Django LDAP Active Directory - django

I'd like to use the existing Active Directory system for authentication of users, but there is a problem.
This works:
ldapsearch -D "LOGIN@dom.comp.local" -x -w PASSWORD -b "OU=users,OU=otdel,DC=dom,DC=comp,DC=local" -h x.x.x.x
Where should I enter the username to connect to the AD?
AUTH_LDAP_SERVER_URI = "ldap://ldap.example.com"
AUTH_LDAP_BIND_DN = ???
AUTH_LDAP_BIND_PASSWORD = "PASSWORD"
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,ou=otdel,dc=dom,dc=comp,dc=local", ldap.SCOPE_SUBTREE, "(cn=%(user)s)")

I'm on Python 3 exclusively these days, and the only package I've been able to get working with Active Directory is django-python3-ldap. While configured for OpenLDAP by default, it is a cinch to configure it for Active Directory, and even documented:
https://github.com/etianen/django-python3-ldap
Give it a look, and good luck.

In your ldapsearch string, the -D argument is the binddn. So, assuming LOGIN@dom.comp.local works, you should be able to set AUTH_LDAP_BIND_DN to that same value.
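
Added example, not part of the original answers: the mapping described above, from the flags of the working ldapsearch command to django-auth-ldap setting names, together with two checks worth making on the result. The function name, the `sAMAccountName` filter and the tuple standing in for `LDAPSearch(...)` are assumptions of this example.

```python
import getopt
import shlex

# The question's command with '@' in the bind name and a constructed password.
SAMPLE = ('ldapsearch -D "LOGIN@dom.comp.local" -x -w PASSWORD '
          '-b "OU=users,OU=otdel,DC=dom,DC=comp,DC=local" -h x.x.x.x')


def ldapsearch_to_settings(command, user_attr="sAMAccountName"):
    """Map ldapsearch connection flags onto django-auth-ldap setting names.

    Returns (settings, warnings). Handles -D, -w, -b, -h, -H, -p, -x and -Z only.
    user_attr is an assumption: AD logon names normally live in sAMAccountName.
    """
    argv = shlex.split(command)
    if not argv or argv[0] != "ldapsearch":
        raise ValueError("expected an ldapsearch command line")
    opts, _ = getopt.gnu_getopt(argv[1:], "D:w:b:h:H:p:xZ")
    flags = dict(opts)  # -ZZ arrives as two -Z entries; presence is all we need

    uri = flags.get("-H")
    if uri is None:
        if "-h" not in flags:
            raise ValueError("no server given (-h or -H)")
        port = ":" + flags["-p"] if "-p" in flags else ""
        uri = "ldap://" + flags["-h"] + port
    start_tls = "-Z" in flags

    settings = {
        "AUTH_LDAP_SERVER_URI": uri,
        "AUTH_LDAP_START_TLS": start_tls,
        # -D is the bind identity; an empty value means an anonymous bind.
        "AUTH_LDAP_BIND_DN": flags.get("-D", ""),
        # Arguments for LDAPSearch(base, scope, filter) in settings.py.
        "AUTH_LDAP_USER_SEARCH": (flags.get("-b", ""), "ldap.SCOPE_SUBTREE",
                                  "(%s=%%(user)s)" % user_attr),
    }

    warnings = []
    if "-w" in flags:
        warnings.append("password on the command line: keep AUTH_LDAP_BIND_PASSWORD "
                        "out of settings.py and load it from the environment")
    if uri.lower().startswith("ldap://") and not start_tls:
        warnings.append("simple bind over ldap:// without StartTLS sends the "
                        "password in clear text: use ldaps:// or StartTLS")
    return settings, warnings
```

Calling `ldapsearch_to_settings(SAMPLE)` returns the bind name unchanged as `AUTH_LDAP_BIND_DN` and raises both warnings, because the question's command is a simple bind to a plain `ldap://` host.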

Related

Permission error when trying to connect AWS to docker using SSH authentication

Not sure why but I've been looking everywhere and tried about 20 different things today to fix it with no luck.
I'm trying to use ssh authentication to link my website (inside Docker using Django) with amazon AWS ec2.
The error is really tilting and doesn't seem to be changing no matter what I do.
This is the error (I've removed the DNS)
ssh ec2-user@ec2-[DNS]-eu-west-2.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
I've changed the SSHD config file to this: (still no luck, this was the result of 4 different tutorials all saying different things)
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /etc/ssh/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
I've truly run out of ideas on this one, any help would be greatly appreciated as it's my final step in a 3 month personal programming project that seems to never end.

Can't backup my PostgreSQL database [ peer authentication failed for user "USER" ]

sql file that I backed up a long time ago of my website database and now I'm trying to use it but every time I use:
psql -U <username> -d --password <dbname> -1 -f <filename>.sql
it gives me this error
peer authentication failed for user "USER"
I tried to edit the pg_hba.conf but that did nothing.
How can I do it?
Several mistakes:
You didn't edit pg_hba.conf properly or you forgot to reload PostgreSQL.
Add your pg_hba.conf to the question for more details.
Your command line is syntactically incorrect; --password will be interpreted as argument of -d. Try
psql -U <username> -d <dbname> --password -1 -f <filename>.sql
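
Added example, not part of the original answer: a small first-match evaluator for pg_hba.conf, showing why an edit that "did nothing" is often a rule placed below the one that already matches. The sample file, the user `alice` and the function names are constructed; only `local` and `host` records with CIDR addresses are handled.

```python
import ipaddress

# Constructed pg_hba.conf: stock-style rules plus one rule appended at the end.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
local   all       all                      peer
host    all       all       127.0.0.1/32   scram-sha-256
local   all       alice                    scram-sha-256
"""

def parse_hba(text):
    """Parse 'local' and 'host' records (CIDR addresses only) into dicts."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "local":
            db, user, addr, method = fields[1], fields[2], None, fields[3]
        elif len(fields) >= 5 and fields[0] == "host":
            db, user, addr, method = fields[1:5]
        else:
            continue  # blank line, comment, or a record type not handled here
        records.append({"line": lineno, "type": fields[0], "db": db.split(","),
                        "user": user.split(","), "addr": addr, "method": method})
    return records

def _listed(names, value):
    return "all" in names or value in names

def first_match(records, conn_type, db, user, client_ip=None):
    """Return the record PostgreSQL would use: the first match, no fall-through."""
    for rec in records:
        if rec["type"] != conn_type:
            continue
        if not (_listed(rec["db"], db) and _listed(rec["user"], user)):
            continue
        if conn_type == "host":
            net = ipaddress.ip_network(rec["addr"])
            if ipaddress.ip_address(client_ip) not in net:
                continue
        return rec
    return None

def explain(conn_type, db, user, client_ip=None, hba=SAMPLE_HBA):
    rec = first_match(parse_hba(hba), conn_type, db, user, client_ip)
    if rec is None:
        return "rejected: no matching record"
    return "line %d -> %s" % (rec["line"], rec["method"])
```

psql without -h connects over the Unix socket, so it is judged by the `local` records: here `alice` hits the `peer` rule on line 3, which requires the operating-system account name to equal the database user, and the rule appended on line 5 is never consulted.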

{"error":"invalid_token","error_description":""} (Podbean api)

I am trying to use Podbean api in my Django application. As per the document provided, I am authenticating my app. I have followed all the steps but when I try to run the following code in terminal I get error:
curl -u username:password \
https://api.podbean.com/v1/oauth/debugToken \
-G -d 'access_token=t4dfcgf7eb2ba65a289a6e8a8993cb9785e877y4'
Error:
{"error":"invalid_token","error_description":""}
I have checked all my credentials and they are correct. What is the problem here?
Finally found out the mistake:
client_id = App ID
client_secret = App Secret
I was writing 'username' and 'password' for 'client_id' and 'client_secret'

scrapyd: curl error `unknown or corrupt egg`

I'm trying to update the version of my spider; I wrote:
curl http://localhost:6800/addversion.json -d project=comicvn -d spider=comicvn2 -d version= 141667324 -d egg=14116674324.egg
It gave this error: {"status"": error,"message": "ValuesError: Unkow or corrupt egg"
What is the egg parameter, and what value should I set for it? Thanks so much!
I created '14116674324.egg' by using the command bdist_egg. After that, it made a 14116674324.egg file in the path C:\Python27\Scripts\eggs\comicvn2, so I copied this file to the root folder of my project, like C:\Python27\Scripts\comicvn2.
curl http://localhost:6800/addversion.json -d project=comicvn -d spider=comicvn2 -d version= 141667324 -d egg=@14116674324.egg
You must add '@'.
See the scrapy.cfg format on the scrapy deploy doc page. Change the version entry to update the spider version:
[deploy]
url = http://scrapyd.mydomain.com
username = john
password = secret
project = project1
version = 123

Replace username/password authentication with keypair on an existing Linux AMI

I have an AMI which needs a username/password for login via ssh. I want to create new AMIs from this, in which I can log in with any newly created keypairs.
Any suggestions?
I'm not sure what AMI allows username/password login, but when you create an instance from an AMI, you need to specify a key pair.
That key will be ADDED to the authorized_keys for the default user (ec2-user for Amazon Linux, ubuntu for the Ubuntu AMI, etc).
Why don't you just add the users/password to the instance and then build your AMI from there? Then you can change your /etc/ssh/sshd_config and permit username passwords with this: PasswordAuthentication yes. Btw, username/password authentication is not recommended for servers in the cloud because of man-in-the-middle attacks (use it at your own risk).
Not sure if I understand the question fully, but if you want to change the behavior of the instance when it boots up I suggest you look at fuzzing with cloud-init. The configuration in the instance is under /etc/cloud/cloud.cfg. For example, on Ubuntu the default says something like this:
user: ubuntu
disable_root: 1
preserve_hostname: False
...
If you want to change the default user you can change it there
user: <myuser>
disable_root: 1
preserve_hostname: False
...
The simplest way to do this is by adding the following snippet to /etc/rc.local or its equivalent.
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
if [ ! -d /root/.ssh ] ; then
    mkdir -p /root/.ssh
    chmod 0700 /root/.ssh
fi
# Fetch public key using HTTP
curl -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > /tmp/aws-key 2>/dev/null
if [ $? -eq 0 ] ; then
    cat /tmp/aws-key >> /root/.ssh/authorized_keys
    chmod 0600 /root/.ssh/authorized_keys
fi
rm -f /tmp/aws-key
# or fetch public key using the file in the ephemeral store:
if [ -e /mnt/openssh_id.pub ] ; then
    cat /mnt/openssh_id.pub >> /root/.ssh/authorized_keys
    chmod 0600 /root/.ssh/authorized_keys
fi