AD Home Lab LDAPS Setup for SailPoint IDN TLS Connection

Welcome 2020 (Or not)!!! 

Really this year needs to end. Period. Hope everyone is keeping safe and indoors as much as possible.

Been a while I haven’t written something.

Anyways I had a local VM for Active Directory running for my home lab for SailPoint IDN. Now I wanted to setup TLS connection for it. So I thought easy

  1. Create a csr request in AD
  2. Generate a crt
  3. Import the cert in AD
  4. Test Connection via ldp or IDN.

I didn’t want to go through installing a AD CA role for this one process. So I thought I will use OpenSSL which was installed on my Mac. There are many excellent guides on how to enable LDAPS in AD by generating a self signed certificate. By far the easiest I found was this one

But what I found was that the cert being generated didn’t contain the SAN. Found many such issues linked online with openssl command. This is how I fixed it.

Followed the guide till where v3ext.txt is being generated. But used my own as below

The IP Address and additional DNS is just an example. My domain name in example is “abc.local” and DC name is “dc1.abc.local”. You can add additional DNS entries as per your requirements

And modified the command to execute this file

Rest is all the same in guide. You will get the certificate generated with SAN and imported into your DC. LDAPS will work and IDN and IQService will connect via TLS. And forget about it for 10 years 😛 

Aah the green box of approval from IDN!!! Gods are happy & everything is good in world again!!! 

Hope it helps someone setup their own AD lab at home for AD LDAPS TLS connection without a CA server. Of course this will not be a problem in an enterprise deployment.

References

Comparison: Microsoft Azure B2C vs Okta Identity Cloud

Just something one of my colleagues had written up and thought was interesting to share. I don’t take credit for it nor full responsibility of accuracy of it. Feel free to rebuttal.

FeaturesMicrosoft Azure B2COkta Identity Cloud
Ability to protect other application's API using OpenID Connect and OUATH protocol/frameworkYesYes
API based enrolmentYes but can't register a phone number that will be used as a MFA factor. The reason being not able to do this is because of OpenID Connect restriction over impersonation principle. This feature might come in 2019.Yes. But Okta user management is not yet OAUTH/OpenID Connect compliant
Federated SSO based on SAML and OpenID ConnectYesYes
Force Password ChangeNo (not out of the box but can be done through customisation)Yes
Identity Lifecycle Approvals (both for self-enrolment, API triggerred enrolment)NoYes (very suitable for Okta to act as external identity onboarding tool)
MFA FactorsOTP over SMS and Voice Call (Officially). Microsoft App (Separate commercials, professional service engagement and not out of the box at the moment. Official support is expected in 2019)OTP over SMS & Voice Call, Octa Verify Mobile App TOTP and Push Notification, Security Questions, Fido U2F, RSA SecurID, FIDO2 Microsoft Hello (very good range of MFA options - a major strength)
Non federated SSONo (It's designed as not to be)Yes (a major strength)
Notification templates customisations (SMS and Email)only EmailBoth Email and SMS
Password RecoveryYes (only SMS/Voice Call/Email OTP as Identity Proofing methods)Yes (all MFA factors can be identity proofing methods)
Programming support for customisationC#. (Java Script support is expected in 2019)C#, Java, Java Script (a major strength)
Risk Scoring and Step-up MFA (Adaptive/Contextual)NoNo. Okta Threat Insight product is in beta phase now. They would be integrating with Okta Identity Platform in 2019. Currently Okta Identity Cloud support a tightly coupled MFA policy when it comes to IP/network zones, black listed countries, region/location, devices etc.
Self-activation of credential such as setting a password post enrolled through an APINo (a major drawback)Yes
Syncing from on-premise ADYesYes
User Interface Customisation and support of CORS (cross origin resource sharing)Yes (But require Custom Sign On policies for flexibility) and a separate Azure Blob storage subscription.Yes. Very flexible to host custom pages in Okta Identity Cloud tenant and also for pages hosted in remote servers.
User management API compliant with OpenID Connect and OAUTHYes (major strength on security here)No (Proprietary protocol at the moment. Quite surprising)
User to Application access mappingNoYes (pretty good on security here)
Web based self-enrolment and activationYesYes

Running Multiple Postfix Instances On Same Box To Manage Google Mail Relay & AWS SES

So

I had a requirement where we wanted to have separate postfix instances which individually handles SMTP Relay traffic to redirect to Google Mail Relay & AWS SES. But we didn’t want to get an additional server to deploy postfix separately and add more servers to the farm.

There are more than one ways to do it.. and for particular reasons we wanted to have separate dedicate instances to manage separate configurations easily.

So, basically if you have the postfix package installed on linux, you will have the folder /etc/postfix/ (Depending on Linux Flavour – I am using RHEL7). It will be using default port 25 and 465

Main files to modify are master.cf and main.cf – I am assuming you know how to configure these files.

Configure that instance as your Google Relay.

