I stood up OpenDJ v3.0.0 on rhel 7 server with java version 1.8.0_251. I set ssl/tls to yes with self sign cert generated and it is empty no ldap schema is imported yet only baseDN was stated.
Once install was complete, I executed service opendj status and system said Running although executing /install/path/bin/status threw java.security.cert.CertificateException: No subject alternative names present.
With assumption of ldap service is running I executed following two diff sets of ldapsearch cmds to verify whether it is handling incoming ldap request or not base on this doc: https://backstage.forgerock.com/knowledge/kb/article/a54816700
./ldapsearch --hostname foo.domain.com --port 636 --useSsl --trustAll --bindDN "cn=Directory Manager" --bindPassword password --baseDN "" --searchScope base "(objectclass=*)" 1.1
dn:
./ldapsearch --port 389 --baseDN "" --searchScope base "(&)" alive healthy
dn:
My question is with returned response as dn:, I can't tell OpenDJ is running properly or not. I'd appreciate your advice.
The first error with Status is due to changes in JDK 8 where certificates subject name much match the hostname you are trying to connect to.
The second part of the question is not an error. It's expected. Your first query is requesting no attributes (trailing argument '1.1' means to return no attributes).
The second query is requesting attributes that do not exist in the rootDSE for OpenDJ 3.0. These attributes were added to ForgeRock Directory Service version 6.5.0.
Related
I am having a Micro-Service Platform having multiple Micro-Services connected to each other, Platform uses Kerberos for authentication of Micro-Services. In One of Micro-Service Node hadoop is installed which uses separate KDC for Hadoop cluster authentication.
Lets say platform domain is "idm.com" and hadoop domain is "hadoop.com".
Resource Manager is running on one node. I have configure HTTP principal for spnego in core-site.xml using "hadoop.http.authentication.kerberos.principal" property to "HTTP/master.hadoop.com#HADOOP.COM" and nodes Hostname is "hadoopmaster.idm.com".
I do Kinit and acquire root user ticket from TGS. When I tried to do curl using "curl -k -v --negotiate -u : https://master.hadoop.com:8090/cluster" It shows GSS Exception: No valid credentials provided.
If I see klist it shows two ticket one krbtgt and second "HTTP/hadoopmaster.idm.com#HADOOP.COM"(I have added this principal in kdc database). First krbtgt i got using kinit and second HTTP one i Got it automatically after doing curl before curl the ticket was not there. Krb client acquired another for using HTTP service.
After some debugging I noticed the problem/behaviour is I got ticket for HTTP/hadoopmaster.idm.com#HADOOP.COM where I have configure hadoop to use HTTP/master.hadoop.com#HADOOP.COM. If we configure hadoop to use "HTTP/hadoopmaster.idm.com#HADOOP.COM" then ui is accessible.
I have added both FQDNs to /etc/hosts file.
It seems when I do curl using any of the FQDNs I got the HTTP ticket of the first entry in /etc/hosts file.
For example if
...
10.7.0.5 hadoopmaster.idm.com
10.7.0.5 master.hadoop.com
...
now if i do curl i will get HTTP/hadoopmaster.idm.com#HADOOP.COM in klist.
and if /etc/hosts looks like this
...
10.7.0.5 master.hadoop.com
10.7.0.5 hadoopmaster.idm.com
...
Now if i do curl i will get HTTP/master.hadoop.com in klist
In both the cases if i configure the hadoop property to the same i got using curl then UI will be accessible and other wise it will shows 403 GSSException which i guess means curl used spnego but didn't get valid credentials.
And if it matches with the hadoop's configured principal then it will work.
It looks like Hostname is causing problem is there any way to map this hostname or is there any kerberos config which can map this or any property which will give me exact ticket with exact hostname i have specified in curl despite of hadoop configurations.
According to the official ACME.SH documentation link, issuing a certificate is as simple as running the following command:
$ acme.sh --issue --alpn -d example.com
However, I am getting the following error
Error, can not get domain token entry example.com for `tls-alpn-01`
The supported validation types are `http-01` `dns-01` , but you specified: `tls-alpn-01`
I have tried switching from the default ZeroSSL.com to BuyPass.com, but that does not help. It seems that these providers do not allow tls-alpn-01 validation method, but it could be related to something that I am missing.
PS:
To preemptively answer some questions:
I have a valid domain that I replaced with "example.com"
The site is functional on a 443 port, but port 80 is blocked by ISP, hence tls-alpn-01
I am stopping Nginx, and then checking with netstat that port 443 is not bound to a service.
