Does Symfony Acl can implement Acl System like this:
http://phpgacl.sourceforge.net/manual.pdf
This's concept used by Joomla (http://www.aclmanager.net/).
After researching for weeks. I'm not sure Symfony Acl can make it or not. The key of difference in this case is permission with allow and deny value. Symfony's permission have not value (just mask key edit,delete, ...) but Phpgacl's permission have a value (edit:allow|deny...).
What I want? I want to break (grant new) some user's permission is granted to group or role.
Example (probably not right please refer to phpgacl).
A. User_A have ROLE_X.
B. ROLE_X granted 'VIEW and EDIT' to some resource (object, class).
-- $acl->insertObjectAce($roleSecurityIdentity, $mask) // mask VIEW,EDIT
C. User_A deny `EDIT`
D. User_A have only `VIEW`.
---- and.
A. User_B have ROLE_X
B. User_B have `VIEW` and `EDIT`
Related
We perform migration from enterprise version Alfresco 4.2 to the 5.1.
There are two Active Directory domains (primary and child) in company, for this reason we configure two LDAP(AD) subsystems in Alfresco 5.1.
Structure of properties:
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1
Problem is that authentication and synchronistaion work only for one ldap-ad subsystem (ldap1 or ldap2), which have first place in the list of authentication chain (ldap1 and ldap2 don't work together).
Authentication chain screenshot
For a example, if ldap1 have first place in the list, that user's login from ldap2 fails (and conversely!).
In this case I look error in alfresco.log:
Caused by: net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
My properties:
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s#fake.local
ldap.authentication.java.naming.provider.url=ldap://fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow
ldap.synchronization.java.naming.security.principal=fake_user#fake.local
ldap.synchronization.java.naming.security.credentials=somepassword
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2/ldap-ad-authentication.properties
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s#gss.fake.local
ldap.authentication.java.naming.provider.url=ldap://gss.fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow
ldap.synchronization.java.naming.security.principal=fake_user#fake.local
ldap.synchronization.java.naming.security.credentials=somepassword%
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=gss,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=gss,dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true
alfresco-global.properties
### Authentication ###
#authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad,alfrescoNtlm1:alfrescoNtlm
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad,ldap2:ldap-ad
Thanks in advance!
Finally, I resolved issue related to authentication users.
I put empty string of parametr:
ldap.authentication.userNameFormat=
for each LDAP subsystems in files ldap-ad-authentication.properties.
After, users from two ldaps could login successfully.
ldap.authentication.userNameFormat
Specifies how to map the user identifier entered by the user to that
passed through to LDAP. If set to an empty string (the default for the
ldap subsystem), an LDAP query involving
ldap.synchronization.personQuery and
ldap.synchronization.userIdAttributeName will be performed to resolve
the DN from the user ID dynamically. This allows directories to be
structured and does not require the user ID to appear in the DN.
If set to a non-empty value, the substring %s in this value will be
replaced with the entered user ID to produce the ID passed to LDAP.
This restricts LDAP user names to a fixed format. The recommended
format of this value depends on your LDAP server.
Sorry if this question has been asked many times but I didn't found any solution on the Web.
So, I just have installed FOSUserBundle and I've created 2 users on my application with the console. The problem is they don't have any role.
So in on controller, I get the user Entity and y set his role but when I try to access to a page restricted for admin, it says access denied. Moreover, the roles has no changed on the databse.
My code in the controller :
$user = $this->container->get('security.context')->getToken()->getUser();
$user->setRoles('ROLE_ADMIN');
if (!$this->get('security.context')->isGranted('ROLE_ADMIN')){
throw new AccessDniedException('Access Denied !');
}
Anyone have an idea ?
Thanks in advance !
It is a very bad practice to set a user role in your controller if you want to keep them away from the controller in the first place. I hope you use this line of code for testing only.
The FOSUserBundle provides a number of command line utilities to help manage your application's users.
The one you need is:
$ php app/console fos:user:promote testuser ROLE_ADMIN
Replace testuser with your username.
Did you also define your roles in your firewall?
I'm doing a project with Symfony2 and I want to use Google/Facebook/Twitter for connection. So I installed HWIOAuthBundle, but I got this error when I update my composer.json
"The child node "firewall_name" at path "hwi_oauth" must be
configured.".
Thanks for you help !
Yes, and if you read the doc :
(it gives the config... )
Step 2: Configuring resource owners
HWIOAuthBundle creates a dedicated service for each resource owner you
want to use in your application. These resource owners will be used in
the oauth firewall. The bundle ships several pre-configured resource
owners that need only a little configuration.
To make this bundle work you need to add the following to your
app/config/config.yml:
app/config/config.yml
hwi_oauth:
# name of the firewall in which this bundle is active, this setting MUST be set
firewall_name: secured_area
# an optional setting to configure a query string parameter which can be used to redirect
# the user after authentication, e.g. /connect/facebook?_destination=/my/destination will
# redirect the user to /my/destination after facebook authenticates them. If this is not
# set then the user will be redirected to the original resource that they requested, or
# the base address if no resource was requested. This is similar to the behaviour of
# [target_path_parameter for form login](http://symfony.com/doc/2.0/cookbook/security/form_login.html).
# target_path_parameter: _destination
dI am trying to use openldap as a central authentication system as well as storing some data based on the user type.
