LDAP search user in nested groups with subdomains

I have to check if a user is a member of a nested group within a subdomain.
LDAP setup:
MasterGroup -> Domain company.biz
Group1 -> Member of Mastergroup -> Domain sub.company.biz
User1 -> Member of Group1
I know the MasterGroup and the User1.
How do I check whether the user is a (nested) member of the MasterGroup or not?
At the moment I have the following query, which is not working.
(&(objectClass=user)(sAMAccountName=<User1sAMAccountName>)(memberof:1.2.840.113556.1.4.1941:=<distinguishedName of MasterGroup>))
The same request for Group1 is working, and I assume that is because of the subdomain.
(&(objectClass=user)(sAMAccountName=<User1sAMAccountName>)(memberof:1.2.840.113556.1.4.1941:=<distinguishedName of Group1>))
This returns the user.
Question: Is there any way to trigger the subdomain search?
One tip I found on the internet is to search all the subdomains one by one for every group I have to check.
This means I have to send over 256,000 requests...
Thanks in advance.
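As an added illustration (not code from the question), the following Python builds the single-domain recursive-membership filter above with proper RFC 4515 escaping, and then shows a cycle-safe transitive walk that works across domains as long as the caller supplies a `members_of(dn)` lookup (a hypothetical callback here, resolved however the caller reaches each domain). The directory snapshot is constructed to mirror the question's MasterGroup / Group1 / User1 layout.

```python
from typing import Callable, Dict, Iterable, List

# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, as used in the question.
RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515).

    Without this, a user-controlled sAMAccountName could close the
    (sAMAccountName=...) term and rewrite the rest of the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def nested_member_filter(sam_account_name: str, group_dn: str) -> str:
    """The question's single-domain filter, with both values escaped."""
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(sam_account_name)})"
        f"(memberof:{RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))"
    )


def is_transitive_member(user_dn: str, group_dn: str,
                         members_of: Callable[[str], Iterable[str]]) -> bool:
    """Walk containing groups upward from user_dn until group_dn is reached.

    members_of(dn) must return the DNs of the groups that directly contain dn;
    DNs are compared case-insensitively and each group is visited once, so
    circular nesting cannot loop forever."""
    target = group_dn.lower()
    seen = set()
    frontier: List[str] = [user_dn]
    while frontier:
        for parent in members_of(frontier.pop()):
            key = parent.lower()
            if key == target:
                return True
            if key not in seen:
                seen.add(key)
                frontier.append(parent)
    return False


# Constructed snapshot: User1 -> Group1 (sub.company.biz) -> MasterGroup (company.biz).
DIRECTORY: Dict[str, List[str]] = {
    "cn=user1,ou=users,dc=sub,dc=company,dc=biz": ["cn=group1,ou=groups,dc=sub,dc=company,dc=biz"],
    "cn=group1,ou=groups,dc=sub,dc=company,dc=biz": ["cn=mastergroup,ou=groups,dc=company,dc=biz"],
    "cn=mastergroup,ou=groups,dc=company,dc=biz": [],
}


def snapshot_members_of(dn: str) -> List[str]:
    """Hypothetical lookup backed by the constructed snapshot above."""
    return DIRECTORY.get(dn.lower(), [])
```

Because the walk only visits the chain of containing groups, the number of lookups grows with nesting depth, not with the number of subdomains times groups.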

Related

How does the people picker recognize users and groups for 2 domains with a trust relationship?

I have a domain A and another B. Both have a trust relationship.
Then I think my SharePoint site is within domain A and I added a PeoplePicker field. The detail is that in the PeoplePicker field, when I search for users of domain B (user by user) it does recognize them, but when I search for a group in domain B (user group) I get an error saying "This user does not exist or is not unique".
I want to be able to add user groups from domain B from the PeoplePicker field.
You need to configure the people picker to search the other domain.
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv domain:DnsName,user,password -url http://webapp
Check the thread for more details.
http://www.sharepointdoug.com/2014/06/how-to-configure-people-picker-in.html

Multiple Sites and Authentications with one Database

This may be a simple question, but it's my first time setting up a website this way and I need some advice please.
The setup:
I have two websites, WS1 & WS2, each with a different domain name. They both point to the same IP using nginx server blocks, and SSL is set up for each domain name. I will be using Express.js with ArangoDB (where I can add additional databases in ArangoDB to split up the two sites in the backend if necessary).
The problem:
Sometimes these two sites will be accessing the same info from the database and I would prefer NOT having to duplicate the data, but they will have different authentications. Each site will have different account authentications and page restrictions for each member of each site.
The question:
How would I set this up to ensure security, so that one account doesn't get access to any other site? Do I need two separate frameworks in each server block? Should I create two databases? Best recommendations please?
This depends on your authorization framework.
Authentication identifies who is accessing your site, and part of that identity is the user, the company/domain, and the role/group they belong to.
Authorization is the description of what that user, company/domain, or role/group is allowed to access.
You probably know about cookies and username/passwords for the user identification. The user is stored in the database and mapped to the company/domain they belong to, and the user is also mapped to the role/group they belong to.
select userID, company from users where username = ?, $username
select group from groups where userID = ?, $userID
Some of the records in the database are probably scoped to a single domain/company and others to a role/group. You add the domain/company or role/group as a column on the database, and use it in your query.
select content from companyPages where company = ?
or
select content from groupPages where group in (select group from groups where userID = ?)
You can have users from multiple companies/domains using the same groups too.
And putting it together:
Select content from pages WHERE
group in (select group from groups where userID= ?)
AND company = (select company from users where userID=?);
Basically you have to define your authorization scheme and map it to your data model.
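The combined query from the answer above, run against a constructed SQLite data set (added example, not the answerer's code). The column `group` is renamed `grp` because `group` is a reserved word in SQL, and the username is passed as a bound parameter so it cannot change the WHERE clause.

```python
import sqlite3
from typing import List

# Constructed schema matching the answer's model: a user belongs to one
# company and to any number of groups; each page is scoped to a company AND a group.
SCHEMA = """
CREATE TABLE users  (userID INTEGER PRIMARY KEY, username TEXT UNIQUE, company TEXT);
CREATE TABLE groups (userID INTEGER, grp TEXT);
CREATE TABLE pages  (content TEXT, company TEXT, grp TEXT);
"""
ROWS = [
    ("INSERT INTO users VALUES (?,?,?)", [(1, "alice", "ws1"), (2, "bob", "ws2")]),
    ("INSERT INTO groups VALUES (?,?)", [(1, "members"), (2, "members"), (2, "admins")]),
    ("INSERT INTO pages VALUES (?,?,?)", [("ws1 members page", "ws1", "members"),
                                          ("ws2 members page", "ws2", "members"),
                                          ("ws2 admin page", "ws2", "admins")]),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in ROWS:
        conn.executemany(sql, params)
    return conn


def visible_pages(conn: sqlite3.Connection, username: str) -> List[str]:
    """Pages the authenticated user may read: the answer's combined query.

    Both the company and the group filter are derived from the user's own
    row, so a shared group name ("members") never leaks the other site's data."""
    row = conn.execute("SELECT userID FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return []
    (user_id,) = row
    sql = """
    SELECT content FROM pages
    WHERE grp IN (SELECT grp FROM groups WHERE userID = ?)
      AND company = (SELECT company FROM users WHERE userID = ?)
    ORDER BY content
    """
    return [content for (content,) in conn.execute(sql, (user_id, user_id))]
```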

odoo record rules domain filter mrp.workcenter

Hello, I'd like to restrict all users to just access the Work Center with ID = 1.
I added a record rule for mrp.workcenter and added the domain filter [('id','=',1)]. But I can still see all the work centers...
Any ideas?
The given domain is correct and works fine.
You can see all the records from the admin login. But if you log in as another user, suppose Manufacturing Manager, then they can see only one record (I mean id=1).
By default, no rules are applied to the admin user. Please check it from another user.
Define access rules in security/ir.model.access.csv; there you can set rights for create, edit, view and delete for specific groups.

when to create organisation and location organisation in liferay

I have a scenario like this: I have, say, 5 branches, for example Branch A, Branch B, Branch C, etc. All branches have a different set of users and a different set of data (in Liferay portlets). My requirement is: whenever a user from Branch A logs in, he should not be able to log in to another branch. In short, he should not have any permission to view or log in to Branch B (other than his own branch).
All 5 branches have two sub-sites.
E.g. Branch A has sub-sites Site A1 and Site A2. Separate users are associated with each site.
My question is what should I use to develop such a system.
As of now I have created one Organisation and created a Location sub-organisation.
How can I restrict a user to log in to his own organisation and not anyone else's?
How can I restrict a user to view the contents of his own site and not another site?
Do I need to create User Groups?
Any pointers would be helpful. Thanks in advance.
First of all: You don't need Locations. They're just like Organizations, but can't have any more suborganizations. This is a limitation that you don't need to impose on your branch offices. You can, but don't need to.
You always log in to your account, not into an organization. When there's content in an organization's site that must not be seen by non-members of that organization, just make the pages private - this restricts them to be seen only by members of the organization.
Membership of organizations is centralized anyway - thus nobody can become a member of another organization without an administrator making the connection.
Whether you need user groups depends on what your overall structure is. If you interface with LDAP, I like to use user groups as the importing target for LDAP groups. If you don't, it still might make sense to group users into User Groups - just to keep an overview of the different memberships and permissions that you give. It's a lot easier if you restrict yourself to not granting any roles and permissions to individual users, only to User Groups - at least once you have a certain number of users.

Reading Active Directory group users in SharePoint

Say that I have an Active Directory group called "Group1". I add this Group1 to a SharePoint site (People and Groups >> New User).
All the users that are part of Group1 can now access the SharePoint site.
Now, for a specific custom web part, I need to target only users who belong to Group1. But when a user who belongs to Group1 logs into the SharePoint site, I am not finding a way to determine from within the SharePoint context if this user belongs to Group1. Any thoughts?
Thanks,
Faiz
Use the following code to check if the current user is in the given security group:
using System.Security.Principal;

WindowsIdentity wi = WindowsIdentity.GetCurrent();
WindowsPrincipal wp = new WindowsPrincipal(wi);
bool isInGroup = wp.IsInRole("Group1"); // true when the current Windows identity belongs to Group1