I'm trying to setup gitea with an openldap authentication on a local kind cluster. I was able to get both services started and open the web ui for both. But I am stuck trying to integrate them. I initially encountered err=49 which was caused by an incorrect bind account credential. Now I feel like I have everything correct however it always comes back with the error user does not exist regardless of what I try.
I am able to login with the user on the openldap phpadmin.
Adding random charecters to the host or the bind gives a different error, so I assume this is correct.
I've tried different userFilter values using sAMAccountName=%s and cn=* but I don't know enough about ldap to really know what the value should be. none of the values I tried worked.
logs in openldap:
error in gitea:
openldap configuration:
customLdifFiles:
01-initial.ldif: |-
dn: ou=groups,dc=archbox
objectclass: organizationalUnit
objectclass: top
ou: groups
dn: cn=admins,ou=groups,dc=archbox
cn: admins
gidnumber: 500
memberuid: tuser
objectclass: posixGroup
objectclass: top
dn: cn=users,ou=groups,dc=archbox
cn: users
gidnumber: 501
objectclass: posixGroup
objectclass: top
dn: ou=users,dc=archbox
objectclass: organizationalUnit
objectclass: top
ou: users
dn: cn=test,ou=users,dc=archbox
cn: test
gidnumber: 500
givenname: test
homedirectory: /home/users/tuser
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user
uid: tuser
uidnumber: 1000
userpassword: {MD5}WcTy5IxPSAXRNZlv17HWwg==
dn: cn=gitea gitea,ou=users,dc=archbox
cn: gitea gitea
gidnumber: 501
givenname: gitea
homedirectory: /home/users/ggitea
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: gitea
uid: ggitea
uidnumber: 1001
userpassword: {MD5}WcTy5IxPSAXRNZlv17HWwg==
env:
LDAP_ORGANISATION: "ArchBox"
LDAP_DOMAIN: "archbox"
LDAP_BASE_DN: "dc=archbox"
adminPassword: adminadmin
configPassword: configconfig
replicaCount: 1
phpldapadmin:
ingress:
enabled: true
path: /
hosts:
- ldapadmin.archbox
gitea configuration:
gitea:
ldap:
enabled: true
name: "archldap"
securityProtocol: unencrypted
host: "openldap-openldap-stack-ha.default"
port: "389"
userSearchBase: ou=users,dc=archbox
userFilter: cn=%s
adminFilter: cn=admin,ou=groups,dc=archbox
emailAttribute: mail
bindDn: cn=gitea gitea,ou=users,dc=archbox
bindPassword: giteagitea
usernameAttribute: cn
The log level "debug" revealed, that (in my case) the ldap user filter was busted. I was using (objectClass=<MyCustomClass>). The user filter HAS TO contain the %s that is substituted for the username.
In your case your user filter is missing the outer brackets.
I hope I was able to help you or any one else experiencing this kind of behaviour.
Best, Rincewind
Related
I am working on ejabberd API to invite users to MUC room. I have setup OAuth for API.
I have tested oauth with get_room_occupants and its working fine.
Now, I am trying to access /api/send_direct_invitation, but as per logs, I don't have permission to access this api
I have generated oauth with command line
ejabberdctl oauth_issue_token admin#host 31540000 "ejabberd:admin"
Do I need to pass any extra permissions
Ejabberd Version: 17.11
Installed on: ubuntu 16.04
Configuered DB: mysql
Here is a ejabberd.yml file
api_permissions:
"console commands":
from:
- ejabberd_ctl
who: all
what: "*"
"admin access":
who:
- access:
- allow:
- user: admin#host
- oauth:
- scope: "ejabberd:admin"
- access:
- allow:
- user: admin#host
what:
- "*"
- "!stop"
- "!start"
"public commands":
who:
- ip: "127.0.0.1/8"
what:
- "status"
- "connected_users_number"
commands_admin_access:
- allow:
- user: "admin#host"
commands:
add_commands:
- status
- registered_users
- register
- unregister
- get_roster
- connected_users
- send_stanza_c2s
- send_stanza
- join_cluster
- send_direct_invitation
oauth_expire: 3600
oauth_access: all
I tried running this via command line and got this error
command: ejabberdctl send_direct_invitation naviteam1519 conference.xxx.yyy.com "" "You need this room!" KESH2FABDE#xxx.yyy.com
error:
Problem 'error {bad_jid,<<"KESH2FABDE#xxx.yyy.com">>}' occurred executing the command.
