Where are some real directions on how to use this thing?


Jon Leszczynski
Jun 6, 2014, 4:28:13 PM
to rcdevs-t...@googlegroups.com
I've deployed and configured the VMware appliance.

I then successfully tested a user I created for two-factor using Google Authenticator on my phone and having it email my Gmail account.

I then configured the servers.xml and the webadm.conf files and successfully connected to my 2012 domain controller. I was able to log in to the web console with the Active Directory account identified in the webadm.conf file (using the fully distinguished name at first), extend the AD schema and get the other items to show as green. From there I was able to log in using the short version of that earlier-mentioned account, using the DEFAULT domain and the password which is in Active Directory. I am able to browse the LDAP structure of AD but now am stuck. Not only can I not log in using other AD accounts (accounts that the WebADM LDAP sees as being super admins) (and I tried moving the accounts into the same container as the default admin account), but I cannot even figure out how to get the second-factor stuff going on the one admin account that does work.

Where is a good document or video (and the WebADM Admin guide does NOT qualify for this) that shows how to actually USE this thing now?

Thanks, in advance.

Terence Agius
Jun 9, 2014, 4:21:41 AM
to rcdevs-t...@googlegroups.com
I have exactly the same issue. Everything appears to work, but there are no practical docs on how to use it in a real live environment, and I have been trying for months now.

Administrators
Jun 9, 2014, 4:49:25 AM
to rcdevs-t...@googlegroups.com
WebADM Admin console is ONLY for Admins.
I.e., an LDAP/AD account with LDAP admin privileges.
The admin account should be an LDAP admin (e.g. in Domain Admins) and part of the super_admins or other_admins groups (defined in webadm.conf).

Then (by using these admin accounts), you can 'activate' other users to make them usable with OpenOTP.
-> Edit another user in WebADM, click 'activate'.
At this point new menus and options (action boxes) appear when you edit the 'activated' users.
You can enrol/test tokens etc...
Then you can implement some integrations like VPN integration with RADIUS (explained in the RadiusBridge manual).

Note that WebADM usage is explained in the WebADM Admin Guide.

cwbarton99
Mar 24, 2015, 2:50:06 PM
to rcdevs-t...@googlegroups.com
Joe - did you give up on this product, or were you able to find a source for (GOOD) installation, setup and usage instructions? I would like to deploy dual-factor to my Win7 desktops in an Active Directory domain.

Thanks in advance for any solid advice from anyone.

Spyridon Gouliarmis (RCDevs)
Mar 25, 2015, 6:27:09 AM
to rcdevs-t...@googlegroups.com
We are working on a series of written tutorials that describe the necessary steps to get some common features working. I'm just finishing the formatting on one for PAM integration, and we'll be starting the next one soon, probably on just getting WebADM installed. We'll start on some videos in the future, probably after a well-needed site re-design.

In the meantime, what's wrong with the WebADM installation manual? We know our documentation is far from perfect, but some vague variation of "it sucks" won't help us improve it. Ideally, we would like what steps you have taken (including what parts of our documentation you have read) and where you got stuck, so we can remove that roadblock.

Note that you can also post any issue you have here. If a question pops up too often, we will find a way to fix that, if only to lessen our work load.

Craig Barton
Mar 25, 2015, 8:56:47 AM
to rcdevs-t...@googlegroups.com
Good morning Spyridon. First my apologies. Typically there are multiple resources in the "Open Source" world where others have documented their experience, which I have found extremely helpful. I have been successful at standing up several open source products and moving them into production using this method. I am simply having difficulty understanding first, is this the product I can use for this project, and second, how to install and configure it (and what exactly is "it" - I'm thinking I need WebADM with OpenOTP with Windows RADIUS in a 2003 Active Directory environment).

It was not my intent to "trash talk" your existing documentation - but to look for additional resources to supplement what is available on your site. 

To that end let's start again.  I am looking to deploy two-factor authentication at the desktop logon process for about 30-40 Windows 7 workstations.  We are currently running Active Directory (Server 2003).  If this pilot works we may then add an additional 150 workstations.

Based on what I've read I need to deploy Webadm, get it functional in our AD environment, then add OpenOTP ... Is this correct?

If yes, then my intention is to stand up a CentOS 6.4 stand alone server and install Webadm and OpenOTP. I am also running Windows RADIUS server which appears to be required.

Thank you kindly for your assistance.




Spyridon Gouliarmis (RCDevs)
Mar 25, 2015, 10:26:46 AM
to rcdevs-t...@googlegroups.com
Then what you want is probably our credential provider (Look for "OpenOTP Plugin for Windows Login" in https://www.rcdevs.com/downloads/index.php?id=Integration+Plugins), which contains an .msi you will have to install on your test workstations, and a .pdf documenting it. Some of the configuration features of the provider will only make sense after you have played a bit with WebADM.

You should, basically,
- install WebADM (with "apps") and a MySQL instance (CentOS' package should do) on a 6.6 CentOS machine,
(if you don't want to muck around with AD schema changes before you are sure you want the software, choose "without schema extension" during the install)
- configure WebADM through webadm.conf and servers.xml, then configure the OpenOTP app specifically once logged in WebADM's GUI,
- "activate" a test user account in WebADM and register a token for it,
- install the credential provider on one of your workstations and test it with your account and token.

Yup, that's complicated. Our product is an "enterprise" solution, in the sense that we'll add features big clients want at the cost of making it a bit ugly and unwieldy. But we are aware of that, and if something seems to take too much time, don't try to muscle through the nonsense; contact us at _sup...@rcdevs.com and we'll walk you through the set up. We are actually very proud of our support and will gladly show why.

> On Wednesday, March 25, 2015 at 1:56:47 PM UTC+1, cwbarton99 wrote:
> Good morning Spyridon.  First my apologies.

That's cool. We know how hard it is to get started with our product and we are working on it.

> Typically there are multiple resources in the "Open Source" world where others have documented their experience which I have found extremely helpful. I have been successful at standing up several open source products and moving them into production using this method.

OpenOTP, as the name implies, was open-source at some point, and RCDevs was set up to offer services around it. I will let you guess how well that worked out.

Most of the value of our software comes from all the unsexy integration between antiquated protocols, badly-designed/misbehaving software and such, not from implementing some OTP standard (our implementation of TOTP is less than a hundred lines). I would not expect anyone to do that work for free.

Craig Barton
Mar 25, 2015, 4:38:39 PM
to rcdevs-t...@googlegroups.com
Thank you once again for your assistance. I have begun the process of installing WebADM on my CentOS server and am getting an error when trying to start:

[root@drs-rcdev-otp /]# /opt/webadm/bin/webadm start
Stopping WebADM Session server... Ok
Stopping WebADM PKI server... Ok

Checking system architecture... Ok
Checking server configurations... Ok

No Enterprise license found (using bundled Freeware license)
Contact sa...@rcdevs.com for commercial information

Starting WebADM PKI server... Ok
Starting WebADM Session server... Ok
Starting WebADM HTTP server...AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
 Failed


I have searched the Google/Groups forum but no luck there.

So from the top:

I downloaded webadm from your site as well as the installation .pdf document and followed the instructions as closely as possible.
I setup a MySQL Db called webadm with a webadm username and password
Made sure our Domain controller has CA installed
Edited servers.conf and added the AD administrator name and password as well as our domain name in the locations directed in the documentation.
Copied the webadm.conf and the objects.xml to the conf folder ...

Ran the startup command with the results you see above.

I also edited the SELinux file and set it to disabled ...

Is there something obvious I missed?

Again, thanks in advance!

Administrators
Mar 25, 2015, 5:38:24 PM
to rcdevs-t...@googlegroups.com
Hi,

It looks like another process is already listening on port 80.
Could you type the following command and tell us what you get:

    netstat -lnpt |grep ':80'

Thanks

Craig Barton
Mar 26, 2015, 8:47:28 AM
to rcdevs-t...@googlegroups.com
[root@drs-rcdev-otp /]# netstat -lnpt|grep ':80'
tcp        0      0 :::80                       :::*                        LISTEN      3180/httpd    

Thanks.
Craig.

Administrators
Mar 26, 2015, 9:24:24 AM
to rcdevs-t...@googlegroups.com
httpd is already listening and that's why WebADM couldn't start.

Unless you're using httpd for other stuff, you can first stop it:
    service httpd stop

I guess it's configured to start automatically during boot. You can verify it with the following command:
    chkconfig --list |grep httpd

If you get something like:
    httpd        0:off    1:off    2:on    3:on    4:on    5:on    6:off

Then you can prevent it from starting at any run level (1-6) and grabbing the port:
    chkconfig httpd off

At this point, you should get:
    chkconfig --list |grep httpd    ==>>  httpd        0:off    1:off    2:off    3:off    4:off    5:off    6:off

And finally WebADM should start without any glitch...

Craig Barton
Mar 26, 2015, 9:50:24 AM
to rcdevs-t...@googlegroups.com
Okay - we are now past that issue - on to the next.

Once I stopped the httpd service I logged into the WebADM server as root, launched my web browser, opened https://<server IP> and got an error "Cannot find any available LDAP servers".

I went back to the documentation (WebADM Installation Guide). Under 5.4.4 it says "Follow the procedure provided to setup an Enterprise CA."

I opened RDP to my Domain Controller and launched CA - but not sure what to do there.
I am assuming there should be some type of setup here for connection to the WebAdm server ??

Thanks again for your assistance.
Craig.


Spyridon Gouliarmis (RCDevs)
Mar 26, 2015, 10:07:46 AM
to rcdevs-t...@googlegroups.com
The whole CA business is so that your domain controller allows access to LDAP clients (such as WebADM) over SSL/TLS. As the manual section you point out says, domain controllers allow LDAP clients to do sensitive operations only over the secure channel that SSL provides, so eventually, to do serious administration through WebADM's interface, you are going to need some CA somewhere to give an SSL certificate to your domain controller. But for now let us just get the basic stuff working.

Check the /opt/webadm/conf/servers.xml file on WebADM's host. There should be a section telling WebADM what LDAP server to connect to. It should be your domain controller, so it would look like this:

<LdapServer name="LDAP Server"
        host="your.domain.controllers.name"
        port="389"
        encryption="NONE"
        cert_file=""
        key_file="" />

After any change to servers.xml, you need to restart WebADM (in CentOS, "service restart webbed" should do). Then try to connect again to the web interface.

Spyridon Gouliarmis (RCDevs)
Mar 26, 2015, 10:13:15 AM
to rcdevs-t...@googlegroups.com
I meant "service webadm restart". Thank you, Apple spell checker.

We can arrange a call over TeamViewer before the end of the week, if you want, and we'll guide you through the basics so you have a functioning system to play with.

Craig Barton
Mar 26, 2015, 12:48:09 PM
to rcdevs-t...@googlegroups.com
Spyridon and Team,

Once again, thanks for your assistance thus far.

I have now launched the Webadm site and logged in with the cn=admin,cn=Users, dc= ... etc and password

I then ran through the Setup option - which appeared to complete. The only failure I noted is below.

Creating WebADM option sets container cn=OptionSets,cn=WebADM,dc=drs,dc=local... Success
Creating optionset for cn=Users,dc=drs,dc=local... Failed
Creating WebADM WebApps container cn=WebApps,cn=WebADM,dc=drs,dc=local... Success
Creating WebADM WebSrvs container cn=WebSrvs,cn=WebADM,dc=drs,dc=local... Success
Creating WebADM Domains container cn=Domains,cn=WebADM,dc=drs,dc=local... Success
Creating domain for cn=Users,dc=drs,dc=local... Failed
Creating WebADM Clients container cn=Clients,cn=WebADM,dc=drs,dc=local... Success
Creating WebADM mount points container cn=Mountpoints,cn=WebADM,dc=drs,dc=local... Success


It still requires me to use the  cn=admin,cn=Users, dc= ... etc.  However once I log in I am now presented with what appears to be the HOME page with many options, but it's not clear what the next step should be.

Craig.


Spyridon Gouliarmis (RCDevs)
Mar 26, 2015, 12:58:31 PM
to rcdevs-t...@googlegroups.com
That's a curious one. When the WebADM GUI complains it fails to do something, the first thing to look at for clues is /opt/webadm/logs/httpd.log . It's also available in the GUI in the "Database" menu. Can you post the last lines of that log here?

Craig Barton
Mar 26, 2015, 1:09:03 PM
to rcdevs-t...@googlegroups.com
Here are the last lines of the log file:

[2015-03-26 12:31:55] [192.168.168.78] [Admin_E625F784] Login success for 'cn=drsadmin,cn=Users,dc=drs,dc=local' (super admin)
[2015-03-26 12:36:55] [192.168.168.78] [Admin_E625F784] Could not read LDAP object 'cn=drs.local,cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-03-26 12:37:04] [192.168.168.78] [Admin_E625F784] Could not read LDAP object 'cn=drs.local,cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-03-26 12:37:04] [192.168.168.78] [Admin_E625F784] Could not create LDAP object 'cn=drs.local,cn=Domains,cn=WebADM,dc=drs,dc=local' (Server is unwilling to perform)
[2015-03-26 12:59:12] [192.168.168.78] [Admin_E625F784] Could not read LDAP object 'cn=cn\\=Domains\\,cn\\=Users\\,dc\\=drs\\,dc\\=local,cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-03-26 12:59:20] [192.168.168.78] [Admin_E625F784] Could not read LDAP object 'cn=cn\\=Domains\\,cn\\=Users\\,dc\\=drs\\,dc\\=local,cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-03-26 12:59:20] [192.168.168.78] [Admin_E625F784] Could not create LDAP object 'cn=cn\\=Domains\\,cn\\=Users\\,dc\\=drs\\,dc\\=local,cn=Domains,cn=WebADM,dc=drs,dc=local' (Server is unwilling to perform)
[2015-03-26 13:00:32] [192.168.168.78] [Admin_E625F784] Could not read LDAP object 'cn=cn\\=drs\\,cd\\=Users\\,dc\\=drs\\,dc\\=local,cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-03-26 13:00:34] [192.168.168.78] [Admin_E625F784] Could not read LDAP object 'cn=cn\\=drs\\,cd\\=Users\\,dc\\=drs\\,dc\\=local,cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-03-26 13:00:34] [192.168.168.78] [Admin_E625F784] Could not create LDAP object 'cn=cn\\=drs\\,cd\\=Users\\,dc\\=drs\\,dc\\=local,cn=Domains,cn=WebADM,dc=drs,dc=local' (Server is unwilling to perform)

Spyridon Gouliarmis (RCDevs)
Mar 26, 2015, 1:15:53 PM
to rcdevs-t...@googlegroups.com
Could be something in your webadm.conf . Can you post the contents of /opt/webadm/conf/webadm.conf?

Craig Barton
Mar 26, 2015, 1:20:48 PM
to rcdevs-t...@googlegroups.com
[root@drs-rcdev-otp conf]# cat ./webadm.conf
#
# WebADM Server Configuration
#

# WebADM login mode
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name and password.
# - DN: Requires login DN and password.
# Using certificates is the most secure login method. To use certificate login,
# you must login WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where are located the administrator users. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to login with the the full user DN and setup
# a WebADM domain to be able to use the UID login mode.
auth_mode UID
# Show the registered domain list when auth_mode is set to UID.
list_domains Yes
# Set a default admin login domain when auth_mode is set to UID.
#default_domain "Default"

# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users / groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user     "cn=drsadmin,cn=Users,dc=drs,dc=local"
proxy_password "Pyr0-m@n"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restriction configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be is something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=drsadmin,cn=Users,dc=drs,dc=local", \
         "cn=Domain Admins,cn=Users,dc=drs,dc=local"

# Any other WebADM administrator must be defined in the other_admins to be able
# to login. You can set access restrictions for other admins in WebADM OptionSets.
# You can set a list of individual LDAP users or LDAP groups.
# You can comment the setting not to use other administrators.
# With ActiveDirectory, you can use another existing security group here.
# other_admins "cn=Other Admins,cn=Users,dc=mydomain,dc=com"

# LDAP objectclasses
container_oclasses      "container", "organizationalUnit", "organization", "domain", "locality", "country", \
                        "openldaprootdse", "treeroot"
# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses           "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses          "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup", "posixGroup"
# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "bootabledevice"
webadm_group_oclasses   "bootabledevice"
webadm_config_oclasses  "device"

# LDAP attributes
certificate_attrs       "userCertificate"
password_attrs          "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs               "uid", "samAccountName", "userPrincipalName"
member_attrs            "member", "uniqueMember"
memberof_attrs          "memberOf", "groupMembership"
memberuid_attrs         "memberUid"
language_attrs          "preferredLanguage"
mobile_attrs            "mobile"
mail_attrs              "mail"
webadm_data_attrs       "bootFile"
webadm_settings_attrs   "bootParameter"
webadm_type_attrs       "serialNumber"

# ignore some AD attributes
ignored_attrs "ntsecuritydescriptor", "objectcategory", "objectsid", "badpasswordtime", \
              "badpwdcount", "lastlogoff", "lastlogon", "logoncount", "lastlogontimestamp", \
              "pwdlastset", "primarygroupid", "samaccounttype"

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM Optionsets container
optionsets_container "cn=OptionSets,cn=WebADM,dc=drs,dc=local"
# WebApp configurations container
webapps_container "cn=WebApps,cn=WebADM,dc=drs,dc=local"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,cn=WebADM,dc=drs,dc=local"
# Mount points container
mountpoints_container "cn=Mountpoints,cn=WebADM,dc=drs,dc=local"
# Domain and Trusts container
domains_container "cn=Domains,cn=WebADM,dc=drs,dc=local"
# Clients container
clients_container "cn=Clients,cn=WebADM,dc=drs,dc=local"

# You can set here the timeout (in seconds) of a WebADM session.
# Web sessions will be closed after this period of inactivity.
# The Manager Interface cookie-based sessions are disabled by default.
admin_session 900
manager_session 0
webapps_session 600

# You can set here the WebADM internal cache timeout. A normal value is one hour.
cache_timeout 3600

# Time zone
# Look at the docs/timezones.txt for the list of time zones.
time_zone "America/New_York"

# Application languages
languages "EN","FR","DE","ES","IT","FI"

# WebADM encrypts LDAP user data, sensitive configurations and user sessions with
# AES-256. The encryption key(s) must be 256bit base64-encoded random binary data.
# Use the command 'openssl rand -base64 32' to generate a new encryption key.
# Warning: If you change the encryption key, any encrypted data will become invalid!
# You can set several encryption keys for key rollout. All the defined keys are used
# for decrypting data. And the first defined key is used to (re-)encrypt data.
# Two encryption modes are supported:
# Standard: AES-256-CBC (default)
# Advanced: AES-256-CBC with per-object encryption (stronger)
encrypt_data Yes
encrypt_mode Standard
encrypt_key  "yv6kY4CMngOWJTt4V8BdrIK5LWc3cvoOnQqmSTT9zko="

# Hardware Cryptographic Module
# Only Yubico YubiHSM is currently supported for WebADM hardware encryption.
# Up to 8 HSM modules can be concurrently attached to the server.
#hsm_model YubiHSM
#hsm_keyid 1

# The group mode defines how WebADM will handle LDAP groups.
# - Direct mode: WebADM finds user groups using the memberof_attrs defined above.
#   In this case, the group membership is defined in the LDAP user objects.
# - Indirect mode: WebADM finds user groups by searching group objects which contain
#   the user DN as part of the member_attrs.
# - Auto: Both direct and indirect groups and used.
# - Disabled: All LDAP group features are disabled in WebADM.
# By default (when group_mode is not specified) WebADM handles both group modes.
group_mode Auto

# LDAP cache increases a lot performances under high server loads. The cache limits
# the number of LDAP requests by storing resolved user DN and group settings. When
# enabled, results are cached for 300 secs.
ldap_cache Yes

# You can optionally disable some features if you run multiple WebADM server with
# different purposes. For example, if you dont want to provide admin portal on an
# Internet-exposed WebApps and WebSrvs server.
# By default, all the functionalities are enabled.
enable_admin Yes
enable_manager Yes
enable_webapps Yes
enable_websrvs Yes

# Enable extended logging to the httpd.log and soapd.log files (enabled by default).
# Records all WebApps and Web Service events to the httpd.log and soapd.log files.
log_webapps Yes
log_websrvs Yes

# Enable syslog reporting (disabled by default). When enable, system logs are sent
# to both the WebADM log files and syslog.
log_syslog No
#syslog_facility LOG_USER

# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# is defined, the alerts are also sent by email to the configured recipient(s).
#alert_email "m...@mydomain.com"

# If your WebADM server is used behind a reverse proxy or load-balancer, you can set
# the IP address if the the reverse proxy server(s).
# Your proxy MUST create the HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers.
#reverse_proxies "192.168.0.100", "192.168.0.101"

# Check for new versions on RCDevs' website (requires HTTP connectivity).
check_versions Yes

# WebApps theme
# Comment the following line to disable the default theme.
webapps_theme "default"

# Misc options
#treeview_width 300
#treeview_items 1500
#default_portal Admin
#case_sensitive No
[root@drs-rcdev-otp conf]#

Spyridon Gouliarmis (RCDevs)
Mar 26, 2015, 1:58:03 PM
to rcdevs-t...@googlegroups.com
The general feeling at the office is that you may have found a bug in our product when connecting to AD 2003. We've started installing a 2003 server to try and replicate your problem. We should have something running by tomorrow and we will then have a better idea of what to try next.

By the way, in your webadm.conf, can you replace

webadm_account_oclasses "bootabledevice"
webadm_group_oclasses   "bootabledevice"

with

webadm_account_oclasses "bootabledevice", "user"
webadm_group_oclasses   "bootabledevice", "group"

and then restart WebADM?
...

Spyridon Gouliarmis (RCDevs)
Mar 26, 2015, 2:09:19 PM
to rcdevs-t...@googlegroups.com
Actually, definitely add the "user" and "group" in webadm.conf, it's a hint for WebADM to adapt its LDAP requests to AD 2003. The devs here didn't even think anyone would still use Windows 2003 with our product! It requires special treatment and the code for it was left in the product just in case.
...
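The webadm.conf posted above, together with the two objectclass lines just suggested, is worth checking mechanically rather than by eye: it carries a Domain Admin password and the AES key that protects every token secret in cleartext, the file's own comments state that `encrypt_key` must be 32 random bytes and that AD 2003 needs the `user`/`group` objectclasses, and the `auth_mode UID` comment explains why the login prompt still wants a full DN until a WebADM domain exists. The script below is an added example written for this page, not an RCDevs tool: it parses the conf format (comment lines, backslash continuations, quoted comma-separated values) and reports those points. The sample configuration is constructed; its password and key are placeholders, and the finding codes are this example's own naming.

```python
import base64
import binascii
import os
import re
import stat


def parse_webadm_conf(text):
    """Parse webadm.conf 'key value' lines into {key: [values]}.

    '#' starts a comment, a trailing backslash continues the line, and a value is
    either a bare token (auth_mode UID) or comma-separated double-quoted strings.
    """
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        parts = re.split(r"\s+", line, maxsplit=1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        quoted = re.findall(r'"([^"]*)"', rest)
        settings[key] = quoted if quoted else [rest]
    return settings


def audit_webadm_conf(settings, active_directory_2003=False):
    """Return (code, message) findings for the settings that matter in this thread."""
    findings = []
    if "proxy_password" in settings:
        findings.append(("CLEARTEXT_SECRET",
                         "proxy_password is a Domain Admin password stored in cleartext; keep the "
                         "file readable only by the WebADM service account and redact it before sharing"))
    key = (settings.get("encrypt_key") or [""])[0]
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        raw = b""
    if len(raw) != 32:  # the file's own comment: 256-bit random key, base64-encoded
        findings.append(("KEY_LENGTH",
                         "encrypt_key must be 32 random bytes base64-encoded (openssl rand -base64 32)"))
    if active_directory_2003:  # hint from the file's comment and the reply above
        if "user" not in settings.get("webadm_account_oclasses", []):
            findings.append(("AD2003_OCLASS", 'add "user" to webadm_account_oclasses for AD 2003'))
        if "group" not in settings.get("webadm_group_oclasses", []):
            findings.append(("AD2003_OCLASS", 'add "group" to webadm_group_oclasses for AD 2003'))
    if settings.get("auth_mode", [""])[0].upper() == "UID":
        findings.append(("UID_LOGIN",
                         "auth_mode UID needs a WebADM domain whose User Search Base contains the admin "
                         "accounts; until one exists WebADM forces DN login (the cn=...,dc=... prompt)"))
    for dn in settings.get("super_admins", []):
        if dn.lower().startswith("cn=domain admins,"):
            findings.append(("GROUP_SUPER_ADMIN", f"every member of {dn} becomes a WebADM super admin"))
    return findings


def conf_mode_ok(path):
    """True when the file is not readable by group or others (e.g. mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample modelled on the posted file; password and key are placeholders.
SAMPLE_CONF = r'''
# WebADM Server Configuration (constructed sample)
auth_mode UID
list_domains Yes
proxy_user     "cn=drsadmin,cn=Users,dc=drs,dc=local"
proxy_password "CHANGE-ME"
super_admins "cn=drsadmin,cn=Users,dc=drs,dc=local", \
         "cn=Domain Admins,cn=Users,dc=drs,dc=local"
webadm_account_oclasses "bootabledevice"
webadm_group_oclasses   "bootabledevice"
encrypt_data Yes
encrypt_key  "dG9vLXNob3J0"
'''


if __name__ == "__main__":
    settings = parse_webadm_conf(SAMPLE_CONF)
    for code, message in audit_webadm_conf(settings, active_directory_2003=True):
        print(f"[{code}] {message}")
    if os.path.exists("/opt/webadm/conf/webadm.conf"):
        print("mode ok:", conf_mode_ok("/opt/webadm/conf/webadm.conf"))
```

Run against the real file with `parse_webadm_conf(open("/opt/webadm/conf/webadm.conf").read())`. A key that fails the length check is a configuration error rather than a weakness to shrug off: as the file's comment warns, changing `encrypt_key` later invalidates everything already encrypted with it, so it is far cheaper to get it right before the first token is registered than after.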

Craig Barton
Mar 26, 2015, 2:20:45 PM
to rcdevs-t...@googlegroups.com
Done - and understood - Server 2003 is very close to end of life (Jul 14, 2015) - yet another project running me down.

When I log in, what is the first thing I should attempt to do? Create a local WebADM domain?

If yes,
I assume "Create > WebADM LDAP Domain > Proceed "  .... Continuing - again if I'm on the right path .... what details should go in the first two fields?

Container defaults to cn=Domains,cn=WebADM,dc=drs,dc=local ... but Common is empty ...

Craig ...

Jit Kilambi
Mar 26, 2015, 3:45:54 PM
to rcdevs-t...@googlegroups.com
If you are going to want to use two-factor, you are going to need to enable the OpenOTP application. Based on whether you want to enable it for all users or just a select few, you will need to configure the default auth settings in OpenOTP, then segregate it based on a single group/groups. The easiest approach I found was to apply settings of a group to an application rather than a group in a policy applying to the application.
Configure your clients.conf file for the ip/secret, then configure your citrix gateway/device to pass auth to your RCDev box. 

SuperAdmins should be able to login to the console, but you can also check with your logged in account to see what the "other admins" are able to do with WebAdm create tab.


Spyridon Gouliarmis (RCDevs)
Mar 26, 2015, 3:56:10 PM
to rcdevs-t...@googlegroups.com
I assume the problem from before is solved?

Anyway, you already have domain "Default", which will do for now. (But you can fill "Common Name" with a name and click "Create" if you want, and you will then get an idea of what WebADM domains are for.)

Click on "Applications" and "REGISTER" "OTP and U2F Authentication Server". Click on "Apply", after perhaps reading through the default configuration (make sure that the login mode is LDAPOTP and the OTP mode is token). Click on your chosen test user on the left panel and click on "Activate Now". You can now see a list of "Application Actions" appear. In that list, click on the "OTP" entry. You can then register a token for your user and test logging in with it.

After that, install the credential provider on your workstation for testing.
...

Craig Barton
Mar 26, 2015, 4:30:04 PM
to rcdevs-t...@googlegroups.com
Well - not sure if the errors will cause issues - but it appears I can log in and move around okay.

I will continue with setting up OTP and see how it goes ... (tomorrow).

I appreciate your quick responses and am thankful for your support.

Thanks,
Craig.

DHS
Mar 27, 2015, 10:30:50 AM
to rcdevs-t...@googlegroups.com
I gave up on the product.  I am sure it actually works, but the documentation lacks all the steps and information necessary to make it work.  RCDevs should hire two outside contractors and have them try to install the product in the pre-existing domain environments the contractors already have existing (or a VMWare copy of such).  These contractors should do so WITHOUT any guidance from the RCDevs folks and only after they have failed should the RCDevs folks get involved and figure out just where they are missing all their info.


DHS

unread,
Mar 27, 2015, 10:34:42 AM3/27/15
to rcdevs-t...@googlegroups.com
Out of curiosity, where was such information when I was having problems with this product 9 months ago???  I certainly could have used a direct contact email address that would actually be answered instead of the totally lacking support that was provided (admittedly on a free product, so I didn't really expect much, but figured that someday you'd want this to be commercially viable and at that point you'd like to actually have the product capable of working in the environments where you believe it should work.)


Spyridon Gouliarmis (RCDevs)

unread,
Mar 27, 2015, 1:51:31 PM3/27/15
to rcdevs-t...@googlegroups.com
I just deleted my post because of the company names mentioned. (Can't edit, apparently.)

Long story short: our company actually is doing very fine financially, thanks, and we now have time for any issue you have, so let us help you, damn it.

Craig Barton

unread,
Mar 31, 2015, 11:20:25 AM3/31/15
to rcdevs-t...@googlegroups.com
Spyridon and team,

After dealing with other tasks the last few days I am now back to testing OpenOTP ...

1. First - a minor issue ... When logging into WebAdm I am still required to enter cn=myname,cn=Users,dc=drs,dc=local ...  can this be changed to a normal login name?

2. Second - the main issue  ...  I have successfully registered OTC "OTP & U2F Authentication Server: Ok (v1.2.0-2)"  However, whenever I try to add my test user I get an error like "Could not Update WebAdm settings" or trying to register a token I get "Could not register TOPT token".

The account I am logging in with is a Domain Admin account ... ?  But it seems I remember reading something about needing root privileges on the Linux side ... ??

thanks again.
Craig.

Spyridon Gouliarmis (RCDevs)

unread,
Mar 31, 2015, 12:19:18 PM3/31/15
to rcdevs-t...@googlegroups.com
Those are both due to the setup not being complete yet. Have you run the setup wizard when logging in to WebADM?

But before that, concerning the "Could not read LDAP object" errors, have you added the "group" and "user" bits to webadm.conf then restarted the service?
...

Craig Barton

unread,
Mar 31, 2015, 12:43:41 PM3/31/15
to rcdevs-t...@googlegroups.com
Hmmm ... yes sir - on the first log in I ran setup - and yes I added Users and groups as you advised earlier ...

Section below cut from webadm.conf ...

# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "bootabledevice","user"
webadm_group_oclasses   "bootabledevice","group"
webadm_config_oclasses  "device"

Craig.


Spyridon Gouliarmis (RCDevs)

unread,
Mar 31, 2015, 1:32:49 PM3/31/15
to rcdevs-t...@googlegroups.com
From the errors you mentioned, I assume the setup was not complete. Do you have a warning in red when you log in to WebADM that tells you it is not yet complete?

If so, run the wizard and note what part does not work, with the relevant part of http.log (under "Database").
...

Craig Barton

unread,
Mar 31, 2015, 2:24:17 PM3/31/15
to rcdevs-t...@googlegroups.com
You might be right - but there are no warnings or messages in RED ...  and the web page appears to open onto a normal page. And I do not see "Setup" to re-run (as the first time I logged in).

The main screen has Menu items across the top (Home, Admin, Create,Search, Import, Database, Applications, About, Logout).

And in the middle of the screen:



Hello Drsadmin (cn=drsadmin,cn=Users,dc=d...)
Connected as Super Administrator to drs-rcdev-otp

Application Status

OpenID & SAML Provider: Not Registered
LDAP Password Reset: Not Registered
User Self Service Desk: Not Registered
Token Self-Registration: Not Registered
OTP & U2F Authentication Server: Ok (v1.2.0-2)
Single Sign-On Server: Not Registered
SMS Hub Server: Not Registered
QR Login & Signing Server: Not Registered

LDAP Configurations

Domains: 0 Local, 0 Trusts
LDAP MountPoints: 0
LDAP OptionSets: 0
Client Policies: 0

Administrative Options

Login Context: cn=Users,dc=drs,dc=local (Details)
Certificate Signing Method: Rsign
Administrative Level: Not Defined
Decrypted User Data: Disabled
Treebase Context: Auto
Allowed SQL Tables: Any


The only thing in RED is at the login screen:

WebADM Administrator Portal
Provided by RCDevs
No Domain defined - Use DN login

User DN:
Password:

Craig..




Spyridon Gouliarmis (RCDevs)

unread,
Mar 31, 2015, 2:32:06 PM3/31/15
to rcdevs-t...@googlegroups.com
Hmm, looking back at an earlier post of yours, it seems you commented out the default_domain directive:

#default_domain "Default"

Uncomment it, restart the service and tell us if anything changes. (You can use other domains, but after you have created them in WebADM, which works only after the initial set up is done).
...

Craig Barton

unread,
Mar 31, 2015, 3:02:28 PM3/31/15
to rcdevs-t...@googlegroups.com
Done. Nothing changed ... Is there a way to restart the setup process - without rebuilding from scratch ... ?


Spyridon Gouliarmis (RCDevs)

unread,
Apr 1, 2015, 5:31:59 AM4/1/15
to rcdevs-t...@googlegroups.com
The set up at that point mainly consists of creating the containers you see listed in webadm.conf :

# WebADM Optionsets container
optionsets_container "cn=OptionSets,cn=WebADM,dc=drs,dc=local"
# WebApp configurations container
webapps_container "cn=WebApps,cn=WebADM,dc=drs,dc=local"
# WebSrv configurations container
websrvs_container "cn=WebSrvs,cn=WebADM,dc=drs,dc=local"
# Mount points container
mountpoints_container "cn=Mountpoints,cn=WebADM,dc=drs,dc=local"
# Domain and Trusts container
domains_container "cn=Domains,cn=WebADM,dc=drs,dc=local"
# Clients container
clients_container "cn=Clients,cn=WebADM,dc=drs,dc=local"

Those basically contain WebADM's configuration for any function beyond browsing the LDAP tree and logging. You can create them by hand (see the drop-down menu choice after clicking on "Create"), but WebADM is supposed to notice when any of those containers does not exist, and complain then propose a wizard to do the creation bit for you.

Can you confirm that those containers exist? If not, which would be rather weird, we should probably have a conf call where we try to see what's wrong for ourselves.
...

Craig Barton

unread,
Apr 7, 2015, 10:02:44 AM4/7/15
to rcdevs-t...@googlegroups.com

Your last request was if I could confirm these containers existed .... please explain further ...  do they exist as a folder? Should I see them in the Web interface? Or would they have been created in my OU domain structure?

thanks.
Craig.


Spyridon Gouliarmis (RCDevs)

unread,
Apr 7, 2015, 11:46:17 AM4/7/15
to rcdevs-t...@googlegroups.com
Yup, I meant created in your LDAP directory. Things like cn=WebApps,cn=WebADM,dc=drs,dc=local. My guess is that those exist, so WebADM does not see the need for the wizard, but their (essential) content is not there (as you showed a log explaining exactly that).
...

Craig Barton

unread,
Apr 7, 2015, 12:30:10 PM4/7/15
to rcdevs-t...@googlegroups.com
Yes, you are correct - they are there ... I suppose the next step is to add a user and test.... so following the instructions in OpenOTP Quickstart - section 4 - Creating a new user called testy with a password of Testing! - I get the following error : Could not create object 'cn=Testy,CN=Users,DC=DRS,DC=local'




Spyridon Gouliarmis (RCDevs)

unread,
Apr 7, 2015, 1:02:00 PM4/7/15
to rcdevs-t...@googlegroups.com
Mmh, we have a few problems right now:

- Concerning the failed user creation, can you post the relevant lines from httpd.log here?
- your webadm containers may be there, but they probably do not contain anything, which is bad. You want to delete them and re-run the wizard (by logging in again after deletion), and make sure it completes fully.

It might be the same problem that makes it impossible to create a user and makes the wizard fail in the middle of creating WebADM's stuff.

By the way, I can do this all day long and never get tired, but if you want we can do this over TeamViewer or some equivalent. It's not like you will pay for it or we will try to push our product on you.
...

Craig Barton

unread,
Apr 7, 2015, 1:57:48 PM4/7/15
to rcdevs-t...@googlegroups.com
Ok.  I have removed the objects under WebAdm from LDAP - logged out of the web interface - restarted the service - and then logged in ... at which point I was prompted to run setup ... setup finished - I logged out - again restarted services and this time was able to log in with login name and password (as opposed to using the cn=xxxxx,cn=Users, etc  .... )

I then had to Register OTP & U2F  -  it now reports as follows.  (OTP & U2F Authentication Server: Ok (v1.2.0-2))

I then attempted to create a test user but I failed as before (error : Could not create object 'cn=Testy,CN=Users,DC=DRS,DC=local' )

Thus - If everything is setup correctly - I am lost as to what the steps are to creating a test user or using an existing LDAP user for testing.

Below is the most recent text from the httpd.log file:

[2015-04-07 13:33:59] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=OptionSets,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:33:59] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=WebApps,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:33:59] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=WebSrvs,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:33:59] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:33:59] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=Clients,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:33:59] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=Mountpoints,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not search LDAP objects in 'cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not get WebADM Domains
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not search LDAP objects in 'cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not get WebADM Trusts
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not search LDAP objects in 'cn=Clients,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not get WebADM Clients
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not search LDAP objects in 'cn=Mountpoints,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not get WebADM MountPoints
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not search LDAP objects in 'cn=OptionSets,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not get WebADM OptionSets
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not search LDAP objects in 'cn=WebApps,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not get WebADM WebApps
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not search LDAP objects in 'cn=WebSrvs,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not get WebADM WebSrvs
[2015-04-07 13:34:11] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=OptionSets,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:13] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=WebApps,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:14] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=WebSrvs,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:15] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:15] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=Clients,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:15] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=Mountpoints,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:29] [192.168.168.78] [Admin_DAEC5364] Session stopped for 'cn=drsadmin,cn=Users,dc=drs,dc=local'
[2015-04-07 13:34:47] [192.168.168.78] [Admin] Login failed for 'CN=drsadmin,CN=Users,DC=DRS,DC=local' (invalid username or password)
[2015-04-07 13:35:01] [192.168.168.78] [Admin_2E3633FA] Login success for 'CN=drsadmin,CN=Users,DC=DRS,DC=local' (super admin)
[2015-04-07 13:38:28] [192.168.168.78] [OpenOTP] Could not modify LDAP object 'CN=agent97,CN=Users,DC=DRS,DC=local' (Object class violation)
[2015-04-07 13:38:28] [192.168.168.78] [OpenOTP] Could not set user data for 'CN=agent97,CN=Users,DC=DRS,DC=local'
[2015-04-07 13:42:54] [192.168.168.78] [Admin_2E3633FA] Could not read LDAP object 'cn=testy,CN=WebADM,DC=DRS,DC=local' (No such object)
[2015-04-07 13:42:57] [192.168.168.78] [Admin_2E3633FA] Could not read LDAP object 'cn=testy,CN=WebADM,DC=DRS,DC=local' (No such object)
[2015-04-07 13:42:58] [192.168.168.78] [Admin_2E3633FA] Could not create LDAP object 'cn=testy,CN=WebADM,DC=DRS,DC=local' (Server is unwilling to perform)
[2015-04-07 13:54:25] [192.168.168.78] [Admin_2E3633FA] Could not modify LDAP object 'CN=agent97,CN=Users,DC=DRS,DC=local' (Object class violation)


Thanks,
Craig.



Spyridon Gouliarmis (RCDevs)

unread,
Apr 7, 2015, 2:35:59 PM4/7/15
to rcdevs-t...@googlegroups.com
Seems like the end of the tunnel is near, then. You cannot create users through WebADM as it is because creating a user account object involves manipulating a password attribute. Manipulating a password attribute in any way is forbidden by AD if it is done over an insecure channel (you need to set up a PKI on the Windows side to be able to access AD through a secure channel, i.e. LDAPS). The log hints at that ("Server is unwilling to perform").

So, to create users or change their passwords, you need to go through Microsoft's tools for now.

Activating a user in WebADM should work though, so I'm a bit worried about that last line in the log. What did you try on agent97?
...
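The "Server is unwilling to perform" explanation above has a concrete shape that is worth seeing once: AD only accepts a write to the unicodePwd attribute over an encrypted connection, and the value must be the password wrapped in double quotes and encoded as UTF-16-LE. The script below is an added example, not part of this thread and not RCDevs' code. It builds the LDIF that a Microsoft-side tool such as ldapmodify over ldaps:// would need for the thread's test account (cn=testy under CN=Users,DC=DRS,DC=local with password Testing!) and refuses to emit the password if the target URL is not ldaps://. The hostname dc01.drs.local and the userPrincipalName are placeholders assumed for the example.

```python
"""Build an AD user-creation LDIF with a correctly encoded unicodePwd.

Added example, not from the thread or from RCDevs. The DNs and the test
account come from the thread; dc01.drs.local is a placeholder hostname.
"""
import base64
from urllib.parse import urlparse


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd wants the password in double quotes, UTF-16-LE, no BOM.
    Any other encoding is rejected even on an encrypted connection."""
    return f'"{password}"'.encode("utf-16-le")


def require_encrypted(url: str) -> str:
    """Only allow a password-bearing operation over ldaps://.
    AD answers an unencrypted unicodePwd write with 'unwilling to perform'."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "ldaps":
        raise ValueError(f"refusing to send unicodePwd over {scheme}://; use ldaps://")
    return url


def user_add_ldif(dn: str, sam: str, upn: str, password: str, url: str) -> str:
    """Return an LDIF 'add' record for an enabled AD user with a password."""
    require_encrypted(url)
    # LDIF marks base64-encoded (binary) values with '::'.
    pwd_b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    cn = dn.split(",")[0].split("=", 1)[1]
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        f"cn: {cn}",
        f"sAMAccountName: {sam}",
        f"userPrincipalName: {upn}",
        f"unicodePwd:: {pwd_b64}",
        # 512 = NORMAL_ACCOUNT: the account is enabled once the password is set.
        "userAccountControl: 512",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(user_add_ldif(
        "cn=testy,CN=Users,DC=DRS,DC=local",
        "testy",
        "testy@drs.local",          # assumed UPN suffix
        "Testing!",
        "ldaps://dc01.drs.local",   # placeholder DC
    ))
```

Feed the output to `ldapmodify -H ldaps://dc01.drs.local -x -D "cn=drsadmin,cn=Users,dc=drs,dc=local" -W -f testy.ldif`; if the DC has no certificate yet, `openssl s_client -connect dc01.drs.local:636` will simply fail to connect, which is the same condition WebADM is hitting on port 389. The password must also satisfy the domain's complexity policy or the add is rejected with a different error.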

Craig Barton

unread,
Apr 7, 2015, 3:23:33 PM4/7/15
to rcdevs-t...@googlegroups.com
Agent97 is the user I selected as an existing account to test with.  In the Webadm Interface - in the LDAP tree on the left I selected Agent97 - I then selected (under application Actions) OTP & U2F Authentication Server ... from there I selected Register/Un-register OTP Tokens - at this point I tried multiple settings but no success.

Thanks again for all your help!!

Craig.


Spyridon Gouliarmis (RCDevs)

unread,
Apr 8, 2015, 5:44:26 AM4/8/15
to rcdevs-t...@googlegroups.com
My bad -- bootabledevice and device do not seem to exist in AD 2003. WebADM won't be able to use those classes, so it's back to the "normal" way of doing things: extend AD's schema to include the WebADM classes. If you change webadm.conf to have those settings:

webadm_account_oclasses "webadmAccount"
webadm_group_oclasses   "webadmGroup"
webadm_config_oclasses   "webadmConfig"
[...]
webadm_data_attrs       "webadmData"
webadm_settings_attrs   "webadmSettings"
webadm_type_attrs       "webadmType"

WebADM should display the wizard on the next login, offering to change the schema.

Note that at this point, if this was an AD 2008+ installation, you would be done with this part. Since you will have to upgrade AD soon anyway, are you sure you don't want to try WebADM again in a few days with your new set up?
...
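The httpd.log excerpt posted earlier in this thread contains three distinct failures that were diagnosed one by one over several replies: "No such object" on the cn=WebADM containers (setup never completed), "Server is unwilling to perform" on the user add (a password write over an unencrypted connection), and "Object class violation" on agent97 (the bootabledevice/device classes from webadm.conf do not exist in the AD 2003 schema). The script below is an added example, not part of the thread and not RCDevs' code: it runs those diagnoses as rules over log lines. The sample lines are copied from the log posted above; the category names and the advice text are this example's own wording of the answers given in the thread.

```python
"""Triage WebADM httpd.log lines into the root causes discussed in this thread.

Added example, not RCDevs code. Sample lines are copied from the posted log;
the rules encode the diagnoses given in the replies.
"""
import re
from collections import OrderedDict

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^\]]+)\] \[(?P<src>[^\]]+)\] (?P<msg>.*)$"
)

# The six configuration containers webadm.conf expects under cn=WebADM.
CONTAINERS = "OptionSets|WebApps|WebSrvs|Domains|Clients|Mountpoints"

RULES = [
    ("setup_incomplete",
     re.compile(rf"Could not (?:read LDAP object|search LDAP objects in) "
                rf"'(?:cn=(?:{CONTAINERS}),)?cn=WebADM,[^']*' \(No such object\)"),
     "cn=WebADM containers missing or empty: delete the subtree, log in again and let the setup wizard complete"),
    ("password_over_cleartext",
     re.compile(r"Could not create LDAP object '[^']*' \(Server is unwilling to perform\)"),
     "user creation writes a password; AD only accepts that over LDAPS, so create the account with Microsoft tools or connect via ldaps://"),
    ("schema_missing",
     re.compile(r"Could not modify LDAP object '[^']*' \(Object class violation\)"),
     "objectclasses in webadm_*_oclasses are not in the AD schema (bootabledevice/device do not exist in AD 2003); use webadmAccount/webadmGroup/webadmConfig and run the schema wizard"),
]

# Copied from the httpd.log excerpt posted in this thread (subset).
SAMPLE_LINES = """\
[2015-04-07 13:33:59] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=OptionSets,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:33:59] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=WebApps,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not search LDAP objects in 'cn=Domains,cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:34:11] [192.168.168.78] [Admin] Could not get WebADM Domains
[2015-04-07 13:34:11] [192.168.168.78] [Admin_DAEC5364] Could not read LDAP object 'cn=WebADM,dc=drs,dc=local' (No such object)
[2015-04-07 13:35:01] [192.168.168.78] [Admin_2E3633FA] Login success for 'CN=drsadmin,CN=Users,DC=DRS,DC=local' (super admin)
[2015-04-07 13:38:28] [192.168.168.78] [OpenOTP] Could not modify LDAP object 'CN=agent97,CN=Users,DC=DRS,DC=local' (Object class violation)
[2015-04-07 13:42:57] [192.168.168.78] [Admin_2E3633FA] Could not read LDAP object 'cn=testy,CN=WebADM,DC=DRS,DC=local' (No such object)
[2015-04-07 13:42:58] [192.168.168.78] [Admin_2E3633FA] Could not create LDAP object 'cn=testy,CN=WebADM,DC=DRS,DC=local' (Server is unwilling to perform)
[2015-04-07 13:54:25] [192.168.168.78] [Admin_2E3633FA] Could not modify LDAP object 'CN=agent97,CN=Users,DC=DRS,DC=local' (Object class violation)
""".splitlines()


def parse(line: str):
    """Split one httpd.log line into timestamp, client IP, source and message."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(msg: str):
    """Return (category, advice) for a message, or (None, None) if no rule applies.
    Existence checks before a create ('cn=testy,...' No such object) match no rule
    on purpose: only the lowercase container DNs from webadm.conf count as setup errors."""
    for name, rx, advice in RULES:
        if rx.search(msg):
            return name, advice
    return None, None


def triage(lines):
    """Ordered {category: {count, advice, first}} in order of first occurrence."""
    found = OrderedDict()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        name, advice = classify(rec["msg"])
        if name is None:
            continue
        entry = found.setdefault(name, {"count": 0, "advice": advice, "first": rec["ts"]})
        entry["count"] += 1
    return found


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LINES).items():
        print(f"{name}: {info['count']}x since {info['first']}\n  -> {info['advice']}")
```

The ordering matters in practice: the container errors come first and mask the other two, which is why re-running the wizard was the right first step in the thread even though the password and schema problems were already present in the same log.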

Spyridon Gouliarmis (RCDevs)

unread,
Apr 8, 2015, 6:09:27 AM4/8/15
to rcdevs-t...@googlegroups.com
Even just having one of your DCs be a 2008 server, with the functional level of your forest staying at 2003, would help. Later versions of Windows behave better LDAP-wise.
...