Can Openldap automatically assign attribute, or attribute value(text field) when user added to group?
I'm trying to integrate lenovo IMM management with openldap infrastructure, and it need to add some string to any allowed user, for control access to system modules.
Yes, the memberOf operational attribute can be automatically added and maintained by loading and suitable configuring the 'memberof' overlay.
Related
By taking reference from this post and I am successful in authenticating the user. But this post does not authenticate new users that are not present in alfresco. I have also explored SSOAuthenticationFilter.java to find how alfresco creates user when external authentication subsystem is used but not able figure out how the creation of user takes place in the mentioned subsystem. It would be great if anyone could provide the way to create and authenticate user that are not present in alfresco.
Which version of Alfresco do you use ?
Recent version provide a similar function, please take a look to : http://docs.alfresco.com/community/concepts/auth-basics.html
The only thing you need to need is define the header name in your global properties files.
About the new user creation, in Alfresco behaviour it's based on the synchronization.syncWhenMissingPeopleLogIn properties : http://docs.alfresco.com/community/concepts/sync-props.html
When an unknown user try to loggin Alfresco will trigger a synchronization.
Y.
Is there any option under LDAP Directory Search to search ROLE in LDAP. I am using Ping federate version 7.2
PingFederate LDAP data sources can be configured for Active Directory, PingDirectory, OpenLDAP, etc. Since each user repository maintains roles differently the key is to configure the attribute that contains the roles. In the LDAP Directory Search screen when configuring a connection you need to configure the attribute that contains all the roles, for example Active Directory roles are maintained in the memberOf attribute. When a role is needed in fulfillment (e.g. SAML attribute fulfillment), the source to select is the LDAP along with an expression, be sure to Enable OGNL Expression. OGNL expressions allow you to search the result of the memberOf attribute for a specific role (e.g. security group). There is a nice blog series for OGNL expressions on the Ping website that will help you with writing the appropriate expression.
After referring so many forums, I am able to authenticate and sync active directory users to alfresco. The problem is we have more than 25,000 users and rite now we are planning to open alfresco only for selected users. Whenever someone search people they will be finding all the 25,000 users who are not even using alfresco. My It team is not willing to create seperate group for these selected members. Is it possible to sync only users who are logged in.
I am using alfresco 4.2e Binary Installation. Windows 7 64 bit.
The most easiest way would be to distinct users to sync via LDAP query.
You could find this link useful.
This scenario should do it:
enable ldap authentication
configure the authenication chain to include Alfresco and LDAP. This will ensure to try to authenticat against both systems. e.g.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
disable sync
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsytem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=false
If you start Alfresco the very first time there is no user in Alfresco. Depending on your strategy how to control the user creatioin you could ether:
create user manual
If you're running on linux the easiest way would be to use the alfresco-shell-tools otherwise you could use the csv-import feature in the user admin. The trick is to use the same username so Alfresco will try to authenticat against both systems before it fails.
create user on first login
Another way is to enable implicit user creation on first login. This isn't my recommendation since you will get trouble later because the user has no email address configured / no user info is synced. (This way is not tested - if this doesn't work you may define a sync query which doesn't return users to enable sync)
synchronization.autoCreatePeopleOnLogin=true
you will get the auto-creation of people who were successfully authenticated but weren't brought in by the sync
you need to add/change this line also on ldap-authentication.properties :
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.synchronization.autoCreatePeopleOnLogin=false
synchronization.syncOnStartup=false
synchronization.syncWhenMissingPeopleLogIn=false
and add on alfresco-global.properties :
create.missing.people=false
everyone. I installed Swift 1.7.4 , and I want to add a new user to Swift, How could I do it? I find that in 1.4.8 version, somebody had said that I should install the swauth first and I notice that the Swift api also said that choose one authrize way, so I must install a authorization service first? I also find that there is a tempauth middleware in the proxy-server.conf file, could I use this to add user and how?
Yes. You can choose from swauth or tempauth. The most difference of these two auth systems is where they store user information.
Swauth stores user/password information in swift cluster itself. It uses a special container and store every user's information in it. Swauth provides a set of commands for user management such as swauth-add-user, swauth-prep, etc.
In tempauth, it stores user information in proxy-server.conf, so it is very easy to use.
In your proxy-server.conf, enable tempauth in pipeline and put user information in tempauth section. For example,
[pipeline:main]
pipeline = healthcheck cache tempauth proxy-server
[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin
user_hi_hihi = testing
Then you will have two users. One is admin:admin whose password is admin. The other is hi:hihi whose password is testing.
Could anyone please provide me with guidance on whether it's possible to use aspNetActiveDirectoryProvider for Authentication and aspsqlProfile Provider to store user specific details?
I'm not quiet getting my head around on how do I get userID that's required for aspnet_profile table if I were to switch to Active Direcory.
Also, is it possible to change password from aspnet admin page if active directory is used?
Regards,
Changing password is possible with AD provider: see ActiveDirectoryMembershipProvider.ChangePassword method.
ASP.NET profile generally associates profile with user name. Typically, user name value will be same as the user identity value used by authentication system. So in active directory case, it would be user's domain qualified login-name (in form of <domain>/<login>) - see this link for more info: http://msdn.microsoft.com/en-us/library/ewfkf772.aspx
You may also create a custom profile provider if you need more control at database schema side - sample is already available from microsoft and you can use that as base, check these links:
http://msdn.microsoft.com/en-us/magazine/cc163457.aspx
http://www.asp.net/downloads/sandbox/table-profile-provider-samples