Im new on Ansible and i try to create some user accounts on remote servers and i encountered some trouble.
I want to create users if they do not exist, and update them password if they are present.
I read the documentation and found the parameter "update_password" but im stuck on how to verify their existence.
I try to do like that :
- name: Determine local user accounts
getent:
database: passwd
- name: Add user
user:
name: support
comment: support account
password: bonjour
groups: support,pricing
append: yes
with_items: {{ user }}
when: user not in ansible_facts.getent_passwd
- name: Update user password
user:
name: support
password: bonjour
update_password: always
with_items: {{ user }}
when: user in ansible_facts.getent_passwd
Im not sure to understand the concept of ansible_facts.
A key foundation of Ansible, is that it is built around idempotency. This means you simply describe the state you want your system to be in, and leave it to Ansible to figure out the details of what needs to be done to make your system match your desired state.
Therefore, you simply need to define the user you want on the system, and Ansible will take care of checking whether they already exist or not, and act accordingly:
- name: Manage support user
user:
name: support
comment: support account
password: <some crypted password string>
groups: support,pricing
append: yes
This will add the user if they do not already exist, otherwise update the users parameters to match your specification.
Note You should not place clear text passwords in these tasks. Checkout this page for details of how to create an encrypted password.
Related
I'm trying to setup a basic readonlyrest example with Kibana. My config is as follows:
readonlyrest:
enable: true
response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
access_control_rules:
- name: Accept requests from users in group team1 on index1
type: allow
hosts: [localhost,127.0.0.1,10.0.0.0/24]
groups: ["team1"]
actions: ["indices:data/read","indices:data/read/mge/*","indices:data/read/mget","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create", "cluster:monitor/*"]
indices: ["<no-index>", ".kibana*", "logstash*", "default" ,"sha*" ,"ba*"]
users:
- username: alice
auth_key: alice:p455phrase
groups: ["team1"]
Unfortunately this does not work. I keep getting Authorization exception with the following error message in elasticsearch logs:
no block has matched, forbidding by default: { action: indices:data/read/mget,
OA:127.0.0.1, indices:[.kibana], M:POST, P:/_mget, C:{"docs":[{"_index":".kibana",
"_type":"config","_id":"4.6.1"}]}, Headers:[]}
What is missing in my config?
In kibana.yml the configuration is:
elasticsearch.username: "alice"
elasticsearch.password: "p455phrase"
If you use case is a basic kibana authentication, you should follow the example in the documentation.
Once you get that working, you could modify the example to assign the required rules to groups, and groups to your hard-coded users.
Keep in mind that this will not be a production ready solution, due to the crappy security level offered by HTTP basic auth between browser and Kibana:
The browser will pass the credentials unencrypted at every request
No way for the user to "logout" from Kibana
Nowadays ReadonlyREST Offers two Kibana plugins (PRO and Enterprise), which fixes the above limitations using encrypted cookies, and injecting a logout button into the Kibana UI.
The 30 days trial is available for download
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'LDAP'
host: 'ServerLdap'
port: 389
uid: 'sAMAccountName'
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: 'uid=***,ou=JeniePortal,ou=applications,***'
password: 'passw#rd'
active_directory: false
allow_username_or_email_login: false
base: '0=sample'
user_filter: ''
EOS
I tried uid also instead of sAMAccountName.
Still users are unable to authenticate.
Any help please.
I'm not sure what your actual issue is, but the thing I notice first is that your bind_dn is missing the uid value-part. The bind_dn defines the user that is used to do lookups for the user that wants to log in. When you connect to an ActiveDirectory that should be something like sAMAccountName=xyz,ou=JeniePortal,ou=applications and the password should ve that users password. When the ActiveDirectory allows anonymous access you can leave those two parameters blank (bind_dn='')
I'm using ldapjs.
I got this code from some sites:
var newUser = {
cn: 'new guy',
sn: 'guy',
uid: 'nguy',
mail: 'nguy#example.org',
objectClass: 'inetOrgPerson',
userPassword: ssha.create('s00prs3cr3+')
}
The thing is, the password saved as OctetString, and can't be used for login. Do anyone here knows how do I assign password using node (ldapjs preferred)?
Try saving in plain text.
Most LDAP server implementations expect to receive the password in plain text and the server will then encrypt the password.
There are dependencies on the LDAP server implementation and configuration.
-jim
Oh, You did not mention it was AD. Active directory is quite different. It uses [unicodePwd][1], not userPassword. Password operations must be over an encrypted connection. And finally, the password must be "text value in UTF-16". Those Quotes are required.
See updateUserPassword for the JNDI (Java) code for this.
I'm using the Symfony framework with the FOS User Bundle. I'm using the security context to determine which menu items and other items to display.
$securityContext = $this->get('security.context');
if ($securityContext->isGranted($report['Permission'])){
//add the menu item...
}
Is there any way to give a anonymous user a security context of 'ROLE_USER'? I've got logged in users working properly.
I tried adding the line:
role_hierarchy:
IS_AUTHENTICATED_ANONYMOUSLY: ROLE_USER
to my security.yml hoping this would do it, but apparently not. I've Googled around a little bit and read the documentation.
