Is there any option under LDAP Directory Search to search for a ROLE in LDAP? I am using PingFederate version 7.2.
PingFederate LDAP data sources can be configured for Active Directory, PingDirectory, OpenLDAP, etc. Since each user repository maintains roles differently, the key is to configure the attribute that contains the roles. In the LDAP Directory Search screen, when configuring a connection, you need to configure the attribute that contains all the roles; for example, Active Directory roles are maintained in the memberOf attribute. When a role is needed in fulfillment (e.g. SAML attribute fulfillment), the source to select is the LDAP along with an expression; be sure to Enable OGNL Expression. OGNL expressions allow you to search the result of the memberOf attribute for a specific role (e.g. a security group). There is a nice blog series on OGNL expressions on the Ping website that will help you with writing the appropriate expression.
I have created a secondary user store using LDAP. By default, all users of the secondary store have no permissions. Is there a way to assign the subscriber role to all users in one operation, or do I have to do it manually for each user?
Thanks
Since by default WSO2 uses the groupId ('Organization') of the user to share the application in the Devportal, as mentioned here in the documentation: sharing applications.
You can go to the Carbon UI and search for the LDAP users among whom you want to share an application. Next to the user, click on the 'User Profile' tab. There you can edit the value next to the 'Organization' column. For this, your secondary user store should be 'ReadWriteLDAPUserStore'. Similarly, edit the value for each user in the secondary user store to the same value to share the application among them.
In fact, in the LDAP user store, if you configure LDAP groups they are automatically created as roles, and you can apply permissions to a role, which will be applied to all users of your LDAP group.
But I didn't find a way to share applications between users of an LDAP group ...
Here is a better way to achieve it. In the official documentation it is mentioned that applications can be shared if the users have common roles, and, as you said, WSO2 treats AD groups as roles. Let's assume you have two users, user1 and user2, in your LDAP store, both of which are part of the AD group 'AD_Group'.
So mention the AD group name common to the users among whom the application needs to be shared:
Also change the configuration as follows in the deployment.toml file:
[apim.devportal]
enable_application_sharing = true
#application_sharing_type = "default"
application_sharing_claim = "http://wso2.org/claims/role"
Background
Another team within our organization has a fully configured Active Directory server. My team builds Ruby on Rails applications and we authenticate users of our web applications against their setup. Due to some new security policies that are being put in place, our development machines will no longer be able to talk directly to the production servers. As a result, I'm trying to install OpenLDAP on my local machine (running Fedora) and use that to authenticate users when I'm developing.
Setup
I have been able to fully configure OpenLDAP and insert a record. My database looks like:
dc=dev,dc=com
ou=Users
cn=User 1
Inside the cn=User 1 entry, I have an attribute called accountName and I also have the standard userPassword attribute. As a test, I downloaded an LDAP browser and I'm able to successfully authenticate when I specify the full DN (cn=User 1,ou=Users,dc=dev,dc=com) and give the password that's in the userPassword field.
Question
In our production environment, all I have to give for authentication is the base DN (dc=dev,dc=com), the value of an accountName and the associated password. Once I authenticate, I'm able to access the other fields in the User 1 entry. What do I need to do to authenticate using the accountName field instead of a full DN?
There are two things to address here:
First off, if your production environment is ActiveDirectory and you can't access it from your developer workstation, ask the team in charge of the AD environment to create a "dev" environment that you can access.
While the basic concepts of LDAP are standardised, the implementation-specific details will vary greatly between AD and OpenLDAP.
Secondly, the way that most^ software is able to authenticate against LDAP using just a username and password is thus:
User: submits a form (web, native app, whatever) with their username and password
Login process: binds to the LDAP server, either anonymously, or with a fixed service account DN and password.
Login process: does an LDAP search for the supplied username, matching against whichever attributes are relevant for the environment (e.g. "accountName" in your case)
Login process: fetches the DN of the found record (if any)
Login process: attempts an authenticated bind using the fetched DN and the supplied password from step 1.
Edit:
^ In some situations, the username supplied is the value component of the user's RDN, e.g. if my login is stephenr, my user entry's RDN might be cn=stephenr. If this is the case, and all user entries have the same parent object, the DN to authenticate as (step 5 above) can be created just by building a string, e.g. "cn={userid},ou=users,dc=example,dc=com" where {userid} is replaced with the supplied username value in step 1.
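The five-step search-then-bind flow above, plus the RDN-template variant from the edit and the memberOf role check that the PingFederate OGNL answer earlier on this page describes, as an added example that is not code from any of the posts. It runs against a constructed in-memory stand-in for an LDAP server (FakeDirectory, the svc-login service account, the user1 credential and the App Admins group are all made up), so the same steps can be read without a live directory; on a real server the two binds and the search map onto the bind and search calls of whichever client library you use.

```python
"""Search-then-bind login and memberOf role check over a constructed in-memory directory."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample data: hypothetical names, not a real directory.
BASE_DN = "dc=dev,dc=com"
SERVICE_DN = "cn=svc-login,ou=Services,dc=dev,dc=com"  # hypothetical fixed service account
SERVICE_PASSWORD = "svc-secret"                          # constructed


def _pw_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Entry:
    dn: str
    attrs: dict                 # attribute name -> list of values
    password_hash: bytes = b""

    def values(self, attr: str) -> list:
        # LDAP attribute names are case-insensitive (memberOf == memberof)
        return next((v for k, v in self.attrs.items() if k.lower() == attr.lower()), [])


def normalize_dn(dn: str) -> str:
    """Comparison key for DNs: case-insensitive, whitespace around commas ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a user-supplied value placed inside a search filter (step 3)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed inside an RDN (the cn={userid} template)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_dn(template: str, userid: str) -> str:
    """Variant from the edit: the login name is the RDN value, so no search is needed."""
    return template.replace("{userid}", escape_dn_value(userid))


class FakeDirectory:
    """Constructed stand-in for an LDAP server; only single equality filters are supported."""

    def __init__(self, entries):
        self._by_dn = {normalize_dn(e.dn): e for e in entries}

    def bind(self, dn: str, password: str) -> bool:
        entry = self._by_dn.get(normalize_dn(dn))
        if entry is None:
            return False
        if password == "":
            # Models an unauthenticated bind (RFC 4513 5.1.2): some servers, Active
            # Directory by default among them, report success and treat the session as
            # anonymous, so login() must never let an empty password reach this call.
            return True
        return hmac.compare_digest(entry.password_hash, _pw_hash(password))

    def search(self, base_dn: str, filter_str: str) -> list:
        m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
        if m is None:
            raise ValueError("unsupported filter: " + filter_str)
        attr = m.group(1)
        wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
        base = normalize_dn(base_dn)
        return [e for e in self._by_dn.values()
                if normalize_dn(e.dn).endswith(base)
                and any(v.lower() == wanted.lower() for v in e.values(attr))]


def login(directory: FakeDirectory, username: str, password: str):
    """Steps 2-5 of the answer: service bind, search, take the found DN, bind as that DN."""
    if not password:
        return None                                   # see FakeDirectory.bind
    if not directory.bind(SERVICE_DN, SERVICE_PASSWORD):
        raise RuntimeError("service account bind failed")
    hits = directory.search(BASE_DN, f"(accountName={escape_filter_value(username)})")
    if len(hits) != 1:                                # zero or ambiguous matches: no login
        return None
    entry = hits[0]
    return entry if directory.bind(entry.dn, password) else None


def has_role(entry: Entry, group_dn: str) -> bool:
    """What the OGNL expression over memberOf checks: is this group DN among the user's groups?"""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(g) == wanted for g in entry.values("memberOf"))


DIRECTORY = FakeDirectory([
    Entry(SERVICE_DN, {"cn": ["svc-login"]}, _pw_hash(SERVICE_PASSWORD)),
    Entry("cn=User 1,ou=Users,dc=dev,dc=com",
          {"cn": ["User 1"], "accountName": ["user1"],
           "memberOf": ["CN=App Admins,OU=Groups,DC=dev,DC=com"]},
          _pw_hash("Passw0rd!")),                     # constructed credential
])

if __name__ == "__main__":
    user = login(DIRECTORY, "user1", "Passw0rd!")
    print(user.dn, has_role(user, "cn=App Admins,ou=Groups,dc=dev,dc=com"))
```

Two details are worth carrying over to a real implementation: the search must return exactly one entry before the second bind is attempted, and an empty password has to be rejected in the application before any bind is sent, because the directory may otherwise answer a DN-plus-empty-password bind with success as an anonymous session.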
After referring to so many forums, I am able to authenticate and sync Active Directory users to Alfresco. The problem is we have more than 25,000 users, and right now we are planning to open Alfresco only for selected users. Whenever someone searches for people they will find all 25,000 users, who are not even using Alfresco. My IT team is not willing to create a separate group for these selected members. Is it possible to sync only users who have logged in?
I am using Alfresco 4.2e Binary Installation. Windows 7 64-bit.
The easiest way would be to distinguish the users to sync via an LDAP query.
You could find this link useful.
This scenario should do it:
enable LDAP authentication
configure the authentication chain to include Alfresco and LDAP. This will ensure it tries to authenticate against both systems, e.g.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
disable sync
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=false
If you start Alfresco for the very first time there is no user in Alfresco. Depending on your strategy for how to control user creation, you could either:
create users manually
If you're running on Linux, the easiest way would be to use the alfresco-shell-tools; otherwise you could use the CSV import feature in the user admin. The trick is to use the same username, so Alfresco will try to authenticate against both systems before it fails.
create user on first login
Another way is to enable implicit user creation on first login. This isn't my recommendation, since you will get trouble later because the user has no email address configured / no user info is synced. (This way is not tested; if this doesn't work you may define a sync query which doesn't return users to enable sync.)
synchronization.autoCreatePeopleOnLogin=true
you will get the auto-creation of people who were successfully authenticated but weren't brought in by the sync
You also need to add/change these lines in ldap-authentication.properties:
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.synchronization.autoCreatePeopleOnLogin=false
synchronization.syncOnStartup=false
synchronization.syncWhenMissingPeopleLogIn=false
and add in alfresco-global.properties:
create.missing.people=false
So, I've gotten weary with trying to search for my problem online.
I am currently creating an ASP.NET 2.0 application. The application currently is connected to a database which stores all the information I need to store. I also have connection to the LDAP directory at my workplace on it. I am using the LDAP directory for my application as everything is tracked by employee ids. I now need to add authentication and authorization.
Since my workplace is large, I need the ability to limit who has access to the website within the company as well as what they are allowed to do on the website. I know that ASP.NET has some sort of authentication and authorization, but I am completely oblivious as to how it works.
My current solution is to add a table to my database with two columns (employee id and access_id). The employee id can be used to pull information from LDAP about the employee whenever I need to. The access_id is a set of integers that represent what the user is allowed to see on the website.
When the user first starts a session on my website, I use their NT ID and pull the employee ID from LDAP. I then look up all the access_ids and store them in an array for the session. Every time a user accesses part of the website, I check whether they have the access_id associated with that section and allow or disallow them based on that. My first access_id of 1 allows the user to see the webpage by setting the visibility in C# as
if (access_id == 1)
    Enter.Visible = true;
What kind of LDAP directory are you using? If it's Active Directory, try:
http://msdn.microsoft.com/en-us/library/ff650308.aspx
or
http://msdn.microsoft.com/en-us/library/ff647405
You could also consider: http://msdn.microsoft.com/en-us/library/ff649313
If it's not AD, you could implement your own MembershipProvider: http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx
It's better to use the framework(s) where you can and only roll your own code when you have to.
Could anyone please provide me with guidance on whether it's possible to use the ASP.NET ActiveDirectoryMembershipProvider for authentication and the ASP.NET SqlProfileProvider to store user-specific details?
I'm not quite getting my head around how I get the userID that's required for the aspnet_profile table if I were to switch to Active Directory.
Also, is it possible to change the password from the ASP.NET admin page if Active Directory is used?
Regards,
Changing the password is possible with the AD provider: see the ActiveDirectoryMembershipProvider.ChangePassword method.
ASP.NET profiles are generally associated with the user name. Typically, the user name value will be the same as the user identity value used by the authentication system. So in the Active Directory case, it would be the user's domain-qualified login name (in the form <domain>/<login>); see this link for more info: http://msdn.microsoft.com/en-us/library/ewfkf772.aspx
You may also create a custom profile provider if you need more control on the database schema side; a sample is already available from Microsoft and you can use that as a base. Check these links:
http://msdn.microsoft.com/en-us/magazine/cc163457.aspx
http://www.asp.net/downloads/sandbox/table-profile-provider-samples