Is there any way to restrict users in freeipa like the following case
I have 1 freeipa server setup
I have 2 freeipa clients setup under the above mentioned server
I have 3 users
Now I want to only allow user 1 to be able to login on client 1 and rest of the users to be able to login to client 2 but not on client 1.
Thanks.
Related
I have a scenario where I'm building an app that is hosted on an ubuntu server. Currently I have all inbound traffic to the server blocked with only outbound being allowed. The only way to access the React/Django app on the server is either thru VPN or having an IP whitelisted. When doing the OAuth1 process (to connect with a data provider), I'm struggling to figure out how to keep my app closed from the public internet but still complete the OAuth 1 process for the end user. Given that this app's purpose is to aggregate user data (from user's who've granted permission), it's not practical for me to whitelist the IP address of every single end user.
Currently, I'm considering making a form outside of my app for users to register with and then just having my app hourly check that form for new users so that it can then start the OAuth1 process and send the end user the authorization URL needed to grant permission to the data provider. At this point though, I have it where once the user signs up with their data provider, the callback URL redirects the user back to the Django app so that the Django app can grab the necessary elements from the URL in order to formally request for the user's actual access token. Given that the app is blocked to the public, I imagine the user won't actually be redirected back to the Django app for the access token part of the process to happen.
Any recommendations for this? For production?
I have a question about the SSO flow.
Let's say we have 2 MVC applications as clients and an authentication provider
Client 1 has a cookie lifetime of 40 minutes.
Client 2 has a cookie lifetime of 10 minutes (maybe it's more strict for security reasons)
The expiration for the cookies is sliding, e.g. if a user logs in at 12:00 the cookie will expire in 12:40, however if the user makes a call to a page at 12:05 the expiration will subsequently be at 12:45
Now, what we want to do is implement SSO using Identity Server 4
User tries to login to Client A
User is redirected to Identity Server
User logs in on IS - User is redirected back to Client A with tokens
then
User tries to login on Client B
User is redirected on Identity Server
Identity Server cookie exists
User is redirected back to Client B with tokens
What is the correct approach regarding the Identity Server cookie expiration?
For example, upon logging in to the second client, the Identity Server cookie is already set to be 40 minutes long from the previous login. This is a problem due to the need of the second client for a cookie expiration time of 10 minutes.
Overview
There are two domains: domainA and domainB. I am seeking to make the configuration, so that a web server from domainB can leverage an AD service account in another domainA.
In the environment where domainB is located, I have a web server that needs to reach back to domainA to be able to query all of the users. The owners of the domainA account created a service account user that allows domainB to query the user base. We have established that the account works when testing directly from the domainB controller to the domainA controller. When we try to run a ldapsearch from the web server using the service account user, we run into some issues:
[ec2-user#hostname ~]$ ldapsearch -x -LLL -h $domainB_ipAddress -D $service_account_username -w $ad_pwd -b "OU=xxxxx,DC=xxxxx,DC=xxxxx,DC=xxxxx"
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
Note: This user is successfully authenticated from the domainB AD controller to the domainA AD controller using ldp.exe bind, so I believe the credentials are ok.
Our Current Approach
Based on the feedback I have received from my team, we should be making the request of the service account from domainB web server to the domainB controller, which will then forward this information on to the trusted domainA controller and return back the desired information back to the domainB web server.
I'm a little confused about how this forwarding is supposed to occur, but we have a requirement that we cannot reach directly into the domainA controller from any non-AD server from domainB.
Requested Feedback
Is it correct to assume that any request should be forwarded from the domainB controller to the domainA controller? If so, what needs to be in place for that to happen?
If requests cannot be forwarded, what would we need to do to get users from the trusted domainA into the domainB controller, so that the service account could reference them there?
This:
data 52e
Means:
ERROR_LOGON_FAILURE
1326 (0x52E)
The user name or password is incorrect.
You said the service account is from domainA, but you're connecting to domainB. That would only work if there is at least a one-way trust between the two domains: if domainB trusts domainA. From your description, I don't think that is the case. If you connect to domainB, you need to authenticate with a domainB account.
And the only way there would be any forwarding is if there was a trust. The term for this is a "referral". That would happen if there is a trust between the domains and you, for example, try to bind to a user in one domain while connected to the other. The server would return a "referral" telling you to go connect to the other domain.
We are using WSO2 IS 5.5.0. We are able to configure IWA using Federated Authentication (Kerberos). Users are able to login with their windows credentials.
Our application is accessible in INTRANET as well on INTERNET.
We have following requirement.
All the INTRANET users should be authenticated using IWA authentication whereas all INTERNET users should be presented with login page to enter their credentials.
Can you please let us know if this is possible through some configuration?
We tried steps concept in “Advanced Configuration” under “Local and Outbound Authentication Configuration” of Service Provider but not getting expected result.
First Steps in the sequence always gets executed whereas we want some kind of switch between step 1 and step 2.
We want all INTRANET users to follow the /iwa-kerberos authentication and want to display login page for INTERNET users.
We were able to achieve this in WSO IS 5.2.0 by having a switch in our login.jsp to redirect all the INTRANET users to following URL.
/commonauth?idp=LOCAL&authenticator= IWAAuthenticator&sessionDataKey=xxxxxxxxxxxx
In this approach we used to add only “BASIC” authenticator under Step 1 under “Advanced Configuration”
Setup
1. A LAMP web application that uses SOLELYFacebook for authent./author
(i.e. NO credentials set/asked by the web app)
2. A smartphone app that uses ONLY Facebook for authent./author.
3. A web service provided by -1- for -2- to communicate. https, of course.
4. A client-side Javascript that uses the same web service (-3-) for asynchronous CRUD
Use-Case:
A. The user signs in to - 1 - and Facebook id is saved on
server-side as well as a custom id.
B. The user signs in to - 2 - and the same happens on client-side.
C. The user enters data into - 2- which is stored locally.
D. Now comes the tricky part: 2 must send the data to 1 via 3.
E. Now even trickier: 4 must do the same.
My problem:
My problem is to find a strategy to authenticate & authorize communication in D & E. It would be easy if the user was to enter credentials. These would be stored locally and he was the trigger. And he only! However, when using solely Facebook for auth/author., authent. NEVER occurs on client-side. Thus, as far as I understand, the server has to provide some kind of legitimization. This would be, for example, a key or a token.
My question:
How is the client app -3- supposed to initially authenticate the user to the server (facebook id?)? How can I prevent someone from sending facebook id to the server service and, thus, getting access to the CRUD? Is some sort of an application key (like facebooks access token) sufficient?
If so, what about -4- the Javascript in the browser? Where to store the application key? Wouldn't it be too easy to steal that token, use it for authentication to -1- and then get access to all data of a certain facebook user?