Category: Uncategorised

Just adding authentication user identification functionallity on selfhosted webportal based on local active directory

BY NO MEANS SECURE, no input is sanitized…

ref: https://wp.12p.no/2022/05/13/alternative-to-captive-webportal/

First thing that is needed. php-ldap. I noticed it was not supported by php7, so i change php version to 8.x.

# a2dismod php7.x.x

# a2enmod php8.x.x

then

# apt install php-ldap

#service apache2 restart

then created a local website in my apache folder

index.php:

Then create an auth file:

The syslogip points to the syslog recieving interface of paloalto

domain points to the domain name

replace: ad.placebodome.local with your ADs FQDN.

The php-ldap function then tries to bind to the domain using the userprovided username and password. If binding fails the user is not authenticated.

If the binding is successfull a logger command is run to send a syslog message to the Paloalto firewall with username of user and the ipaddress for the requester/user.

As the previouse example: https://wp.12p.no/2022/05/13/alternative-to-captive-webportal/ using the syslog parser:

Voila, the user is populated in the same way as the original

The idiotic way to implement user identification when everything else fails.

You need:

GPO to push automaticly run powershell

A webserver, for example Apache

A syslog forwarder, for example rsyslog

And setup the Paloalto firewall as a User ID agent with syslog listener.

Plain and simple. Absolutely not secure, but until I bother with integrating user certificates as authentication for the requests this will do.

Powershell which runs every hour or minute on the clients

The webserver, a simple apache server hosted on an ubuntu box without any content

Install rsyslog if not installed

put the following in /etc/rsyslog.d/02-apache2.conf

Validate the config:

systemctl restart rsyslogd

On the paloalto, enable user-id syslog on the interface and lock the permitted address to the webserver sending the syslogs

add the uid profile to the interface:

Add the following syslog parser:

Setup the server monitor:

and the syslog parser profile.

And you’re good to go. Not secure, but it works as a simple solution

Tok en tur til Herdla og så på nordlyset med en kompis. Dette ble resultatet:

Took a sponatious trip to Bølgekraftverket located in Toft, Rong. https://www.google.com/maps/place/B%C3%B8lgekraftverket/@60.4699557,4.9247579,15z/data=!4m2!3m1!1s0x0:0x9092354b5b6cc1c0?sa=X&ved=2ahUKEwiG3YrHms_xAhXql4sKHTVsDIYQ_BIwGHoECEAQBQ

Took a few photos. Fun to take photos again.

• 

• 

• 

• 

• 

• 

• 

Pictures taken 5th of january 2021

All panoramas were taken by Dji Spark Drone with the 180* panorama function. Stiched together with Microsofts Image Composer Editor (ICE)

• 

• 

• 

• 

• 

• 

• 

• 

• 

• 

• 

• 

Drone foto

 

Nikon d610