Research for managing Windows clients #7

Open
opened 2022-07-29 12:09:10 +02:00 by nik · 11 comments
nik commented 2022-07-29 12:09:10 +02:00 (Migrated from edugit.org)

Scope of this issue

This issue is supposed to be a collection of research into the question of how to use AlekSIS as a management tool for Windows client machines. It will not get a concrete implementation; such an implementation will later be drafted in separate issues.

Background

The ultimate goal of AlekSIS-App-Kompjuter is to achieve feature parity (to some important extent) with Debian Edu 10, which used GOSa and Samba to provide an NT-style domain for Windows clients. Debian Edu also uses OpenLDAP and Kerberos to provide user authentication and, to some extent, client management to its own Debian Edu workstation clients.

With AlekSIS-App-Kompjuter, fai-webapi and system-auth-webapi, we are trying to simplify and decentralise client management for Debian Edu (and generally all kinds of clients) by leveraging the benefits of Web APIs (only HTTP necessary, which is stateless, relatively easy to load-balance and to move off-site). We already have:

  • an NSS module loading users and groups from a REST API, with accomapnying backend in AlekSIS
  • a PAM module authenticating users using OAuth2, with accompanying backend in AlekSIS
  • a dynamic FAI configspace generator with accompanying support in FAI

At this point, we can fully deploy and manage client systems and authenticate users without ever talking to anything more complex than AlekSIS' REST API.

Debian Edu, on the other hand, has basically dropped Windows client support together with Samba 3. Samba 4, which is a drop-in replacement for Microsoft Active Directory, now enforces its own internal LDAP server and cannot work with an external directory anymore.

Goals for Windows support

While overhauling the management of Debian clients leveraging AlekSIS and web APIs, we want to re-introduce support for Windows clients. To do this, there is one obvious solution: We could provide a way to deploy a Samba 4 server, and let AlekSIS replicate user and host information into it. This is what other solutions, like Linuxmuster, seem to do. We will look into this as one option.

However, we would lose some benefits of using only web APIs doing so, so we need to look into other options. We also need to figure out how to do software deployment and configuration.

More concisely, the goals are (ordered by priority):

  • Users shall be able to login to Windows clients using the same credentials as in AlekSIS
  • Admins shall be able to configure software to be deployed on Windows clients
  • Admins shall be able to configure Windows clients (like with group policies, etc.)

Research topics

The following topics should be researched as options for implementing the above goals, or as background knowledge. The topics have no defined order, they can be researched in any order that seems to make sense.

What APIs does Samba offer?

If it should turn out that we need to orchestrate Samba 4, we sholud know how to do it. What APIs (REST? RPC? Command-line tools?) does it offer to manage users, hosts, credentials,…?

Can we simply talk OpenLDAP, and everything works? One point to watch out for is changing passwords, which in turn has to cover two scenarios:

  • A user changes their password, providing their old and a new password
  • An administrator changes a user's password, without knowing their old password (this is the same scenario as password resets)

OpenLDAP implements the Password Modify Extended Operation (in contrast to simply changing the attribute holding the password), and allows hooking into it. So, in OpenLDAP, we can catch a password change, and in turn run code to update NTLM hashes or Kerberos principals.

Does Samba also offer the Password Modify Extended Operation? If yes, is it enough to really update a user's cerdentials, so they work everywhere after that? In short: Can we just talk LDAP, and be done with that scenario?

How does Microsoft Azure AD handle authentication and password changes?

Microsoft has started their own efforts in moving user and client management out of the basements of their customers and into their Azure cloud, called Azure AD. Azure AD offers web-based APIs for user management, and it seems they also offer OAuth for users to authenticate against it.

The main question here is: Does Windows use these APIs? Traditionally, Windows AD uses Microsoft's versions of LDAP and Kerberos/GSSAPI. Did this change, and for the cloud-based Azure AD, Windows now uses web APIs? Or does it still talk LDAP and Kerberos to the Azure Cloud?

How does Microsoft Azure AD handle system configuration, GPOs,…?

This question is the same as the previous one, but for everything related to system configuration, which is GPO in traditional AD.

What APIs does Windows offer to modify the login process?

Another approach would be to modify the Windows logon process. Do we even have to use the AD mechanisms? Or can we write some kind of plugin that handles authentication for us, and we can then simply port system-auth-webapi to Windows?

Prior to Vista and Server 2003, Windows had a pluggable system called GINA that officially supported overriding the logon process by replacing GINA's DLL file. Does such a mechanism still exist in Windows 10 or 11?

If so, is there documentaiton or prior art (existing projects) that leverage this?

Can we orchestrate some Windows package manager for software deployment?

There are two well-known package managers for Windows, opsi and WAPT. @sunweaver seems to prefer WAPT, and as it seems they have already a repository of pre-packaged software.

Can we orchestrate these platforms, so that the packages to be installed per host could be configured in AlekSIS?

How does Linuxmuster orchestrate Windows?

Linuxmuster can manage Windows and Linux clients. We should collect information on how it does that, and how the "Schulkonsole" interacts with all the ooling around it (especially Samba and Opsi).

How does Microsoft's device management fit in?

Microsoft also uses its APIs for (mobile) device management, under Microsoft Intune. How does this fit in? What happens when we login to a device using an Azure AD device?

How do other third-party MDMs integrate with Azure?

Expected results

Results for the research should collect, per topic:

  • A summary of the findings, primarily answering the questions listed here
  • Links to documentation and prior art (existing projects and solutions)
  • If possible, a conclusion of the benefits and downsides
  • A list of open questions or issues, and follow-up questions and research topics
  • If possible with not too much effort, an example installation (please ask @nik for Windows/Linux/whatever VMs for testing)
## Scope of this issue This issue is supposed to be a collection of research into the question of how to use AlekSIS as a management tool for Windows client machines. It will not get a concrete implementation; such an implementation will later be drafted in separate issues. ## Background The ultimate goal of AlekSIS-App-Kompjuter is to achieve feature parity (to some important extent) with Debian Edu 10, which used GOSa and Samba to provide an NT-style domain for Windows clients. Debian Edu also uses OpenLDAP and Kerberos to provide user authentication and, to some extent, client management to its own Debian Edu workstation clients. With AlekSIS-App-Kompjuter, [fai-webapi](https://edugit.org/AlekSIS/libs/fai-webapi) and [system-auth-webapi](https://edugit.org/AlekSIS/libs/system-auth-webapi), we are trying to simplify and decentralise client management for Debian Edu (and generally all kinds of clients) by leveraging the benefits of Web APIs (only HTTP necessary, which is stateless, relatively easy to load-balance and to move off-site). We already have: * an NSS module loading users and groups from a REST API, with accomapnying backend in AlekSIS * a PAM module authenticating users using OAuth2, with accompanying backend in AlekSIS * a dynamic FAI configspace generator with accompanying support in FAI At this point, we can fully deploy and manage client systems and authenticate users without ever talking to anything more complex than AlekSIS' REST API. Debian Edu, on the other hand, has basically dropped Windows client support together with Samba 3. Samba 4, which is a drop-in replacement for Microsoft Active Directory, now enforces its own internal LDAP server and cannot work with an external directory anymore. ## Goals for Windows support While overhauling the management of Debian clients leveraging AlekSIS and web APIs, we want to re-introduce support for Windows clients. To do this, there is one obvious solution: We could provide a way to deploy a Samba 4 server, and let AlekSIS replicate user and host information into it. This is what other solutions, like [Linuxmuster](https://www.linuxmuster.net/), seem to do. We will look into this as one option. However, we would lose some benefits of using only web APIs doing so, so we need to look into other options. We also need to figure out how to do software deployment and configuration. More concisely, the goals are (ordered by priority): * Users shall be able to login to Windows clients using the same credentials as in AlekSIS * Admins shall be able to configure software to be deployed on Windows clients * Admins shall be able to configure Windows clients (like with group policies, etc.) ## Research topics The following topics should be researched as options for implementing the above goals, or as background knowledge. The topics have no defined order, they can be researched in any order that seems to make sense. ### What APIs does Samba offer? If it should turn out that we need to orchestrate Samba 4, we sholud know how to do it. What APIs (REST? RPC? Command-line tools?) does it offer to manage users, hosts, credentials,…? Can we simply talk OpenLDAP, and everything works? One point to watch out for is changing passwords, which in turn has to cover two scenarios: * A user changes their password, providing their old and a new password * An administrator changes a user's password, without knowing their old password (this is the same scenario as password resets) OpenLDAP implements the [Password Modify Extended Operation](https://ldapwiki.com/wiki/Password%20Modify%20Extended%20Operation) (in contrast to simply changing the attribute holding the password), and allows hooking into it. So, in OpenLDAP, we can catch a password change, and in turn run code to update NTLM hashes or Kerberos principals. Does Samba also offer the Password Modify Extended Operation? If yes, is it enough to really update a user's cerdentials, so they work everywhere after that? In short: Can we just talk LDAP, and be done with that scenario? ### How does Microsoft Azure AD handle authentication and password changes? Microsoft has started their own efforts in moving user and client management out of the basements of their customers and into their Azure cloud, called [Azure AD](https://azure.microsoft.com/en-us/services/active-directory/). Azure AD offers web-based APIs for user management, and it seems they also offer OAuth for users to authenticate against it. The main question here is: Does Windows use these APIs? Traditionally, Windows AD uses Microsoft's versions of LDAP and Kerberos/GSSAPI. Did this change, and for the cloud-based Azure AD, Windows now uses web APIs? Or does it still talk LDAP and Kerberos to the Azure Cloud? ### How does Microsoft Azure AD handle system configuration, GPOs,…? This question is the same as the previous one, but for everything related to system configuration, which is GPO in traditional AD. ### What APIs does Windows offer to modify the login process? Another approach would be to modify the Windows logon process. Do we even have to use the AD mechanisms? Or can we write some kind of plugin that handles authentication for us, and we can then simply port system-auth-webapi to Windows? Prior to Vista and Server 2003, Windows had a pluggable system called [GINA](https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina) that officially supported overriding the logon process by replacing GINA's DLL file. Does such a mechanism still exist in Windows 10 or 11? If so, is there documentaiton or prior art (existing projects) that leverage this? ### Can we orchestrate some Windows package manager for software deployment? There are two well-known package managers for Windows, [opsi](https://www.opsi.org/) and [WAPT](https://wapt.tranquil.it/). @sunweaver seems to prefer WAPT, and as it seems they have already a repository of pre-packaged software. Can we orchestrate these platforms, so that the packages to be installed per host could be configured in AlekSIS? ## How does Linuxmuster orchestrate Windows? Linuxmuster can manage Windows and Linux clients. We should collect information on how it does that, and how the "Schulkonsole" interacts with all the ooling around it (especially Samba and Opsi). ## How does Microsoft's device management fit in? Microsoft also uses its APIs for (mobile) device management, under [Microsoft Intune](https://docs.microsoft.com/de-de/mem/intune/fundamentals/what-is-intune). How does this fit in? What happens when we login to a device using an Azure AD device? ## How do other third-party MDMs integrate with Azure? ## Expected results Results for the research should collect, per topic: * A summary of the findings, primarily answering the questions listed here * Links to documentation and prior art (existing projects and solutions) * If possible, a conclusion of the benefits and downsides * A list of open questions or issues, and follow-up questions and research topics * If possible with not too much effort, an example installation (please ask @nik for Windows/Linux/whatever VMs for testing)
nik commented 2022-07-29 12:12:26 +02:00 (Migrated from edugit.org)

