I wonder if anyone can help. I am working on a project that requires the use of wso2is and openldap together on Linux. I am quite new to both technologies, so there may be some things I don't quite understand properly.
I have set openldap up as a secondary user store in wso2is. In openldap, using LDIF files, I have managed to create groups and some dummy users. These entries can be read and displayed successfully by wso2is. The good user entries follow the format below.
In wso2is I can create new users for the secondary data store, and it looks like I can assign them to the different roles. The problem is that when I create a new user in wso2, it seems to be lacking certain attributes such as password and mail. When I view users created in wso2 (using LDAP Admin) they are different from users created manually using LDIF. I don't know how to add the extra attributes such as email to new users created using wso2 (the extra attributes are necessary for LDAP to log into another program).
The image below for user "bob" does not have the correct attributes.
The other thing I don't understand is that in wso2is, if I set 'cn' as the username attribute and try to view the extra attribute fields for users I created in wso2, I get an 'error reading metadata' screen. However, if I set 'uid' as the username attribute and try to view the extra attributes, I am allowed to see them (most are blank), but if I try to populate fields such as surname or mail, I then get an error message saying they are not supported by the underlying LDAP.
Maybe I'm missing something fundamental, but I don't know what it is; apparently it almost does what I want.
When you configure an external LDAP, you need to map its attributes to the WSO2 local claims, because within WSO2 Identity Server all user attributes are treated as claims. So please try mapping each secondary user-store attribute to the corresponding local claim in the user profile. For example, the http://wso2.org/claims/emailaddress claim can be mapped to your secondary user-store attribute as shown in the image.
Also, I hope you have added the User Search Base, User Search Filter and User List Filter properly in the secondary user-store configuration.
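As an added example (not code from the original post or from WSO2 Identity Server), the following models the two things the answer asks for: a claim-to-attribute mapping for the secondary user store, and a check that an entry's objectClasses actually permit each mapped attribute, which is the usual reason a directory refuses to store a value such as mail or sn on an entry. The SCHEMA table is a hand-copied subset of the standard person / organizationalPerson / inetOrgPerson definitions (RFC 4519, RFC 2798); the claim URIs are WSO2's standard local claims; the attribute choices, the DN and the sample entries are assumptions made here.

```python
# Added example; not from the original post or from WSO2 IS. SCHEMA is a
# subset of the standard LDAP person classes; CLAIM_TO_ATTRIBUTE, the DN and
# the entries below are assumptions for illustration.
import base64
import hashlib
import os

# objectClass -> (superior class, MUST attributes, MAY attributes)
SCHEMA = {
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"cn", "sn"}, {"userPassword", "telephoneNumber", "description"}),
    "organizationalPerson": ("person", set(), {"title", "ou", "street", "postalCode"}),
    "inetOrgPerson": ("organizationalPerson", set(),
                      {"uid", "mail", "givenName", "displayName", "employeeNumber"}),
}

# Assumed mapping, as it would be entered for the secondary user store's claim dialect.
CLAIM_TO_ATTRIBUTE = {
    "http://wso2.org/claims/username": "uid",
    "http://wso2.org/claims/givenname": "givenName",
    "http://wso2.org/claims/lastname": "sn",
    "http://wso2.org/claims/emailaddress": "mail",
    "http://wso2.org/claims/telephone": "telephoneNumber",
}


def allowed_attributes(object_classes):
    """Return (must, may) for an entry, walking each objectClass up to 'top'."""
    must, may, pending, seen = set(), set(), list(object_classes), set()
    while pending:
        oc = pending.pop()
        if oc in seen:
            continue
        seen.add(oc)
        if oc not in SCHEMA:
            raise ValueError(f"unknown objectClass {oc!r}")
        superior, oc_must, oc_may = SCHEMA[oc]
        must |= oc_must
        may |= oc_may
        if superior:
            pending.append(superior)
    return must, may


def check_claim_mapping(object_classes, mapping=CLAIM_TO_ATTRIBUTE):
    """'ok' if the mapped attribute may be stored on such an entry, else 'unsupported'."""
    must, may = allowed_attributes(object_classes)
    return {claim: ("ok" if attr in must | may else "unsupported")
            for claim, attr in mapping.items()}


def missing_required(entry):
    """MUST attributes the entry lacks; the directory would reject the add."""
    must, _ = allowed_attributes(entry["objectClass"])
    return sorted(a for a in must if a not in entry)


def ssha_password(password, salt=None):
    """OpenLDAP-style {SSHA} value so the LDIF never carries a clear-text password."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def to_ldif(dn, entry):
    """Serialize an entry as an LDIF add record. Values are written as plain
    'attr: value'; values starting with space, ':' or '<', or containing
    non-ASCII, would need the base64 'attr:: ' form, which this does not do."""
    lines = [f"dn: {dn}", "changetype: add"]
    for attr, value in entry.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


# Constructed entry in the shape a full user needs for the mapping above.
alice = {
    "objectClass": ["inetOrgPerson"],
    "uid": "alice", "cn": "Alice Example", "sn": "Example", "givenName": "Alice",
    "mail": "alice@example.org",
    "userPassword": ssha_password("correct horse battery staple", salt=b"\x00" * 8),
}

if __name__ == "__main__":
    print(to_ldif("uid=alice,ou=people,dc=example,dc=org", alice))
    print(check_claim_mapping(["person"]))
    print(missing_required({"objectClass": ["inetOrgPerson"], "uid": "bob", "cn": "bob"}))
```

Running `check_claim_mapping(["person"])` reports the mail, uid and givenName mappings as unsupported, while an inetOrgPerson entry accepts all five; `missing_required` on an entry that has uid and cn but no sn returns `['sn']`, since person makes sn mandatory.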
I am looking into using Keycloak to give some users special permissions.
The permissions will need to have a limited validity.
My current idea is to set special user attributes, for example ALLOW_PERIOD_1='2022-01-01:2022-02-01' and ALLOW_PERIOD_2='2023-01-01:2023-02-01'
We will add a mapper to add claims based on the user attributes.
In the application the claims in the token will be checked, allowing this user access only in January 2022 or 2023.
I have 2 questions about this:
Is this the right way to manage temporary access per user?
Perhaps there is a simpler way to achieve the same.
Is this secure?
Can a user set its own custom attributes via the Keycloak pages?
For example, we have added the custom attribute middleName to our registration page by simply adding a form-variable "user.attributes.middleName" to the registration form.
Can any user add "user.attributes.ALLOW_PERIOD_1=2022-01-01:2030-01-01" to a POST to one of the Keycloak pages and give himself access?
Thanks for any advice,
Rob
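As an added example (not code from the original post or from Keycloak), the following shows the application-side half of the scheme Rob describes: read the ALLOW_PERIOD_* claims that a mapper has copied from user attributes into the token, and decide whether the caller is inside one of those windows today. The claim names and the 'YYYY-MM-DD:YYYY-MM-DD' value format are the poster's; treating the end date as exclusive (so 2022-01-01:2022-02-01 means January 2022), accepting list-valued claims, and the constructed token payloads are assumptions made here. The token is assumed to have already passed signature, issuer, audience and expiry validation before these claims are read; nothing here replaces that.

```python
# Added example; not from the original post or from Keycloak. Claim names
# and value format are the poster's; exclusive end date, list handling and
# the token dicts below are assumptions made for this example.
import re
from datetime import date, datetime, timezone

PERIOD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}):(\d{4}-\d{2}-\d{2})$")


def parse_period(value):
    """Parse 'start:end' into (date, date); reject anything else, including end <= start."""
    m = PERIOD_RE.match(value)
    if not m:
        raise ValueError(f"malformed period {value!r}")
    start, end = (date.fromisoformat(s) for s in m.groups())
    if end <= start:
        raise ValueError(f"empty or inverted period {value!r}")
    return start, end


def allowed_periods(claims, prefix="ALLOW_PERIOD_"):
    """Collect every well-formed window from claims named <prefix><n>.

    A mapper may emit the attribute as one string or, when marked multivalued,
    as a list; both are accepted. A malformed value is skipped rather than
    treated as a grant, so bad data fails closed."""
    periods = []
    for name, value in claims.items():
        if not name.startswith(prefix):
            continue
        for v in (value if isinstance(value, list) else [value]):
            try:
                periods.append(parse_period(str(v)))
            except ValueError:
                continue
    return periods


def has_access(claims, today=None):
    """True when today falls in at least one window (start inclusive, end exclusive).

    'today' may be a date, an ISO 'YYYY-MM-DD' string, or None for the current UTC day."""
    if today is None:
        today = datetime.now(timezone.utc).date()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return any(start <= today < end for start, end in allowed_periods(claims))


# Constructed token payloads, as the application sees them after validation.
ROB_TOKEN = {
    "sub": "user-123",
    "ALLOW_PERIOD_1": "2022-01-01:2022-02-01",
    "ALLOW_PERIOD_2": "2023-01-01:2023-02-01",
}
BAD_TOKEN = {"sub": "user-456", "ALLOW_PERIOD_1": "always"}

if __name__ == "__main__":
    for day in ("2022-01-15", "2022-02-01", "2023-01-31", "2022-06-01"):
        print(day, has_access(ROB_TOKEN, today=day))
    print("malformed claim:", has_access(BAD_TOKEN, today="2022-01-15"))
```

The check deliberately ignores any ALLOW_PERIOD value it cannot parse instead of erroring or granting, and it only ever reads the claims from the validated token; the question of whether a user can write those attributes through the registration form is a Keycloak configuration matter that this code does not decide.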
This is my web app's "User Settings" page.
I have simplified it to a minimum to better highlight the problem.
To authenticate users I use Auth0. I wanted to use the sub claim (user_id) to identify users inside my MySQL database for updating and retrieving each user's info. Unfortunately the user_id is different for each provider: for example, if the same user with the same e-mail logs in via Auth0 he gets one user_id, and if he does it via Google he gets another one.
I thought about using email to link logged user to his info.
The problem is in my API. Before the change it was "localhost:8080/api/users/:id";
each time it created a new id, and in any case it was impossible to recover the data of a single user. Now that I have replaced "id" with "email", my API has also changed to "localhost:8080/api/users/:johnsmith#xxx.com".
Before:
After:
In a few words, the request URL on the client side has also changed.
I would like to make sure that the GET and PUT requests are made based on the e-mail of the logged-in user without having to modify the whole back end.
Sounds like something is wrong with how you authenticate users. If you have multiple ways to authenticate a user, those methods need to be in a one-to-many relation with the user. For example, each user has a list of auth methods, and whenever an authentication is made you check your table of authentication methods and find the one user it maps to.
I'm not sure if you are doing this yourself or if the framework you are using is handling that, but it sounds like you need to change the model to allow many auth methods for a single account.
You could also use email, but that is an "old" way of uniquely identifying users; almost every person has multiple active email accounts nowadays, so you should also have a one-to-many relation from users to emails. What if the user has different email accounts for their Facebook and Google accounts?
See account linking here: https://auth0.com/docs/users/user-account-linking
It is dangerous to trust that the external providers are truthful about which email belongs to whom. What if I open a new account using someone else's email on one of the providers? Then I can log into that user's account in your application, which is a pretty big security risk.
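As an added example (not code from the original post or from Auth0's SDKs), the following implements the one-to-many model the answer recommends: one application user owns any number of login identities, keyed by the token's issuer and subject, and a login is resolved through that table rather than through the e-mail claim. A second provider identity is joined to an existing account only by an explicit link made while that account is logged in, never automatically because two providers reported the same address, which is the risk the last paragraph describes. The table layout, the "/api/users/me" routes, the settings column and the token payloads are assumptions; the tokens are constructed for the example and assumed to be already validated.

```python
# Added example; not from the original post or from Auth0. Tables, routes and
# the token payloads below are assumptions made for this example.
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    display_name TEXT
);
CREATE TABLE identities (
    issuer  TEXT NOT NULL,
    subject TEXT NOT NULL,
    email   TEXT,                 -- informational only, never a lookup key
    user_id INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (issuer, subject)
);
CREATE TABLE settings (
    user_id   INTEGER PRIMARY KEY REFERENCES users(id),
    page_size INTEGER NOT NULL DEFAULT 25
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def resolve_user(conn, claims):
    """Map a validated ID token to the internal user id, creating the account on first login.

    The lookup key is (iss, sub) only. Two tokens that carry the same e-mail
    but different subjects resolve to two different users."""
    key = (claims["iss"], claims["sub"])
    row = conn.execute(
        "SELECT user_id FROM identities WHERE issuer = ? AND subject = ?", key).fetchone()
    if row:
        return row[0]
    cur = conn.execute("INSERT INTO users (display_name) VALUES (?)", (claims.get("name"),))
    user_id = cur.lastrowid
    conn.execute("INSERT INTO identities VALUES (?, ?, ?, ?)",
                 (*key, claims.get("email"), user_id))
    conn.execute("INSERT INTO settings (user_id) VALUES (?)", (user_id,))
    conn.commit()
    return user_id


def link_identity(conn, user_id, claims):
    """Attach a further provider identity to the account the user is currently logged in to.

    This is the explicit account-linking step; it is the only way an identity
    joins an existing account."""
    if conn.execute("SELECT 1 FROM identities WHERE issuer = ? AND subject = ?",
                    (claims["iss"], claims["sub"])).fetchone():
        raise ValueError("identity already belongs to an account")
    conn.execute("INSERT INTO identities VALUES (?, ?, ?, ?)",
                 (claims["iss"], claims["sub"], claims.get("email"), user_id))
    conn.commit()


def get_settings(conn, claims):
    """GET /api/users/me: the row is selected by the token, not by an id or e-mail in the URL."""
    user_id = resolve_user(conn, claims)
    return conn.execute("SELECT page_size FROM settings WHERE user_id = ?",
                        (user_id,)).fetchone()[0]


def put_settings(conn, claims, page_size):
    """PUT /api/users/me: same rule, so a caller cannot address another user's row."""
    user_id = resolve_user(conn, claims)
    conn.execute("UPDATE settings SET page_size = ? WHERE user_id = ?", (page_size, user_id))
    conn.commit()
    return user_id


# Constructed tokens: the same person through two connections of one Auth0
# tenant (different sub values, as the poster observed), and a stranger who
# registered the same e-mail address at another provider.
AUTH0_JOHN = {"iss": "https://example.auth0.com/", "sub": "auth0|1234",
              "email": "john@example.com", "name": "John"}
GOOGLE_JOHN = {"iss": "https://example.auth0.com/", "sub": "google-oauth2|1098765",
               "email": "john@example.com", "name": "John"}
IMPOSTOR = {"iss": "https://idp.example.net/", "sub": "mallory",
            "email": "john@example.com", "name": "Mallory"}

if __name__ == "__main__":
    db = open_db()
    john = resolve_user(db, AUTH0_JOHN)
    print("auth0 login ->", john, "google login ->", resolve_user(db, GOOGLE_JOHN))
    link_identity(db, john, {**GOOGLE_JOHN, "sub": "google-oauth2|linked"})
    print("impostor ->", resolve_user(db, IMPOSTOR), "john's page size:", get_settings(db, AUTH0_JOHN))
```

With this model the client never needs to know the user's e-mail or database id: both GET and PUT go to the same "me" route and the server derives the row from the token, which also removes the URL change the poster ran into.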
So I am very interested in using CloudKit, but the documentation on anything beyond the basic features is horrible. I am looking to establish two basic user types: a standard user (someone who can read records only) and an admin user (who can create and modify records). I set up security roles to reflect this and changed the access modifiers on each of the record types to include these roles. However, I cannot find anywhere how to change a user from one role to the other. I have implemented an admin login of sorts in the app. Once they enter the appropriate credentials, I want to allow that user to start editing records.
Does anyone know how to do this?
Thanks
I think it's still not possible to assign a security role to a user using code, so this answer is still valid: How do I access security role in cloudkit
I am migrating data into Liferay from a legacy database, for which I have written a script to programmatically push data into Liferay's users as I see fit.
Now authentication happens with LDAP, and some basic details of each user are also in LDAP, which are supposed to be synced. Will it cause a problem if I migrate users to Liferay and also sync basic user details from LDAP after the migration? Will the LDAP sync try to insert a new record instead of updating the existing record in the database (created earlier by the migration)?
If you set the Authentication Search Filter, the Import Search Filter and the User Mapping in the LDAP settings correctly, it should find the appropriate user during synchronization.
Depending on the setup of your LDAP, you can use the screen name or the email address of the user as a placeholder in the Authentication Search Filter:
(cn=#email_address#)
or
(cn=#screen_name#)
The Import Search Filter is just there to constrain the possible values, e.g.:
(&(objectClass=inetOrgPerson))
And the User Mapping should at least contain the correct mapping for the screen name, e.g. cn.
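As an added example (not code from the original post or from Liferay), the following fills the #email_address# / #screen_name# placeholders used in the filter templates above, escaping the substituted value as RFC 4515 requires so that a login name containing '*', '(' or ')' cannot turn the Authentication Search Filter into one that matches other entries. The templates are the ones quoted in the answer; the combined import-plus-authentication search and the user values are constructed for the example.

```python
# Added example; not from the original post or from Liferay. The filter
# templates are those quoted in the answer; the user values are constructed.
import re

# RFC 4515: these characters inside an assertion value must be written as \XX.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_PLACEHOLDER = re.compile(r"#([a-z_]+)#")


def escape_filter_value(value):
    """Escape one assertion value; control and non-ASCII characters are written
    byte-wise as \\XX of their UTF-8 encoding."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template, **values):
    """Substitute every #name# placeholder with the escaped value supplied for 'name'.

    A placeholder with no value is an error rather than being left in place,
    so a mis-typed template cannot silently search for the literal '#screen_name#'."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for placeholder #{name}#")
        return escape_filter_value(str(values[name]))
    return _PLACEHOLDER.sub(substitute, template)


def import_and_auth_filter(import_filter, auth_template, **values):
    """AND the Import Search Filter with the rendered authentication filter: the
    search a sync would run to find the one already-imported entry for a user."""
    return f"(&{import_filter}{render_filter(auth_template, **values)})"


AUTH_BY_SCREEN_NAME = "(cn=#screen_name#)"
AUTH_BY_EMAIL = "(cn=#email_address#)"
IMPORT_FILTER = "(&(objectClass=inetOrgPerson))"

if __name__ == "__main__":
    print(render_filter(AUTH_BY_SCREEN_NAME, screen_name="jsmith"))
    print(render_filter(AUTH_BY_EMAIL, email_address="jsmith@example.com"))
    # A hostile login name is neutralised instead of matching every entry:
    print(render_filter(AUTH_BY_SCREEN_NAME, screen_name="*)(uid=*"))
    print(import_and_auth_filter(IMPORT_FILTER, AUTH_BY_SCREEN_NAME, screen_name="jsmith"))
```

The hostile value above renders as `(cn=\2a\29\28uid=\2a)`, a filter that matches only an entry whose cn is literally that string, whereas unescaped substitution would have produced `(cn=*)(uid=*)`.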
Are user profiles an appropriate place to store things like the number of items per page that a user selected in a custom grid? (I know you can store it in the view, but it won't be per user that way.)
My first thought was to store these settings in user profiles, but there are problems with access permissions for programmatically creating user profile properties, boiling down to this: either you have to give every user the 'Manage User Profiles' permission in the SSP, or you have to run the application pool under a domain user, not NETWORK SERVICE. Both scenarios are unrealistic for me, so I'm now looking for another way to store such 'per user' settings.
Thanks!
Edit: I'm now considering ASP.NET profile mechanism with an additional DB to store user properties.
Given that the information is not sensitive, a simple database with values stored against the AD login should suffice.
And as you already have the ASP.NET user database, storing the information there would be the best option.
Maybe a global list that is only accessible to the SHAREPOINT\SYSTEM user, which you can then query inside an SPSecurity.RunWithElevatedPrivileges call.
Disadvantage: you require custom code to read/write to that list.
Cookie?
Sure, they have limitations, but it is fairly easy to create a control that runs JavaScript to add/edit the value.