I imagine that:
if ($securityContext->isGranted($report['Permission'])
|| ($report['Permission'] === 'ROLE_USER' && $securityContext->is_anonymous()))
would work, but this feels like kind of a hack (and not very DRY)
Edit:
This is for an intranet site. I've got a table that contains names of reports. Some reports should be able to be seen by everyone, regardless of if they are logged in or not. Some reports require permissions to view. I don't want to create several hundred users when only a handful will need access.
If you are trying to give access to people to a given url why not simply authorize it this way ?
You have 2 method to achieve this: create a firewall authorization or role defined a url
1) Firewall autorization
firewalls:
test:
pattern: ^/ws // you url or schema url with regex
anonymous: true
2) url with a role defined access
access_control:
- { path: ^/given-url, roles: IS_AUTHENTICATED_ANONYMOUSLY }
// in app/config/security.yml
in both case, non authenticated user and authenticated user will have access to this url
By the way , if you want to test (in order to display some user variables) if a user is authenticated or not , just make your test in twig
{% if app.user is defined and app.user is not null %}
The user {{ app.user.username }} is connected.
{% else %}
No user connected
{% end %}
EDIT : Content based view : juste create a route for your action which would not match your firewall rules
I'm currently setting up a gitlab server using a LDAP backend.
When I try to login as a user present in the LDAP db, I get the following error:
"Could not authorize you from LDAP because: "Undefined method 'persisted?' for #"
Peeking into the source code (specifically app/controllers/omniauth_callbacks_controller.rb) the villain seems to be:
#user = Gitlab::LDAP::User.find_or_create(oauth)
#user.remember_me = true if #user.persisted?
It is totally correct for him to fail here because there is no method persisted? (neither in lib/gitlab/ldap/user.rb nor lib/gitlab/oauth/user.rb). Changing the second line to
#user.remember_me = false #true if #user.persisted?
doesn't work either since remember_me is an invalid function for ruby.
I really have no clue about ruby, let alone Ruby On Rails, so I stopped digging here.
Since I certainly am not the first person to try using LDAP auth in gitlab I consider this an error on my side. Since authentication seems to work (if I enter a false password for the user gitlab happily tells me so), I don't have any idea where to start looking.
I appreciate any help from you guys,
Best Richard
Edit: My gitlab.yml is here.
Solved the problem myself. The database lookup yielded a nil object due to the user creation failing (whenever a ldap user logs in, gitlab uses the ldap data to fill its own database).
During creation of the user database entry the query got an invalid email entry resulting in a failed insert query. Unfortunately this was very hard to debug.
In case anyone should have this problem, try changing the following code in lib/gitlab/oauth/user.rb:
begin
user.save!
rescue ActiveRecord::RecordInvalid => e
raise_error ("(OAuth) Error #{e.to_s}") # <-- add this line
log.info "(OAuth) Email #{e.record.errors[:email]}. Username #{e.record.errors[:username]}"
return nil, e.record.errors
end
This will - in case gitlab is not able to add your user - print the error message the database backend returned as the usual red error banner when trying to log in. Keep in mind to remove this line when you no longer need it.
I can suggest a patch (tested on Gitlab 7.1.0). This code sets the gitlab_rails['ldap_uid'] as username when a ldap user is connecting for the first time :
in /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/oauth/user.rb (see INCLUDE START and STOP) :
user = model.build_user(opts)
user.skip_confirmation!
# Services like twitter and github does not return email via oauth
# In this case we generate temporary email and force user to fill it later
if user.email.blank?
user.generate_tmp_oauth_email
elsif provider != "ldap"
# Google oauth returns email but dont return nickname
# So we use part of email as username for new user
# For LDAP, username is already set to the user's
# uid/userid/sAMAccountName.
email_username = email.match(/^[^#]*/)[0]
# Strip apostrophes since they are disallowed as part of username
user.username = email_username.gsub("'", "")
else
# INCLUDE START
# if LDAP config "ldap_uid" is set : we pick this attribute to set the username :
if ldap_conf['uid'].present?
user.username = auth.extra.raw_info.send(ldap_conf['uid'])[0]
end
# INCLUDE STOP
end
begin
user.save!
In my case the problem was importing (copying file) fro old gitlab repositories to new one.
Gitlab wasn't able to create clean folder for the new user.
Solution:
remove imported repositories
create new, empty repository by first login with LDAP credentials
read your PRIVATE-TOKEN
start gitlab server on your repository ie. 'git daemon --verbose --export-all'
import data from old gitlab using API:
curl -X POST --header "PRIVATE-TOKEN: xxxxxffxxxyyxxxxzzz" http://testserver07.lq/api/v3/projects"?name=project01&import_url=git://localhost/var/opt/gitlab/git-data/repositories-old/repos/project01.git"
First, check if your email address in Gitlab DB is correct:
# login to Gitlab DB (MySql)
mysql -u gitlab gitlabhq_production -p
# check user email address
select email from users where username like 'foo';
Then remove stored LDAP objects from Gitlab DB for the user:
# clear ldap data
update users set extern_uid = '' where username = 'foo';
On next login Gitlab write a new extern_uid.