Ubuntu Servers :: Web Authentication Using Client Cert?
Aug 6, 2011
I am running an Ubuntu server and want to host a web application (PHP/MySQL based); however, I don't want to use usernames and passwords for authentication. I'd like to use a client certificate. The military uses similar technology using the CAC card to provide the certificate for authentication.
Not sure if this would be done using the Apache modules or if PHP would be a better place to play with this.
Aug 9, 2011
I'm about to create a CSR and was reading this page in the Ubuntu docs: [URL] A couple of things:
* There's no date on the article. The documentation needs DATES because this information gets out of date! Check MySQL docs, for instance -- they are organized by version.
* The instructions for generating a cert only specify 2048 bits. I believe that's kind of out of date? The verisign site has big red warnings saying you need 2048 if you want your cert to last past 2013 -- and that article is 4 years old!
* The instructions are confusing when discussing the passphrase. We enter a passphrase only to remove it immediately. We need some clarity here. Why do this?
How to understand the current best practices for generating an HTTPS cert for apache and/or mail access?
Sep 2, 2011
I have an OpenLDAP server running on one machine (Fedora 10) and pam_ldap.so and nss_ldap.so running on the other machine.
I have added a new user to the LDAP server database; this user is not created on the client machine.
1. Can I log in to the client machine using this new user?
2. Now if i try logging with this new user I am getting error messages, the error messages are as follows at client side
Sep 2 10:34:36 localhost sshd[8484]: Invalid user kim from 10.254.194.148
Sep 2 10:34:36 localhost sshd[8485]: input_userauth_request: invalid user kim
Sep 2 10:35:16 localhost sshd[8484]: pam_ldap: error trying to bind as user "cn=min soo,ou=people,dc=samsung,dc=com" (Invalid credentials)
[Code]....
Feb 8, 2010
I need to build a cert from a CRT file.
May 27, 2010
I've setup OpenVPN-ALS (formerly known as Adito) on Ubuntu Server 10.04 edition. I have a security router (Untangle) in front of my internal network. I have a domain name and an SSL Certificate setup on our security router. I can access our web interface on our security router with no problems.
I've set up a port forward rule on our router to access this OpenVPN-ALS portal and I can access it, but I get an invalid certificate message. So I've bought another SSL certificate to install on our portal, but I'm getting an error message when I enter our information at the provider where I bought the certificate.
Common Name does not contain fully qualified domain name. I'm not sure what the problem is. Do I use the hostname I've setup on the portal or do I use the hostname on my security router when I setup the SSL certificate on our portal?
May 4, 2010
I have a Godaddy UCC (Multiple domain) certificate for the following domains:
example.com
upload1-example.com
upload2-example.com
The rsa was generated from example.com server using example.com as CN Common name.
GoDaddy's website adds the extra names to a CSR you provide, does the checks and grants the cert.
My problem is that whilst the certificate works fine on the server example.com (from which the csr was created), it comes up with two errors when restarting apache on remote servers.
1>> Certificate common name does not match server name
2>> SSL Library error - check private key:key missmatch.
I don't understand how these keys could ever work as no reference to the private keys of the remote servers is ever used in creating the UCC certificate.
Mar 14, 2011
On Ubuntu server 10.10, with a relay SMTP server with authentication via Postfix, I keep getting 535: Incorrect authentication data. I'm sure my username and password are correct. Here's how I set up Postfix: I created a file called smarthosts.conf in my /etc/postfix/ directory that contains the following:
[Code].....
My server uses plain text authentication on port 25. I would like to use security like SSL, but this particular server is unsecured.
May 21, 2010
I have been using the NX client on Windows 7 connected to Ubuntu with NX client/node/server with no issues. The matter started when I formatted Ubuntu and reinstalled NX; since then NX connects but shows a key error as follows:
NX> 203 NXSSH running with pid: 4328
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
[code]....
