Synchronizing laravel app password with Active Directory - windows

We have gotten a request to synchronize the passwords for a SaaS app our company produces with Active Directory for a customer.
I have straight up never even touched AD, so I have no idea where to even begin, or if it's possible.
The App is laravel 5.2 + php5.6 and not running on Azure.
Any guidance would be extremely appreciated. Please ask if you need more information, I don't even have much of an idea of what would be relevant to know here.
Thanks for anything you can give me in advance, guys.

There is no way to read anyone's password from Active Directoy, so you cannot "synchronize" passwords.
However, you could just authenticate against AD (when someone tries to log into your app, your app sends their username and password to AD to verify). There is an answer for how to do that here, but it's literally just this:
$ldap = ldap_connect("ldap.example.com");
if ($bind = ldap_bind($ldap, $_POST['username'], $_POST['password'])) {
// log them in!
} else {
// error message
}
Where ldap.example.com will be the AD domain name. The default is port 389, so that communication has to be allowed by firewall. If they want the traffic to be encrypted via SSL (LDAPS), then it would be over port 636 and you have to specify that:
$ldap = ldap_connect("ldap.example.com", 636);
And you would need to trust their certificate. Details on that in the comments of the documentation for ldap_connect.

Related

Laravel send mail via Gmail fails - cannot connect to server

The server, Ubuntu 16.04, with Nginx webserver.
I am running 2 virtual hosts, both have Laravel apps running. One is Laravel 5.1, the other is 5.4.
I have the same contact us form under both Laravel instances. The sendmail function on the controller is the same for both (I know I need to refactor this functionality off of the controller :-) ) Both have the same config/mail.php settings. .env is the same on both, other than the username and password. Both gmail accounts have insecure applications enabled / allowed.
The one running under Laravel 5.1 works perfectly. The one under 5.4 gives a timeout error when trying to connect to gmail.
Any ideas on what the fix should be?
The solution appears to be related to the Gmail password. The client insisted on an easily remembered password. I changed to a more complex password, and everything worked.
I did read a post that said that Google does not like automated accesses with insecure passwords. Sorry, I cannot reference that post - can't find it again.
Apparently, the solution is to use a secure password. I merely added special characters to the client's desired password.
I hope this helps someone else.

How to reset developer account password?

I have received a developer account number and extension, however I never received the email with the password. I can't reset it from the test portal either as it is asking me a security question. I tried to answer based on my actual account, but it says invalid.
Obviously, I can't do anything until I get this password. So what are my options? Create a new app and hope it works the second time? I checked my mail server and don't see any rejected emails from RC either.
Edit: Looks like the email was rejected. It failed SPF, the server doesn't have rDNS, and I guess it got knocked a point for having the From header Base64 encoded.
Anyway, how can I reset it?
Could you please create a support case at :
RingCentral Developer Support
One of the team members would be able to assist you with resetting the Developer Account password.

Laravel 4 & Sentry 2 Session issues

I've developed an app in laravel and sentry2 as ACL. Login occurs through SAML.
Whenever a user logs in from SAML is redirected to my app where I check server variables, and if credentials are correct I let him pass to the site with sentry.
My issue occurs when I try to log in with the same account in two different browsers. Looks like when I log in in the second browser the existing session in the other browser gets overrided.
I've found out this looking into sessions table:
http://pastebin.com/6iEnRkEs
Any ideas? Will appreciate your help on this very much.
Thanks a lot!
Pablo
EDIT:
The idea would be that the app work like gmail/fb that allows the user to be logged in both browsers at the same time.
It's correct the way it is.
Different browsers different sessions. This is a security feature/matter every single app should enforce.
If you log in a different browser how could Laravel tell if it's not a different person login in from a different computer in the same network? Log someone off in this case it's also the correct thing to do, because if some kind of exploit is happening, user will see something is wrong and, maybe, change his/her password.
Some (ie: banking) also do: different browser tabs, different sessions, but this is not the Laravel case.

Website access with cached Windows credentials

I am working at a company which uses an intranet site as a portal to a bunch of other local sites. Unauthorized people in the company have been accessing it, so we want to secure it. Users, when accessing the website for the first time will have to enter a username and password. If they are on a certain group in the Active Directory, they will be given access and their credentials will be stored so that they don't need to enter their username/password again. I have looked into NTML, ASP.NET, but am not sure how to proceed.
Any thoughts/ideas are greatly appreciated.
Dump your solution. Use Integrated Windows Authentication, namely Kerberos, in IIS. It will automatically pass all credenentials to your server. Note that every participant must be part of your AD domain.

Client PC authentication in ASP.NET MVC (Advice needed)

I've have some authentication scenario that I'm not sure how to approach. I'll appreciate any advice on the subject.
Requirement:
Website will contain one section
that will be only available to
specific computers.
Website needs to be aware which PC is currently making request (I need to be able to tie this PC to other tables in Database)
We have full access to PCs that will be accessing website
Website cannot require login, user should be just presented with content pages without need for logging in.
Solution needs to be secure since, it will have to pass security audit
Assume that every PC is on different network.
My ideas so far:
use client certificates but I'm
not sure whether you can issue
different certificate per client? If
the answer is 'you don't know who is
making the request' than it's failing
requirement number 2 and therefore is
not an option.
Windows
Authentication with impersonation so
I can have different users logged in
on PC (I'm in control what will be
the user name/account logged in on
the machine)
Basic Authentication and set PC to remember username/password first time. I'm a bit afraid that this "remember me" can expire which would cause big chaos since someone would have to setup this PC(s) again...
Windows Identity
Foundation - never tried but if I can
implement this scenario here in some
nice way I appreciate if you can
point me in the right direction.
Thanks in advance for your help.
EDIT:
I would prefer not to use SSL if possible... (performance consideration)
EDIT2:
Currently I think that the best option would be to check whether PC is authenticated (whether it contains Forms Authentication cookie) and if it is not then redirect him to some https:// page that will check client certificate, set cookie if cert exists and redirect back to target page.
This shouldn't be slow since SSL will be used only in rare cases when cookie expires.
Please let me know if you see any flaws in this solution. If you know how to create server certificate and later generate different client certificates from it I would be grateful for guidelines.

Resources