Unable to modify openLDAP as a group user - acl

I am using LAM as an interface for openLDAP.
I am able to log in using the admin account I created in the config, but I am looking to allow other users to log in.
To this end, I am trying to create ACL's to permit a group (or even individuals!) to admin the ldap.
My current config is:
{0}to * by * break
{1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
{2}to * by dn.exact=uid=<user>,ou=People,dc=<mysite>,dc=com manage by * break
When I try, I simply get:
Was unable to add attributes to DN: uid=<user>,ou=People,dc=<mysite>,dc=com.
LDAP error, server says: Insufficient access - Insufficient access
I can log in and see the data, but I am unable to implement changes. Shouldn't the manage allow me to?
Additional:
I have set the openLDAP to use the olc as opposed to the slapd.conf.
I am accessing a php interface (LDAP Account Manager Pro) which I bind using the diradmin, but I want to allow a limited set of users (admin) to bind using their own credentials and still have manage permissions to everything in the ldap (not the cn=config).
Doing slapcat -b cn=config returns:
5d499450 could not open config file "/etc/openldap/slapd.conf":
Permission denied (13) slapcat: bad configuration file!
But this file doesn't exist right now, so I'd expect this, right?

Related

how to connect to azure database for mysql, from azure app service with wordpress docker image?

I have an azure app service, using the latest wordpress image from docker hub. The screenshot for the azure app service:
Then in the azure app service -> application setting, I added the following key/value pairs which will be used to connect Azure database for mysql:
WORDPRESS_DB_HOST
WORDPRESS_DB_NAME
WORDPRESS_DB_PASSSWORD
WORDPRESS_DB_USER
screenshot:
Inside my Azure database for mysql, I have enabled public access / allow public access from any azure service / also add my client ip and this ip range 0.0.0.0 - 255.255.255.255. I can access it from my client and create the database which will be used by azure app service. Screenshot like below:
in server parameters, I also turn off the require_secure_transport setting:
At last, I tried to launch the site, but it throws the error "Error establishing a database connection", screenshot below:
I'm new to wordpress / docker, and don't know how to fix this issue. I also reviewed some videos / docs, and didn't see any other configuration differences. Could you please guide me how to fix this issue? Thanks very much.
You received this error message.
Warning: mysqli_real_connect(): (HY000/1045)>: Access denied for user 'ivan'#'52.xx.xxx.xx' (using password: YES)
It means MySQL received, processed, and rejected your WordPress instance's attempt to connect. So you know the hostname is right and your cloud provider's firewall settings allow your WordPress instance to exchange network data with your MySQL instance.
What's wrong?
MySQL's user name / account name setup has a quirk. An account name can look like 'ivan'#'localhost' or 'ivan'#'%' (or even something like 'ivan'#'192.0.22.33').
The first of those only allows login from localhost (or via tunneling via ssh). The second allows login from '%', meaning any host. You need the second one for your WordPress instance to get access to MySQL.
When you're logged in to MySQL from your machine, do this.
SELECT host, user FROM mysql.user WHERE user='ivan';
You should see two rows, like these
host user
---- ---
% ivan
localhost ivan
It's possible the account with '%' as the host is missing. If so that means you need to create another MySQL account and give it access to your database. Do that like this.
CREATE USER 'ivan'#'%' IDENTIFIED BY 'your_password';
FLUSH PRIVILEGES;
Next, make sure the user account you just created -- the one your WordPress software will use to connect to MySQL -- has access to your database.
GRANT ALL PRIVILEGES ON wordpress.* TO 'ivan'#'%';
FLUSH PRIVILEGES;
If you still get the error message, it's possible the password on your 'ivan'#'%' account doesn't match what you put into your WordPress configuration. You can change it with
ALTER USER 'ivan'#'%' IDENTIFIED BY 'your_password';
FLUSH PRIVILEGES;
If it still gives the same error message, it's possible that your cloud vendor requires TLS to connect to MySQL. You may want to consult their support team about that.
(This is a common stumbling block setting up new WordPress instances.)
ok just to keep and make things clear. all IPs can connect to the DB but are you actually authorized to read/write date in the DB?
I.E. this might be a permission/privilege issue.
I suggest double checking user privileges and determine who can do what on your DB
Best Regards. :-)

