OpenLDAP as a proxy for multiple LDAP servers not returning mapped attributes properly - openldap

We want to use OpenLDAP to proxy multiple customer LDAP servers we have, e.g. normal LDAP in Linux and Windows AD etc. Since there are multiple LDAP servers proxied, we also needed one to many attribute mappings. So in the slapd.conf file, we defined the rwm overlay section as below.
overlay rwm
rwm-map attribute lastName sAMAccountName
overlay rwm
rwm-map attribute email emailAddress
rwm-map attribute mobileNumber mobile
rwm-map attribute lastName sn
rwm-map attribute uid uid
rwm-map attribute firstName givenName
rwm-map objectClass inetOrgPerson person
Note how lastName maps to both sn and sAMAccountName. I understand entries like lastName or mobileNumber are not legitimate LDAP attributes with valid OIDs defined in a schema. That's why there is the warning below when starting slapd. But let's just leave that as it is for now.
5a71c27c /etc/openldap/slapd.conf: line 125: warning, source attributeType 'lastName' should be defined in schema
The proxy itself works. We can use it to query a user and get all attributes that are available. And the mappings can also be successfully done.
But strangely if we specify mapped attributes in the ldapsearch call as below, those attributes won't be successfully retrieved.
ldapsearch -h localhost -x -b "dc=local,dc=foo,dc=bar,dc=com" "mail=someone@foo.bar.com" lastname firstname mobilenumber
Only the dn attribute is shown in the output. And if we add one more attribute that is a default attribute from the LDAP server, all of them can be successfully retrieved.
ldapsearch -h localhost -x -b "dc=local,dc=foo,dc=bar,dc=com" "mail=someone@foo.bar.com" lastname firstname mobilenumber notesemail
We don't know much about OpenLDAP. We just want to get this proxy to work first, so we are wondering if the above configuration is a valid attempt.

You are naming foreign attributes to the local server in your search filter. It doesn't know about them, because they have been mapped. You need to use the mapped name, e.g. givenName.

Eventually I found out that the trick is to NOT use the rwm overlay at all. Instead, just using the map statement after the uri directive is sufficient. So in the database declaration section, instead of
database meta
suffix "dc=foo,dc=bar,dc=com"
rootdn "cn=admin,dc=foo,dc=bar,dc=com"
rootpw "p@ssw0rd"
uri "ldaps://tstbluepages.mkm.can.ibm.com:636/dc=foo,dc=bar,dc=com"
lastmod off
readonly yes
suffixmassage "dc=foo,dc=bar,dc=com" "ou=bluepages,o=ibm.com"
uri "ldaps://<AD_HOSTNAME>:636/dc=local,dc=foo,dc=bar,dc=com"
lastmod off
readonly yes
suffixmassage "dc=foo,dc=bar,dc=com" "dc=testad,dc=ibm,dc=com"
overlay rwm
rwm-map attribute lastName sAMAccountName
overlay rwm
rwm-map attribute email emailAddress
rwm-map attribute mobileNumber mobile
rwm-map attribute lastName sn
rwm-map attribute uid uid
rwm-map attribute firstName givenName
rwm-map objectClass inetOrgPerson person
now the slapd.conf file has the section below.
database meta
suffix "dc=foo,dc=bar,dc=com"
rootdn "cn=admin,dc=foo,dc=bar,dc=com"
rootpw "p@ssw0rd"
uri "ldaps://tstbluepages.mkm.can.ibm.com:636/dc=foo,dc=bar,dc=com"
lastmod off
readonly yes
suffixmassage "dc=foo,dc=bar,dc=com" "ou=bluepages,o=ibm.com"
map attribute mobileNumber mobile
map attribute email emailAddress
map attribute lastName sn
map attribute firstName givenName
map objectClass inetOrgPerson person
uri "ldaps://<AD_HOSTNAME>:636/dc=foo,dc=bar,dc=com"
lastmod off
readonly yes
suffixmassage "dc=foo,dc=bar,dc=com" "dc=testad,dc=ibm,dc=com"
map attribute lastName sAMAccountName
I know that the slapd-ldap manpage says that the functionality of the map directive is delegated to the rwm overlay, but the slapd-meta manpage still has the map directive listed and it works.
This served our original purpose well: mapping different attributes from multiple back-end LDAP servers into a uniform one.
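The difference between the two configurations in this answer is scope: slapd-meta attaches each map line to the uri that precedes it, so lastName can become sn on one target and sAMAccountName on the other, whereas the two rwm-map lines for lastName in the question sit in one scope and collide. The script below is an added illustration, not code from the post or from OpenLDAP: it parses a constructed slapd.conf fragment laid out like the answer's (hostnames are placeholders), shows which real attribute names each target is asked for when a client requests the virtual names, translates a constructed AD entry back, and rejects a fragment that maps one virtual name to two real names inside a single target. It models the directive semantics only and is not OpenLDAP's implementation.

```python
"""Per-target attribute mapping in the style of slapd-meta `map` directives (added example)."""
import shlex

# Constructed slapd.conf fragment in the shape of the accepted answer.
# Hostnames and suffixes are placeholders, not the poster's.
SLAPD_CONF = """
database meta
suffix "dc=foo,dc=bar,dc=com"
readonly yes
uri "ldaps://ldap-backend.example:636/dc=foo,dc=bar,dc=com"
suffixmassage "dc=foo,dc=bar,dc=com" "ou=people,o=example"
map attribute mobileNumber mobile
map attribute email emailAddress
map attribute lastName sn
map attribute firstName givenName
map objectClass inetOrgPerson person
uri "ldaps://ad-backend.example:636/dc=foo,dc=bar,dc=com"
suffixmassage "dc=foo,dc=bar,dc=com" "dc=ad,dc=example"
map attribute lastName sAMAccountName
"""

# Constructed fragment with both lastName mappings in one scope, mirroring
# the overlay-level layout of the question.
OVERLAY_CONF = """
database meta
uri "ldaps://any.example:636/dc=foo,dc=bar,dc=com"
map attribute lastName sAMAccountName
map attribute lastName sn
"""


def _lookup(table, name):
    """Case-insensitive lookup, since LDAP attribute and class names are case-insensitive."""
    for key, value in table.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_meta_maps(conf_text):
    """Parse `uri` and `map` lines into {target_uri: {"attribute": {...}, "objectClass": {...}}}.

    Each `map` line is attached to the most recent `uri`, which is how slapd-meta
    scopes target-specific directives. Mapping one virtual name to two different
    real names inside a single target raises ValueError, because one translation
    table cannot hold both.
    """
    targets = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the double-quoted values
        if parts[0] == "uri":
            current = parts[1]
            targets[current] = {"attribute": {}, "objectClass": {}}
        elif parts[0] == "map":
            if current is None:
                raise ValueError("map directive before any uri: %s" % line)
            kind, virtual, real = parts[1], parts[2], parts[3]
            table = targets[current][kind]
            previous = _lookup(table, virtual)
            if previous is not None and previous.lower() != real.lower():
                raise ValueError("%s %r already mapped to %r in target %s, cannot also map to %r"
                                 % (kind, virtual, previous, current, real))
            table[virtual] = real
        # other directives (suffix, suffixmassage, readonly, ...) are not modelled
    return targets


def to_backend_attrs(requested, attr_map):
    """Translate virtual attribute names in a search request to one target's real names.

    Names the target has no mapping for pass through unchanged.
    """
    return [_lookup(attr_map, a) or a for a in requested]


def from_backend_entry(entry, attr_map):
    """Translate a backend entry's attribute names back to the virtual names."""
    reverse = {real: virtual for virtual, real in attr_map.items()}
    return {(_lookup(reverse, k) or k): v for k, v in entry.items()}


def request_per_target(conf_text, requested):
    """Return {target_uri: real attribute list} for a client request naming virtual attributes."""
    targets = parse_meta_maps(conf_text)
    return {uri: to_backend_attrs(requested, maps["attribute"]) for uri, maps in targets.items()}


if __name__ == "__main__":
    asked = ["lastname", "firstname", "mobilenumber"]  # as typed in the ldapsearch call
    for uri, real_attrs in request_per_target(SLAPD_CONF, asked).items():
        print(uri, "->", real_attrs)
    ad_uri = "ldaps://ad-backend.example:636/dc=foo,dc=bar,dc=com"
    ad_map = parse_meta_maps(SLAPD_CONF)[ad_uri]["attribute"]
    # Constructed entry as the AD target might return it.
    print(from_backend_entry({"sAMAccountName": ["fflintstone"]}, ad_map))
    try:
        parse_meta_maps(OVERLAY_CONF)
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the AD target being asked for sAMAccountName while firstname and mobilenumber pass through untranslated, which is why a request that only names virtual attributes returns nothing useful from a target that lacks mappings for them; the collision check is the reason the overlay-level layout in the question cannot express the same thing.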

Related

How to understand DKIM signing domains?

So I have a mail server, say "mailer.com". Postfix handles mail for mailer.com and also for "virtual.com" (a Postfix virtual domain).
So, when I create the DKIM key pair:
opendkim-genkey -s mail -d example.com
Which domain do I use here? mailer.com or virtual.com?
Then do I put the public key in a TXT record on the virtual.com domain?
FYI I used this guide:
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
You need to create keys for each domain you want to sign messages for and put appropriate DNS records in each domain DNS zone.

How to get current login and password in Alfresco (Java code)?

I need current login and username in Alfresco to construct org.apache.chemistry.opencmis.client.api.Session instance as described here https://docs.alfresco.com/6.1/concepts/opencmis-ext-intro.html but I don't know how to do that, could you tell me?
My aim is to get more than 1000 records from the repository using a CMIS request, and since I cannot change the configuration I need to use paging with an org.apache.chemistry.opencmis.client.api.Session instance as described here https://issues.alfresco.com/jira/browse/MNT-15540 and here https://stackoverflow.com/a/21127909
Please help me get more than 1000 documents with a single CMIS query.
Thank you!
You can't get the password but you can retrieve the username and authenticate with the alf token.
Java API: PersonService
getPerson
@Auditable(parameters="personRef")
PersonService.PersonInfo getPerson(NodeRef personRef)
throws NoSuchPersonException
Retrieve the person info for an existing person NodeRef
Parameters:
personRef - NodeRef
Returns:
PersonInfo (username, firstname, lastname)
Throws:
NoSuchPersonException - if the person doesn't exist
If you fetch the user's ticket, which you can do in a variety of ways, including the public REST API or your own custom web script, you can then use the ticket as the password when creating a CMIS session using OpenCMIS. This is the proper way to authenticate with CMIS when you don't know the user's password.

Configure authentication and synchronization with two LDAP in Alfresco 5.1

We are performing a migration from Alfresco Enterprise 4.2 to 5.1.
There are two Active Directory domains (primary and child) in the company; for this reason we configure two LDAP (AD) subsystems in Alfresco 5.1.
Structure of properties:
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1
The problem is that authentication and synchronisation work only for the one ldap-ad subsystem (ldap1 or ldap2) which has first place in the authentication chain (ldap1 and ldap2 don't work together).
Authentication chain screenshot
For example, if ldap1 has first place in the list, then a user's login from ldap2 fails (and conversely!).
In this case I see this error in alfresco.log:
Caused by: net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
My properties:
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@fake.local
ldap.authentication.java.naming.provider.url=ldap://fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow
ldap.synchronization.java.naming.security.principal=fake_user@fake.local
ldap.synchronization.java.naming.security.credentials=somepassword
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2/ldap-ad-authentication.properties
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@gss.fake.local
ldap.authentication.java.naming.provider.url=ldap://gss.fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow
ldap.synchronization.java.naming.security.principal=fake_user@fake.local
ldap.synchronization.java.naming.security.credentials=somepassword%
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=gss,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=gss,dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true
alfresco-global.properties
### Authentication ###
#authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad,alfrescoNtlm1:alfrescoNtlm
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad,ldap2:ldap-ad
Thanks in advance!
Finally, I resolved the issue related to user authentication.
I set an empty string for the parameter:
ldap.authentication.userNameFormat=
for each LDAP subsystem in the ldap-ad-authentication.properties files.
After that, users from both LDAPs could log in successfully.
ldap.authentication.userNameFormat
Specifies how to map the user identifier entered by the user to that
passed through to LDAP. If set to an empty string (the default for the
ldap subsystem), an LDAP query involving
ldap.synchronization.personQuery and
ldap.synchronization.userIdAttributeName will be performed to resolve
the DN from the user ID dynamically. This allows directories to be
structured and does not require the user ID to appear in the DN.
If set to a non-empty value, the substring %s in this value will be
replaced with the entered user ID to produce the ID passed to LDAP.
This restricts LDAP user names to a fixed format. The recommended
format of this value depends on your LDAP server.

symfony2 get login username while encoding password

Hi, I am googling but without result.
I am trying to check one field in the DB while encoding a user's password. How?
The service
services:
    my_password_encoder:
        class: TB\WelcomePageBundle\Security\Encoder\MyPasswordEncoder

<?php
namespace TB\WelcomePageBundle\Security\Encoder;

use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder;
use TB\UserBundle\Entity\User;

class MyPasswordEncoder extends BasePasswordEncoder
{
    public function encodePassword($raw, $salt)
    {
        // Debugging attempt: a fresh User has no DB-backed field yet
        $user = new User;
        $old_or_new = $user->getOldNew();
        print_r($user);
        print_r($old_or_new);
        die();
    }
}
The point:
1. Retrieve one field from the DB for the user who is currently logging in.
2. Depending on the value, I need to: encode his password MY WAY and log in + CHANGE THE PASSWORD THE SYMFONY WAY and update the DB.
3. Depending on the value, just use the Symfony way.
It is an easy condition. The problem is just how I can retrieve this field + encode the password the Symfony way (how to encode the password my way I know), + encode the password no longer my way but the Symfony way and update the DB.
My point is to migrate low-security passwords to Symfony2. Why? Because I have an existing DB where the passwords are encoded my way. So I need to "update" them.
THE MAIN PART OF THE QUESTION:
HOW CAN I GET THE USERNAME OF THE USER WHO IS TRYING TO LOG IN, INSIDE THE ENCODE PASSWORD FUNCTION??? THX!!!

Active Directory and Network ID

I know that I can get the fully qualified domain name by using the windows NT network domain. I'd like to do the reverse:
Ex: User.Identity.Name = "slaterock\fflintstone";
Active Directory returns the fully qualified domain name slaterock.bedrock.us.com.
I would like to be able to get the domain portion of User.Identity.Name by querying Active Directory (LDAP) for that user. I would be using the user's email address:
(&(objectClass=user)(objectCategory=Person)(mail=fred.flintstone@slaterock.com))
I have no trouble returning the AD attributes, but I cannot figure out an absolute link between the attributes I have and the domain name returned in User.Identity.Name. I see parts of it in the domain components (DC=slaterock,DC=bedrock,DC=US,DC=blah,blah) but I need the direct link.
Thanks
First, a bit of terminology to be clear (and to help any searches you do):
the 'slaterock' in 'slaterock\fflintstone' is the NetBIOS Domain Name for the domain.
'DC=slaterock,DC=bedrock,DC=US,DC=blah,blah' is the defaultNamingContext for the domain.
CN=fred flintstone,OU=Quarry1,DC=slaterock,DC=bedrock,... is the user account's distinguishedName.
To translate from the user's distinguishedName to the NetBIOS Domain Name of their domain:
get the user account's distinguishedName and chop it up to get the defaultNamingContext.
Then do a search against the container: "CN=Partitions,CN=Configuration,DC=JohnLewis,DC=co,DC=uk"
for an object with an nCName value that matches the defaultNamingContext from above.
Get the nETBIOSName attribute of that object and you've got what you're after.
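The procedure in this answer, carried out on constructed data as an added example (not code from the answer, and not run against a live directory): split the user's distinguishedName on unescaped commas, keep the trailing run of DC= components as the defaultNamingContext, and match it case-insensitively against a constructed stand-in for the crossRef objects under CN=Partitions,CN=Configuration,... where nCName is the naming context and nETBIOSName is the short domain name. The partition list and user DNs are invented for illustration; against a real forest the same matching runs over the results of the LDAP search the answer describes.

```python
"""DN -> defaultNamingContext -> NetBIOS domain name (added example on constructed data)."""

# Constructed stand-in for the crossRef objects under CN=Partitions,CN=Configuration,...
# Non-domain partitions (configuration, schema) carry no nETBIOSName.
PARTITIONS = [
    {"nCName": "DC=bedrock,DC=us,DC=com", "nETBIOSName": "BEDROCK"},
    {"nCName": "DC=slaterock,DC=bedrock,DC=us,DC=com", "nETBIOSName": "SLATEROCK"},
    {"nCName": "CN=Configuration,DC=bedrock,DC=us,DC=com", "nETBIOSName": None},
]


def split_rdns(dn):
    """Split a DN on commas, ignoring commas escaped with a backslash (RFC 4514).

    A naive dn.split(",") breaks on names such as "CN=Flintstone\\, Fred".
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def naming_context(dn):
    """Return the trailing run of DC= components of a DN, i.e. the domain's naming context.

    For an account in a child domain the run includes the parent's DCs too, which is
    exactly the child domain's defaultNamingContext.
    """
    dcs = []
    for rdn in reversed(split_rdns(dn)):
        if rdn.lower().startswith("dc="):
            dcs.insert(0, rdn)
        else:
            break
    if not dcs:
        raise ValueError("no DC components in DN: %r" % dn)
    return ",".join(dcs)


def dn_equal(a, b):
    """Compare two DNs ignoring case and whitespace around separators."""
    norm = lambda dn: ",".join(r.lower() for r in split_rdns(dn))
    return norm(a) == norm(b)


def netbios_name(user_dn, partitions=PARTITIONS):
    """Find the nETBIOSName of the partition whose nCName equals the user's naming context."""
    ctx = naming_context(user_dn)
    for part in partitions:
        if part.get("nETBIOSName") and dn_equal(part["nCName"], ctx):
            return part["nETBIOSName"]
    return None


def network_id(user_dn, sam_account_name, partitions=PARTITIONS):
    """Rebuild the DOMAIN\\user form seen in User.Identity.Name (case differs only cosmetically)."""
    domain = netbios_name(user_dn, partitions)
    return None if domain is None else "%s\\%s" % (domain, sam_account_name)


if __name__ == "__main__":
    fred = "CN=fred flintstone,OU=Quarry1,DC=slaterock,DC=bedrock,DC=us,DC=com"
    print(naming_context(fred))
    print(network_id(fred, "fflintstone"))
    # Escaped comma in the CN must not be mistaken for an RDN separator.
    print(network_id("CN=Rubble\\, Barney,OU=Quarry1,DC=bedrock,DC=us,DC=com", "brubble"))
```

The escaped-comma case is the one to keep in mind when "chopping up" DNs in a real deployment: display names containing commas are common, and a split on the bare comma silently yields a wrong naming context and therefore no partition match.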