changed the description

changed the description
nik commented 2022-07-29 12:20:12 +02:00 (Migrated from edugit.org)

changed the description

changed the description
nik commented 2022-07-29 12:25:08 +02:00 (Migrated from edugit.org)

assigned to @sggua

assigned to @sggua
nik commented 2022-07-29 12:30:19 +02:00 (Migrated from edugit.org)

changed the description

changed the description
nik commented 2022-07-29 16:49:40 +02:00 (Migrated from edugit.org)

Did this change, and for the cloud-based Azure AD, Windows now uses web APIs?

The answer seems to be that Microsoft has undergone exactly the same transformation as we have scheamed for Debian Edu: https://www.varonis.com/blog/azure-active-directory

Trying out Azure AD

Logging into Azure, we automatically get a default Azure AD directory, and we can also create new tenants as new directories.

Bildschirmfoto_von_2022-07-31_17-32-05

We can manage users, which get principal names below a third-level domain under onmicrosoft.com.

Bildschirmfoto_von_2022-07-31_17-32-59

Observation: the subdomain is not DNS-resolvable

After installation, we can choose to make the device organization-managed. That let's us sign in with the Azure AD account, and automatically registers the device.

Bildschirmfoto_von_2022-07-31_18-55-46

Bildschirmfoto_von_2022-07-31_18-56-50

The accounts locally get prefixed with the domain AzureAD\.

Assorted findings

  • Azure AD supports adding a "federating IdP" using WS-Fed and SAML
> Did this change, and for the cloud-based Azure AD, Windows now uses web APIs? The answer seems to be that Microsoft has undergone exactly the same transformation as we have scheamed for Debian Edu: https://www.varonis.com/blog/azure-active-directory ## Trying out Azure AD Logging into Azure, we automatically get a default Azure AD directory, and we can also create new tenants as new directories. ![Bildschirmfoto_von_2022-07-31_17-32-05](/uploads/a66d1b4b1d57ce4f501118d5ded49762/Bildschirmfoto_von_2022-07-31_17-32-05.png) We can manage users, which get principal names below a third-level domain under `onmicrosoft.com`. ![Bildschirmfoto_von_2022-07-31_17-32-59](/uploads/991826ba2e820e2a7697e3a3cf24250c/Bildschirmfoto_von_2022-07-31_17-32-59.png) **Observation**: the subdomain is not DNS-resolvable After installation, we can choose to make the device organization-managed. That let's us sign in with the Azure AD account, and automatically registers the device. ![Bildschirmfoto_von_2022-07-31_18-55-46](/uploads/09213a10cb5c096104071857b3d01a1b/Bildschirmfoto_von_2022-07-31_18-55-46.png) ![Bildschirmfoto_von_2022-07-31_18-56-50](/uploads/d95207ef702896065d1554e2379c6828/Bildschirmfoto_von_2022-07-31_18-56-50.png) The accounts locally get prefixed with the domain `AzureAD\`. ## Assorted findings * Azure AD supports adding a "federating IdP" using WS-Fed and SAML
nik commented 2022-07-31 16:00:44 +02:00 (Migrated from edugit.org)

changed the description

changed the description
sggua commented 2022-08-31 23:18:12 +02:00 (Migrated from edugit.org)

SAMBA 4

after all preparings it work as well as usual Windows Active Directory does.

The schema was used in a testing is a QEMU libv with installed:

  1. win10pro as a client;
  2. debian 11 as a samba server
  • Domain: ALEKSIS22, 192.168.122.11
  • /etc/resolv.conf
               # Generated by NetworkManager
               search aleksis22.tmp
               nameserver 192.168.122.11
               nameserver 8.8.8.8

# samba-tool dns query 192.168.122.11 aleksis22.tmp @ ALL -U Administrator

Password for [ALEKSIS22\Administrator]:
  Name=, Records=3, Children=0
    SOA: serial=1675, refresh=900, retry=600, expire=86400, minttl=3600, ns=debian11.aleksis22.tmp., email=hostmaster.aleksis22.tmp. (flags=600000f0, serial=1675, ttl=3600)
    NS: debian11.aleksis22.tmp. (flags=600000f0, serial=1, ttl=900)
    A: 192.168.122.11 (flags=600000f0, serial=1, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=debian11, Records=1, Children=0
    A: 192.168.122.11 (flags=f0, serial=1, ttl=900)
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=win10, Records=1, Children=0
    A: 192.168.122.10 (flags=f0, serial=110, ttl=1200)
# smbd -b | grep "CONFIGFILE"
   CONFIGFILE: /etc/samba/smb.conf
# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
   LOCKDIR: /run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PRIVATE_DIR: /var/lib/samba/private
# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter ALEKSIS22\Administrator's password: 
  .                                   D        0  Wed Aug 10 14:34:55 2022
  ..                                  D        0  Wed Aug 10 14:34:57 2022

		19480400 blocks of size 1024. 13606456 blocks available
# host -t SRV _ldap._tcp.aleksis22.tmp.
_ldap._tcp.aleksis22.tmp has SRV record 0 100 389 debian11.aleksis22.tmp.