I'm able to login on phpMyAdmin with root, even it's restricted to localhost

I'm able to login on phpMyAdmin with a root user and other users, even though I have restricted login to localhost. How can I fix this problem and restrict access to only one specified user remotely. Every other user account shouldn't be accessible remotely, especially root.
phpMyAdmin user accounts
As #Matt Clark points out, the MySQL user privileges consider the connection between MySQL and the web server. In order to restrict users from connecting to phpMyAdmin, you'll have to either configure your webserver to be more restrictive or use some of the protections included with phpMyAdmin.
Luuk mentioned that the AllowRoot directive can allow you to restrict root from connecting, but you might want to look at the allow/deny rules instead (or in addition): https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_rules. These go in your phpMyAdmin configuration file, config.inc.php, in the server-specific section. If you don't already have a config.inc.php file, you can create one in the same directory as the main phpMyAdmin installation, with this content, then put any additional directives at the end.
<?php
$i=0;
$i++;
If you'll always connect from the same IP address or range, something like this might be to your liking, adjusted of course for the proper username and addresses:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow jan from 192.168.74.[0-255]');
Or, to allow access from any IP address,
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow jan from any');
By the way, as two other common security measures, phpMyAdmin also has support for two-factor authentication and can log failed login attempts such that a tool like fail2ban can be used.

couchbase cbc failed to bootstrap instance

running below command
cbc n1ql 'SELECT * FROM `travel-sample`'
Throws exception below
Failed to bootstrap instance. libcouchbase error: Authentication failed. You may have provided an invalid username/password combination (0x2)
I am referring to documentation located at
https://docs.couchbase.com/server/5.5/sdk/development-intro.html
You need to supply a username/password to get access to use the travel-sample bucket. Try using your admin user to get started. Later, you can create a user with specific permissions on travel-sample.
If you just enter "cbc" it should dump the set of valid options, letting you find the options to use to supply the username and password.

guacamole LDAP user but no mysql connection parameters

I am currently struggling on LDAP authorization towards MS AD (Server 2012) and MySQL as connection database. Once I log into guacamole using an AD account (sAMAccountName) I am not able to add any connections.
Is there anything I might have missed? Generally speaking I do not really want to modify the scheme of our AD.
Maybe you could let me know which settings the guacamole.properties file should have then. I am on 0.9.9 as well. Both mechanisms, LDAP and MySQL are working themselves but no functional combination has been established.
Thank you for your help in advance
For a user to have access to connection data within MySQL (or to have the ability to create and manage connections within MySQL), they must be granted permission to do so within MySQL. As Guacamole uses the username to represent identity, there are two ways to accomplish this:
Create an account within LDAP having the same username as an existing administrative user in MySQL (such as the default guacadmin), and log in as that user when managing things.
Log in as an administrative user in MySQL and create a new administrative account having the same username as your account within LDAP. After logging out and logging back in as that user, you will have admin permissions.
The relevant section is in the chapter of the manual covering LDAP:
Associating LDAP with a database
If you install both the LDAP authentication as well as support for MySQL or PostgreSQL (following the instructions in Chapter 6, Database authentication), Guacamole will automatically attempt to authenticate against both systems whenever a user attempts to log in. That user will have access to any data associated with them via the database, as well as any visible objects within the LDAP directory. The LDAP account will be considered equivalent to the database user if the username is identical.
Data can be manually associated with LDAP users by creating corresponding user accounts within the database which each have the same usernames as valid LDAP users. As long as the username is identical, a successful login attempt against LDAP will be trusted by the database authentication, and that user's associated data will be visible.
If an administrator account (such as the default guacadmin user provided with the database authentication) has a corresponding user in the LDAP directory with permission to list and read other LDAP users, the Guacamole administrative interface will include LDAP users in the overall user list presented to the administrator, and allow connections from the database to be associated with those users directly.
(emphasis added)

Preventing WAN access to a Database

How do I prevent WAN access to a particular database in SQLyog? I am able to grant full access to particular DB's, but not able to prevent them. I have a Web APP that runs on an internal server and accesses MySQL on the same server. I have created a SQL user with my workstations IP, but I am receiving access denied from dbconnect when I run the APP from my workstation.
Thanks,
Tony Cripps
MySQL does not allow connections from anything other than what you've specified. If you want to disallow access from a particular IP or network, then that mean that you've already gone and granted access to them.
Review the CREATE USER syntax, particularly the section on specifying hostnames.
Review the user accounts that you've already created:
SELECT user, host, password FROM mysql.user;
And then re-create them as necessary.
Other than than that, if you want to completely disallow WAN access then you should be looking at your firewall settings, not MySQL.