I have a windows c++ application which uses libpq to work with PostgreSQL.
My code is:
std::string conninfo = "host=localhost port=5432 dbname=test connect_timeout=10";
_connectionHandlerPtr = PQconnectdb(conninfo.c_str());
Now I need to use MIT Kerberos for authentication.
I installed MIT Kerberos.
What I need to do in my code?
What I need to change in PostgreSQL config?
I don't think you need to change anything in your code. A quick look at psql suggests that all the Kerberos support is handled via libpq, so psql doesn't have to care; the same should be true of your app.
If your system is set up for Kerberos auth and has a ticket, you should just need to set krbsrvname in your libpq connection string. See the libpq parameters. On Windows you may also need to set gsslib to gssapi if you want to use MIT Kerberos instead of SSPI.
Related
I need some guides or keywords I can use for my additional research.
Assume there are client and server apps written in C++. There is a possibility to pass blobs from client to server and vise versa. On windows, we can introduce Kerberos utilization, generating, processing such blobs, accepting it, impersonating threads, etc. There are some examples on msdn. It's not so simple, but I've managed to make it work.
But what if my client runs on linux machine? The simplest and unsecured way of authentication is to pass username/domain/password of user in raw format via blobs. But if I want to use Kerberos? So, the questions are:
What preconditions do I need to have on client linux machine? My first thoughts were about some kind of samba/winbind things installed there. I heard samba authenticates to windows AD via Kerberos.
Is there any good examples of performing Kerberos handshake on linux? I know there are some examples on MIT website. Should I use these ones? I guess it's not so easy to make it work in a right way and test it (actually I KNOW it from my windows experience).
The API you should investigate is GSSAPI. If the windows server application uses SSPI ( the windows version of GSSAPI ) then you should be able to write an interoperable client using GSSAPI. It really depends on exactly how the windows server uses SSPI though. See MSDN SSPI for some details.
The MIT kerberos libraries are available with most linux distributions and have all the libraries you need to do GSSAPI with kerberos.
GSSAPI is a library for wrapping data, you still need to implement the resulting protocol exchange. Depending on exactly how the windows server is written this may be quite complex.
It is possible to use Active Directory as your KDC for writing linux client/server kerberos applications. Looking at the Linux Samba code should
help you understand some of the issues involved in writing a linux client
for windows based services.
I just started my adventure with the Redmine 3.0, the project manager.
I can't Google out if there is an option to export its calendar to e.g. thunderbird-ligthning. There are some plugins, but they are not compatible with current Redmine 3.0. I couldn't find out anything relevant in the changelog, too.
Can anyone tell me from their own experience, if (and how) this feature is available?
Generally, anything that exports to the ics format can be made available to Thunderbird/Lightning, or any other calendaring program. The other option is to make use of the caldav protocol, which is also standardized.
I have heard reports that this fork of the redmime ics export plugin works for 3.x, but I haven't tested it myself. Maybe you can give it a try.
If you would like to create your own, I'd suggest adapting sabreDAV to use redmime as a backend. As an example for how to write a custom sabre frontend for a different service, check out this work.
I have a Django web app that provides a download facility for a private user dropbox by issuing HTTP requests to a lighttpd server using the x-send-file header. I would like to extend this functionality to allow WebDav access from third party clients. Is this possible? The only examples I can see have statically defined WebDav folders.
The only example of a per-user dynamic WebDAV confir I can find is this solution using the Apache LA-U look-ahead feature.
I'd love to extend my Django app for this but the key requirement is to be able to generate a dynamic config. Integration with a third party solution would be OK.
Any suggestions?
Michela
I wanted to do the same thing. I also wanted to use other parts of Django with WebDAV, so I started the django-webdav project.
http://code.google.com/p/django-webdav/
At this point it is working (passes litmus basic + movecopy tests) and I can use it with Windows and Linux (DAVfs2).
Check it out and help out if you think it suits your needs.
Can anyone recommend how to implement SecurID authentication in Linux C++ based application? I I was thinking of the following options:
An apache module for SecurID (we're using Apache on the front-end)
PAM
Some combination of SecurID through Radius that I've heard about but don't understand
Using something like ace-radius together with a RADIUS server seems to me like the easiest solution.
If I recall right RSA provides a RADIUS server in the ACE/SecurID distribution, so this should be easy to setup.
The simplest, fastest way to integrate with SecurID is the SecurID apache module (http://www.emc.com/security/rsa-securid/rsa-authentication-agents/apache-7-1.htm).
Using the RSA SecurID PAM module (http://www.emc.com/security/rsa-securid/rsa-authentication-agents/pam-7-0.htm) is another option, that has the advantage that it'd also provide OS-level OS-level authentication.
The 3rd option would be to integrate RADIUS in your app and have it talk to Authentication Manger, but it's probably as simple if not simpler to use SecurID SDK directly (in C in your case) so that your app talks directly to the Authentication Manager server.
Hope this helps
We currently have an application that runs an embedded jetty 6.1.14 server to which we need to add authentication via Kerberos. I'm new to Kerberos, which makes the task about 100x harder that maybe it should be. I've scoured the internet and have found conflicting reports as to whether or not it is even possible but nothing much to provides guidance as to how to proceed.
I've managed to have the server basically be able to authenticate the users via kerberos but can't find away to have the client automatically send its kerberos ticket: I have to use the from auth-method, though there are hints that this may be using filters, which are very poorly documented.
My question - and I apologize for it being a bit vague, I've not been this exasperated in quite a long time - is to request some guidance for plugging in kerberos authentication without login forms in Jetty 6? Or am I just out of luck? Has anyone added this type of authentication to jetty 6?
If Jetty supports Servlet Filters (JSR-53), then this open source project http://spnego.sourceforge.net might be what you are looking for.
You have to prepare your domain environment first. Make sure that your server if part of your domain (joined it). Then you have to create an machine account and assign an SPN. If you have done that, create a keytab for that account. From now on a client will be able to search for the host in the domain and create a ticket for. Then comes Jetty into play.