Now to setup another instance on the same box, run the following commands

 

This will create a /etc/postfix-ses/ folder which is the new separate instance

If you wish to run AWS SES then you need the “cyrus-sasl-plain” package as well in your linux system (yum / apt)

Edit /etc/postfix-ses/master.cf and do the following

The above will run this new instance on port 10025 (instead of default port 25 which /etc/postfix/ is using) and SMTPS on 10465 (instead of default 465 which /etc/postfix/ is using)

Edit /etc/postfix-ses/main.cf and comment out the following

Configure the rest of the as per AWS Guide.

Reload / Restart Postfix Service – the same command will control both instances together.

Now you will have two instances of postfix running on the same box using different ports and thus clients can be told to use them accordingly.

All the logs are in the single file: /var/log/maillog

Logs are tagged with <date> <time> <hostname> <instancename> format so you can grep for different instances.

Done!!!

Note: This site has documented some commands on how to run various commands with multi-instances in Postfix

Passwords: Evil Necessity to be Protected!!!

I had missed posting this on the World Password Day but forgot to hit publish (my bad 😛 )

You know your passport – Your very physical identity which you put in a locker or in a safe place. Or while you are travelling you keep it with you at all times and don’t leave it someone insecure.

Well, your digital identity is the same (I think more important tbh in this day and age). You post your life on Facebook, rant on twitter, upload ur food likes on Instagram and wierd faces on snapchat, music preference on Apple Music or Spotify, look for a job in Linkedin and so much more.

In our ever-growing presence of our online footprint, we mostly use a password to login to each service we consume. In some instance, you might use OpenID to log in to a new service using an existing account on facebook/google/LinkedIn etc. Depending on your circumstances you might choose either – a new standalone account to the service or an OpenID connection to that service.

If you go password, I see people tend to use a known password in their brain (easy to repeat) for multiple services. They might even add a number like 123 to “make different passwords” for the same composition – BAD IDEA!!!

We are humans after all and it’s in our nature to do repetitive tasks easily and thus passwords are no different. If you use the same password and any of those services are hacked or compromised, the hacker has probably your username/email and your password which he will definitely try to exploit and use on various other services. They’ve hit a jackpot.

To remove the human element in the password creation and remembering, I would say use a Password Manager. There are many online/ offline/hybrid password managers out there.

I really don’t know any password of the services I use expect the Master Password of my Password Manager and my main/recovery email account – you know just in case I need to login to recover the master password or other sites.

I would basically try to list some practices I have used for years and ways of securing yourself online

  1. Register yourself and your family to sites like https://haveibeenpwned.com/: Sites like these notify you if your email address has been found in any PUBLIC data breaches. Of course, many breaches are not made public so you don’t know what you don’t know.
  2. Get yourself a password manager and randomize all your services password. Rule of thumb – You SHOULD NOT remember the password for most of the services you use. If you do, it’s probably easy(ier) to crack. Some good password managers I have used are
    • LastPass: It has some nice features like Security Score which audits the security level of your passwords and tells you which ones to harden and which services have been compromised. You should run that and try to score high. It also has a feature to auto change password for many popular services like facebook/twitter etc where it itself logs in and performs a password change so you don’t have to do the steps or remember the new passwords. There are plugins for all major browsers which it can autofill to log in to the service. LastPass free is good enough for individual accounts and don’t really need paid service. But for a family account, you might want to and it’s not expensive.
    • 1Password: Mac lovers love this. Among features mentioned on top it also has Watchtower which notifies you of breaches and tells you to same password (LastPass has similar feature) and Travel Mode which allows you to remove your password vault from your computer if you are travelling into a country where you think you might not want them to have access to your passwords on a forced check on entry. It’s costly subscription model but it’s much better looking and sleek to say.
    • There are others like DashLane and BitWarden which I haven’t used but highly regarded in the community
  3. Now the Master Password to your Password Manager – Obvious to say, DON’T USE AN EASY ONE. But you need to remember this password obviously. One way of doing it is Diceware logic. Basically using that logic you throw a dice 5 times to generate a number which then corresponds to a letter in a list. Then you can do this 5-6 times to generate a long list of random words. This helps you to remember the word. And then further you can replace characters with symbols or special characters. How this helps is that now you have rolled the dice 5 times for a word x 6 times for 6 words = 6 x 5 letter words = 30 characters and then further replace few characters with its resembling special character or symbol or capitalize (like 1 for l, $ for s and so on). This will help you generate a secure 30 character password which is easy to remember (like d0ggyl1f3$d1c3dt00myc@d3T) – I can remember that. Don’t try it.. not my password 😛
  4. ENABLE MFA on your password manager – If it doesn’t have it.. DON’T BUY IT.

In the end, I would like to say that you and your family and your colleagues and anyone who is even a bit concerned about their online security and presence, should implement strong password regime. Use a secure password manager, randomize all passwords such that you don’t remember them and that they are unique to each service, use some logic of your own or Diceware such that your master password is super lengthy and secure and of course enable MFA on your password managers as well.

Some of the practices I have used for sometime… What do you think? Be strong!!! Be safe!!!