Category:I805 Authentication and Authorization

From ICO wiki
Revision as of 15:29, 14 February 2017 by Lvosandi (talk | contribs) (Milestone 1)

Authentication and Authorization

General information

In this course we continue where we left off with Firewalls and VPN/IPsec course.

Relevant topics for research and implementation in the lab. Lectures coming up for most of the topics:

  • File based password stores eg. /etc/shadow, .htaccess
  • Signing and encrypting e-mail using GPG
  • Active Directory protocols: LM, NTLM, Kerberos, GSSAPI, SPNEGO, LDAP
  • More TLS and client side authentication in particular
  • Filesystem permissions: access control lists, selinux, apparmor
  • Multi-factor authentication: smartcards, Yubikey, Mobile-ID, etc
  • Contactless cards
  • On the web: Cookies, OAuth, OpenID, iPizza,

Intro slides & video recording:


Tasks, not necessarily all have to be covered. Pick the one you like the most:

  • Play the red team: Kustas, Ender, Mikus
  • Set up instead of IRC server: Meelis Hass
  • Set up file synchronization with NextCloud: Etienne
  • Set up domain controller on hq Windows server: Mohanad/Madis
  • Set up backup domain controller on rnd: Arti
  • Reconfigure Gogs: <insert your name here>
  • Reconfigure wiki: <insert your name here>
  • Reconfigure mail server: Sheela
  • Reconfigure webserver/MySQL: Joosep
  • Set a blank smartcard as TLS client authentication token: Keijo?
  • NFC card backups: Keijo
  • OpenVPN with Estonian ID-card howto: Ardi Vaba
  • Set up OpenWrt wifi routers as access points with username/password authentication (like eduroam wireless network): <insert your name here>

With Lauri/Belgin from Linux/Windows admin course:

  • Set up domain controller /w MS AD/Samba:
  • Set up fileserver with several shares: <insert your name>
  • Use iMac and HP Probook at 412/411 for joining them to domain. Needs some network rewiring first, ask Lauri.
  • Set up group policies, eg install software and configure VPN for HP Probook

With Viktor from Incident management course:

  • Set up incident management software, configure to authenticate with AD


Lecturers: Lauri Võsandi

If you forget (local) Windows password use System Rescue CD to reset the password:


Every service should use accounts from Active Directory. To achieve that try to use LDAP protocol first. Via LDAP you can retreieve the data about accounts. If the service machine is not joined to domain create a service account in AD to access LDAP interface first. It really depends on the software how you need to configure it.

For fileserver/SSH/FTP/mail server first join to domain using winbind: For NextCloud,, OwnCloud and most web services configure LDAP plugin to retrieve accounts from AD and LDAP bind authentication.

Milestone 1

Domain controller is working. In the internal network and over VPN connection DNS requests work as expected.

On a Linux box command line users can authenticate with kerberos client utils:

 kinit username@OFFICE.LAN

On a Linux box command line users can fetch stuff via LDAP:

ldapsearch -b dc=office,dc=lan  -H ldaps:// -D lauri@office.lan -W

Also authenitcation with Kerberos should work:

ldapsearch -b dc=office,dc=lan  -H ldap:// -Y GSSAPI

Pages in category "I805 Authentication and Authorization"

This category contains only the following page.