My ldap DIT structure is as follows
domain
Superuser Users data
User1 user2 user3 Entry1 Entry2
With every user entry I have fixed auth string,.. example-
for user1
authstring=Entry1-RW #allowing entry1 to be readable and writable
authstring=Entry2.R #allowing entry2 to be readable
and similarly for user2
authstring=*.RW #allowing all entries to be readable and writable
How can I define my slapd.conf without hardcoding all the cases to achieve this functionality?
Usually we can only define the the access control with dn.
can I restrict the access control definitions using attrs?
like
access to dn.regex=uid=[^,]ou=data,dc=my-domain,dc=com
by dn="uid=.*,ou=users,dc=my-domain,dc=com" filter=authstring=$1.RW
I could do the following:(uid is the attribute of data entry it could be cn also)
access to dn.regex="uid=[^,]+,ou=data,dc=my-domain,dc=com"
by set.expand="this/uid & user/authstring" write
But still the problem is that I have to write separate attr for each dataEntry and each type of permission
Example:
For user1:
authstringread:Entry1
authstringreadwrite:Entry2
and the access control settings would be
access to dn.regex=uid=[^,],ou=data,dc=my-domain,dc=com
by set.expand="this/uid & user/authstringreadwrite" write
by set.expand="this/uid & user/authstringread" read
You can certainly restrict the ACL methods using attrs either way :
For user1 :
aci: (targetattr=*)(targetfilter="(entryCategory=Entry1)")(version 3.0; acl "read-write"; allow (read, write)userdn ="ldap:///uid=user1,dc=example,dc=com";)
aci: (targetattr=*)(targetfilter="(entryCategory=Entry2)")(version 3.0; acl "read"; allow (read)userdn ="ldap:///uid=user1,dc=example,dc=com";)
For user2 :
aci: (targetattr=*)(targetfilter="(|(entryCategory=Entry1)(entryCategory=Entry2)")(version 3.0; acl "read-write"; allow (write)userdn ="ldap:///uid=user2, dc=example,dc=com";)
Similarly, you can allow anyone to have specific read or write access.
aci: (version 3.0; acl "anonymous-read-search";allow (read, write) userdn = "ldap:///anyone";)
or
For specific user set :
userdn = "ldap:///uid=b*,c=example.com ||ldap:///cn=b*,dc=example,dc=com";
Checkout this link for more readings :
http://docs.oracle.com/cd/E22289_01/html/821-1277/bind-rule-syntax.html#defining-anonymous-access-anyone-keyword
Hope this helps.
Thanks, John
I'd like to limit a view in the Plone site root for logged in members only.
Which permission I should check?
For the clarification I'd like to use this permission as Zope 3 view config and have something which works by default. I don't want to create and assign a permission to Authenticated myself if I can avoid the situation.
There is no "authenticated" permission, all permissions are for specific actions only and if an authenticated user needs to be able to execute that action then you should assign the corresponding permission to the 'Authenticated' role.
To get a quick list of (Zope2 string-based) permissions for the 'Authenticated' role, use the following ZMI view:
http://localhost:8080/Plone/manage_roleForm?role_to_manage=Authenticated
where I assume you run your site on port 8080 and you named the Plone object Plone. It shows all permissions in a multi-select list with those currently assigned activated.
On a default site, this list is pretty meagre, only Set own password, Set own properties and Use external editor are assigned. For the first two, Zope3 equivalents are defined in Products.CMFCore; they are cmf.SetOwnPassword, and cmf.SetOwnProperties; the third one doesn't have a Zope3 equivalent at the moment, but would be easy to define, just add this to a ZCML file somewhere:
<permission
id="plone.UseExternalEditor"
title="Use external editor"
/>
Zope3 permissions are simply aliases for their Zope2 counterparts using valid python ids.
I really do not know what you want to do with your view, but your best bet is to either find an appropriate permission and assign it to the 'Authenticated' role, or create a new permission.
The latter is really easy, actually.
Say I want to create a 'Access foo bar' permission, I'd simply register it directly with a Zope3 identifier in a ZCML file:
<permission
id="foobar.AccessFooBar"
title="Access foo bar"
/>
That's all there is to it; the "Access foo bar" permission will now be visible in the ZMI.
If you want to give this permission to specific roles by default, list them as contained elements:
<permission
id="foobar.AccessFooBar"
title="Access foo bar">
<role name="Authenticated" />
</permission>
This only works for 'global' roles (defined at the Zope root), such as 'Manager', 'Anonymous' and 'Authenticated'.
Optionally, list it in a GenericSetup profile using the rolemap.xml file to assign this new permission to the Authenticated role:
<?xml version="1.0"?>
<rolemap>
<permissions>
<permission name="Access foo bar" acquire="False">
<role name="Authenticated"/>
</permission>
</permissions>
</rolemap>
You'll need to use the latter only if you want to assign permissions defined at the Plone level, such as 'Site Administrator' or 'Editor'.
In a stock Plone authenticated but not anonymous users may change their own password. You can use that permission. It is called:
cmf.SetOwnPassword