# host -t SRV _kerberos._udp.aleksis22.tmp.
_kerberos._udp.aleksis22.tmp has SRV record 0 100 88 debian11.aleksis22.tmp.

# host -t A debian11.aleksis22.tmp.
debian11.aleksis22.tmp has address 192.168.122.11

# host -t A dc1.aleksis22.tmp.
dc1.aleksis22.tmp has address 192.168.122.11

# kinit administrator
Password for administrator@ALEKSIS22.TMP: 
Warning: Your password will expire in 41 days on ср, 21-вер-2022 14:42:06 +0200

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@ALEKSIS22.TMP
Valid starting     Expires            Service principal
11.08.22 14:33:33  12.08.22 00:33:33  krbtgt/ALEKSIS22.TMP@ALEKSIS22.TMP
	renew until 12.08.22 14:33:28

# wbinfo --ping-dc
checking the NETLOGON for domain[ALEKSIS22] dc connection to "debian11.aleksis22.tmp" succeeded
# samba-tool group listmembers "Domain Users"
Administrator
krbtgt

# wbinfo --name-to-sid Administrator
S-1-5-21-2908531214-3710685835-1419898928-500 SID_USER (1)

$ sudo samba-tool user list
[sudo]  user: 
Administrator
Guest
krbtgt

What was checked and worked well enough:

  • joining pc to smb4 domain;
  • Active Directory Computers and Users management from Windows client;
  • DNS management as well;
  • GPO management after important manual fix (adding permissions to read sysvol for Domain Users and Domain Computers)
  • MSI-package installation by GPO-policy

Links are used in this research:

**SAMBA 4** after all preparings it work as well as usual Windows Active Directory does. The schema was used in a testing is a QEMU libv with installed: 1. win10pro as a client; 2. debian 11 as a samba server * Domain: ALEKSIS22, 192.168.122.11 * /etc/resolv.conf ``` # Generated by NetworkManager search aleksis22.tmp nameserver 192.168.122.11 nameserver 8.8.8.8 ``` `# samba-tool dns query 192.168.122.11 aleksis22.tmp @ ALL -U Administrator` ``` Password for [ALEKSIS22\Administrator]: Name=, Records=3, Children=0 SOA: serial=1675, refresh=900, retry=600, expire=86400, minttl=3600, ns=debian11.aleksis22.tmp., email=hostmaster.aleksis22.tmp. (flags=600000f0, serial=1675, ttl=3600) NS: debian11.aleksis22.tmp. (flags=600000f0, serial=1, ttl=900) A: 192.168.122.11 (flags=600000f0, serial=1, ttl=900) Name=_msdcs, Records=0, Children=0 Name=_sites, Records=0, Children=1 Name=_tcp, Records=0, Children=4 Name=_udp, Records=0, Children=2 Name=debian11, Records=1, Children=0 A: 192.168.122.11 (flags=f0, serial=1, ttl=900) Name=DomainDnsZones, Records=0, Children=2 Name=ForestDnsZones, Records=0, Children=2 Name=win10, Records=1, Children=0 A: 192.168.122.10 (flags=f0, serial=110, ttl=1200) ``` ``` # smbd -b | grep "CONFIGFILE" CONFIGFILE: /etc/samba/smb.conf ``` ``` # smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR" LOCKDIR: /run/samba STATEDIR: /var/lib/samba CACHEDIR: /var/cache/samba PRIVATE_DIR: /var/lib/samba/private ``` ``` # smbclient //localhost/netlogon -UAdministrator -c 'ls' Enter ALEKSIS22\Administrator's password: . D 0 Wed Aug 10 14:34:55 2022 .. D 0 Wed Aug 10 14:34:57 2022 19480400 blocks of size 1024. 13606456 blocks available ``` ``` # host -t SRV _ldap._tcp.aleksis22.tmp. _ldap._tcp.aleksis22.tmp has SRV record 0 100 389 debian11.aleksis22.tmp. # host -t SRV _kerberos._udp.aleksis22.tmp. _kerberos._udp.aleksis22.tmp has SRV record 0 100 88 debian11.aleksis22.tmp. # host -t A debian11.aleksis22.tmp. debian11.aleksis22.tmp has address 192.168.122.11 # host -t A dc1.aleksis22.tmp. dc1.aleksis22.tmp has address 192.168.122.11 # kinit administrator Password for administrator@ALEKSIS22.TMP: Warning: Your password will expire in 41 days on ср, 21-вер-2022 14:42:06 +0200 # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administrator@ALEKSIS22.TMP Valid starting Expires Service principal 11.08.22 14:33:33 12.08.22 00:33:33 krbtgt/ALEKSIS22.TMP@ALEKSIS22.TMP renew until 12.08.22 14:33:28 # wbinfo --ping-dc checking the NETLOGON for domain[ALEKSIS22] dc connection to "debian11.aleksis22.tmp" succeeded ``` ``` # samba-tool group listmembers "Domain Users" Administrator krbtgt # wbinfo --name-to-sid Administrator S-1-5-21-2908531214-3710685835-1419898928-500 SID_USER (1) $ sudo samba-tool user list [sudo] user: Administrator Guest krbtgt ``` What was checked and worked well enough: - joining pc to smb4 domain; - **Active Directory** Computers and Users management from Windows client; - **DNS** management as well; - **GPO** management after important manual fix (adding permissions to read **sysvol** for Domain Users and Domain Computers) - **MSI**-package installation by GPO-policy Links are used in this research: - https://habr.com/ru/post/216173/ - https://habr.com/ru/post/655685/ - https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller - https://russianblogs.com/article/6791691142/ - https://askubuntu.com/a/860250 - https://wiki.samba.org/index.php/Managing_the_Samba_AD_DC_Service_Using_Systemd - https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting - https://linuxconfig.org/bash-netstat-command-not-found-debian-ubuntu-linux - https://techdirectarchive.com/2020/03/21/cannot-find-kdc-for-realm-while-getting-initial-credentials-kinit-configuration-file-does-not-specify-default-realm/ - https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba - https://wiki.samba.org/index.php/User_and_Group_management - https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
sggua commented 2022-09-01 00:27:45 +02:00 (Migrated from edugit.org)

WAPT

Most important is that WAPT API v3 well described at:

You can play with WAPT by curl scripts but I didn't found how to do with API such things:

  • make a software package
  • install or delete any package
  • management of WAPT console

So, if you want see step by step, you're welcome!
It's a "very long read" so take a cola and go!

The same linux system was used (with Samba4) for this research.

  1. added srvwapt to hosts file
$ cat /etc/hosts
127.0.0.1	localhost
#127.0.1.1	debian11.aleksis22	

192.168.122.11	debian11.aleksis22.tmp #debian11
192.168.122.11	aleksis22.tmp
192.168.122.11	srvwapt #wapt
192.168.122.11	srvwapt.aleksis22.tmp #wapt
  1. added the name to hostname file
$ cat /etc/hostname 
debian11
debian11.aleksis22.tmp
srvwapt.aleksis22.tmp

$ host srvwapt
srvwapt.aleksis22.tmp has address 192.168.122.11

$ host srvwapt.aleksis22.tmp 
srvwapt.aleksis22.tmp has address 192.168.122.11
  1. see the eth-network interface and it's gateway
$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.122.1   0.0.0.0         UG        0 0          0 enp1s0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 enp1s0

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:-------:8f brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.11/24 brd 192.168.122.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::--------:----/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
  1. make it static
add eth address to file /etc/network/interfaces

$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

auto enp1s0
iface enp1s0 inet static
  address 192.168.122.11
  netmask 255.255.255.0
  gateway 192.168.122.1
  1. Installating the WAPT Server packages
# cat /etc/apt/sources.list.d/wapt.list
deb https://wapt.tranquil.it/Debian/wapt-2.2/ bullseye main

export DEBIAN_FRONTEND=noninteractive
apt update
apt install tis-waptserver tis-waptsetup -y
unset DEBIAN_FRONTEND
..
..
Installation/Upgrade of waptserver is finished.

For postconfiguration please run:
sudo /opt/wapt/waptserver/scripts/postconf.sh

This post-configuration script MUST be run as root.

Please enter the wapt server password (min. 10 characters)
wapt.111pwd

Authentication type?
(x) 1 Allow unauthenticated registration

FQDN for the WAPT Server (eg. wapt.example.com)
debian11.aleksis22.tmp

ERROR occured:

Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable nginx

Traceback (most recent call last):
  File "/opt/wapt/waptserver/scripts/postconf.py", line 682, in main
    print(restart_nginx())
  File "/opt/wapt/waptserver/scripts/postconf.py", line 303, in restart_nginx
    return run('systemctl restart nginx')
  File "/opt/wapt/waptutils.py", line 2132, in run
    raise CalledProcessErrorOutput(proc.returncode, cmd, ''.join(output))
waptutils.CalledProcessErrorOutput: Command b'systemctl restart nginx' returned non-zero exit status 1.
Output:Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/wapt/waptserver/scripts/postconf.py", line 793, in <module>
    main()
  File "/opt/wapt/waptserver/scripts/postconf.py", line 688, in main
    'errno = ' + str(cpe.returncode) + ', output: ' + cpe.output.decode('utf-8')
AttributeError: 'str' object has no attribute 'decode'

The problem was in used port 80 by apache2, so I disabled it. Apache was not necessary.

# netstat -tulpn | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN      581/apache2 

# netstat -tulpn | grep :443

# netstat -tulpn | grep apache2
tcp6       0      0 :::80                   :::*                    LISTEN      581/apache2   

# systemctl status apache2.service
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-08-24 10:49:08 CEST; 3h 56min ago

# systemctl disable apache2.service
Synchronizing state of apache2.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable apache2
Removed /etc/systemd/system/multi-user.target.wants/apache2.service.

# systemctl stop apache2.service
  1. Postconf done it's job successfully after that "trick"
# /opt/wapt/waptserver/scripts/postconf.sh
[*] Postconfiguration completed.                                        │  
│ Please connect to https://debian11.aleksis22.tmp/ to access the server.
  1. installing the WAPT Console
  As of 2022-07-20, the WAPT Console only installs on Windows.
  It is highly recommended to use the Console on a dedicated management host.
On the Windows machine win10-wapt:
Web console is ok at https://debian11.aleksis22.tmp
Downloaded and installed waptsetup 2.2.2.12388

Log into the WAPT Console with the SuperAdmin login and password.

