I'm trying to setup RhodeCode as well as other services to work with LDAP (OpenLDAP v3) and everything goes fine except one thing, my structure looks like this:
dc=domain,dc=com
ou=Groups | ou=People
hgusers | test1
sshusers | test2
others
These are examples via ldapsearch
dn: cn=sshusers,ou=Group,dc=domain,dc=com
objectClass: top
objectClass: posixGroup
cn: sshusers
userPassword:: e2NyeXB0fXg=
gidNumber: 14567
memberUid: test1
dn: uid=test1,ou=People,dc=domain,dc=com
uid: test1
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15472
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/sh
uidNumber: 10099
gidNumber: 10099
homeDirectory: /home/test1
gecos: test
userPassword:: e1NTSEF9WDUvSWpYeU9YQjlESGxYdy9ETWFTRFhaejFVN3VLSm8=
Now I'm trying to create a filter for RhodeCode and other things, so it allow access for people only from hgusers group, but I have no idea how to create it. What worries me there's no memberOf attribute that I could use and don't really know how I could add it. Could anybody help me with this one?
I would use either organizationalRole or groupOfUniqueNames as the group class, and set respectively roleOccupant or uniqueMember to the DN of the user who is in the group. Then you just search that subtree for groups with the user DN in that attribute. UID will also work, but it has referential integrity problems that you can solve if you use a DN-valued attribute and the 'refint' overlay, whcih you really must.
Go about it the other way. Don't try to assign the groups to the user, but rather create groups that are a list of users.
If you create a groupOfUniqueNames with a series of uniqueMember attributes, each being the DN of one of your users, you won't see that when you dump the attributes if your users.
But a simple search for:
"uniqueMember=dn-of-user”
Will give you every group which has the user as a member.
Related
In Riak, how do I retrieve a list of currently existing users? I can't seem to find it anywhere on Stack Overflow.
This info can be accessed at any time:
riak-admin security print-users
Example output, assuming user named riakuser with an assigned password:
+----------+--------+----------------------+------------------------------+
| username | groups | password | options |
+----------+--------+----------------------+------------------------------+
| riakuser | |983e8ae1421574b8733824| [] |
+----------+--------+----------------------+------------------------------+
Note: All passwords are displayed in encrypted form in console output.
If you’d like to see which permissions have been assigned to riakuser, you would need to use the print-grants command.
The security print-user (singular) command can be used with a name as argument to see the same information as above, except for only that user.
See basho/docs Security Basics for more information on user management.
I have a situation in Firebase where users have roles. According some profile already defined in another "schema" users can delete, update, create, delete and update, etc, etc... Many combinations are made.
Ex.:
Users/:
user_1:
create: "ok"
delete: "no"
update: "ok"
user_2:
create: "no"
... etc ...
How manage this in firebase once ".write' permission do not accept dynamic condition? I found Bolt that have some alias (create(), update(), delete()) to that however, you have only create OR update OR delete. Once one is defined you cannot change.
Thanks
Okay, so I'm going to assume that your data is structured something like below. This answer is my own subjective approach to how I would dynamically manage users accessing different parts of the DB.
NOTE::the chmod that I use stands for READ-WRITE-DELETE, instead of READ-WRITE-EXECUTE (i.e. 6=read+write but not delete, 7=full CRUD privileges). This sample DB is structured in 3 parts, and models a social media app. Also, the default for the "world" (3rd digit would most likely be only authenticated users. This is a very simple example:
root/
|
|-- user/ <-main node that contains profile info
| \uid <-node name - one for each user with sub-nodes containing profile info
| \user
| |-<UID> <-shows who has "user" privileges (1st digit)
| \group
| |-<UID> <-shows who has "group" privileges (1st digit)
| \permissions = 744 <-universal "user" entry rule
|
|-- trending/ <-node that contains global, read only info
| \user <-No one will be here for "trending"
| \group
| \feed-data
| \<POST_UUIDS> <-Data here
| \permissions = 444 <-Everyone can read the global feed
|
|-- messaging/
| \<chat-uuid-number-1>
| \user
| |-<User1>
| |-<User2>
| \group
| \messages node
| \<chat-uuid-number-2>
| \user
| |-<User8>
| |-<User5>
| \messages-node
|
| \permissions = 600 <-Only 2 users can read&send messages in their node
|
|-- chatrooms/ <-each node contains a list of UID, and list of messages
| \<room-uuid-number>
| \user
| |-<Admin1>
| |-<Admin2...>
| \group
| |-<uid1>
| |-<uid2>
| |-<uid3...infinity>
| \permissions = 760 <-Only admins have user privilege, users in chat can send and receive in the chat though
So this is a somewhat denormalized database structure, like JSON databases are apparently supposed to be. Read about this here: https://firebase.googleblog.com/2013/04/denormalizing-your-data-is-normal.html Each branch does not hold very much information except exactly what it is concerned with. Now, if you have a unified "inheritance" type structure, then you can use relative directory paths to check relative to the directory that a user is trying to access and isolate the validation rules in one spot- at your root - and then all the children nodes will be covered as long as they all have uniform structure for basic permissions!