Stacktrace: [{jid,decode,1,[{file,"src/jid.erl"},{line,138}]},
{mod_muc_admin,'-get_users_to_invite/2-fun-1-',2,
[{file,"src/mod_muc_admin.erl"},{line,840}]},
{lists,filtermap,2,[{file,"lists.erl"},{line,1317}]},
{mod_muc_admin,send_direct_invitation,5,
[{file,"src/mod_muc_admin.erl"},{line,826}]},
{ejabberd_ctl,call_command,4,
[{file,"src/ejabberd_ctl.erl"},{line,352}]},
{ejabberd_ctl,try_call_command,4,
[{file,"src/ejabberd_ctl.erl"},{line,321}]},
{ejabberd_ctl,process2,4,
[{file,"src/ejabberd_ctl.erl"},{line,271}]},
{ejabberd_ctl,process,2,
[{file,"src/ejabberd_ctl.erl"},{line,249}]}]
You did not show us your ejabberdctl send_direct_invitation command and the logs.
My bet is that you don't have correctly formatted command:
from the send_direct_invitation api it should look like this:
POST /api/send_direct_invitation
{
"name": "room1",
"service": "muc.example.com",
"password": "",
"reason": "Check this out!",
"users": "user2#localhost:user3#example.com"
}
Then an example would look like this:
ejabberdctl send_direct_invitation aRoom conference.localhost "" "You need this room!" msg_test1#localhost
As for your ejabbered.yml file. Are you sure you have:
admin#host user? Shouldn't that be for you a admin#localhost?
Edit
Based on the comment: The OP is missing mod-client-state configuration
mod-client-state configuration:
Example configuration:
modules:
...
mod_client_state:
queue_chat_states: true
queue_pep: false
queue_presence: true
...
I am using Yandex Connect (SMTP) as a method to send emails from my Rails 5 JSON API app.
Here's the setup:
Rails.application.configure do
config.action_mailer.delivery_method = :smtp
config.action_mailer.raise_delivery_errors = true
config.action_mailer.smtp_settings = {
address: 'smtp.yandex.com',
port: 25,
domain: ENV['MAIL_DOMAIN'],
user_name: ENV['MAIL_USER'],
password: ENV['MAIL_PASSWORD'],
authentication: 'plain',
enable_starttls_auto: true
}
end
I also have config.action_mailer.default_url_options = { host: ENV['MAIL_DOMAIN'] } set in my application.rb
On heroku with the right credentials it works just fine. But when I try to run the same config localy and send an email, I get ArgumentError - SMTP-AUTH requested but missing secret phrase.
What could be wrong
1) Make sure the environment variables are really there, e.g. bundle exec rails console, puts ENV.inspect
2) Make sure the credentials are correct
3) Restart your development server after you've modified your environment. This includes spring stop.
Hi am using ejabberd version 16.04 for my chat application and am using mod_rest for creating a muc room and for sending room invitation, now what i need is to set_room_affiliation for a particular mod_muc but its says error could some one help me out please...!!!
Below is the argument am passing for each respective ejabberd commands
Creating a Team
{"key": "secret","command": "create_room","args": ["kandan_team","conference","kandan.com"]}
Team got created. Passed...!!!
For sending Room Invitation to user 1
{"key": "secret","command": "send_direct_invitation","args": ["kandan_team","conference","none", "team_inviataion", "user1#kandan.com"]}
Inviatation sent successfully..!!! Passed..!!!
For sending Room Invitation to user 2
{"key": "secret","command": "send_direct_invitation","args": ["kandan_team","conference","none", "team_inviataion", "user2#kandan.com"]}
Inviatation sent successfully..!!! Passed..!!!
For removing user1 from team
{"key":"secret","command":"set_room_affiliation","args":["kandan_team", "conference", "user1#kandan.com", "outcast"]}
Couldn't remove user1 and saying as error..! Failed..!!!
Ejabberd.yml file configuration for mod_rest
mod_restful:
api:
- path: ["admin"]
module: mod_restful_admin
params:
key: "secret"
allowed_commands: [register, unregister,status, add_rosteritem, create_room, send_direct_invitation, set_room_affiliation]
- path: ["register"]
module: mod_restful_register
params:
key: "secret"
So can someone help me out how to set_room_affiliation please ...!!!
I found the answer, i created muc with wrong service that was the issue.Instead of creating muc with below service i created in other way..!!!
{"key": "secret","command": "create_room","args": ["kandan_team","conference.kandan.com","kandan.com"]}
I created user and gave him only one role.(Member)
Currently this role doesn't have any permission with any Http verb nor path.