ERROR:
_No valid license found for server https://debian11.aleksis22.tmp, switching to Wapt Discovery mode_
OK

8.You need one certificate and matching private key to be able to sign actions and configurations.

Do you want to pick or create one now in preferences?
YES
  1. waptagent.exe installer is not present on server
Do you want to build waptagent.exe installer for the deployment of Wapt on client hosts?
YES
  1. To activate the licence, use the licence.lic file provided by our sales department.
    So, no licenses for now.

  2. The path to your private key MUST NOT be in the installation path of WAPT (C:\Program Files (x86)\wapt).

  • If your key is stored in C:\Program Files (x86)\wapt, your Administrator’s private key will be deployed on your clients, ABSOLUTELY A NO GO!.
  • Finally, the wapt-private.pem file MUST NOT be stored on the WAPT Server.
  1. GPO: making a rule to setup WAPT-Agent to all PC from WAPT-Agent-PC group
WAPT Console:
 Get and uploadagent to server:
  - windows
  - debian 11 amd64
  - debian 10 amd64
  - ubuntu 20 amd64
  - ubuntu 22 amd64
  1. GPO string at Startup section:
    Computer Configuration
    - Policies
      - Software Settings
      - Windows Settings
        - Scripts (Startup/Shutdown)
          - Startup            

\\.. waptdeploy.exe --hash= --minversion=2.2.2.12388 --wait=15 --waptsetupurl=https://debian11.aleksis22.tmp/wapt/waptagent.exe

GPO worked!

After installing WAPT you can manipulate using:

  • WAPT Console GUI
  • wapt-get (part of installed waptagent)

Lets try to see get-post packages with Wireshark...

This part with wireshark is not really was needed so just main points.
Several times a minute I've got checks of licenses.. and nothing more..
"GET /licences.json HTTP/1.1" 200 0 "-" "wapt/2.2.2"

  1. Let's try curl-es with this nginx...
$ curl -v --insecure -XGET -d '/wapt-host/4AAD4688-4D01-46D2-8179-489A625C2149.wapt' 'https://debian11.aleksis22.tmp'
*   Trying 192.168.122.11:443...
* Connected to debian11.aleksis22.tmp (192.168.122.11) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=debian11.aleksis22.tmp
*  start date: Aug 24 12:20:20 2022 GMT
*  expire date: Aug 21 12:20:20 2032 GMT
*  issuer: CN=debian11.aleksis22.tmp
*  SSL certificate verify result: self signed certificate (18), continuing anyway.


        <div class="row">
            <div class="col-md-9 col-sx-12">
                <h2>WAPT server</h2>

.. and several pages of html.. it was not the result that I looked for..
Wireshark, TLS decoding, SSL MIM parsing.. and nothing interested...
only the license checks....

GET /licences.json HTTP/1.1
Host: debian11.aleksis22.tmp
Accept-Encoding: identity
cache-control: no-cache
pragma: no-cache
user-agent: wapt/2.2.2
  1. Most interested requests are in nginx logs during requests by WAPT Console.

i.e.

# grep "waptconsole" /var/log/nginx/access.log

192.168.122.17 - - [27/Aug/2022:23:10:42 +0200] "GET /api/v3/known_packages?available_only=1 HTTP/1.1" 200 394 "-" "waptconsole/2.2.2.12388W"
192.168.122.17 - - [27/Aug/2022:23:10:59 +0200] "GET /api/v3/known_packages HTTP/1.1" 200 369 "-" "waptconsole/2.2.2.12388W"
192.168.122.17 - - [27/Aug/2022:23:11:00 +0200] "GET /api/v3/known_packages?available_only=1 HTTP/1.1" 200 394 "-" "waptconsole/2.2.2.12388W"
192.168.122.17 - - [27/Aug/2022:23:11:52 +0200] "GET /api/v3/get_all_agentrepos?pattern= HTTP/1.1" 403 92 "-" "waptconsole/2.2.2.12388W"
192.168.122.17 - - [27/Aug/2022:23:11:54 +0200] "GET /ping HTTP/1.1" 200 389 "-" "waptconsole/2.2.2.12388W"
192.168.122.17 - - [27/Aug/2022:23:11:54 +0200] "HEAD /wapt//Packages HTTP/1.1" 200 0 "-" "waptconsole/2.2.2.12388W"
192.168.122.17 - - [27/Aug/2022:23:11:54 +0200] "HEAD /wapt//Packages HTTP/1.1" 200 0 "-" "waptconsole/2.2.2.12388W"
192.168.122.17 - - [27/Aug/2022:23:12:19 +0200] "GET /api/v3/latest_installed_package_version?package= HTTP/1.1" 200 108 "-" "waptconsole/2.2.2.12388W"
192.168.122.17 - - [27/Aug/2022:23:12:19 +0200] "GET /api/v3/known_packages?available_only=1 HTTP/1.1" 200 393 "-" "waptconsole/2.2.2.12388W"
192.168.122.17 - - [27/Aug/2022:23:12:19 +0200] "GET /api/v3/known_packages?available_only=1 HTTP/1.1" 200 394 "-" "waptconsole/2.2.2.12388W"

Following are requests with parts of responds.

GET /ping
$ curl --insecure -XGET -d '/ping' 'https://debian11.aleksis22.tmp'

_html trash in a responce... _

Or using the Firefox

https://debian11.aleksis22.tmp/ping
{"success": true, "msg": "WAPT Server running", "result": {"version": "2.2.2", "full_version": "2.2.2.12388-10e35aa7", "api_root": "/api/", "api_version": "v3", "uuid": "db2233e8-23a6-11ed-8ce2-525400683c8f", "date": "2022-08-27T23:33:40.974488", "application_root": "", "edition": "enterprise", "platform": "Linux", "architecture": ["64bit", "ELF"]}, "request_time": 0.0035386085510253906}

**further requests needs credentials. **
and then you could get proper JSONs as replies.

https://debian11.aleksis22.tmp/api/v3/get_ad_ou_split
{"success": true, "msg": "AD OU DN List", "result": [[["CN", "Computers", ","], ["DC", "aleksis22", ","], ["DC", "tmp", ""]]], "request_time": 0.0011339187622070312}

https://debian11.aleksis22.tmp/api/v3/get_all_agentrepos?pattern=
{"success": false, "msg": "Forbidden due to no valid enterprise licence.", "error_code": ""}
  1. API v3 well described at
    https://www.wapt.fr/en/doc/wapt-api.html?highlight=api#api-v3

  2. so we could try it in much correct way
    $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/reported_managed_hosts_count'
    {"success": true, "result": 2}

$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/get_ad_ou'
{"success": true, "msg": "AD OU DN List", "result": ["CN=Computers,DC=aleksis22,DC=tmp"], "request_time": 0.0011298656463623047}

$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping'
{"success": true, "msg": "WAPT Server running", "result": {"version": "2.2.2", "full_version": "2.2.2.12388-10e35aa7", "api_root": "/api/", "api_version": "v3", "uuid": "db2233e8-23a6-11ed-8ce2-525400683c8f", "date": "2022-08-28T00:33:12.558762", "application_root": "", "edition": "enterprise", "platform": "Linux", "architecture": ["64bit", "ELF"]}, "request_time": 0.013669729232788086}

  1. Parsing JSON responces
    get the readable JSON response.
    howto: https://stackoverflow.com/questions/27238411/display-curl-output-in-readable-json-format-in-unix-shell-script
    : add "| json_pp -json_opt pretty,canonical" to the end of command
        
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | json_pp -json_opt pretty,canonical

{
   "msg" : "2 known packages",
   "request_time" : 0.000856399536132812,
   "result" : [
      {
         "last_signature_date" : "2022-08-27T16:24:49.140581",
         "package" : "test-notepadplusplus",
         "sections" : [
            "base"
         ],
         "target_oss" : [
            "windows"
         ]
      },
      {
         "last_signature_date" : "2022-08-24T15:26:33.168285",
         "package" : "test-waptupgrade",
         "sections" : [
            "base"
         ],
         "target_oss" : [
            "windows"
         ]
      }
   ],
   "success" : true
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/packages' | jq '.result' | grep '"package"'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6532  100  6532    0     0   212k      0 --:--:-- --:--:-- --:--:--  212k
    "package": "test-waptupgrade",
    "package": "test-notepadplusplus",
  1. Getting quantity of known packages
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | jq '.msg' | awk -F ' ' '{print $1;}' | sed 's/\"//g'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   368  100   368    0     0  23000      0 --:--:-- --:--:-- --:--:-- 23000
2
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | jq '.msg' | sed 's/\"//g' |  awk -F ' ' '{print $1;}' 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   369  100   369    0     0  16772      0 --:--:-- --:--:-- --:--:-- 16772
2

