AD Domain Trusts/LDAP Queries

Yes we have been working with the mangle policy this morning but with no
success so far, is there a way to debug the mangle policy to see what is
being parsed out and presented as the final user lookup?

Thanks!!

Hi Rick,

you should be able to see a log entry in loglevel DEBUG in
privacyidea.log like:

"mangling authentication data: %s"

So set loglevel to DEBUG and restart the webserver.

What does your policy look like?

Kind regards
Cornelius

On Wednesday, 04.11.2015, 05:54 -0800, RickP wrote:

Yes we have been working with the mangle policy this morning but with
no success so far, is there a way to debug the mangle policy to see
what is being parsed out and presented as the final user lookup?

Thanks!!


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1d6d06c1-6991-4c81-bee1-a7861280be90%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel


We dropped this new file prepolicy.py into place and restarted the web
services, but still are not seeing anything in the log file relating to
mangle, mangling, mangler.

Touché!

I misunderstood your setup.
I thought that you are using SSH with online authentication (OTP)
against privacyIDEA.

But indeed: the ssh KEY authentication works a bit differently.

Are you using AuthorizedKeysCommand to retrieve the users' keys in real
time from privacyIDEA?
…with the script privacyidea-authorizedkeys from the admin client?

Kind regards
Cornelius

On Thursday, 05.11.2015, 07:45 -0800, RickP wrote:

Knowing now what “prepolicy” file was supposed to be run, we sprinkled
log.debug msgs all through that file, and it never writes anything to the
log.

Are we sure the mangle policy is run with SSH key validation and not
just with the OTP components?




Hi Rick,

I added an issue.

(I also already have the fix, which was one line of import and one line
of code :wink:)

Well, but I think you might not have the ssh keys quite right:

The token type SSH key is assigned to a user.

But the user it is assigned to is not necessarily the local user on
the ssh server.

e.g.

Imagine a domain administrator “rickp”, who has his personal ssh key token
“sshtoken1” assigned.
But this user wants to log in with this ssh key to a ssh server
“sshserver1” as user “root”.

This is why you can add an option to the machinetoken assignment:

"sshserver1"  <---[App: ssh]--- "sshtoken1"
                                     options: user=root

I would very much like to discuss your scenario to get the ssh token
functionality improved.

I assume your ssh users are always the same username, like in
privacyIDEA, i.e.

ssh user on ssh server: DOMAIN\rickp
token owner in privacyidea: rickp

Kind regards
Cornelius

On Thursday, 05.11.2015, 16:54 +0100, Cornelius Kölbel wrote:

Touché!

I misunderstood your setup.
I thought that you are using SSH with online authentication (OTP)
against privacyIDEA.

But indeed: the ssh KEY authentication works a bit differently.

Are you using AuthorizedKeysCommand to retrieve the users' keys in real
time from privacyIDEA?
…with the script privacyidea-authorizedkeys from the admin client?

https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys

Kind regards
Cornelius

On Thursday, 05.11.2015, 07:45 -0800, RickP wrote:

Knowing now what “prepolicy” file was supposed to be run, we sprinkled
log.debug msgs all through that file, and it never writes anything to the
log.

Are we sure the mangle policy is run with SSH key validation and not
just with the OTP components?



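To make the machine-assignment "user" option from the message above concrete, here is an added example (not privacyIDEA's own code, and not the privacyidea-authorizedkeys script): a hypothetical `serve_keys_for()` that does what an AuthorizedKeysCommand helper must do with such assignments, over a constructed list of token-to-machine records whose shape is assumed, not the server's real API.

```python
# Added illustration of the machine-token "user" option described above.
# NOT privacyIDEA's code or API: the assignment records below are a
# constructed, hypothetical shape, and serve_keys_for() is a hypothetical
# stand-in for the filtering an AuthorizedKeysCommand script has to do.

# Constructed sample: SSH-key tokens assigned to machine "sshserver1" with
# app "ssh". Keys are shortened placeholders, not real public keys.
ASSIGNMENTS = [
    {"serial": "sshtoken1", "owner": "rickp",
     "options": {"user": "root"},              # domain admin -> local root
     "sshkey": "ssh-rsa AAAAB3...rickp rickp@example"},
    {"serial": "sshtoken2", "owner": "alice",
     "options": {"user": "alice"},             # same name on both sides
     "sshkey": "ssh-ed25519 AAAAC3...alice alice@example"},
    {"serial": "sshtoken3", "owner": "bob",
     "options": {},                            # no "user" option set
     "sshkey": "ssh-rsa AAAAB3...bob bob@example"},
]


def serve_keys_for(local_user, assignments):
    """Return the authorized_keys lines for the local account sshd asked for.

    sshd invokes AuthorizedKeysCommand with the *local* login name (%u).
    A token is offered for that account only when its assignment carries
    an explicit options["user"] equal to it. The token owner's privacyIDEA
    username is deliberately not used as a fallback (a design choice of
    this example), so a token belonging to "rickp" is never presented for
    "root" unless the assignment says user=root, and an unmapped token is
    served for nobody.
    """
    lines = []
    for entry in assignments:
        mapped_user = entry.get("options", {}).get("user")
        if mapped_user is None:
            continue                      # unmapped: no local account
        if mapped_user != local_user:
            continue                      # mapped to a different account
        lines.append(entry["sshkey"])
    return lines


if __name__ == "__main__":
    for account in ("root", "alice", "bob", "rickp"):
        print(account, "->", serve_keys_for(account, ASSIGNMENTS))
```

For this to work, sshd must hand the requested login name to the helper, i.e. the AuthorizedKeysCommand line needs the `%u` token as an argument; the helper then asks only for keys mapped to that account.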

I created a branch with a tiny patch in privacyidea-authorizedkeys.
At the moment this seems to be simpler than pushing the changes into the
server.

But you need to set the “user” option for the ssh machine assignment.

Kind regards
Cornelius

On Thursday, 05.11.2015, 09:54 -0800, RickP wrote:

Exactly what we are doing, pulling ssh keys via

AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys





Knowing now what “prepolicy” file was supposed to be run, we sprinkled
log.debug msgs all through that file, and it never writes anything to the log.

Are we sure the mangle policy is run with SSH key validation and not just
with the OTP components?

Exactly what we are doing, pulling ssh keys via

AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys

Hi Rick,

I think that you changed your directory structure, so you do not need
domain trust anymore.
Nevertheless, there was some movement on the trusted domain topic.

So chances are good that domain trust will work with the underlying
LDAP library.
…just to let you know.

Kind regards
Cornelius

On Thursday, 05.11.2015, 09:54 -0800, RickP wrote:

Exactly what we are doing, pulling ssh keys via

AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys



