Is it possible to use LDAP authentication with Liquibase?
If not, how have others solved the problem of automating changes to production database schemas using Liquibase (yet still keeping the database credentials secure)?
LDAP is used for server-side authentication. Not all databases support it, for example MySQL only supports it in it's Enterprise version.
Securing the credentials, used by clients like liquibase, falls into two categories:
Protecting data in transit
Protecting credentials at rest
To protect credentials in transit, I'd recommend using a JDBC driver which supports SSL. Some JDBC drivers support this feature, for example MySQL. Another approach is to tunnel the JDBC traffic over a SSH tunnel.
Protecting credentials at rest (in configuration files) is more difficult and depends on how you plan to invoke liquibase. If you're using ANT, I'd suggest using the answer to this question on how to read encrypted property files.
Related
Looking for example using JDBC on DB2 database using Windows authentication, preferably with db2jcc4.jar driver. Seems like a common enough scenario, but I'm having a hard time finding an example.
Your original question was too vague until you clarified it with a comment asking how to connect to local Db2-databases via jdbc without a userid/password. So your real question appears to be "how do I achieve passwordless authentication to local Db2-databases on MS-Windows?", which may be a FAQ.
Db2-server delegates authentication to the underlying operating-system services on which the Db2-server is running. Keep in mind that Db2-server runs on a few quite-distinct operating systems, only one of which is MS-Windows.
Yes you can connect via-JDBC to a local Db2-database on MS-Windows without specifying a userid/password, using the IBM-supplied jdbc driver.
You can also connect to a local Db2-database on MS-Windows via CLI/ODBC and command-line without specifying a userid/password. When no userid/password is specified then the authentication-ID is that of the currently running session (either the logged on identify, or the runas identity).
If you have a local Db2-server with a local database running on MS-Windows, then all necessary software is already installed (if using defaults) to achieve the above.
It is important to understand that if the Db2-database is remote from the client then the authentication will need some form of credentials. Such credentials may be in the form of a certificate (if the Db2-database lives on Z/OS), or in the form of a userid/password, or in the form of a kerberos ticket, or in the form of a token used for cloud-based Db2 etc.
For a passwordless local jdbc connection to a Db2-database , you can use the URL format "jdbc:db2:your_database_name" .
The class com.ibm.db2.jcc.DB2Driver (as supplied in currently supported versions of db2jcc4.jar) supports passwordless connections with that URL pattern.
Example with local database-name = sample.
try
{
Connection con = DriverManager.getConnection("jdbc:db2:sample");
...
}
catch (Exception e)
{
...
}
The Db2 Knowledge-Centre gives all the details of the available jdbc properties
here
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.apdv.java.doc/src/tpc/imjcc_r0052038.html
Other pages show additional properties that are specific to Z/OS data-sources, or cloud-databases, or i-series data sources, or informix sources etc.
We are in the planning phase of configuring our soon-to-be-upgraded databases (19c) to authenticate directly against AD (no oracle proxy). I have read a handful of documents from Oracle on how to do this. Most of the documentation focuses around using passwords (password filter/verifier). The only problem is that our AD administrators are dead-set against implementing Oracle's password filter into our existing AD infrastructure. That being said, one of the security guys said we could implement the oracle authentication using Kerberos instead. From what I have read, and the documents are scattered all over the place, and nothing that detailed, to use Kerberos:
1) The client no longer uses a username/password - they connect using a wallet-style connection (e.g. /#dbname)
2) Not only does the Oracle DB need some configuration changes, but so does every client that plans on using Kerberos
I don't know anything about Kerberos, how it works, and what goes on when you implement this, but I was hoping for, at the end of this is:
1) No client changes/installs (only the oracle DB would have config changes)
The user will continue to provide credentials as before - completely transparent
2) No need for the password filter as our admins have a "beef" against it
So my question is:
If using Kerberos directly against AD on >=18c:
1) Does the client user still provide a username and password to authenticate against AD, or does the client simply get "accepted" due to the tickets/tokens/configuration that occurs on the client (i.e. the client is simply trusted)?