Answer = 2

  1. Getting the list of known applications
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | jq '.result [] .package'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   364  100   364    0     0  15166      0 --:--:-- --:--:-- --:--:-- 15166
"test-notepadplusplus"
"test-waptupgrade"
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/packages' | jq '.result [] .package'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6532  100  6532    0     0   172k      0 --:--:-- --:--:-- --:--:--  172k
"test-waptupgrade"
"test-notepadplusplus"
  1. Getting the date stamp on WAPT server
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping' | jq '.result.date'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   390  100   390    0     0  35454      0 --:--:-- --:--:-- --:--:-- 35454
"2022-08-29T15:08:31.137234"
  1. Getting only the date on WAPT server
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping' | jq '.result.date' | sed 's/\"//g'  | awk -F 'T' '{print $1;}'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   389  100   389    0     0  27785      0 --:--:-- --:--:-- --:--:-- 27785
2022-08-29
  1. Getting only the time on WAPT server with decimals
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping' | jq '.result.date' | sed 's/\"//g'  | sed 's|.*T||'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   390  100   390    0     0  26000      0 --:--:-- --:--:-- --:--:-- 26000
15:12:53.983414
  1. Getting only the time on WAPT server as HH:MM:SS
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping' | jq '.result.date' | sed 's/\"//g'  | sed 's|.*T||' | awk -F '.' '{print $1;}'
 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   389  100   389    0     0  18523      0 --:--:-- --:--:-- --:--:-- 18523
15:16:24
  1. trying to make new WAPT-package..
    install PyScripter x86 and x64 on w10-wapt
    install Python3 x86 and x64 on w10-wapt
w10-wapt:
    - download 7z msi
    - WAPT Console
        - Tools - Make package from setup file
        - Package wizard - Windows installer
            - choose 7z2201-x64.msi
            - continue
            - build and upload
$ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | jq '.result [] .package'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   508  100   508    0     0  29882      0 --:--:-- --:--:-- --:--:-- 31750
"test-7-zip-22.01-x64"
"test-notepadplusplus"
"test-waptupgrade"

test-7-zip-22.01-x64 is in a list

And that's probably all..
You cannot manage software by curl or manage windows console.

Links used in a research:

