control-panel not list iPlanetAMPolicyService - openam 13 - openam

I'm working on customizing profile attributes as per this link. I did exactly the same as per that link, but I'm not successful.
Short description of what I have done:
Add the content below in /root/openam/config/xml/amUser.xml under the user node
<AttributeSchema name="customAttribute"
type="single"
syntax="string"
any="display"
i18nKey="Custom Attribute">
</AttributeSchema>
Delete iPlanetAMUserService
$ /opt/openam-tool/openam/bin/ssoadm delete-svc --adminid amadmin --password-file /tmp/pwd.txt --servicename iPlanetAMUserService
Create iPlanetAMUserService
/opt/openam-tool/openam/bin/ssoadm create-svc --adminid amadmin --password-file /tmp/pwd.txt --xmlfile /root/openam/config/xml/amUser.xml
Add schema definitions as per the link
$ /root/openam/opends/bin/ldapmodify --port 389 --hostname frock.gworks.mobi --bindDN "cn=Directory Manager" --bindPassword gworks.mobi1 --filename /tmp/custom-attr.ldif
Top realm -> Data Store -> embedded -> Add customObjectclass & customAttribute
To Allow Users To Update the New Attribute
$ sh /root/openam/opends/bin/control-panel
In step 6 I can't find iPlanetAMPolicyService for edit sun-key value
Easy for your reference https://postimg.org/image/it7ovadwh/
Can you please help me to proceed further?

Setting up Cloudberry Backup for Linux for OracleCloud

I'm trying to add an account for OracleCloud, and I'm not sure I'm setting some of the required parameters correctly. My current command looks like this:
cbb addAccount -st OracleCloud -d OracleCloud -un "storage-a229571:" -kv no -c oracle-data-storagea-1 -ep https://a229571.storage.oraclecloud.com/v1/storage-a229571 -reg "US Commercial 2 us2" -ak https://us2.storage.oraclecloud.com/auth/v1.0
I get this response when I run it:
Can't validate account
Code: get openstack token v1. Message: Can't get token
Code: get openstack token v1. Message: Can't get token
Code: Can't get work url. Message: Can't get work url
Has anyone been able to use Cloudberry Backup for Linux against the OracleCloud?
This is due to your -kv flag, which you set to "no". You need 2 or 3, which tells Cloudberry Backup to use Keystone version v2 or v3 (consult your Oracle reps). Check this page.
Below is the full list of flags you may want to use:
[root@localhost]# cbb addAccount -d Display_Name -st OracleCloud -h
CloudBerry Backup Command Line Interface started
addAccount -d Display_Name -st OracleCloud <-un UserName> <-ak ApiKey> <-c BackupContainer> <-ep Endpoint> [-useInternalUrl yes/no(default)] [-reg Region] [-bp BackupPrefix] <-kv no> | <-kv 2 <-tn TenantName | -ti TenantID> > | <-kv 3 [-us < yes | no > <-pn project_name> | <-pi project_id>] <-dn DomainName | -di DomainID> >
-d Display_Name : Display name.
-un UserName : User name.
-ak ApiKey : Api key.
-reg Region : Region. Optional.
-c BackupContainer : Backup container.
-ep Endpoint : Auth endpoint.
-bp BackupPrefix : Backup prefix to differentiate between backups from different computers. Optional, by default is computer name.
-kv Keystone Version: Keystone version. Possible values 2, 3, no.
-pn project_name : Project name. Use only with keystone version 3.
-pi project_id : Project id. Use only with keystone version 3.
-tn TenantName : Tenant name. Use only with keystone version 2.
-ti TenantID : Tenant id. Use only with keystone version 2.
-us Use_scope : Use scope. Use only with keystone version 3. Possilble values yes, no.
-dn DomainName : Domain name. Use only with keystone version 3.
-dn DomainID : Domain id. Use only with keystone version 3.
-useInternalUrl : use internal url. Optional, by default is no. Possilble values yes, no.
OK, I finally had time to work on this again. This is what I figured out:
cbb addAccount -st OracleCloud \
-d <Some Name> \
-un "storage-<identity domain>:<Oracle Cloud User Name>" \
-ak "<Password for -un>" \
-c "<An existing Container>" \
-ep <Authentication Endpoint> \
-kv no
-ep is usually https://<data center>.storage.oraclecloud.com/auth/v1.0
-reg is optional, and I could not get cbb to work if I included it

how to import passwords only and update on ldap server?

I want to update the passwords of users [already existing in LDAP] by importing data from /etc/passwd & /etc/shadow.
How can I achieve this?
I will give an overview of my setup.
The nodes' user IDs & passwords are managed by the management node [xCAT]; LDAP is not used for this purpose.
We have imported the users from the management node to the LDAP server by following the steps given below:
Copied /etc/passwd, /etc/group & /etc/shadow from management node.
getent passwd > /tmp/passwd.out
getent shadow > /tmp/shadow.out
cd /usr/share/migrationtools/
./migrate_passwd.pl /tmp/passwd.out > /tmp/passwd.ldif
ldapadd -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Now we want to update the passwords frequently and keep the LDAP server in sync with our management node. Please give me an idea of how to achieve this.
I tried the same way I imported users into LDAP, but it gives me an error.
[root@iitmserver2 migrationtools]# ldapmodify -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Enter LDAP Password:
ldapmodify: modify operation type is missing at line 2, entry "uid=pharthiphan,ou=People,dc=aadityaldap,dc=com"
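The error above is what ldapmodify reports when it is handed add-style LDIF (the kind migrate_passwd.pl emits) instead of modify records. As an added example, not from the question, the script below turns /etc/shadow lines (a constructed sample) into "changetype: modify" records that replace userPassword on entries that already exist; the base DN is the one from the question and slapd is assumed to be built with crypt(3) support.

```python
# Added example (not from the question): build LDIF "changetype: modify"
# records from /etc/shadow lines so ldapmodify replaces userPassword on
# entries that already exist, instead of trying to add them again.
SAMPLE_SHADOW = """\
# constructed sample, not a real shadow file
pharthiphan:$6$saltsalt$fakehashvalue:18000:0:99999:7:::
locked:!:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""

def shadow_to_modify_ldif(shadow_text, base_dn="ou=People,dc=aadityaldap,dc=com"):
    """Return LDIF modify operations for every usable shadow record.

    Records whose hash is empty or begins with '!' or '*' (locked or
    no-login accounts) are skipped, so a locked local account never
    overwrites a working directory password with an unusable value.
    base_dn is taken from the question; adjust it to your own tree.
    """
    out = []
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, hashed = fields[0], fields[1]
        if not hashed or hashed[0] in "!*":
            continue
        # slapd verifies crypt(3) hashes that carry the {CRYPT} scheme prefix
        # (requires slapd built with crypt support); no plaintext is involved.
        out.append(f"dn: uid={name},{base_dn}")
        out.append("changetype: modify")
        out.append("replace: userPassword")
        out.append("userPassword: {CRYPT}" + hashed)
        out.append("-")
        out.append("")
    return "\n".join(out)

def modified_uids(shadow_text):
    """The uids that would receive a new password from shadow_text."""
    return [l.split("uid=", 1)[1].split(",", 1)[0]
            for l in shadow_to_modify_ldif(shadow_text).splitlines()
            if l.startswith("dn: ")]

if __name__ == "__main__":
    # Pipe the output into: ldapmodify -x -W -D "cn=Manager,dc=aadityaldap,dc=com"
    print(shadow_to_modify_ldif(SAMPLE_SHADOW), end="")
```

Run it against a copy of the real /etc/shadow only on the management node, and bind as a DN that is allowed to write userPassword.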

openam - create a user with ssoadm

I have a new goal: to be able to create OpenAM users with ssoadm.
I have read the OpenAM documentation
https://wikis.forgerock.org/confluence/display/openam/ssoadm-identity#ssoadm-identity-create-identity
However, I don't know how to create a user and then assign it a password. For now I can only create users through the OpenAM web UI, but that is not desirable; I want to automate it.
Does somebody know how I can create a normal user with ssoadm?
./ssoadm create-identity ?
./ssoadm create-agent ?
UPDATE: I have continued with my investigation :) I think I'm closer than before
$ ./ssoadm create-identity -u amadmin -f /tmp/pwd.txt -e / -i Test -t User
Minimum password length is 8.
But where is the parameter for password?
Thanks!
To create a new user in the configured data stores you could execute the following ssoadm command:
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -a givenName=Hello sn=World userPassword=changeit
Here you can see that I've defined the password as the userPassword attribute, which is data store dependent really. For my local OpenDJ this is perfectly legal, but if you are using a database or something else, then you'll have to adjust the command accordingly.
If you don't want to provide the attributes on the command line, then you could put all the values into a properties file, for example:
$ echo "givenName=Hello
sn=World
userPassword=changeit" > hello.txt
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -D hello.txt
But I must say that using OpenAM for identity management is not recommended, you should use your data store's own tools to manage identities (i.e. use an LDAP client within your app, or just simply use the ldap* CLI tools). You may find that OpenAM doesn't handle all the different identity management related tasks as normally people would expect, so to prevent surprises use something else for identity management.

Add user to group but not reflected when run "id"

R creates a group called staff and I want to be able to update packages without starting R as sudo. So I added myself to staff using:
sudo usermod -G adm,dialout,cdrom,plugdev,lpadmin,admin,sambashare,staff matt
(side question is there a way to add yourself to a group without listing every other group you're a member of?)
If I check /etc/groups I see
staff:x:50:matt
and the same for /etc/shadow
staff:*::matt
However, if I run groups or id, I'm not a member of staff. Also, I can't make changes to anything in /usr/local/lib/R.
Did you log the "matt" account out and back in after running the sudo usermod command? Changes to the groups a user is in under Unix only take effect at login time.
https://superuser.com/questions/272061/reload-a-linux-users-group-assignments-without-logging-out
Check that out. Both
newgrp groupname
or
su - username
will do the trick.
In answer to your side question, yes you can add a user to a group without listing them all. If you run a Debian based system, you can do it with
sudo adduser matt staff
The adduser utility is just a friendly wrapper around useradd/usermod etc.
If you don't have the adduser utility, you can still do it with usermod:
sudo usermod -a -G staff matt
The -a flag means append (as opposed to overwrite).
I know the original question is for Linux but OSX users can do the same with this command:
sudo dseditgroup -o edit -a newusertoadd -t user grouptobeaddedto
Explanation: the operation succeeded; that's why your name appears in the right Linux files (/etc/passwd & /etc/group), but only once you open a new terminal process will bash be updated with this setting, and then you can run id matt as well.
Clarification: you added yourself to an additional group, so you should have used the append option -a (and not edited the whole bunch of group names for your user).
sudo usermod -aG staff matt

How do I clone an OpenLDAP database

I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:
I'm supposed to move an application from one redhat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from the one machine to the other, with schemas and all.
What files would I need to copy over? I believe the setup is pretty standard.
The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1).
From man slapcat (OpenLDAP 2.3):
The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.
(FYI: In OpenLDAP 2.4 that section was rephrased and expanded.)
Plus using a tool that uses the backend files to dump the database and then using a tool that loads the ldif through the ldap protocol is not very consistent.
I'd suggest using a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would go to the latter, as it does not need shell access to the LDAP server or moving files around.
For example, dump the database from a master server under dc=master,dc=com and load it into a backup server:
$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif
The -W flag above prompts for the ldap admin_master password; however, since we are redirecting output to a file you won't see the prompt, just an empty line. Go ahead and type your ldap admin_master password, press enter, and it will work. The first line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.
Last hint, ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.
ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.
Export your DB with slapcat:
slapcat > ldif
Import the DB with slapadd (make sure the LDAP server is stopped):
slapadd -l ldif
Some notes:
Save your custom schema and objectclass definitions on your new server. You can look for your included files in slapd.conf to obtain them, for example (this is part of my slapd.conf):
include /etc/ldap/schema/core.schema
Include your personalized schemas and objectclasses in your new openLDAP installation.
Use slapcat command to export your full LDAP tree to a single/various ldif files.
Use ldapadd to import the ldif files on to your new LDAP installation.
I prefer copying the database through the protocol:
First of all, be sure you have the same schemas on both servers.
Dump the database with ldapsearch:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif
and import it into the new server:
ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif
In one line:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a
By using the bin/ldap* commands you are talking directly with the server, while using the bin/slap* commands you are dealing with the backend files.
(Not enough reputation to write a comment...)
Ldapsearch opens a connection to the LDAP server.
Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")
Thanks, Vish. Worked like a charm! I edited the command:
ldapsearch -z max -LLL -Wx -D "cn=Manager,dc=domain,dc=fr" -b "dc=domain,dc=fr" >/tmp/save.ldif
ldapmodify -c -Wx -D "cn=Manager,dc=domain,dc=fr" -a -f /tmp/save.ldif
Just added the -z max to avoid the size limitation and the -c to go on even if the target domain already exists (my case).
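The thread's central point is that a slapcat dump is in database order, not superior-first order, so ldapadd or ldapmodify -a may try to add a child before its parent exists. As an added example, not from any of the answers, the script below reorders such a dump (a constructed three-entry sample) so every entry follows its superior; it assumes plain "dn:" lines (no base64 "dn::" or folded lines) and no escaped commas inside RDN values.

```python
# Added example (not from the thread): reorder a database-order LDIF dump
# (as slapcat emits it) so each entry follows its superior, as ldapadd and
# ldapmodify -a require. Assumes plain "dn:" lines (no base64 "dn::", no
# folded lines) and no escaped commas inside RDN values.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: dc=example,dc=com
objectClass: dcObject
dc: example
"""
# constructed sample in database order, attributes abbreviated

def parse_ldif_entries(text):
    """Split LDIF into (dn, entry_text) pairs; blocks without a dn are dropped."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn = next((l[3:].strip() for l in block.splitlines()
                   if l.lower().startswith("dn:")), None)
        if dn is not None:
            entries.append((dn, block.strip()))
    return entries

def normalize_dn(dn):
    """Case- and whitespace-insensitive key for comparing DNs."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def order_superior_first(text):
    """Return (dn, entry_text) pairs with every entry after its superior;
    entries whose superior is absent from the dump keep their position."""
    by_key = {normalize_dn(dn): (dn, body) for dn, body in parse_ldif_entries(text)}
    ordered, seen = [], set()
    def visit(key):
        if key in seen:
            return
        seen.add(key)
        dn = by_key[key][0]
        parent = normalize_dn(dn.split(",", 1)[1]) if "," in dn else ""
        if parent in by_key:
            visit(parent)  # emit the superior before its subordinate
        ordered.append(by_key[key])
    for key in list(by_key):
        visit(key)
    return ordered

def to_ldif(entries):
    return "\n\n".join(body for _, body in entries) + "\n"
```

Feed to_ldif(order_superior_first(open("ldif").read())) to ldapadd -f; slapadd itself does not need this reordering.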