I am trying to use OpenLDAP as a central authentication system as well as for storing some data based on the user type.
My LDAP DIT structure is as follows:
domain
  Superuser
  Users: User1, user2, user3
  data:  Entry1, Entry2
With every user entry I have a fixed auth string, for example:
for user1:
authstring=Entry1-RW #allowing entry1 to be readable and writable
authstring=Entry2.R #allowing entry2 to be readable
and similarly for user2:
authstring=*.RW #allowing all entries to be readable and writable
How can I define my slapd.conf without hardcoding all the cases to achieve this functionality?
Usually we can only define the access control with dn.
Can I restrict the access control definitions using attrs?
like:
access to dn.regex="uid=([^,]+),ou=data,dc=my-domain,dc=com"
by dn.regex="uid=.*,ou=users,dc=my-domain,dc=com" filter=(authstring=$1.RW)
I could do the following (uid is the attribute of the data entry; it could be cn as well):
access to dn.regex="uid=[^,]+,ou=data,dc=my-domain,dc=com"
by set.expand="this/uid & user/authstring" write
But the problem remains that I have to write a separate attr for each data entry and each type of permission.
Example:
For user1:
authstringread:Entry1
authstringreadwrite:Entry2
and the access control settings would be:
access to dn.regex="uid=[^,]+,ou=data,dc=my-domain,dc=com"
by set.expand="this/uid & user/authstringreadwrite" write
by set.expand="this/uid & user/authstringread" read
You can certainly restrict the ACL methods using attrs either way:
For user1:
aci: (targetattr=*)(targetfilter="(entryCategory=Entry1)")(version 3.0; acl "read-write"; allow (read, write) userdn="ldap:///uid=user1,dc=example,dc=com";)
aci: (targetattr=*)(targetfilter="(entryCategory=Entry2)")(version 3.0; acl "read"; allow (read) userdn="ldap:///uid=user1,dc=example,dc=com";)
For user2:
aci: (targetattr=*)(targetfilter="(|(entryCategory=Entry1)(entryCategory=Entry2))")(version 3.0; acl "read-write"; allow (read, write) userdn="ldap:///uid=user2,dc=example,dc=com";)
Similarly, you can allow anyone to have specific read or write access.
aci: (version 3.0; acl "anonymous-read-search"; allow (read, search) userdn="ldap:///anyone";)
or
For a specific user set:
userdn="ldap:///uid=b*,c=example.com || ldap:///cn=b*,dc=example,dc=com";
Check out this link for more reading:
http://docs.oracle.com/cd/E22289_01/html/821-1277/bind-rule-syntax.html#defining-anonymous-access-anyone-keyword
Hope this helps.
Thanks, John
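A slapd.conf version of the set-based approach sketched in the question, added here as an illustration; it is not part of the question or of John's answer (the aci: syntax in the answer is the Oracle/389 Directory Server form described at the linked page, while OpenLDAP's slapd.conf uses access/by directives). Assumed names, not taken from the thread: cn=Superuser,dc=my-domain,dc=com is the administrator entry, cn=data-admins,dc=my-domain,dc=com is a groupOfNames standing in for the "*.RW" users, and authstringread and authstringreadwrite are multi-valued attributes in the schema that hold uid values of data entries.

```conf
# Added illustration for the question above (not from the question or the
# answer). Assumed names: cn=Superuser,dc=my-domain,dc=com is the admin entry,
# cn=data-admins,dc=my-domain,dc=com is a groupOfNames for "*.RW" users, and
# authstringread / authstringreadwrite are multi-valued attributes that hold
# uid values of data entries.

# 1. The authorisation attributes must not be writable by their owner: a user
#    who can edit his own authstringreadwrite grants himself write access to
#    any data entry. Only the Superuser assigns them; owners may read them.
access to attrs=authstringread,authstringreadwrite
    by dn.exact="cn=Superuser,dc=my-domain,dc=com" write
    by self read
    by * none

# 2. Data entries. Within a directive the first matching "by" clause wins, so
#    the write grants precede the read grant and "by * none" closes the rule.
#    Sets compare values literally (no wildcards), so the "*.RW" case from the
#    question is expressed with group membership instead.
access to dn.regex="^uid=([^,]+),ou=data,dc=my-domain,dc=com$"
    by dn.exact="cn=Superuser,dc=my-domain,dc=com" write
    by group/groupOfNames/member="cn=data-admins,dc=my-domain,dc=com" write
    by set="this/uid & user/authstringreadwrite" write
    by set="this/uid & user/authstringread" read
    by * none

# 3. Searching below ou=data requires access to the container entry itself.
access to dn.exact="ou=data,dc=my-domain,dc=com"
    by users read
    by * none
```

Order matters twice over: across directives only the first one whose target matches the entry is consulted, and within it the first matching by clause decides, which is why the rule protecting the authstring* attributes comes first and every directive ends in by * none. Check the result before deploying with slapacl, for example slapacl -f slapd.conf -D "uid=user1,ou=users,dc=my-domain,dc=com" -b "uid=Entry1,ou=data,dc=my-domain,dc=com" uid/write, and repeat for a uid that only appears in authstringread to confirm the write is refused.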
I have setup Apache Drill version 1.15 in distributed mode on 3 nodes with ZK on the same 3 nodes.
Now, I am trying to configure Plain Authentication in Drill using PAM.
I already have 2 existing users in the 3 nodes with same password and they are present in /etc/passwd and /etc/shadow.
I have followed the steps mentioned here to configure the authentication setup on the Drill cluster.
But on entering the correct username and password, it throws an Invalid Username/Password error.
My drill-override.conf looks like:
drill.exec: {
  cluster-id: "[cluster_name]",
  zk.connect: "[host1]:2181,[host2]:2181,[host3]:2181"
  security.user.auth: {
    enabled: true,
    packages += "org.apache.drill.exec.rpc.user.security",
    impl: "pam",
    pam_profiles: [ "sudo", "[profile1]", "[profile2]" ]
  }
}
I have set user1 as an admin and user2 as a normal user.
Is it that Drill doesn't work with existing users in the Linux system and wants users to be created explicitly (which I really doubt), or is there anything else that I am missing?
pam_profiles is an array of PAM profiles, not users.
Example of a pam_profiles config: pam_profiles: [ "sudo", "login" ]. See details in the doc.
You can add other PAM profiles from your /etc/pam.d.
We are performing a migration from Alfresco Enterprise 4.2 to 5.1.
There are two Active Directory domains (primary and child) in the company; for this reason we configured two LDAP (AD) subsystems in Alfresco 5.1.
Structure of the properties:
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1
The problem is that authentication and synchronisation work only for one ldap-ad subsystem (ldap1 or ldap2), whichever has first place in the authentication chain (ldap1 and ldap2 don't work together).
Authentication chain screenshot
For example, if ldap1 has first place in the list, then a user's login from ldap2 fails (and conversely!).
In this case I see this error in alfresco.log:
Caused by: net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
My properties:
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@fake.local
ldap.authentication.java.naming.provider.url=ldap://fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow
ldap.synchronization.java.naming.security.principal=fake_user@fake.local
ldap.synchronization.java.naming.security.credentials=somepassword
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true
/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2/ldap-ad-authentication.properties
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@gss.fake.local
ldap.authentication.java.naming.provider.url=ldap://gss.fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow
ldap.synchronization.java.naming.security.principal=fake_user@fake.local
ldap.synchronization.java.naming.security.credentials=somepassword%
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=gss,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=gss,dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true
alfresco-global.properties
### Authentication ###
#authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad,alfrescoNtlm1:alfrescoNtlm
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad,ldap2:ldap-ad
Thanks in advance!
Finally, I resolved the issue related to user authentication.
I set an empty string for the parameter:
ldap.authentication.userNameFormat=
for each LDAP subsystem in the ldap-ad-authentication.properties files.
After that, users from both LDAPs could log in successfully.
ldap.authentication.userNameFormat
Specifies how to map the user identifier entered by the user to that
passed through to LDAP. If set to an empty string (the default for the
ldap subsystem), an LDAP query involving
ldap.synchronization.personQuery and
ldap.synchronization.userIdAttributeName will be performed to resolve
the DN from the user ID dynamically. This allows directories to be
structured and does not require the user ID to appear in the DN.
If set to a non-empty value, the substring %s in this value will be
replaced with the entered user ID to produce the ID passed to LDAP.
This restricts LDAP user names to a fixed format. The recommended
format of this value depends on your LDAP server.
I am new to Firebase. I have set up a Firebase Realtime Database and can read from and write to it if the read and write rules are set to true.
I have a problem with authentication. I have set up authentication for Google and email plus password.
My goal is to allow any user to read the data but only one user (myself) can write data after logging in using a single email address and password.
I can successfully read from and write to the database if I log in with Google (with rules set to: auth != null).
I can also read from and write to the database using the same rules (auth != null) if I log in with the email address and password.
I don't know how to set it up to only allow write access for the single user logging in with an email address and password.
I have tried including a user node in the rules but I can't get access when using the simulator (see below), and I don't know how to include the uid (which I can get after logging in) when building the reference. This is the reference I currently use (which works with the read and write rules set to true):
DatabaseReference databaseReference = mRootReference.child("Action_helper/1/Action_table_of_contents");
I have not included a users node in my database as I am assuming that is taken care of by Firebase Authentication.
Here is the layout of my data:
I have tried the simulator using various rules options, testing access using these settings in the simulator (choosing the Custom provider option):
Auth {"provider" : "firebase", "uid" : "Rp3OgoaABMN3hqTv0aF29ECQRCQ2"}
Note: I get the provider and uid from the FirebaseUser object after logging in with an email address and password which I have set up in Firebase Authentication:
FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
if (user != null) {
    // User is signed in
    userId = user.getUid();
    String provider = user.getProviderId();
}
I would appreciate some help in 1) formulating my rules, 2) whether and how I should change my data structure, and finally 3) how to include the uid in the database reference which I'll use to write data to the database.
thanks
There is no users node, so defining one in the rules would not help. I think the rule that may work would be something like below (assuming 0 and 1 are uids):
{
  "rules": {
    "Action_helper": {
      "$uid": {
        // user-based security
        ".read": "auth != null && $uid === auth.uid",
        ".write": "auth != null"
      } // $uid
    } // Action_helper
  } // rules
}
Examining the above rules: by default, if we do not define rules, then they are false, i.e. at Action_helper both read and write are false. When it comes to the uid node (where $ denotes a wildcard), we check whether the user id of the logged-in user is the same as the uid of this node and define the rules accordingly.
I highly recommend going through the link The key to Firebase security - Google I/O 2016; it is very helpful, easy to follow, and the best explanation I have found so far, with a demo example.
The data layout will depend on your requirements and screens. Although Firebase allows 32 levels of nesting, it is highly recommended to nest nodes as little as possible. The other important thing to think about in the data layout is to keep data as denormalized as possible, even if we have to make copies of fields across nodes.
To include the uid in the database reference you can keep appending each child:
DatabaseReference databaseReference = mRootReference.child("Action_helper").child(uid).child("Action_table_of_contents");
So here we are referring from the root node to the child "Action_helper", going further down to its child that matches uid, and under that uid referencing the child "Action_table_of_contents".
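Rules for the goal stated in the question (anyone may read, only one account may write), added here as an illustration; they are not part of the answer above. They keep the uid out of the data path, so the existing reference Action_helper/1/Action_table_of_contents keeps working for readers who are not signed in. The owner uid is the one from the question's simulator test and stands in for whatever uid your own email/password account has; Action_helper as the root of the public data is an assumption.

```json
{
  "rules": {
    "Action_helper": {
      ".read": true,
      ".write": "auth != null && auth.uid === 'Rp3OgoaABMN3hqTv0aF29ECQRCQ2'"
    }
  }
}
```

Everything outside Action_helper stays locked, because a path with no rule denies by default. A write rule of "auth != null", as in the answer above, would admit any signed-in account, including any Google account, which is wider than the single owner the question asks for. Check all three cases in the simulator: a read with no auth passes, a write with the custom auth from the question passes, and a write with any other uid is refused.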
Thanks for the help. I managed to get it working (partly) but am not sure that I am doing it correctly. Here is my data structure (I have changed the names): there is one user node (using the authentication uid) and two child nodes which contain the data:
and here are my rules:
Essentially it works in the simulator, and in code I am able to log in and read and write. BUT I now have a problem: if I don't log in then the uid passed in the query reference is null, and if I put a dummy value as the uid then I can't access the data at all (as the data is under the users/the_valid_uid node and the dummy uid does not match the_valid_uid).
So how do I build a database reference without hard-coding the valid user's uid, so that I can access the data in the Addiction_items and table_of_contents_items nodes? My aim is to allow anyone to read the data in both nodes but to only allow one user (myself) to write to both nodes after logging in with my email address and password.
thanks
Can Symfony ACL implement an ACL system like this:
http://phpgacl.sourceforge.net/manual.pdf
This is the concept used by Joomla (http://www.aclmanager.net/).
After researching for weeks, I'm not sure whether Symfony ACL can do it or not. The key difference in this case is permissions with allow and deny values. Symfony's permissions have no value (just a mask key: edit, delete, ...) but phpGACL's permissions have a value (edit: allow|deny ...).
What do I want? I want to break (re-grant) some of a user's permissions that are granted to a group or role.
Example (probably not right; please refer to phpGACL).
A. User_A has ROLE_X.
B. ROLE_X is granted `VIEW` and `EDIT` on some resource (object, class).
-- $acl->insertObjectAce($roleSecurityIdentity, $mask) // mask VIEW,EDIT
C. User_A is denied `EDIT`.
D. User_A has only `VIEW`.
and:
A. User_B has ROLE_X.
B. User_B has `VIEW` and `EDIT`.
Has anybody successfully authenticated against an AD global catalog using http://drupal.org/project/ldap? I've got the following configuration:
LDAP server:
ldaps://service.mydomain.com
LDAP port:
3269
Binding Method:
Service Account Bind
Base DNs for LDAP users:
DC=service,DC=mydomain,DC=com
DC=otherdomain,DC=mydomain,DC=com
AuthName attribute:
userPrincipalName
The module successfully authenticates users which are members of the parent domain called "service", but the LDAP search can't find any user from "otherdomain", which is connected to the parent domain inside the AD domain forest. I'm able to test the LDAP search using ldp.exe, and with this tool I can find any user from any domain.
Also, there is the following error message in the Drupal watchdog:
ldap_search() function error. LDAP Error: Referral, ldap_search() parameters: ldap_search() call: base_dn: DC=otherdomain,DC=mydomain,DC=com, filter = (userPrincipalName=somebody@otherdomain.mydomain.com), attributes: , attrsonly = 0, sizelimit = 0, timelimit = 0, deref = , scope = 3
Any help will be greatly appreciated.
The LDAP client should follow the referral that is being returned in the search result, or an LDAP directory proxy server should be installed to follow referrals automatically.
When the LDAP directory server is unable or unwilling to perform the search operation, it may return a referral indicating that another server may be able to perform the requested operation. It is the responsibility of the LDAP client to "chase" referrals. Referrals are indicated by the presence of the referral field and the search result code being set to 10.
You have to write: ldaps://ldapserver:3269 in the LDAP server field and keep the same port number in LDAP port field.