**WAPT** Most important is that **WAPT API v3** well described at: - https://www.wapt.fr/en/doc/wapt-api.html?highlight=api#api-v3 You can play with WAPT by curl scripts but I didn't found how to do with API such things: - make a software package - install or delete any package - management of WAPT console So, if you want see step by step, you're welcome! It's a "very long read" so take a cola and go! The same linux system was used (with Samba4) for this research. 1. added srvwapt to hosts file ``` $ cat /etc/hosts 127.0.0.1 localhost #127.0.1.1 debian11.aleksis22 192.168.122.11 debian11.aleksis22.tmp #debian11 192.168.122.11 aleksis22.tmp 192.168.122.11 srvwapt #wapt 192.168.122.11 srvwapt.aleksis22.tmp #wapt ``` 2. added the name to hostname file ``` $ cat /etc/hostname debian11 debian11.aleksis22.tmp srvwapt.aleksis22.tmp $ host srvwapt srvwapt.aleksis22.tmp has address 192.168.122.11 $ host srvwapt.aleksis22.tmp srvwapt.aleksis22.tmp has address 192.168.122.11 ``` 3. see the eth-network interface and it's gateway ``` $ netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 192.168.122.1 0.0.0.0 UG 0 0 0 enp1s0 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 enp1s0 $ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 52:-------:8f brd ff:ff:ff:ff:ff:ff inet 192.168.122.11/24 brd 192.168.122.255 scope global noprefixroute enp1s0 valid_lft forever preferred_lft forever inet6 fe80::--------:----/64 scope link noprefixroute valid_lft forever preferred_lft forever ``` 4. make it static ``` add eth address to file /etc/network/interfaces $ cat /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback auto enp1s0 iface enp1s0 inet static address 192.168.122.11 netmask 255.255.255.0 gateway 192.168.122.1 ``` 5. Installating the WAPT Server packages ``` # cat /etc/apt/sources.list.d/wapt.list deb https://wapt.tranquil.it/Debian/wapt-2.2/ bullseye main export DEBIAN_FRONTEND=noninteractive apt update apt install tis-waptserver tis-waptsetup -y unset DEBIAN_FRONTEND .. .. Installation/Upgrade of waptserver is finished. For postconfiguration please run: sudo /opt/wapt/waptserver/scripts/postconf.sh This post-configuration script MUST be run as root. Please enter the wapt server password (min. 10 characters) wapt.111pwd Authentication type? (x) 1 Allow unauthenticated registration FQDN for the WAPT Server (eg. wapt.example.com) debian11.aleksis22.tmp ``` **ERROR** occured: ``` Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable nginx Traceback (most recent call last): File "/opt/wapt/waptserver/scripts/postconf.py", line 682, in main print(restart_nginx()) File "/opt/wapt/waptserver/scripts/postconf.py", line 303, in restart_nginx return run('systemctl restart nginx') File "/opt/wapt/waptutils.py", line 2132, in run raise CalledProcessErrorOutput(proc.returncode, cmd, ''.join(output)) waptutils.CalledProcessErrorOutput: Command b'systemctl restart nginx' returned non-zero exit status 1. Output:Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details. During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/wapt/waptserver/scripts/postconf.py", line 793, in <module> main() File "/opt/wapt/waptserver/scripts/postconf.py", line 688, in main 'errno = ' + str(cpe.returncode) + ', output: ' + cpe.output.decode('utf-8') AttributeError: 'str' object has no attribute 'decode' ``` The problem was in **used port 80 by apache2**, so I disabled it. Apache was not necessary. ``` # netstat -tulpn | grep :80 tcp6 0 0 :::80 :::* LISTEN 581/apache2 # netstat -tulpn | grep :443 # netstat -tulpn | grep apache2 tcp6 0 0 :::80 :::* LISTEN 581/apache2 # systemctl status apache2.service ● apache2.service - The Apache HTTP Server Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2022-08-24 10:49:08 CEST; 3h 56min ago # systemctl disable apache2.service Synchronizing state of apache2.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install disable apache2 Removed /etc/systemd/system/multi-user.target.wants/apache2.service. # systemctl stop apache2.service ``` 6. Postconf done it's job successfully after that "trick" ``` # /opt/wapt/waptserver/scripts/postconf.sh [*] Postconfiguration completed. │ │ Please connect to https://debian11.aleksis22.tmp/ to access the server. ``` 7. installing the WAPT Console ``` As of 2022-07-20, the WAPT Console only installs on Windows. It is highly recommended to use the Console on a dedicated management host. On the Windows machine win10-wapt: Web console is ok at https://debian11.aleksis22.tmp Downloaded and installed waptsetup 2.2.2.12388 Log into the WAPT Console with the SuperAdmin login and password. ERROR: _No valid license found for server https://debian11.aleksis22.tmp, switching to Wapt Discovery mode_ OK ``` 8.You need one certificate and matching private key to be able to sign actions and configurations. ``` Do you want to pick or create one now in preferences? YES ``` 9. waptagent.exe installer is not present on server ``` Do you want to build waptagent.exe installer for the deployment of Wapt on client hosts? YES ``` 10. To activate the licence, use the licence.lic file provided by our sales department. So, no licenses for now. 11. The path to your private key MUST NOT be in the installation path of WAPT (C:\Program Files (x86)\wapt). - If your key is stored in C:\Program Files (x86)\wapt, your Administrator’s private key will be deployed on your clients, ABSOLUTELY A NO GO!. - Finally, the wapt-private.pem file MUST NOT be stored on the WAPT Server. 12. GPO: making a rule to setup WAPT-Agent to all PC from WAPT-Agent-PC group ``` WAPT Console: Get and uploadagent to server: - windows - debian 11 amd64 - debian 10 amd64 - ubuntu 20 amd64 - ubuntu 22 amd64 ``` 13. GPO string at Startup section: ``` Computer Configuration - Policies - Software Settings - Windows Settings - Scripts (Startup/Shutdown) - Startup \\.. waptdeploy.exe --hash= --minversion=2.2.2.12388 --wait=15 --waptsetupurl=https://debian11.aleksis22.tmp/wapt/waptagent.exe ``` GPO worked! After installing WAPT you can manipulate using: - WAPT Console GUI - wapt-get (part of installed waptagent) Lets try to see get-post packages with Wireshark... This part with wireshark is not really was needed so just main points. Several times a minute I've got checks of licenses.. and nothing more.. `"GET /licences.json HTTP/1.1" 200 0 "-" "wapt/2.2.2"` 14. Let's try curl-es with this nginx... ``` $ curl -v --insecure -XGET -d '/wapt-host/4AAD4688-4D01-46D2-8179-489A625C2149.wapt' 'https://debian11.aleksis22.tmp' * Trying 192.168.122.11:443... * Connected to debian11.aleksis22.tmp (192.168.122.11) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: CN=debian11.aleksis22.tmp * start date: Aug 24 12:20:20 2022 GMT * expire date: Aug 21 12:20:20 2032 GMT * issuer: CN=debian11.aleksis22.tmp * SSL certificate verify result: self signed certificate (18), continuing anyway. <div class="row"> <div class="col-md-9 col-sx-12"> <h2>WAPT server</h2> ``` .. and several pages of html.. it was not the result that I looked for.. Wireshark, TLS decoding, SSL MIM parsing.. and nothing interested... only the license checks.... ``` GET /licences.json HTTP/1.1 Host: debian11.aleksis22.tmp Accept-Encoding: identity cache-control: no-cache pragma: no-cache user-agent: wapt/2.2.2 ``` 15. **Most interested requests are in nginx logs during requests by WAPT Console.** i.e. ``` # grep "waptconsole" /var/log/nginx/access.log 192.168.122.17 - - [27/Aug/2022:23:10:42 +0200] "GET /api/v3/known_packages?available_only=1 HTTP/1.1" 200 394 "-" "waptconsole/2.2.2.12388W" 192.168.122.17 - - [27/Aug/2022:23:10:59 +0200] "GET /api/v3/known_packages HTTP/1.1" 200 369 "-" "waptconsole/2.2.2.12388W" 192.168.122.17 - - [27/Aug/2022:23:11:00 +0200] "GET /api/v3/known_packages?available_only=1 HTTP/1.1" 200 394 "-" "waptconsole/2.2.2.12388W" 192.168.122.17 - - [27/Aug/2022:23:11:52 +0200] "GET /api/v3/get_all_agentrepos?pattern= HTTP/1.1" 403 92 "-" "waptconsole/2.2.2.12388W" 192.168.122.17 - - [27/Aug/2022:23:11:54 +0200] "GET /ping HTTP/1.1" 200 389 "-" "waptconsole/2.2.2.12388W" 192.168.122.17 - - [27/Aug/2022:23:11:54 +0200] "HEAD /wapt//Packages HTTP/1.1" 200 0 "-" "waptconsole/2.2.2.12388W" 192.168.122.17 - - [27/Aug/2022:23:11:54 +0200] "HEAD /wapt//Packages HTTP/1.1" 200 0 "-" "waptconsole/2.2.2.12388W" 192.168.122.17 - - [27/Aug/2022:23:12:19 +0200] "GET /api/v3/latest_installed_package_version?package= HTTP/1.1" 200 108 "-" "waptconsole/2.2.2.12388W" 192.168.122.17 - - [27/Aug/2022:23:12:19 +0200] "GET /api/v3/known_packages?available_only=1 HTTP/1.1" 200 393 "-" "waptconsole/2.2.2.12388W" 192.168.122.17 - - [27/Aug/2022:23:12:19 +0200] "GET /api/v3/known_packages?available_only=1 HTTP/1.1" 200 394 "-" "waptconsole/2.2.2.12388W" ``` Following are requests with parts of responds. ``` GET /ping $ curl --insecure -XGET -d '/ping' 'https://debian11.aleksis22.tmp' ``` _html trash in a responce... _ Or using the Firefox ``` https://debian11.aleksis22.tmp/ping {"success": true, "msg": "WAPT Server running", "result": {"version": "2.2.2", "full_version": "2.2.2.12388-10e35aa7", "api_root": "/api/", "api_version": "v3", "uuid": "db2233e8-23a6-11ed-8ce2-525400683c8f", "date": "2022-08-27T23:33:40.974488", "application_root": "", "edition": "enterprise", "platform": "Linux", "architecture": ["64bit", "ELF"]}, "request_time": 0.0035386085510253906} ``` **further requests needs credentials. ** and then you could get proper JSONs as replies. ``` https://debian11.aleksis22.tmp/api/v3/get_ad_ou_split {"success": true, "msg": "AD OU DN List", "result": [[["CN", "Computers", ","], ["DC", "aleksis22", ","], ["DC", "tmp", ""]]], "request_time": 0.0011339187622070312} https://debian11.aleksis22.tmp/api/v3/get_all_agentrepos?pattern= {"success": false, "msg": "Forbidden due to no valid enterprise licence.", "error_code": ""} ``` 16. API v3 well described at https://www.wapt.fr/en/doc/wapt-api.html?highlight=api#api-v3 17. so we could try it in much correct way $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/reported_managed_hosts_count' {"success": true, "result": 2} $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/get_ad_ou' {"success": true, "msg": "AD OU DN List", "result": ["CN=Computers,DC=aleksis22,DC=tmp"], "request_time": 0.0011298656463623047} $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping' {"success": true, "msg": "WAPT Server running", "result": {"version": "2.2.2", "full_version": "2.2.2.12388-10e35aa7", "api_root": "/api/", "api_version": "v3", "uuid": "db2233e8-23a6-11ed-8ce2-525400683c8f", "date": "2022-08-28T00:33:12.558762", "application_root": "", "edition": "enterprise", "platform": "Linux", "architecture": ["64bit", "ELF"]}, "request_time": 0.013669729232788086} 18. Parsing JSON responces get the readable JSON response. howto: https://stackoverflow.com/questions/27238411/display-curl-output-in-readable-json-format-in-unix-shell-script ` : add "| json_pp -json_opt pretty,canonical" to the end of command` ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | json_pp -json_opt pretty,canonical { "msg" : "2 known packages", "request_time" : 0.000856399536132812, "result" : [ { "last_signature_date" : "2022-08-27T16:24:49.140581", "package" : "test-notepadplusplus", "sections" : [ "base" ], "target_oss" : [ "windows" ] }, { "last_signature_date" : "2022-08-24T15:26:33.168285", "package" : "test-waptupgrade", "sections" : [ "base" ], "target_oss" : [ "windows" ] } ], "success" : true ``` ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/packages' | jq '.result' | grep '"package"' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 6532 100 6532 0 0 212k 0 --:--:-- --:--:-- --:--:-- 212k "package": "test-waptupgrade", "package": "test-notepadplusplus", ``` 19. Getting quantity of known packages ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | jq '.msg' | awk -F ' ' '{print $1;}' | sed 's/\"//g' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 368 100 368 0 0 23000 0 --:--:-- --:--:-- --:--:-- 23000 2 ``` ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | jq '.msg' | sed 's/\"//g' | awk -F ' ' '{print $1;}' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 369 100 369 0 0 16772 0 --:--:-- --:--:-- --:--:-- 16772 2 ``` Answer = 2 20. Getting the list of known applications ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | jq '.result [] .package' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 364 100 364 0 0 15166 0 --:--:-- --:--:-- --:--:-- 15166 "test-notepadplusplus" "test-waptupgrade" ``` ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/packages' | jq '.result [] .package' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 6532 100 6532 0 0 172k 0 --:--:-- --:--:-- --:--:-- 172k "test-waptupgrade" "test-notepadplusplus" ``` 21. Getting the date stamp on WAPT server ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping' | jq '.result.date' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 390 100 390 0 0 35454 0 --:--:-- --:--:-- --:--:-- 35454 "2022-08-29T15:08:31.137234" ``` 22. Getting only the date on WAPT server ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping' | jq '.result.date' | sed 's/\"//g' | awk -F 'T' '{print $1;}' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 389 100 389 0 0 27785 0 --:--:-- --:--:-- --:--:-- 27785 2022-08-29 ``` 23. Getting only the time on WAPT server with decimals ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping' | jq '.result.date' | sed 's/\"//g' | sed 's|.*T||' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 390 100 390 0 0 26000 0 --:--:-- --:--:-- --:--:-- 26000 15:12:53.983414 ``` 24. Getting only the time on WAPT server as HH:MM:SS ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/ping' | jq '.result.date' | sed 's/\"//g' | sed 's|.*T||' | awk -F '.' '{print $1;}' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 389 100 389 0 0 18523 0 --:--:-- --:--:-- --:--:-- 18523 15:16:24 ``` 25. trying to make new WAPT-package.. install PyScripter x86 and x64 on w10-wapt install Python3 x86 and x64 on w10-wapt ``` w10-wapt: - download 7z msi - WAPT Console - Tools - Make package from setup file - Package wizard - Windows installer - choose 7z2201-x64.msi - continue - build and upload ``` ``` $ curl --insecure -G -u 'admin:wapt.11pwd' 'https://debian11.aleksis22.tmp/api/v3/known_packages' | jq '.result [] .package' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 508 100 508 0 0 29882 0 --:--:-- --:--:-- --:--:-- 31750 "test-7-zip-22.01-x64" "test-notepadplusplus" "test-waptupgrade" ``` test-7-zip-22.01-x64 is in a list And that's probably all.. You cannot manage software by curl or manage windows console. Links used in a research: - https://www.wapt.fr/en/doc/wapt-server-install-debian-based.html#base-debian-server-install - https://www.wapt.fr/en/doc/wapt-server-install-debian-based.html#installating-the-wapt-server-packages - https://stackoverflow.com/questions/42303401/nginx-will-not-start-address-already-in-use - https://www.wapt.fr/en/doc/wapt-configuration.html#installing-the-wapt-console - https://www.wapt.fr/en/doc/wapt-deploy-agent-windows.html - https://www.topcoder.com/thrive/articles/curl-a-request-and-response-tool - https://curlbuilder.com/ - https://www.golinuxcloud.com/wireshark-decrypt-ssl-tls-tutorial/ - https://thesecmaster.com/decoding-tls-v1-2-protocol-handshake-with-wireshark/ - https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/ - https://resources.infosecinstitute.com/topic/decrypting-ssl-tls-traffic-with-wireshark/ - https://stackoverflow.com/questions/27238411/display-curl-output-in-readable-json-format-in-unix-shell-script - https://stackoverflow.com/questions/1955505/parsing-json-with-unix-tools - https://qna.habr.com/q/309449 - https://skyserv.wordpress.com/2015/10/21/5/ - https://www.wapt.fr/en/doc/wapt-create-packages.html
sggua commented 2022-09-01 00:46:15 +02:00 (Migrated from edugit.org)

