Hello, I'm having some difficulty accessing the API. Following the directions shown
here:
Far away to be identical
Identity management chaos or a development of a fun
I am trying to use the following curl commands:

curl -kv -H Referer:https://$IPASERVER1/ipa -c $COOKIEJAR -b $COOKIEJAR --negotiate -u : -X POST https://$IPASERVER1/ipa/ui

I get the following output:

Andrews-MacBook-Pro :) > curl -kv -H Referer:https://$IPASERVER1/ipa -c $COOKIEJAR -b $COOKIEJAR --negotiate -u : -X POST https://$IPASERVER1/ipa/ui
* Trying 10.1.6.250...
* TCP_NODELAY set
* Connected to $IPASERVER1 (10.1.6.250) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=EXAMPLE.NET; CN=$IPASERVER1
* start date: Mar 6 21:52:54 2018 GMT
* expire date: Mar 6 21:52:54 2020 GMT
* issuer: O=EXAMPLE.NET; CN=Certificate Authority
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST /ipa/ui HTTP/1.1
> Host: $IPASERVER1
> User-Agent: curl/7.54.0
> Accept: */*
> Referer:https://$IPASERVER1/ipa
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 20 Aug 2018 19:50:50 GMT
< Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
* Added cookie ipa_session="" for domain $IPASERVER1, path /ipa, expire 1534794650
< Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Location: https://$IPASERVER1/ipa/ui/
< Cache-Control: max-age=31536000
< Expires: Tue, 20 Aug 2019 19:50:50 GMT
< Cache-Control: no-cache
* Replaced cookie ipa_session="" for domain $IPASERVER1, path /ipa, expire 1534794650
< Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
< Content-Length: 255
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://$IPASERVER1/ipa/ui/">here</a>.</p>
</body></html>
* Connection #0 to host $IPASERVER1 left intact
Andrews-MacBook-Pro :) >

Then I run this:

Andrews-MacBook-Pro :) > curl -kv -H referer:https://$IPASERVER1/ipa -H "Content-Type:application/json" -H "Accept:applicaton/json" -c $COOKIEJAR -b $COOKIEJAR -d $JSON_PAYLOAD -X POST https://$IPASERVER1/ipa/session/json
* Rebuilt URL to: POST/
* Trying 104.16.143.73...
* TCP_NODELAY set
* Connected to POST (104.16.143.73) port 80 (#0)
> POST / HTTP/1.1
> Host: POST
> User-Agent: curl/7.54.0
> referer:https://$IPASERVER1/ipa
> Content-Type:application/json
> Accept:applicaton/json
> Content-Length: 2
>
* upload completely sent off: 2 out of 2 bytes
< HTTP/1.1 403 Forbidden
< Date: Mon, 20 Aug 2018 19:53:36 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: close
* skipped cookie with bad tailmatch domain: post
< Set-Cookie: __cfduid=d805f1a1676001cf1532cc7c25208107f1534794816; expires=Tue, 20-Aug-19 19:53:36 GMT; path=/; domain=.post; HttpOnly
< Cache-Control: max-age=15
< Expires: Mon, 20 Aug 2018 19:53:51 GMT
< X-Frame-Options: SAMEORIGIN
< Server: cloudflare-nginx
< CF-RAY: 44d76832d2d654e6-ORD
<
* Closing connection 0
* Trying 10.1.6.250...
* TCP_NODELAY set
* Connected to $IPASERVER1 (10.1.6.250) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=EXAMPLE.NET; CN=$IPASERVER
* start date: Mar 6 21:52:54 2018 GMT
* expire date: Mar 6 21:52:54 2020 GMT
* issuer: O=EXAMPLE.NET; CN=Certificate Authority
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST /ipa/session/json HTTP/1.1
> Host: $IPASERVER1
> User-Agent: curl/7.54.0
> referer:https://$IPASERVER1/ipa
> Content-Type:application/json
> Accept:applicaton/json
> Content-Length: 2
>
* upload completely sent off: 2 out of 2 bytes
< HTTP/1.1 401 Unauthorized
< Date: Mon, 20 Aug 2018 19:53:36 GMT
< Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< WWW-Authenticate: Negotiate
* Added cookie ipa_session="" for domain $IPASERVER1, path /ipa, expire 1534794816
< Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Last-Modified: Thu, 30 Nov 2017 20:03:14 GMT
< Accept-Ranges: bytes
< Content-Length: 1474
< Cache-Control: no-cache
< Content-Type: text/html; charset=UTF-8
<
* Connection #1 to host $IPASERVER1 left intact

I was able to export/extract my Kerberos key for this user. I found something on
Stack Exchange or another website like it that said I could use the
variables KRB5_CLIENT_KTNAME & KRB5CCNAME, which I have defined, and I think curl
should pick up on those. However, it's still not authenticating me. Is there something
else I need to be doing? Maybe something I did wrong?

Regards,
Andrew Meyer
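
The second trace above shows "Rebuilt URL to: POST/", "Host: POST" and "Content-Length: 2", which is consistent with `-d $JSON_PAYLOAD` expanding to nothing so that `-d` takes `-X` (two bytes) as its data and `POST` is left over as a URL. The script below is an added example, not part of the original post: it reproduces that argument handling without contacting any server. The helper names (`data_arg`, `url_args`, `require_payload`), the host name and the payloads are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Host name and payloads are constructed.
URL="https://ipa.example.test/ipa/session/json"

# data_arg prints the argument that -d would receive from "$@".
data_arg() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "-d" ]; then
            printf '%s' "${2-}"
            return 0
        fi
        shift
    done
    return 1
}

# url_args prints, one per line, what is left once -d and -X have each taken
# their value; curl treats every such leftover argument as a URL.
url_args() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -d|-X) if [ "$#" -ge 2 ]; then shift; fi ;;
            *) printf '%s\n' "$1" ;;
        esac
        shift
    done
}

# Unquoted expansion: an empty payload vanishes and a payload with spaces splits.
unquoted_data() { p=$1; data_arg -d $p -X POST "$URL"; }
unquoted_urls() { p=$1; url_args -d $p -X POST "$URL"; }
# Quoted expansion: -d always receives exactly one argument.
quoted_urls() { url_args -d "$1" -X POST "$URL"; }

# require_payload refuses to build the request when the payload is empty.
require_payload() {
    [ -n "${1-}" ] || { echo "JSON payload is empty or unset" >&2; return 1; }
}

echo "empty, unquoted: -d gets '$(unquoted_data "")' and URLs are:"
unquoted_urls ""
echo "empty, quoted: URLs are:"
quoted_urls ""
echo "with spaces, unquoted: -d gets '$(unquoted_data '{"method": "ping"}')'"
require_payload "" || echo "guard stopped the request"
```

In the real command the equivalent change is to write `-d "$JSON_PAYLOAD"` and to check that the variable is set before calling curl.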