May 26, 2011
I have configured server ubuntu 11.04. Everything works fine, but there is a need for some clients to connect local hard drive. What should I do? How and what modules are added to the ltsp-image? How to register in the fstab on the client? Maybe I'm going the wrong way?
Jul 9, 2010
I'm working on a work project related to Web (Client) authentication and DOD Common Access Cards. But I'm having difficulty getting the details about what happens on the CAC side of things.
I'm familiar with the PKI system as it applies to e-mail. (Correct me if I err, of course.) If you want to sign an e-mail (i.e., so it can be authenticated by the receiver) you use your private key to add a digital signature to the message. Then, the receiver uses your published public key to determine if the digital signature is valid, i.e., was created using your private key (even though the receiver never actually has access to your private key).
So... my questions:
1) When a person with a DOD CAC visits a CAC-enabled web site, and the server grants access after the CAC is inserted, is the authentication process fundamentally the same as what happened with the e-mail authentication?
2) If the private key is used in this process (it would have to be, correct?) is the signature created on the CA Card electronics (i.e., the private key remains on the CAC)? Or is the private key copied onto the computer, which uses it to create the signature?
Jan 18, 2010
How to make a new Ubuntu 9.10 box use our LDAP/Samba server for user authentication? Our Red Hat and Windows machines all use it just fine. I've been trying to use the auth-client-config and libnss-ldap packages for this purpose, but I must be missing something. I'm pretty green with LDAP, so this is my first time diving in... Is there a good How-To or step-by-step read on this? All of my searches lead me to setting up Ubuntu as the server, and that isn't what I want. I've also tried the steps listed in [URL] for the LDAP Authentication section.
Mar 2, 2011
Server: Fedora 14
Client: Fedora 14
LDAP server: 389-ds
I have set up the 389 server using the default configuration. Adding user and http/pam authentication works fine. The problem I have is the client authentication. On the client machine, using "authconfig-tui" to turn on LDAP authentication it turns on sssd and use 'sss' in etc/nsswitch.conf after 'files'. I couldn't get sss working. In the end, I disabled sssd and manually changed 'sss' to 'ldap' for all configuration files including:
modify /etc/nsswitch.conf
modify /etc/pam.d/password-auth, change all sss to ldap
modify /etc/pam.d/system-auth
change /etc/sysconfig/authconfig
FORCELEGACY=yes
After these, client authentication works. I can log in to the client machine using the user/password set on the LDAP server. I thought this was done, but every day the LDAP service stops functioning once or twice. I can't log in to the client machine using the LDAP username/password. After restarting the dirsrv on the LDAP server, things are back to normal. I can't find any reasons in the /var/log/dirsrv/ldap-xxx error file and don't know how to debug the problem.
Aug 18, 2010
I was trying to setup SSL Client authentication on only one virtual host. Here is a brief excerpt sample of my conf file for the virtual host:
<VirtualHost xx.xx.xx.xx:443>
SSLRequire %{SSL_CLIENT_S_DN_O} eq "something"
SSLVerifyClient require
SSLVerifyDepth 2
</VirtualHost>
But when I try to check for syntax errors, it tells me "SSLRequire not allowed here". I do not want to add SSLRequire to the main httpd.conf because I only want it for one virtual host. The rest of the virtual hosts do not need it.
Jun 11, 2011
Just an FYI for anyone who may be having this particular problem. A short while back, I was trying to attach a picture to a Twitter post, and dropped my network connection. No big deal...connection came back, and things went on. Next time I launched Choqok, it popped up a message saying "Server Error: This method requires authentication". It was puzzling, and didn't appear to impact my use...until I went to send a direct message, and it would give that error and crash. After quitting Choqok, the file (/tmp/ksocket-user/klauncherXXXXXX.slave-socket file) was still present. Deleting that file manually cleared the error up. I've seen this mentioned in a couple of other forums, but none with a solution posted.