pGina 3.1.8.0
(OpenSource tool to add an ability to Windows systems to use third party logon plugins)

All testings in this research made with v.3.1.8.0

You can write own plugins for this and for forked versions:

GINA for Windows 10
https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina
http://pgina.org/
https://github.com/pgina/pgina/wiki
https://github.com/pgina/pgina/wiki/How-pGina-Works

pGina is a replacement for the default Windows Credential Provider (CP), or GINA (for XP and earlier). Through plugins, pGina allows you to configure many aspects of the login process from authentication and authorization through to logging and terminal events.

Note that the Credential Provider framework is supported in Windows 7/Vista and higher. Prior versions of Windows used a framework called GINA. For much of this guide, we'll simply refer to it as a Credential Provider or CP.

Let's try pGina on a new cloned win10-pgina

Install pGina
https://github.com/pgina/pgina/wiki/Install#installing-pgina

LDAP Server on Ubuntu Server 17.04 and Windows 10 Client (pGina)
https://www.youtube.com/watch?v=6ls6kRvGkrU

He used on server side:
    - salpd, ldap-utils
    - phpldapadmin
on client side:
    - win 10 with pGina 3.1.8 (actual version)
    - pGina plugins: 
        \- LDAP (authent, author, gateway)
            \- manually configured LDAP host:port address
    - plugin order: LDAP is first

So this schema can work but you should be sure that a client can see a server in a network environment.

There are several available plugins to use with pGina for logon:

  • LDAP
  • MySQL
  • Email (POP/IMAP, inc.SSL - authentication only)
  • RADIUS (authentication, notification)

Let's try:

  • IMAP+SSL:993 (-----imap.-----.de)
    \ - user se----@----.de
    • webportal password
  • LDAP (samba at debian11.aleksis22.tmp)
    \ - LDAP host: debian11.aleksis22.tmp
    • Search DN: cn=usr1,dc=aleksis22, dc=tmp
    • Search pw: -----
    • Group DN Pattern: cn=%g,ou=Group,dc=aleksis22,dc=tmp
    • User DN Pattern: OFF
    • Search for DN: YES
      \ - Search Filter: uid=%u
      • Search Context(s): dc=aleksis22,dc=tmp
  • Plugin order:
    \ - Email, LDAP, Local machine

Simulation1 (IMAP):

    username: se----@----.de
    password: -----
    result: LDAP error
    fix: disable LDAP plugin

Simulation2 (IMAP):

    username: se----@----.de
    password: -----
    result: SUCCESS

result: SUCCESS

Simulation3 (IMAP):

    fix: enable LDAP, disable Email; pl.order LDAP first
    username: support
    password: -----
    result: False
    fix: 
        \ - Search DN: cn=usr1,cn=Users, dc=aleksis22, dc=tmp
          - Group DN Pattern: cn=%g,dc=aleksis22,dc=tmp
    hm... 
doesn't work yet.. .

https://superuser.com/questions/1042701/openldap-and-pgina-vs-active-directory-using-samba4-domain-controller
OpenLDAP and pGina vs Active Directory (Using Samba4 Domain Controller)

pGina fork

http://mutonufoai.github.io/pgina/index.html
http://mutonufoai.github.io/pgina/documentation.html

this fork has extra plugins:

Going ahead..
Re-configured original (not forked) pGina:

 - plugin order: Email, LDAP, Local, Modificate username(GW)
 - Email: ------.de
 - LDAP : 192.168.122.11 (doesn't work with smb4.. )
 - Modificate: replace '@' with '.' in a username after authentication to make directories without '@' (not must)
 

Simulation works only with Email authentication.
Char '@' replaced with '.' in username.
Going to check it in real login case.

First test was unsuccessful..
Disabled plugins: LDAP, Modificate username.
Enabled only Email plugin.

Test successuful!
Access granted! (Email only...)
scr-220831-213719
scr-220831-213536

**pGina** 3.1.8.0 _(OpenSource tool to add an ability to Windows systems to use third party logon plugins)_ - orig: https://github.com/pgina/ - fork: http://mutonufoai.github.io/pgina/ All testings in this research made with v.3.1.8.0 You can write own plugins for this and for forked versions: - https://github.com/pgina/pgina/wiki/Plugin-Tutorial - http://mutonufoai.github.io/pgina/documentation/core/plugins.html GINA for Windows 10 https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina http://pgina.org/ https://github.com/pgina/pgina/wiki https://github.com/pgina/pgina/wiki/How-pGina-Works pGina is a replacement for the default Windows Credential Provider (CP), or GINA (for XP and earlier). Through plugins, pGina allows you to configure many aspects of the login process from authentication and authorization through to logging and terminal events. Note that the Credential Provider framework is supported in Windows 7/Vista and higher. Prior versions of Windows used a framework called GINA. For much of this guide, we'll simply refer to it as a Credential Provider or CP. Let's try pGina on a new cloned win10-pgina **Install** pGina https://github.com/pgina/pgina/wiki/Install#installing-pgina LDAP Server on Ubuntu Server 17.04 and Windows 10 Client (pGina) https://www.youtube.com/watch?v=6ls6kRvGkrU ``` He used on server side: - salpd, ldap-utils - phpldapadmin on client side: - win 10 with pGina 3.1.8 (actual version) - pGina plugins: \- LDAP (authent, author, gateway) \- manually configured LDAP host:port address - plugin order: LDAP is first ``` So this schema can work but you should be sure that a **client can see a server in a network environment**. There are several available plugins to use with pGina for logon: - LDAP - MySQL - Email (POP/IMAP, inc.SSL - authentication only) - RADIUS (authentication, notification) Let's try: - IMAP+SSL:993 (-----imap.-----.de) \ - user se----@----.de - webportal password - LDAP (samba at debian11.aleksis22.tmp) \ - LDAP host: debian11.aleksis22.tmp - Search DN: cn=usr1,dc=aleksis22, dc=tmp - Search pw: ----- - Group DN Pattern: cn=%g,ou=Group,dc=aleksis22,dc=tmp - User DN Pattern: OFF - Search for DN: YES \ - Search Filter: uid=%u - Search Context(s): dc=aleksis22,dc=tmp - Plugin order: \ - Email, LDAP, Local machine Simulation1 (**IMAP**): ``` username: se----@----.de password: ----- result: LDAP error fix: disable LDAP plugin ``` Simulation2 (**IMAP**): ``` username: se----@----.de password: ----- result: SUCCESS ``` result: **SUCCESS** Simulation3 (**IMAP**): ``` fix: enable LDAP, disable Email; pl.order LDAP first username: support password: ----- result: False fix: \ - Search DN: cn=usr1,cn=Users, dc=aleksis22, dc=tmp - Group DN Pattern: cn=%g,dc=aleksis22,dc=tmp hm... ``` doesn't work yet.. . https://superuser.com/questions/1042701/openldap-and-pgina-vs-active-directory-using-samba4-domain-controller OpenLDAP and pGina vs Active Directory (Using Samba4 Domain Controller) **pGina fork** http://mutonufoai.github.io/pgina/index.html http://mutonufoai.github.io/pgina/documentation.html this fork has extra plugins: - Multi Email Auth http://mutonufoai.github.io/pgina/documentation/plugins/multiemail.html - HTTP Auth http://mutonufoai.github.io/pgina/documentation/plugins/httpauth.html - LDAP with extra settings http://mutonufoai.github.io/pgina/documentation/plugins/ldap.html - SSHAuth http://mutonufoai.github.io/pgina/documentation/plugins/sshauth.html Going ahead.. Re-configured original (not forked) pGina: ``` - plugin order: Email, LDAP, Local, Modificate username(GW) - Email: ------.de - LDAP : 192.168.122.11 (doesn't work with smb4.. ) - Modificate: replace '@' with '.' in a username after authentication to make directories without '@' (not must) ``` Simulation works only with Email authentication. Char '@' replaced with '.' in username. Going to check it in real login case. First test was unsuccessful.. Disabled plugins: LDAP, Modificate username. Enabled only Email plugin. Test successuful! Access granted! (Email only...) ![scr-220831-213719](/uploads/8643c710e242a275aa55153749652ca2/scr-220831-213719.png) ![scr-220831-213536](/uploads/906e5a48d086e7b81c5aab82d4a4e7b3/scr-220831-213536.png)
sggua commented 2022-09-02 17:36:58 +02:00 (Migrated from edugit.org)

