Artifactory - Can an Admin user be validated through LDAP group? - artifactory

Can the Admin users in Artifactory be validated with the LDAP group? In short, we do not want to enable the user as an Admin in Artifactory manually. We want Artifactory to look at the LDAP group and validate if the user can be an admin.

No, you can't, and for a very good reason. Think about a change in your LDAP query schema. Everybody will be locked out forever.
Since version 5.3 Artifactory supports granting Admin privileges to a group of users.
This allows you to import a group from your LDAP or Crowd server and grant Admin privileges to the whole group in a single action.

Related

Alfresco - How to make admin unable to delete user from Active Directory

Is there a way to make admin not able to delete user from Active Directory? I need to disable this feature somehow in global properties or else. I want admin only to create users, edit them and disable them, but not delete. The version of Alfresco is Community 5.2. Thanks in advance.
I guess you mean the other way around:
Is there a way to prevent admin from deleting users which have been created by ldap sync?
or do you mean:
Is there a way to revoke permission to delete any user?
Do you understand the difference between a user which has been created by ldap sync and a user manually created in the Alfresco admin UI?
There is no (easy and supported) way I know of to restrict admin permissions or for a member of the group ALFRESCO_ADMINISTRATORS. The ROLE_ADMINISTRATOR has always any permission.
There may be a way to achieve what you expect in a customization module implementing a new behavior which disallows user deletion in a specific zone or by creating your own permissionGroups/permissions in a customPermissionDefinitions, setting the newly introduced permissions on the user zones to specific groups, but that kind of customization would be hard to maintain on later updates/upgrades.
EDIT:
What is your use case for allowing (end) users to create new users inside Alfresco although you have a user directory (AD) in place?
If your aim is to support external users, managed by specific internal user groups, you may add another directory like samba4 in which your internal users may get permissions to create/delete users (that's what we actually do from/through our CRM system), or if you prefer integrations with OAuth2 providers such as Google, Facebook, Github you may take a look at the Spring Cloud Gateway for the Alfresco platform project.

How to delete Nexus user?

I have inherited administration of a Nexus server and am trying to understand user management. There are a number of users that are in the default realm and some in the LDAP realm, and I would like to delete users in both realms.
I've been able to disable and remove all roles except for one for users in the default realm (mandatory that it has at least one role associated with it) and all non-LDAP roles for those in the LDAP realm.
What I can't figure out is how to delete users. Is this even possible?
We are on Nexus 2.11.4
You need to be logged in as admin, or another user which has the necessary rights and navigate to Security / Users.
For more details, check the Sonatype book on Nexus here.

How to restrict users from deleting entities in LDAP

I am new to working with OpenLDAP.
We have an application that will restrict users from deleting entities from LDAP.
But if the user connects using the Python ldap module from the console then there is no way of restricting.
Is it possible to restrict the users from executing "ldapdelete" directly?
We are using a common user name (manager account) and password for all the users to connect to LDAP. It is not possible to maintain different user accounts as there are 30000+ users and it is not possible to create separate accounts for all the users.
Please let me know how to go with this situation.
Thanks in advance.
Yes, it's possible. You need to write an access control rule in the OpenLDAP configuration that, for example, restricts deletion to admins. Building this sort of thing into an application is a waste of time while other applications and command lines exist. It must be configured at the server.
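
An access rule of the kind the answer describes, as an added example that is not part of the original answer. The suffix, database DN, admin group and application bind DN are assumed names, and the rule is written for a cn=config (slapd.d) deployment.

```ldif
# Added example, not from the original thread. Assumed names: suffix
# dc=example,dc=com, database {1}mdb, admin group cn=ldap-admins and the
# shared application bind DN cn=appuser.
#
# Deleting an entry needs the delete (z) privilege on the entry's "entry"
# pseudo-attribute and on its parent's "children" pseudo-attribute.
# "write" is add (a) plus delete (z). The "add" level grants read plus a
# but not z, so the shared account can still create entries while
# ldapdelete is refused with "Insufficient access (50)".
# Every other identity falls through ("break") to the rules that are
# already configured after this one.
#
# ACLs are never applied to the database rootdn, so the shared account
# must not be the rootdn for this rule to have any effect.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="dc=example,dc=com" attrs=entry,children
  by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="cn=appuser,dc=example,dc=com" add
  by * break
```

Because the rule is enforced by slapd, it applies equally to the application, the Python ldap module and the ldapdelete command line; slapacl(8) can be used to check what a given bind DN is allowed before relying on it.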

Alfresco : ldap sync after user login authentication

After referring to many forums, I am able to authenticate and sync Active Directory users to Alfresco. The problem is we have more than 25,000 users and right now we are planning to open Alfresco only for selected users. Whenever someone searches for people they will find all the 25,000 users who are not even using Alfresco. My IT team is not willing to create a separate group for these selected members. Is it possible to sync only users who are logged in?
I am using alfresco 4.2e Binary Installation. Windows 7 64 bit.
The easiest way would be to distinguish the users to sync via an LDAP query.
You could find this link useful.
This scenario should do it:
1. Enable LDAP authentication.
2. Configure the authentication chain to include Alfresco and LDAP. This will ensure that authentication is tried against both systems, e.g.
   authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
3. Disable sync:
   # This flag enables use of this LDAP subsystem for user and group
   # synchronization. It may be that this subsystem should only be used for
   # authentication, in which case this flag should be set to false.
   ldap.synchronization.active=false
If you start Alfresco the very first time there is no user in Alfresco. Depending on your strategy for controlling user creation you could either:
Create the user manually:
If you're running on Linux the easiest way would be to use the alfresco-shell-tools; otherwise you could use the csv-import feature in the user admin. The trick is to use the same username so Alfresco will try to authenticate against both systems before it fails.
Create the user on first login:
Another way is to enable implicit user creation on first login. This isn't my recommendation since you will get trouble later because the user has no email address configured / no user info is synced. (This way is not tested - if this doesn't work you may define a sync query which doesn't return users to enable sync)
synchronization.autoCreatePeopleOnLogin=true
You will get the auto-creation of people who were successfully authenticated but weren't brought in by the sync.
You also need to add/change these lines in ldap-authentication.properties:
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.synchronization.autoCreatePeopleOnLogin=false
synchronization.syncOnStartup=false
synchronization.syncWhenMissingPeopleLogIn=false
and add on alfresco-global.properties :
create.missing.people=false

drupal administration access

How do I give admin access to the users who have logged in using an LDAP username and password, after authentication? And should we store these $_POST values in the Drupal database?
If you are using the ldap_integration module after an LDAP user logs in for the first time a full local Drupal user is created for them. Install http://drupal.org/project/adminrole which lets you assign your users, even LDAP users, into an "Admin Role". This module gives all available permissions to users in this role.