If anyone else has that error, and this method resolves it, please let us know. I'm using openSUSE 11.4, but it should apply to any version/distro of Linux using Choqok.
Jun 28, 2011
My client is on Ubuntu Lucid 10.04, I installed ipsec-tools and racoon from the repositories. The gateway is installed on a CentOS machine. I've configured everything to get a working roadwarrior configuration with authentication_method hybrid_rsa client and server. It's working in aggressive mode, but in main mode I can't get it working. I delivered new CA and certificates several times but I'm still stuck.
It seems that it comes from my client not supporting the certificate sent by the server. The client contains a copy of the CA, whereas server has a private key and a certificate signed by the CA.
[Code]...
Feb 8, 2010
I have a program to start called "pace_old".
In the command line I type it's name and get this:
What should I do ?
Distro is SuSe 11.1. Btw: I do not get this message on Suse 9.0. Pace_old runs properly there.
May 10, 2010
I found this video, and I really want to do the same. *newbie needs to learn [URL]...my question is, what needs to be installed and how?
Is there any specific configuration to make it work?
And will it work if I want to connect from Ubuntu to Fedora?
Apr 5, 2010
I have successful secure LDAP replication, but I could not make the LDAP client direct its authentication to the slave LDAP.
Here is my config file on the LDAP client (I am not sure if it is the right place, though):
ip : 192.168.1.183 is master ldap
ip : 192.168.1.185 is slave ldap
pico /etc/ldap/ldap.conf
#
# LDAP Defaults
code....
Mar 29, 2010
My first post here. I've been using Ubuntu to run our internal mail server for a while now on Ubuntu server 9.04 and ISPconfig 2. I've read a lot of threads on people that have difficulty connecting to their server using SSH from outside the LAN and it is not the same problem I have. Well, not entirely the same.
My problem is that my authentication fails from outside the LAN, but I can connect to the SSH port from outside my LAN. The other threads pointed towards checking the router port forwarding etc., but I can see my SSH login asking for my username and password. So, at this stage I know the port forwarding worked, otherwise I wouldn't even see the login prompt.
Has anyone seen this before where you can connect, but the authentication fails? I can use the correct username and password from inside the LAN, but using the same credentials from outside fails.
Jun 6, 2010
I am trying to install a server based on Ubuntu. It will provide many different services such as SMTP, IMAP, Jabber, SVN (via Apache), maybe a groupware and some other web applications. I'm looking for a way of authenticating the same set of users (a user essentially has a username, a domain it belongs to and some passwords) against all of the services. What is the most flexible and elegant way? I need a method which is not too bloated (MySQL or LDAP would be okay) and is easily applicable to all those services and all services which may come later.
I've read some documentation about SASL, MySQL authentication, LDAP authentication, PAM, Cyrus, Apache, ... and I'm somewhat confused now about the proper way. For now I suspect MySQL to be the best method for that, but I'm not sure about the flexibility for embedding it into all the services.
Mar 16, 2010
I am currently working in a Windows Server 2003 domain environment and I want to install and configure an Ubuntu server 9.10 as a Samba file server, and I want to allow Windows domain users to access the Samba shares with Windows authentication from the AD, so they can use their Windows user names and passwords to access Samba shares. I followed the wiki docs and configured kerb5.conf, smb.conf and winbind, but I am unable to add the Samba PC to the Windows domain.
Jun 18, 2010
I've just installed Ubuntu Server for the first time with the goal of setting it up as a proxy server for our Apple computers here, since I can get neither ISA nor OS X Server's firewall to play properly. So far I have the machine authenticating against our OS X OpenLDAP server and multiple NICs set up ready to be connected to the outside world. My question is: does anyone have a preference on what proxy I should be using? So far my search efforts seem to have turned up Squid Proxy as a favorite among Ubuntu users, but I can't seem to work out how to get it authenticating against my OpenLDAP server.
