmail username and in the password field entered my gmail password.
and in the input tab provided the valid to address, subject and body. When I run it I get the following error:
BW-MAIL-100019 Job-10000 Error in [Sender.process/Send Mail]
Error sending mail message. Cause: com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.0 Must issue a STARTTLS command first. nx12sm74930440pab.6 - gsmtp
I have also checked by changing the host like this smtp.gmail.com:25 but still the same error. Can anybody please tell me what I am doing wrong?
Follow these instructions to use the Send Mail activity over TLS (port 587):
First, retrieve the full certificate chain of the SMTP server. To do so, download an OpenSSL client (e.g. GnuWin32's implementation if you are on Windows), then type:
openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp
A list of PEM-formatted certs should show up. Copy each of them in a separate file (or all of them in a single file) with extension .cert and add those files to any folder in your BW project. Please note that the root CA certificate is missing from the chain; you can download it here and add it to the certs folder. You can also use an external folder if you want the certs to be managed outside your project by using the BW_GLOBAL_TRUSTED_CA_STORE global variable (see BW documentation).
On the Send Mail activity, set the Host field to smtp.gmail.com:587.
If using BW 5.8 or below, add the following Java properties to the TRA of your application:
java.property.mail.smtp.starttls.enable=true
java.property.mail.smtp.starttls.required=true
If using BW 5.10 or above, check the SSL box and make the Trusted Certificates Folder point to your certs folder.
Check the Authenticate box and set the User Name (xxxx@gmail.com) and Password fields with your Google credentials.
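The answer above asks you to copy each PEM block from the openssl s_client -showcerts transcript into its own .cert file and warns that the root CA is not in the chain. The following added example (not TIBCO's code and not from the answer's author) does exactly that step offline: it splits a transcript into cert-N.cert files and, from the "s:" / "i:" header lines that s_client prints above each certificate, reports whether the last certificate in the chain is self-signed, i.e. whether the root is present or still has to be fetched. The transcript it runs on is constructed for the example (dummy certificate bodies, placeholder names under example.test), so run it on the real s_client output to check an actual chain.

```python
import re
import tempfile
from pathlib import Path

# One PEM certificate block, BEGIN/END lines included.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# The " N s:<subject>" and "   i:<issuer>" lines s_client prints above each cert
# (both the "CN = x" and the older "/CN=x" styles are captured verbatim).
SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$", re.M)
ISSUER_RE = re.compile(r"^\s*i:(.*)$", re.M)

# Constructed stand-in for `openssl s_client -showcerts -starttls smtp` output:
# a leaf and an intermediate with dummy bodies, and no self-signed root, which is
# the situation the answer describes. Not real certificate data.
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDLEAF0000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDINTERMEDIATE00000000000000000000000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = smtp.example.test
"""


def split_chain(transcript):
    """Return the PEM certificate blocks found in the transcript, leaf first."""
    return PEM_RE.findall(transcript)


def chain_summary(transcript):
    """Pair each certificate's subject with its issuer and flag whether the chain
    ends in a self-signed root (subject == issuer). When it does not, the issuer
    of the last certificate names the root CA you still have to add by hand."""
    subjects = [s.strip() for s in SUBJECT_RE.findall(transcript)]
    issuers = [i.strip() for i in ISSUER_RE.findall(transcript)]
    pairs = list(zip(subjects, issuers))
    root_in_chain = bool(pairs) and pairs[-1][0] == pairs[-1][1]
    return {
        "depth": len(pairs),
        "pairs": pairs,
        "root_in_chain": root_in_chain,
        "missing_root_issuer": None if root_in_chain or not pairs else pairs[-1][1],
    }


def write_certs(transcript, outdir=None):
    """Write each PEM block to <outdir>/cert-N.cert, the extension the answer uses.
    Defaults to a fresh temporary directory so the example is safe to run as is."""
    outdir = Path(outdir) if outdir else Path(tempfile.mkdtemp(prefix="certs-"))
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, pem in enumerate(split_chain(transcript), start=1):
        path = outdir / f"cert-{n}.cert"
        path.write_text(pem + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    summary = chain_summary(SAMPLE_TRANSCRIPT)
    for subject, issuer in summary["pairs"]:
        print(f"subject: {subject}\n  issued by: {issuer}")
    if not summary["root_in_chain"]:
        print(f"root CA not in chain; fetch and add: {summary['missing_root_issuer']}")
    for path in write_certs(SAMPLE_TRANSCRIPT):
        print("wrote", path)
```

Point the Trusted Certificates Folder (or BW_GLOBAL_TRUSTED_CA_STORE) at the directory write_certs produced only after the root CA has been added to it; a trust folder that holds just the leaf and intermediate will keep failing validation once the leaf certificate is rotated.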

In SVN how do I override automatic Windows domain authentication

I have a build server that is not part of a Windows domain trying to connect to a VisualSVN server running HTTPS via Apache with domain login via Active Directory. When I try to connect to the server by specifying a domain username I observe a client hang:
svn ls --username=domainuser https://subversion.mydomain/svn/repo1/
The logs on the server show Windows authentication failures using the login-name for the build-machine, and the build-machine's hostname in the Domain name field. The username provided on the command-line is completely ignored.
SVN Client: TortoiseSVN commandline tools: svn, version 1.8.1 (r1503906)
On a separate machine (on the domain) - I found that the --username would not be ignored if I used the cygwin svn instead.
The solution I found was to disable the http-auth-type 'negotiate'. This prevents Windows credentials being automatically shared.
I verified this using a command-line override, it asked for password for the user on the command-line:
svn ls --username=domainuser --config-option servers:global:http-auth-types=basic;digest https://subversion.mydomain/svn/repo1/
Authentication realm: <https://subversion.mydomain/svn/repo1/> VisualSVN Server
Password for 'domainuser':
(Note for Cygwin users: If you use SVN under Windows via Cygwin then you will need to add quotes to your command like this: $ svn ls --username=domainuser --config-option "servers:global:http-auth-types=basic;digest" https://subversion.mydomain/svn/repo1/ -- Otherwise the semicolon will be treated as a command delimiter.)
To configure this more permanently you can make a servers config file entry for all matching servers. For Win7 that's C:\Users\<User>\AppData\Roaming\Subversion\servers.
[groups]
mydomain = *.mydomain
[mydomain]
http-auth-types=basic;digest
Instead of disabling negotiate in the client's config, I'd suggest using Windows Credential Manager to store the other account's credentials for Single Sign-On.
The following instructions show how to put other domain credentials to access VisualSVN Server into Windows Credential Manager:
Start | Control Panel | Credential Manager,
Click 'Add a Windows Credential',
As 'Internet or network address' enter the FQDN of VisualSVN Server's machine,
As 'Username' enter the <DOMAIN>\<username> of a user account that exists in the domain and has access rights to VisualSVN Server,
Complete the password field and click OK,
Verify that you can authenticate to VisualSVN Server under the selected user account after completing the above steps.

how can I login anonymously with ftp (/usr/bin/ftp)?

I'm trying to connect to an FTP server which allows anonymous access, but I don't know how to specify the appropriate username/password required to do this.
I've tried using anonymous/anonymous as the user/pass with no luck, as well as the empty string and various combinations of the two, etc.
It's gotta be something simple that I'm missing; I can connect just fine with curl ftp://server/
Using python:
stu@sente ~ $ cat - | python
import ftplib
ftp = ftplib.FTP("ftp.server")
ftp.set_debuglevel(2)
ftp.connect()
ftp.login()
list = ftp.nlst()
ftp.close()
print "\n", " ".join(list)
^D
*get* '220 ftp.server NcFTPd Server (licensed copy) ready.\r\n'
*resp* '220 ftp.server NcFTPd Server (licensed copy) ready.'
*cmd* 'USER anonymous'
*put* 'USER anonymous\r\n'
*get* '331 Guest login ok, send your complete e-mail address as password.\r\n'
*resp* '331 Guest login ok, send your complete e-mail address as password.'
*cmd* 'PASS **********'
*put* 'PASS **********\r\n'
*get* '230 Logged in anonymously.\r\n'
*resp* '230 Logged in anonymously.'
*cmd* 'TYPE A'
*put* 'TYPE A\r\n'
*get* '200 Type okay.\r\n'
*resp* '200 Type okay.'
*cmd* 'PASV'
*put* 'PASV\r\n'
*get* '227 Entering Passive Mode (12,161,242,12,128,138)\r\n'
*resp* '227 Entering Passive Mode (12,161,242,12,128,138)'
*cmd* 'NLST'
*put* 'NLST\r\n'
*get* '150 Data connection accepted from 208.118.225.99:38451; transfer starting.\r\n'
*resp* '150 Data connection accepted from 208.118.225.99:38451; transfer starting.'
*get* '226 Listing completed.\r\n'
*resp* '226 Listing completed.'
Obin bin pub public sci_tech_med
Anonymous FTP logins are usually the username 'anonymous' with the user's email address as the password. Some servers parse the password to ensure it looks like an email address.
User: anonymous
Password: anonymous@domain.com
Anonymous FTP usage is covered by RFC 1635: How to Use Anonymous FTP:
What is Anonymous FTP?
Anonymous FTP is a means by which archive sites allow general access
to their archives of information. These sites create a special
account called "anonymous".
…
Traditionally, this special anonymous user account accepts any string
as a password, although it is common to use either the password
"guest" or one's electronic mail (e-mail) address. Some archive
sites now explicitly ask for the user's e-mail address and will not
allow login with the "guest" password. Providing an e-mail address
is a courtesy that allows archive site operators to get some idea of
who is using their services.
These are general recommendations, though. Each FTP server may have its own guidelines.
For sample use of the ftp command on anonymous FTP access, see appendix A:
atlas.arc.nasa.gov% ftp naic.nasa.gov
Connected to naic.nasa.gov.
220 naic.nasa.gov FTP server (Wed May 4 12:15:15 PDT 1994) ready.
Name (naic.nasa.gov:amarine): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-----------------------------------------------------------------
230-Welcome to the NASA Network Applications and Info Center Archive
230-
230- Access to NAIC's online services is also available through:
230-
230- Gopher - naic.nasa.gov (port 70)
230- World-Wide-Web - http://naic.nasa.gov/naic/naic-home.html
230-
230- If you experience any problems please send email to
230-
230- naic@nasa.gov
230-
230- or call +1 (800) 858-9947
230-----------------------------------------------------------------
230-
230-Please read the file README
230- it was last modified on Fri Dec 10 13:06:33 1993 - 165 days ago
230 Guest login ok, access restrictions apply.
ftp> cd files/rfc
250-Please read the file README.rfc
250- it was last modified on Fri Jul 30 16:47:29 1993 - 298 days ago
250 CWD command successful.
ftp> get rfc959.txt
200 PORT command successful.
150 Opening ASCII mode data connection for rfc959.txt (147316 bytes).
226 Transfer complete.
local: rfc959.txt remote: rfc959.txt
151249 bytes received in 0.9 seconds (1.6e+02 Kbytes/s)
ftp> quit
221 Goodbye.
atlas.arc.nasa.gov%
See also the example session at the University of Edinburgh site.
As others point out, the user name is usually anonymous, and the password is usually your e-mail address, but this is not universally true, and has been found not to work for certain anonymous FTP sites. For example, at least some cPanel sites seem to deviate from the norm, and if given the traditional user name without domain, one of various errors may result:
If the server uses Pure-FTP as the FTP server:
421 Can't change directory to /var/ftp/ error message.
If the server uses ProFTP as the FTP server:
530 Login Authentication Failed error message.
When one of the aforementioned errors occurs when attempting anonymous access, try including a domain with the username. For example, where example.com is the domain used in your e-mail address:
User name: anonymous@example.com
In the specific case of a cPanel site, the password value is unimportant, and may be left blank, but there is no harm in providing a "traditional" anonymous password formatted as an e-mail address.
For reference, this answer is based on content found on a documentation.cpanel.net Anonymous FTP page. At the time of this writing, it stated:
When users log in to FTP anonymously, they must format usernames as anonymous@example.com, where example.com represents the user's domain name. This requirement directs your server to the correct public_ftp directory.
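Putting the two conventions from these answers together (the traditional 'anonymous' user with an e-mail address as password, and the anonymous@example.com form that cPanel hosts require), here is an added example of a client that tries the traditional form first and falls back to the domain-qualified one when the server refuses it. It is not part of any answer above and not cPanel's or Python's own code. So that it runs offline, it also includes a constructed fake FTP server that behaves like the cPanel case quoted above (530 for a bare 'anonymous', 331/230 for anonymous@<domain>); the domain example.com is a placeholder, and the reconnect-per-attempt design is a deliberate choice because a server answering 421 usually drops the connection.

```python
import ftplib
import socketserver
import threading

ANON_DOMAIN = "example.com"  # placeholder domain, as used in the answers above


class _ConstructedAnonFTP(socketserver.StreamRequestHandler):
    """Constructed fake FTP server for this demo only. It refuses a bare 'anonymous'
    USER with 530 (the ProFTPD error quoted on the page) and accepts
    'anonymous@<domain>' with 331/230, mimicking the cPanel behaviour."""

    def handle(self):
        self.wfile.write(b"220 constructed test FTP server ready\r\n")
        pending_user = None
        while True:
            raw = self.rfile.readline()
            if not raw:  # client closed the control connection
                return
            cmd, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                if arg.lower().startswith("anonymous@"):
                    pending_user = arg
                    self.wfile.write(b"331 Guest login ok, send your complete e-mail address as password.\r\n")
                else:
                    pending_user = None
                    self.wfile.write(b"530 Login Authentication Failed\r\n")
            elif cmd == "PASS":
                if pending_user:
                    self.wfile.write(b"230 Logged in anonymously.\r\n")
                else:
                    self.wfile.write(b"503 Login with USER first.\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented.\r\n")


def anonymous_login(host, port, domain=ANON_DOMAIN, email=None):
    """Log in anonymously: try the traditional 'anonymous' user first, then the
    cPanel-style 'anonymous@<domain>'. Each attempt uses a fresh control connection,
    since a 421 reply normally comes with the server closing the socket.
    Returns the logged-in FTP object and the username the server accepted."""
    password = email or f"anonymous@{domain}"  # the courtesy e-mail address as password
    last_error = None
    for user in ("anonymous", f"anonymous@{domain}"):
        ftp = ftplib.FTP()
        try:
            ftp.connect(host, port, timeout=5)
            ftp.login(user, password)
            return ftp, user
        except ftplib.all_errors as exc:  # 530 -> error_perm, 421 -> error_temp/EOFError
            last_error = exc
            ftp.close()
    raise last_error


def demo():
    """Run the fake server on a loopback port, log in through the fallback logic,
    and return the username that finally worked."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _ConstructedAnonFTP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        ftp, user = anonymous_login("127.0.0.1", server.server_address[1])
        ftp.quit()
        return user
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("accepted username:", demo())
```

Against a real host, call anonymous_login with its hostname and port 21 and your own domain; the fake server is only there so the fallback path can be exercised without a network.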