2) Is there client config changes that need to occur, or does the client reach out to the DB and the DB, with its config changes, does all the legwork to authenticate against AD based off of client info being passed
3) Does any additional manual component need to occur on occasion (periodically retrieving a ticket/token/something) (because, say, it expires)
So in the end, we want to have complete transparency with every client and using something other than the password verifier with AD.
Thanks in advance.
-Jim
It sounds like you want to authenticate Windows clients against an Oracle database over a network using Active Directory without making any client changes.
This is pretty open-ended and complex StackOverflow question.
Probably you've been reading the docs about Third Party Network Authentication using Oracle Advanced Security. You can use Kerberos, SSL, RADIUS, PKI, etc. For most of these options, you need to do some setup on the client, because both the Oracle client and server need to authenticate or verify with the third-party system.
I think you need Enterprise User Security (using Oracle Internet Directory). Assuming you go with password-based authentication, you don't need client changes. In this scenario, Oracle Internet Directory can synchronize its user directory with AD, so your users can use their same username/password. However, when they change their AD password, they'll need to change their Oracle password separately.
On a different note, you may be able to alleviate your AD admins' fears about Oracle password complexity requirements, since you can change or remove those to fit your AD requirements.
For stormpath to work, is the internet a must?
I want to implement user management on my springboot server hosted for LAN, where the internet might not be available at times.
If this is not possible, what are the other options possible?
Yes, a connection is required, as user info is stored by Stormpath. If your connection is intermittent, enabling caching could help.
For my use case, where I was avoiding cloud based user authentication, I used Spring MVC with JPA, Spring Security with user details stored in my local mysql database.
Following link is one of the best tutorial I could find on the same topic.
https://medium.com/#gustavo.ponce.ch/spring-boot-spring-mvc-spring-security-mysql-a5d8545d837d#.gwxd1jdkj
I have an existing Datastax Cassandra setup that is working. We just added authentication to the system and now we can log in with our AD accounts. This is very nice and certainly works. However applications need to use a hard-coded username/password in order to connect.
In SQL Server we were able to setup a user to run the service as and then it would connect and work through AD. However in Cassandra it is not the same.
If I don't want to include usernames and especially passwords in my app.config files what are my options?
You can use authentication via LDAP with DSE (Datastax Enterprise), so the authentication stage is done with LDAP instead of the internal authentication in DSE which you're using at the moment. Note that my comments here apply to DSE5.0 onwards but you can use LDAP auth with earlier versions of DSE from 4.6 onwards.
The documentation (link below) covers this. The basic steps are as follows:
Configure your authenticator in the cassandra.yaml to use the DSE authenticator
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
Create an internal role in cassandra to map to the LDAP group(s) in your LDAP server using the CREATE ROLE command
Ensure all the users you need to use map to the relevant LDAP group (part of your LDAP config)
Configure your dse.yaml to have the correct settings for your LDAP server
Restart the DSE process for the settings to take effect
The following documentation gives some good examples and background information:
https://docs.datastax.com/en/latest-dse/datastax_enterprise/unifiedAuth/unifiedAuthConfig.html
https://docs.datastax.com/en/latest-dse/datastax_enterprise/sec/authLdapConfig.html
Note: when configuring the dse.yaml note the comment in the docs regarding user_search_filter:
When using Active Directory set the filter to (sAMAccountName={0})
I have an oracle database where I'm using proxy authentication and windows authentication. This allows me to authenticate the user against AD servers and yet allows pooled connections.
I understand that I can use the oracle data provider for dot net. However, I would prefer to use an orm such as nHibernate. Is it possible to use the nHibernate and use oracle proxy authentication?
All nhibernate needs to know is how to create a connection to your oracle databae right? This is all done by the connection string where you pass in the proxy user's name/pw or you could use Integrated Security in Oracle 8i release 3 or later.
This means this has nothing to do with nhibernate I would say. So yes, it should work.