OpenID / OAuth 2.0 and Windows login.
OIDC

for Azure AD:

ADSelfService Plus:

Ivanti:

Certified OpenID services and libraries:

Several non-proprietary OpenID-certified services:

AuthMachine 4.0.7 https://authmachine.com/

  • AuthMachine is a software platform that can be setup in minutes and delivers powerful, pain-free Identity and Access Management (IAM) within your private cloud. In addition to conforming to all six OpenID Connect profiles (Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP and Form Post OP) AuthMachine also provides functionality such as adaptive authentication to prevent phishing attacks, multi-factor authentication, Single Log Out (SLO), registration/sign-up, self-service password resets.
  • Target Environment: Core application: Python — Admin Console: Javascript/ReactJS — Deployment environment: Docker-based software appliance that can be run on a single server, or easily configured to run in a high-availability architecture on AWS or other clouds
  • License: AuthMachine Community License
  • Certified By: AuthMachine
  • Conformance Profiles: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP

Gluu Server 4.0.0 http://www.gluu.org/

  • The Gluu Server is a free open source identity and access management platform for single sign-on, mobile authentication, and API access management that includes a comprehensive implementation of an OpenID Connect Provider and Relying Party.
  • Target Environment: Java
  • License: See https://gluu.org/docs/ce/4.0/#license
  • Certified By: Michael Schwartz
  • Conformance Profiles: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party-Init OP

Gravitee.io Access Management 2.1.x https://gravitee.io/

  • Gravitee.io Access Management is a flexible, lightweight and blazing-fast open source OpenID Connect/OAuth 2.0 provider aims to be a bridge between applications and identity providers to authenticate, authorize and getting information about user accounts.
  • Target Environment: Java on Vert.x
  • License: Apache 2.0
  • Certified By: GraviteeSource
  • Conformance Profiles: Basic OP, Implicit OP, Hybrid OP, Config OP

Identity Server 5.4.0 https://wso2.com/identity-and-access-management

  • WSO2 Identity Server is an identity and entitlement management server that facilitates security while connecting and managing multiple identities across different applications. It enables enterprise architects and developers to improve customer experience through a secure single sign-on environment.
  • Target Environment: Java
  • License: Apache 2.0
  • Certified by: WSO2
  • Conformance Profiles: Basic OP, Implicit OP

Verify My Identity 0.1.1 http://verifymyidentity.com/

  • VerifyMyIdentity is an open source implementation of OIDC in Python/Django. It supports account management, Vectors of Trust (https://tools.ietf.org/html/rfc8485) and FIDO (https://fidoalliance.org/). It was created to support exchange of sensitive information such as health information.
  • Target Environment: Python 3 / Django 2
  • License: Apache 2.0
  • Certified By: Videntity Systems
  • Conformance Profiles: Basic OP, Config OP
**OpenID / OAuth 2.0 and Windows login.** _**OIDC**_ **for Azure AD:** - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols - https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-openid-connect-oauth-concepts --etc. **ADSelfService Plus:** - https://www.manageengine.com/products/self-service-password/help/admin-guide/Application/oauth-and-openid-connect-sso.html - Configure OAuth or OpenID Connect for custom applications: https://www.manageengine.com/products/self-service-password/help/admin-guide/Application/sso/how-to-configure-openid-connect-sso-for-customapp.html **Ivanti:** - https://help.ivanti.com/ht/help/en_US/ISM/2017.3/Content/Configure/Security/Open%20ID%20Connect%20Azure.htm **Certified OpenID services and libraries:** - https://openid.net/developers/certified/ - Certified OpenID Provider Servers and Services: https://openid.net/developers/certified/#OPServices - Certified OpenID Provider Libraries: https://openid.net/developers/certified/#OPLibs **Several non-proprietary OpenID-certified services:** AuthMachine 4.0.7 https://authmachine.com/ - AuthMachine is a software platform that can be setup in minutes and delivers powerful, pain-free Identity and Access Management (IAM) within your private cloud. In addition to conforming to all six OpenID Connect profiles (Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP and Form Post OP) AuthMachine also provides functionality such as adaptive authentication to prevent phishing attacks, multi-factor authentication, Single Log Out (SLO), registration/sign-up, self-service password resets. - Target Environment: Core application: Python — Admin Console: Javascript/ReactJS — Deployment environment: Docker-based software appliance that can be run on a single server, or easily configured to run in a high-availability architecture on AWS or other clouds - License: AuthMachine Community License - Certified By: AuthMachine - Conformance Profiles: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP Gluu Server 4.0.0 http://www.gluu.org/ - The Gluu Server is a free open source identity and access management platform for single sign-on, mobile authentication, and API access management that includes a comprehensive implementation of an OpenID Connect Provider and Relying Party. - Target Environment: Java - License: See https://gluu.org/docs/ce/4.0/#license - Certified By: Michael Schwartz - Conformance Profiles: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party-Init OP Gravitee.io Access Management 2.1.x https://gravitee.io/ - Gravitee.io Access Management is a flexible, lightweight and blazing-fast open source OpenID Connect/OAuth 2.0 provider aims to be a bridge between applications and identity providers to authenticate, authorize and getting information about user accounts. - Target Environment: Java on Vert.x - License: Apache 2.0 - Certified By: GraviteeSource - Conformance Profiles: Basic OP, Implicit OP, Hybrid OP, Config OP Identity Server 5.4.0 https://wso2.com/identity-and-access-management - WSO2 Identity Server is an identity and entitlement management server that facilitates security while connecting and managing multiple identities across different applications. It enables enterprise architects and developers to improve customer experience through a secure single sign-on environment. - Target Environment: Java - License: Apache 2.0 - Certified by: WSO2 - Conformance Profiles: Basic OP, Implicit OP Verify My Identity 0.1.1 http://verifymyidentity.com/ - VerifyMyIdentity is an open source implementation of OIDC in Python/Django. It supports account management, Vectors of Trust (https://tools.ietf.org/html/rfc8485) and FIDO (https://fidoalliance.org/). It was created to support exchange of sensitive information such as health information. - Target Environment: Python 3 / Django 2 - License: Apache 2.0 - Certified By: Videntity Systems - Conformance Profiles: Basic OP, Config OP
sggua commented 2022-09-03 13:46:40 +02:00 (Migrated from edugit.org)

Ansible

https://en.wikipedia.org/wiki/Ansible_(software)

Probably it could help us with automated scripts?..

https://www.ansible.com/overview/how-ansible-works?hsLang=en-us

Ansible is a radically simple IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.

Short video: https://www.youtube.com/watch?v=VRoQLVHdNHE

https://www.tutorialspoint.com/ansible/index.htm

Quick guide: https://www.tutorialspoint.com/ansible/ansible_quick_guide.htm

Installation Process

Mainly, there are two types of machines when we talk about deployment −

  • Control machine − Machine from where we can manage other machines.
  • Remote machine − Machines which are handled/controlled by control machine.

Control Machine Requirements

Ansible can be run from any machine with Python 2 (versions 2.6 or 2.7) or Python 3 (versions 3.5 and higher) installed.

Note − Windows does not support control machine.

By default, Ansible uses ssh to manage remote machine.

Docs: https://docs.ansible.com/index.html

**Ansible** https://en.wikipedia.org/wiki/Ansible_(software) Probably it could help us with automated scripts?.. https://www.ansible.com/overview/how-ansible-works?hsLang=en-us Ansible is a radically simple **IT automation engine** that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs. Short video: https://www.youtube.com/watch?v=VRoQLVHdNHE https://www.tutorialspoint.com/ansible/index.htm **Quick guide:** https://www.tutorialspoint.com/ansible/ansible_quick_guide.htm **Installation Process** Mainly, there are two types of machines when we talk about deployment − - Control machine − Machine from where we can manage other machines. - Remote machine − Machines which are handled/controlled by control machine. **Control Machine Requirements** Ansible can be run from any machine with Python 2 (versions 2.6 or 2.7) or Python 3 (versions 3.5 and higher) installed. _Note − Windows does not support control machine._ By default, Ansible uses **ssh** to manage remote machine. **Docs:** https://docs.ansible.com/index.html
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
aleksis/AlekSIS-App-Kompjuter#7
No description provided.