This is my user:
{
organizations: [1]
0: {
website: ""
description: "AREAS"
roles: [1]
0: {
name: "Member"
id: "09dc1bdba42c48de9e15e88816284cbc"
}-
-
enabled: true
id: "363ac390cfc94aa293e02547afa78256"
domain_id: "default"
name: "AREAS"
}-
-
displayName: "root"
roles: [0]
app_id: "aea8f4a70b87422cb48068db9f0c6aea"
email: "root"
id: "root"
}
Now, when i try to do GET request on address: http://localhost/parameters/search_tables/
for which this user don't have permission,
it allows me access and redirects me nonetheless.
This is log from pep proxy:
2015-11-13 14:55:53.446 - INFO: IDM-Client - Checking token with IDM...
2015-11-13 14:55:53.484 - INFO: AZF-Client - Checking auth with AZF...
2015-11-13 14:55:53.484 - INFO: AZF-Client - Checking authorization
to roles [ '09dc1bdba42c48de9e15e88816284cbc' ] to do GET
on parameters/search_tables/ and app aea8f4a70b87422cb48068db9f0c6aea
2015-11-13 14:55:53.508 - INFO: Root - Access-token OK. Redirecting to app...
Refused to set unsafe header "accept-encoding"
Refused to set unsafe header "cookie"
My config file regarding authorization is:
config.azf = {
enabled: true,
host: '192.168.4.180',
port: 8080,
path: '/authzforce/domains/afb096b2-8951-11e5-980f-6bf3c4dac98a/pdp'
};
config.public_paths = [];
config.tokens_engine = 'oauth2';
My Pap policy is:
<PolicySet PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-
algorithm:ordered-permit-overrides">
<Target />
<Policy PolicyId="permit-all" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-
algorithm:ordered-permit-overrides">
<Target />
<Rule RuleId="permit-all" Effect="Permit" />
</Policy>
</PolicySet>
How should i formulate my PAP policy to enable authorization level2, to use only http verb and resource path for authorization?
By default, Authzforce PAP permits all when no policy is added. Check if your PAP has the right information:
GET
/domains/{domainId}/pap/policySet
Edit 1:
In order to be able to connect with Authzforce, you need to configure some Authzforce parameters into your IdM instance:
ACCESS_CONTROL_URL at fiware-idm/horizon/openstack_dashboard/local/local_settings.py
and
ACCESS_CONTROL_MAGIC_KEY at fiware-idm/horizon/openstack_dashboard/local/local_settings.py
Then, just go to IdM, and check that the permissions and roles are well configured. Sometimes, you have to 'trigger' the policy generation in IdM by going to your application -> manage roles and just click 'save' to trigger the XACML generation.
I am trying to crytp using gpg2 the mails sent by Nagios3. For that, I have create this custom command on /etc/nagios3/commands.cfg :
/usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/gpg2 --armor --encrypt --recipient toto#titi.com | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
Some points:
The e-mail is sent but it is "empty":
Sep 19 14:35:25 tutu nagios3: Finished daemonizing... (New PID=4313)
Sep 19 14:36:15 tutu nagios3: SERVICE ALERT:
tete_vm;HTTP;OK;HARD;4;HTTP OK: HTTP/1.1 200 OK - 347 bytes in 0.441
second response time Sep 19 14:36:15 tutu nagios3: SERVICE
NOTIFICATION: tata;tete_vm;HTTP;OK;notify-service-by-email;HTTP OK:
HTTP/1.1 200 OK - 347 bytes in 0.441 second response time
The command:
/usr/bin/gpg2 --armor --encrypt --recipient toto#titi.com | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$</code>
works very well on command line
I have tested this command:
/usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/gpg2 --armor --encrypt --recipient toto#titi.com >> /tmp/toto.txt
The file /tmp/toto.txt is created but "empty".
So, it seems to be a problem using /usr/bin/gpg2 on this file, but I cannot find why!
The most common mistake when encrypting from within services using GnuPG is that the recipient's key was imported by another (system) user than the one the service is running under, for example imported by root, but the service runs as nagios.
GnuPG maintains per-user "GnuPG home directories" (usually ~/.gnupg) with per-user keyrings in them. If you imported as root, other service accounts don't know anything about the keys in there.
The first step for debugging the issue would be to redirect gpg's stderr to a file, so you can read the error message by adding 2>>/tmp/gpg-error.log to the GnuPG call:
/usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/gpg2 --armor --encrypt --recipient toto#titi.com 2>>/tmp/gpg-error.log | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
If the issue is something like "key not found" or similar, you've got two possibilities to resolve the issue:
Import to the service's user account. Switch to the service's user, and import the key again.
Hard-code the GnuPG home directory to somewhere else using the --homedir [directory] option, for example in a place you also store your Nagios plugins.
Be aware of using appropriate, restrictive permissions. GnuPG is very picky if other users than the owner are allowed to read the files!