I want to build or implement some sort of LDAP proxy that will intercept the LDAP response from our corporate server and tack on a jpegPhoto to each entry which will load the persons image from our intranet (i.e. http://intranet.biz/userPhoto.php?email=johnDoe#domain.com).
My first thought is to setup a Squid proxy with a rewrite filter. The OpenLDAP man pages also seems to mention that it can act as a proxy (perhaps using slapo-rwm to add jpegPhoto?). I'm not very familiar with OpenLDAP and I'm not sure how to implement this.
What's the best solution? Any examples?
You should probably look into openldap's overlays combined with the proxy backends they offer. The 'translucent' overlay might be an appropriate starting point.
Very difficult. You will have to write something that can completely parse an LDAP response and add the required attributes to it. There are various LDAP APIs available that can do that for you but it will be a slog. Have you considered bulk-moving the jpegs into the LDAP database?
Related
We have a number of EC2 instances running Solr in EC2, which we've used in the past through another application. We would like to move towards allowing users (via web browser) to directly access Solr.
Without something "in front" of Solr this results in a security risk, so we have opted to try to use ELB (specifically the Application Load Balancer) as a simple and maintenance free way of preventing certain requests from hitting SOLR (i.e. preventing the public from DELETING or otherwise modifying the documents in Solr).
This worked great, but we realize that we need to deal with the CORS issue. In other words, we need to add the appropriate headers to requests that come in from a browser. I have not yet seen a way of doing this with Application Load Balancer but am wondering if it is possible to do someway. If it is not possible, I would love as an additional recomendation the easier and least complicated way of adding these headers. We really really really hate to add something like nginx in front of Solr because then we've got additional redundancy to deal with, more servers, etc.
Thank you!
There is not much I can find on CORS for ALB either and I remember when I used Beanstalk with ELB I had to add CORS support in my java application directly.
Having said that, I can find a lot of articles on how to set up CORS for Solr.
Can it be an option for you?
I have a Elasticsearch running on my server by default it runs on port 9200 and link is public means any one can insert, update, delete anything form anywhere. How do I make it secure like phpMyadmin which can be only accessed with the help of my code and not directly from browser or postman.
Elasticsearch does not perform authentication or authorization, leaving that as an exercise for the developer. Two popular ways I have seen are
Setup your own proxy (Nginx/HAProxy) fronting elasticsearch - this way you exercise full control. You can also use the Elasticsearch-jetty plugin to have jetty level auth
Shield - If budget permits use Shield which is a paid offering from Elasticsearch - https://www.elastic.co/products/shield
Even with these in place, depending on who you are exposing this to - you may want to disable certain things like dynamic scripting, throttles for DoS etc.
You can use the Elasticsearch basic authentication plugin - https://github.com/Asquera/elasticsearch-http-basic
The README there gives a good idea on how to set it up.
If you are using Kibana3 as a frontend to elasticsearch, you can secure it using https://github.com/fangli/kibana-authentication-proxy
I have enabled a relatively simple Nginx proxy that sits between my Elasticsearch and Kibana to configure authorized access to my dashboards and charts.
Look at my post here: https://udaysagars.wordpress.com/2016/04/04/how-i-configured-authorized-access-to-kibana-dashboards/
Also, you can view my application that uses this method here: http://udaysagar2177.github.io/ec2/twitter-analytics.html
I have two applications which I cannot change:
A: provides a URL protected by HTTP basic auth.
B: needs to access this URL but does not support basic auth.
Credentials are available.
How can I make my two applications work together?
I thought a local proxy might be great which injects the authentication. E.g. using socat:
socat TCP4-LISTEN:81,reuseaddr,fork TCP:UrlToA:80,<inject-basic-auth>=user:pass
However, socat does not provide an option like < inject-basic-auth >. Anybody knows any tool that might help? Any other way out?
You must set up a HTTP reverse proxy server that does the authentication for you. No need to hack any software.
Your reverse proxy listens on some socket (e.g. proxy:8080) and forwards requests to your actual application A, inserting the headers.
client_B ----> http://proxy:8080 -----> http://server_A:80
Nginx is lightweight, high performance and easy to set up. And it's easy to find docs online for what you want.
See for example http://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy
This problem seems to be very specific. So you probably won't find a ready-to-use tool.
If you want to do it yourself, your best approach is probably to extend socat:
http://www.dest-unreach.org/socat/download/socat-1.7.2.2.tar.gz
Good luck!
Is it possible to run the LDAP protocol over HTTP or HTTPS?
If so, does anybody know of a Ruby LDAP server which can be made to run on Heroku.com?
No, it is not possible to run LDAP over HTTP(S). LDAP is a binary protocol in its own right, described in ASN.1 and transmitted in BER. However, DSML provides some functionality that may interest you. DSML represents directory services information using XML.
Yes, certainly it is possible, I have one where LDAP entities are sent as JSON objects. Let me know if you are interested in taking a look at it. But this is in Java not Ruby but might throw some light..
I would like to setup a http proxy on my work machine (no admin rights, WinXP) to only allow access to a whitelist of URLs. What would be the easiest solution? I prefer open-source software if possible.
Squid seems to be the de facto proxy. This link describes how to set it up on a windows box: http://www.ausgamers.com/features/read/2638752
Why not use the Content Advisor in IE? You can provide a list of approved sites, anything else is blocked. Or do you want pass-through functionality like a true proxy?
Content advisor will ask for authorization every time a javascript function is called. At least that's my experience right now, and that's how I landed here, after hours of googling.
You are right, however, if the sites in the whitelist don't use javascript intensively and I would suggest that that option be tried first because (and I'm an IT person), it's FAAAAAAAAR easier to set up Content Advisor than a proxy server. Google "noaccess.rat" and you'll come accross articles that tell you how to set up IE using a white-list approach.
Having said this, however, you must be fully aware that Content Advisor can be easily disabled, even without knowing the password. One of my users did it in no time. You can find this in google as well.
Alex