When I run the script with --debug 2 parameter, I get the following value for _authorizations_map variable
_authorizations_map='example.com,{"identifier":{"type":"dns","value":"example.com"},"status":"pending","expires":"2021-08-18T22:53:50Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/wYehJ8kQjUDiDadBJ12qKw", "status":"pending","token":"Sfga2N2KwV-2hg3wo1gYAoyFvqV87dRvG2sHw4I6ups"},{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/CkrMQdEJthf-TmWvllW-Bg", "status":"pending","token":"_AlgMGzIfSQs7673Su-njnpieba_zLpSYxiUdXDEFnz"}]}'
Same problem, I switched from ZeroSSL to Let's encrypt CA and now it works without problems.
https://community.letsencrypt.org/t/the-acme-sh-will-change-default-ca-to-zerossl-on-august-1st-2021/144052
Edit: oops, sorry.
To tell acme.sh to use Let's encrypt CA
use:
acme.sh --set-default-ca --server letsencrypt
and then try to issue again the certificate in tls-alpn-01 mode
I builded MariaDB 10.4 using GitHub source on CentOS 8.
(https://mariadb.com/kb/en/get-build-and-test-latest-mariadb-the-lazy-way/)
But mariadb-secure-installation is not working.
There is no error when running it. But nothing works. For example, changing the root password or deleting an anonymous account does not work.
What should I check?
thank you.
I figured out why.
https://serverfault.com/a/897341
https://mariadb.com/kb/en/authentication-plugin-unix-socket/
In MariaDB 10.4.3 and later, the unix_socket authentication plugin is installed by default, so if you do not want it to be available by default on those versions, then you will need to disable it.
there are two solutions.
disable unix_socket authentication
# /etc/my.cnf.d/server.cnf
[mariadb]
...
unix_socket=OFF
# or
disable_unix_socket
...
set client to use TCP protocol
# /etc/my.cnf.d/client.cnf
[client]
protocol=tcp
or using '-h' option
# mysql -h 127.0.0.1 -u root -p
I have an access to a preconfigured Windows XP 32-bit workstation.
It's under firewall and to get outside it uses http proxy server.
To get proxy settings I need host, port, username and password.
http: // username : password # server : port
I'm able to find the proxy url and port (from PAC - automatic config file),
but I don't know how to get username/password. Is there a way to read it somehow? At least username? I might get the admin rights.
Do you know any tool that can help?
I only found these MS docs about some methods to get proxy config connection, but I don't know how to determinate what's the provided credentials:
WinHttpGetIEProxyConfigForCurrentUser function
WINHTTP_CURRENT_USER_IE_PROXY_CONFIG structure
WinHttpGetProxyForUrl function
I've also found this lib, but it's rather for parsing PAC:
http://code.google.com/p/pacparser/
In windows you cannot get password.
To get connect throw a proxy you have to use SSPI, check libcurl, you can get a connected socket throw proxy, build it with enable-sspi and openssl.
Iterating on Fernando Sanchez's answer and Robert's comment, you need to authenticate via SSPI. In my case I've connected using NTLM using this link
With curl using ntlm :
curl.exe --proxy <proxy_name>:<proxy_port> --proxy-ntlm -U : https://www.google.com
Also to partially answer your question the -U : means from curl man page :
If you use a Windows SSPI-enabled curl binary and do either Negotiate
or NTLM authentication then you can tell curl to select the user name
and password from your environment by specifying a single colon with
this option: "-U :".
You can get the proxy name and port from the windows registry (regedit). Quote from Robert's comment:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
It can be present either in a manual way using REG_SZ ProxyServer or using an autoconfiguration script using REG_SZ AutoConfigURL = https://<configuration_url>
If the curl command above fails with Failure when receiving data from the peer maybe you have a curl release without NTLM, SSPI or OpenSSL. Try with the latest curl release
I am trying to setup a basic ldap server/client scenario. I downloaded openldap for windows and installed it. I am starting the server successfully with the command,
slapd -d 1
I tried to use various clients (commandline, LDAP Browser, phpLDAPadmin) to connect and do a search, it works with 'anonymous access' but it fails every time I try the same with root user/password and says 'failed to connect to ldap://localhost:389'. Same thing works if i connect anonymously.
What could be the problem ?
Here's my slapd.conf
ucdata-path ./ucdata
include ./schema/core.schema
pidfile ./run/slapd.pid
argsfile ./run/slapd.args
database bdb
suffix "dc=guessant,dc=org"
rootdn "cn=Manager,dc=guessant,dc=org"
rootpw secret
directory ./data
I am using Login DN as "cn=Manager,dc=guessant,dc=org" and password as "secret"
It has been fixed now .. problem was with PHP mcrypt and phpLdapAdmin. Apparantly there's an issue with PHP 5.2. and figured out that upgrading to 5.3 + or removing mcrypt usage, would fix it. I chose the later, for the timebeing atleast