So as long as your new data is NEVER going into the root directory or any of the main nodes/directories below it (you can write rules to ensure this also), you use data.parent() to get to the parent of your entry, then call parent() again to get to the main directory (e.g. chatroom), then you check the permissions value for each consecutive number, and match against the list of users/group/world:
".write": "data.parent().parent().child('permissions').val().beginsWith('6') && data.parent().child('users').child($uid).exists"
This (pseudocode?) checks the first digit of the permissions code, and then checks the node's "users" subdir to see if the current user has user privileges for that particular sub-node. Add a conditional OR after this to check and see if there's group writing privileges and the user exists in the group. And so on... all from the root directory! Just make sure you guard against writing under '/' or '//' (write those conditionals first using '&&' so it fails the check before trying to get parent of the root, etc.) and it should work well.
This isn't an absolute structure, but I set mine up to be 'shallow' database all while restricting each entry under a major directory like "messages" to have a permissions code and check for that UID of the user making the DB read/write, and it saved me a ton of pain down the line. Although the last time I used it was about 5 months ago, I'm not sure if things have gotten simpler or simple tools/libraries exist now. Hope this helped!
I found a solution... no ideia if is the best one... however, solve my problem.
In any case, is a little painful to write the conditions.
and then in your firebase rules:
CUD means Create Update Delete. You can use chmod numbers as well (777, 765, etc).
Now, I need to discover how to write the conditions for -ud, --d, etc.
:)
Assuming a simple data structure:
-root
-uid
name:string
-uid2
name:string
Is there a way on firebase side(server) to restrict the unique name?
I've seen some solutions like to store names on another node. The problem would be the store action is actually carried out on client side. It is still easy for a registered user to bypass the checking.
Thanks!
I just installed OpenLdap 2.4.44 with the overlay memberOf. I configured the overlay to use uniquemember and groupOfUniqueNames for the attribute
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniquemember
The problem is that the attribute memberOf seems to only be applied to the first entry of the group. If I have a group with more than one uniqueMember, only the first one is returned when I do a query by memberOf. And if I try to get the attribute memberOf for any other entry, it returns empty, like it does not belong to the group. Any idea?
Well, it was actually a silly thing, but in case somebody has the same issue in the future, I posted the solution here. It wasn't a problem with OpenLdap but with the data import. The load was done from an existing LDIF file. For some reason the order of the file was something like this:
dn: cn=Employee1, cn=employees, dc=dev, dc=company,dc=com
cn=Employee1
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: inetOrgPerson
dn: cn=Employees,cn=groups,dc=dev, dc=company,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=Employee1, cn=employees, dc=dev, dc=company,dc=com
uniqueMember: cn=Employee2, cn=employees, dc=dev, dc=company,dc=com
uniqueMember: cn=Employee3, cn=employees, dc=dev, dc=company,dc=com
cn: Employees
dn: cn=Employee2, cn=employees, dc=dev, dc=company,dc=com
cn=Employee2
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: inetOrgPerson
dn: cn=Employee3, cn=employees, dc=dev, dc=company,dc=com
cn=Employee3
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: inetOrgPerson
So only the first entry existed before the group with the references to all entries was imported, and memberOf worked for that first entry, but not for the entries imported later.
I've tried searching this for days and can't seem to find an adequate answer so I'll ask here.
I'm building an asp.net Membership website.
What I want to do is:
Allow a user to create an account - say UserA
I then want to allow UserA to create "sub accounts" tied into his account, but with different roles as well as different login names (I'll be using email address as the login name)
UserA would be the account admin of sorts.
UserA's sub accounts would be less "adminish" than UserA, but any data that they write to my DB (Entity Framework) would still be tied to the main UserA account which will be referenced to my tables via Membership.GetUser() API calls.
So 2 questions:
1) How would I reference the Membership tables in my EntityDataModel using DB First (I already ran the aspnet_regsql.exe)
2) How would I need to go about allowing UserA to create his own sub users?
Here's an image of my custom tables:
[MasterAccountUser]
MasterAccountId = aspnet_Membership.UserId
AccountNumber = autoincrement number
[UserAccount] - subaccount of [MasterUserAccount]
AccountId = aspnet_Membership.UserId (if I have to have each user create their own)
MasterAccountId = aspnet_Membership.UserId (but the same one as the [MasterAccountUser]
If this is too vague, let me know and I can expand.
I was able to get this to work.
Basically, you just do the standard aspnetdb.mdf with all the in-place security features.
Then you simply add a table with the same fields, and then you reference the
MembershipUser.GetUser(Page.User.Identity.Name);
So you own table will have a "masteruser" with this User.ProviderKey. Every "sub-user" then has the SAME masteruser guid on their record so that they all fall under the same account.
If anyone want more details on how i got this to work, i can happily provide them.