acquire 'root' privilege access with ldap remote auth - openldap

I'm setting up a box which is using remote LDAP auth for user access. For a normal group and user, it's working fine.
But I'm thinking, is it possible to set up a specific group in LDAP? This group has the privilege of a local 'root'. I saw something on the web talking about 'sudoers'; is it the right direction?
Thanks.

I don't think my thought is correct. Many files are only changeable by the 'root' user itself. Even if I put a user in the 'root' group, the user still can't change those files in any way. I'd like to drop the question.

I worked it out. In 'sudoers', there is a line talking about 'rsuroot' for LDAP. Add a posixGroup named 'rsuroot' to LDAP, then add the LDAP user into the group. Then the user will get 'root' access automatically when it runs 'sudo cmd'.
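The mechanism behind that answer is a `%group` user specification in sudoers: once the LDAP posixGroup is visible through NSS (`getent group rsuroot`), sudo treats its members like any local group. The following is an added example, not the poster's configuration: a small evaluator for the subset of sudoers syntax involved, so you can see which users end up with unrestricted root before trusting a group mapping. The `%rsuroot ALL=(ALL) ALL` rule, the other sample rules, the usernames and the group database are all constructed for the example.

```python
"""Toy evaluator for sudoers user/group specifications (added example).

Models only the subset of sudoers syntax needed here:
    <user-or-%group> <host>=(<runas>) <commands>
Comment and 'Defaults' lines are skipped; aliases, negation and
host matching are not modelled.
"""
import re

# Constructed sudoers content. The %rsuroot line is the assumed rule that
# grants the LDAP posixGroup full root access; the rest is typical filler.
SUDOERS = """
# Defaults are ignored by this evaluator
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
%rsuroot ALL=(ALL) ALL
alice    ALL=(ALL) /usr/bin/systemctl restart nginx
"""

# Constructed stand-in for 'getent group' output once the LDAP posixGroup is
# resolvable through NSS: group name -> member usernames.
GROUP_DB = {
    "sudo": {"bob"},
    "rsuroot": {"carol"},
}

SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return a list of dicts with who/host/runas/cmds for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        rules.append(m.groupdict())
    return rules


def groups_of(user, group_db):
    """Groups the user belongs to, as NSS would report them."""
    return {g for g, members in group_db.items() if user in members}


def allowed_commands(user, text, group_db):
    """Command specs 'user' may run as root; roughly what 'sudo -l -U user' lists."""
    cmds = set()
    user_groups = groups_of(user, group_db)
    for r in parse_sudoers(text):
        who = r["who"]
        matches = who == user or (who.startswith("%") and who[1:] in user_groups)
        # runas 'ALL' or 'ALL:ALL' means any target user, root included
        if matches and r["runas"].split(":")[0] == "ALL":
            cmds.add(r["cmds"])
    return cmds


def has_full_root(user, text=SUDOERS, group_db=GROUP_DB):
    """True when the user can run any command as root (an 'ALL' command spec)."""
    return "ALL" in allowed_commands(user, text, group_db)


if __name__ == "__main__":
    for name in ("root", "alice", "bob", "carol", "dave"):
        print(f"{name:6} groups={sorted(groups_of(name, GROUP_DB))} "
              f"full_root={has_full_root(name)} cmds={sorted(allowed_commands(name, SUDOERS, GROUP_DB))}")
```

On a real host the authoritative checks are `getent group rsuroot` (does NSS actually resolve the LDAP group?) and `sudo -l -U carol` (what does sudo itself grant?); any new sudoers rule should be validated with `visudo -c` before it is deployed.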

Related

Alfresco - How to make admin unable to delete user from Active Directory

Is there a way to make admin not able to delete users from Active Directory? I need to disable this feature somehow in global properties or elsewhere. I want admin only to create users, edit them and disable them, but not delete. The version of Alfresco is Community 5.2. Thanks in advance.
I guess you mean the other way around:
Is there a way to prevent admin from deleting users which have been created by ldap sync?
or do you mean:
Is there a way to revoke permission to delete any user?
Do you understand the difference between a user which has been created by ldap sync and a user manually created in the Alfresco admin UI?
There is no (easy and supported) way I know of to restrict admin permissions, or those of a member of the group ALFRESCO_ADMINISTRATORS. The ROLE_ADMINISTRATOR always has every permission.
There may be a way to achieve what you expect in a customization module implementing a new behaviour which disallows user deletion in a specific zone, or by creating your own permissionGroups/permissions in a customPermissionDefinitions and setting the newly introduced permissions on the user zones for specific groups, but that kind of customization would be hard to maintain on later updates/upgrades.
EDIT:
What is your use case for allowing (end) users to create new users inside Alfresco although you have a user directory (AD) in place?
If your aim is to support external users managed by specific internal user groups, you may add another directory like samba4 in which your internal users may get permissions to create/delete users (that's what we actually do from/through our CRM system); or, if you prefer integrations with OAuth2 providers such as Google, Facebook or Github, you may take a look at the Spring Cloud Gateway for the Alfresco platform project.

How is the Airflow Superuser different from a standard user?

I have been setting up Apache Airflow over the past few days as a way to manage dependencies across our platform. In order to secure the web ui, I have implemented OAuth authentication.
Authentication works, it logs the user in appropriately and then creates a user record for them.
One thing I don't understand is the significance of the 'Superuser' privilege - does it actually do anything?
When a user logs in for the first time, their account is created. On first log in, the account does not have super user privilege. However they are able to go to 'Users' in the UI and then make themselves a 'Superuser'. That doesn't make sense to me, also having this privilege does not appear to grant any more access to elements of the UI than a standard user.
Is it supposed to work like this?
I use password authorization, and in that case the difference is that the Admin drop-down menu contains only Variables for simple users, but the rest for superusers.

How to restrict users from deleting entities in LDAP

I am newly working on openldap.
We have an application that will restrict users from deleting entities from ldap.
But if the user connects using python ldap module from console then there is no way of restricting.
Is it possible to restrict the users from executing "ldapdelete" directly?
We are using a common user name (manager account) and password for all the users to connect to LDAP. It is not possible to maintain different user accounts, as there are 30000+ users, and it is not possible to create separate accounts for all the users.
Please let me know how to go with this situation.
Thanks in advance.
Yes, it's possible. You need to write an access control rule in the OpenLDAP configuration that, for example, restricts deletion to admins. Building this sort of thing into an application is a waste of time while other applications and command lines exist. It must be configured at the server.
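An added example (not the answerer's code or configuration) of how slapd decides whether a bind DN may delete an entry: the first `access to` clause whose target matches is used, within it the first matching `by` clause sets the privilege level, and deleting an entry requires `write` (or higher) on that entry. The model also captures the caveat that matters most for this question: the rootdn (`olcRootDN`) is exempt from access control, so as long as every user binds with the shared manager credentials, no ACL can stop `ldapdelete`; the rule only helps once users (or at least the application) bind as something other than the rootdn. All DNs, the `ldapadmins` group and the two ACL sets are constructed for the example.

```python
"""Toy model of OpenLDAP olcAccess evaluation for delete requests (added example).

Models the essentials of slapd ACL semantics: first matching 'to' clause wins,
first matching 'by' clause inside it sets the level, default deny, and the
rootdn bypasses ACLs entirely. 'break'/'continue' controls, attribute-level
rules and regex targets are not modelled.
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed DNs. ROOTDN stands for the shared "manager account" in the question.
ROOTDN = "cn=manager,dc=example,dc=com"
ADMIN_GROUP = "cn=ldapadmins,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"

# Constructed group membership used for 'group:' by-clauses.
GROUP_MEMBERS = {ADMIN_GROUP: {ALICE}}

# Weak ACL: any authenticated bind may write (and therefore delete) anything.
#   olcAccess: {0}to * by users write by * read
ACL_WEAK = [
    {"to": "*", "by": [("users", "write"), ("*", "read")]},
]

# Hardened ACL: only the admin group may write under ou=people.
#   olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
#       by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
#       by users read
#       by * none
#   olcAccess: {1}to * by users read by * none
ACL_HARDENED = [
    {"to": "ou=people,dc=example,dc=com",
     "by": [("group:" + ADMIN_GROUP, "write"), ("users", "read"), ("*", "none")]},
    {"to": "*", "by": [("users", "read"), ("*", "none")]},
]


def _who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' clause apply to this bind DN? None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    if who.startswith("dn:"):
        return bind_dn == who[3:]
    if who.startswith("group:"):
        return bind_dn in GROUP_MEMBERS.get(who[6:], set())
    raise ValueError(f"unknown 'by' clause: {who}")


def _target_matches(to, target_dn):
    """'*' is any entry; otherwise dn.subtree semantics on the given suffix."""
    return to == "*" or target_dn == to or target_dn.endswith("," + to)


def access_level(acl, bind_dn, target_dn, rootdn=ROOTDN):
    """Privilege level bind_dn has on target_dn under acl."""
    if bind_dn == rootdn:
        return "manage"  # rootdn is not subject to access control
    for clause in acl:
        if not _target_matches(clause["to"], target_dn):
            continue
        for who, level in clause["by"]:
            if _who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # clause matched but no 'by' did: implicit 'by * none'
    return "none"      # no clause matched: default deny


def can_delete(acl, bind_dn, target_dn, rootdn=ROOTDN):
    """Deleting an entry needs write (or higher) on the entry itself."""
    return LEVELS.index(access_level(acl, bind_dn, target_dn, rootdn)) >= LEVELS.index("write")


if __name__ == "__main__":
    for label, acl in (("weak", ACL_WEAK), ("hardened", ACL_HARDENED)):
        for name, dn in (("bob", BOB), ("alice", ALICE), ("manager", ROOTDN), ("anonymous", None)):
            print(f"{label:8} {name:9} delete carol? {can_delete(acl, dn, CAROL)}")
```

The last line of the table is the one to act on: under the hardened ACL `bob` can no longer delete, `alice` can because she is in the admin group, but `manager` still can because it is the rootdn. Replacing the shared manager credentials with per-application (or per-user) bind DNs is what makes the ACL effective; `slapacl` on the server lets you confirm the level a given bind DN gets on a given entry.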

Alfresco : ldap sync after user login authentication

After referring to so many forums, I am able to authenticate and sync Active Directory users to Alfresco. The problem is we have more than 25,000 users and right now we are planning to open Alfresco only for selected users. Whenever someone searches people they will find all the 25,000 users who are not even using Alfresco. My IT team is not willing to create a separate group for these selected members. Is it possible to sync only users who have logged in?
I am using alfresco 4.2e Binary Installation. Windows 7 64 bit.
The easiest way would be to distinguish the users to sync via an LDAP query.
You could find this link useful.
This scenario should do it:
enable ldap authentication
configure the authentication chain to include Alfresco and LDAP. This will ensure it tries to authenticate against both systems, e.g.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
disable sync
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsytem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=false
If you start Alfresco for the very first time there is no user in Alfresco. Depending on your strategy for controlling user creation you could either:
create user manual
If you're running on Linux the easiest way would be to use the alfresco-shell-tools; otherwise you could use the csv-import feature in the user admin. The trick is to use the same username so Alfresco will try to authenticate against both systems before it fails.
create user on first login
Another way is to enable implicit user creation on first login. This isn't my recommendation since you will get into trouble later because the user has no email address configured / no user info is synced. (This way is not tested; if this doesn't work you may define a sync query which doesn't return users to enable sync.)
synchronization.autoCreatePeopleOnLogin=true
you will get the auto-creation of people who were successfully authenticated but weren't brought in by the sync
you need to add/change this line also on ldap-authentication.properties :
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.synchronization.autoCreatePeopleOnLogin=false
synchronization.syncOnStartup=false
synchronization.syncWhenMissingPeopleLogIn=false
and add on alfresco-global.properties :
create.missing.people=false

(drupal 6) how to disable admin login by modifying a file on the server?

In my Drupal site, the admin user name is admin.
I'm worried someone will brute-force this account.
I hope that when I have just logged out using the admin user name, I can temporarily disable the admin user name by modifying some file on the server through ssh.
You could rename the admin account by going to "user/1/edit" (or using the Users list), and change "admin" to something else. It will still be seen internally as the super-admin account, yet people won't be able to login using the name "admin" even if they try to brute-force it.
I agree with Wildpeaks, but he doesn't really answer your question.
Locking out any user, including the #1 superuser, is easy if you have access to the database, either using mysql over ssh or with a tool like phpmyadmin. To block a user, you need to set the status column to 0. For instance, if you want to block user #1:
UPDATE `users` SET `status` = 0 WHERE `uid` = 1;
This method will prevent the blocked user from logging in and will terminate his current session.
Another way to enable or disable users via SSH: Drush.
drush is a command line shell and scripting interface for Drupal, a veritable Swiss Army knife designed to make life easier for those of us who spend some of our working hours hacking away at the command prompt.
Use the command drush user-block 1 to block the admin account.
Use the command drush user-unblock 1 to unblock the admin account.
I would go with wildpeaks' suggestion, or set the admin account to 'inactive' if you have another account that you use to do daily administration.