Aug 23, 2010
I have set up an apache 2 server, but can't seem to get authentication to work properly. I have set up this in my apache2.conf:
Code:
<Directory /var/www>
AllowOverride AuthConfig
</Directory>
<Directory /var/www>
AuthType Basic
[Code]...
I have created the passwords file with htpasswd and definitely have the right password for bob. However, when I try to log in, the box just comes up over and over again and never authenticates. What am I doing wrong? I'm a newbie, so please bear with me if I've missed something really stupid.
Oct 30, 2010
I have set up a Ubuntu server to handle Dan's Guardian for protection of the children. I need next to set up a centralized file server and some kind of authentication method.
We are dual booting the computers just now since we need to use "Rosetta Stone" language software and they will not release a certain plugin for Linux according to our assigned help person. We also use pure Windows XP in some classrooms for now, and will do so until the school's children get used to Ubuntu.
So, what is the best authentication method for a mixed environment? Where might I find a Ubuntu "howto" on the method?
What is the best way to set up a file server? Howto? Can the box running Dan's Guardian also be the authentication box and file server? (it is our newest box, only 2 years old and has a large hard drive)
Nov 4, 2010
To begin, this is the thread that I always use to set up my Ubuntu boxes for AD authentication:
[URL]
I've had this 10.04 server running for about three months with AD authentication running on it perfectly. I have multiple Samba shares that authenticate from AD as well. For some reason, this week it decided to completely stop accepting any authentication from AD.
I checked all of my config files, they are all untouched. I have restarted the machine multiple times. I have unjoined and rejoined the domain on the Ubuntu server. I have no audit failures in my security logs on the domain controller.
Output of /var/log/auth.log whenever I try to log on via an AD user:
Code:
Nov 4 11:58:50 caribbean sshd[1869]: Invalid user justin from 10.3.17.12
Nov 4 11:58:50 caribbean sshd[1869]: Failed none for invalid user justin from 10.3.17.12 port 54738 ssh2
Nov 4 11:58:51 caribbean sshd[1869]: pam_winbind(sshd:auth): getting password
[Code].....
Mar 16, 2011
I am taking another stab at this. The last time I attempted it, it seemed like everyone had a different way to do it, but nobody could give me an answer on how to do it...
I currently have a Domain Controller running SME Server and a domain controller, using LDAP as a backend. I have two file servers running Ubuntu 10.04. My overall goal is to have it so when I create a username on the domain controller, it is then automatically copied over to the fileservers. This way everyone will have their own username and password to access the fileservers and I'll be able to track what people do on the fileservers.
The next necessity is for me to be able to apply permissions to the folders on the fileserver based on the users that are created on the domain controller.
Aug 26, 2011
LDAP Authentication for Web Access I am trying to build a LDAP server to allow access to the wireless network in conjunction with Meraki wireless access points. I am using Ubuntu 10.10 and trying to install OpenLDAP from their documentation but I keep running into the error "configure: error: MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)" I have OpenSSL installed but I also got these when I ran ./configure
checking openssl/ssl.h usability... no
checking openssl/ssl.h presence... no
checking for openssl/ssl.h... no
checking gnutls/gnutls.h usability... no
[code]....
Jan 28, 2011
I'm trying to access a Verisign signed site [URL] and getting a certificate not known error when I do. Do I really need to import Verisign? If so, how?
Jan 29, 2010
I would like to configure Squid and DansGuardian in such a way that it's a proxy with authentication via website. That means: a new notebook gets the network information like IP address etc. via DHCP. When it now tries to open an Internet connection, it should check if the user is authenticated and, if not, the user should get (if this try is from a browser) a login screen in HTTP. It should also not be possible to have an Internet connection without being logged in. The clients are Windoze, Mac and Linux. My question now: what programs/daemons are there for doing this authentication? Would you decide on another program instead of Squid?
Feb 3, 2010
Just installed Alfresco 3.2 using the Canonical repo in Karmic. Unable to find proper guide to enable Active Directory authentication.