Setting Parent Site in Server using ssoadm - openam

I have created a site in OpenAM.
./ssoadm create-site -s "Site1" -i http://localhost:8080/opensso -u amadmin -f password-file
I would like to set this Site as a Parent Site in this server.
I can do this easily using the Admin Console, but my challenge is to do this using ssoadm, or through CLI.
I tried googling but can't find any examples. Also, list-server-cfg does not show any property that corresponds to Parent Site.
EDIT: I did try something like ./ssoadm update-server-cfg --options -u amadmin -f password-file -s "http://localhost:8080/opensso" -a parentsite="Site1", but all this does is create a new property called parentsite with the value "Site1". This did not work for me.

Use add-site-members:
ssoadm add-site-members -s "Site1" -e http://localhost:8080/opensso -u amadmin -f password-file

Tmux link-pane with format variables

I am trying to link a window from another session by specifying the target session using a format variable. That way I hope to get it always linked next to the currently active window.
The hard-coded version of the working command:
:link-window -a -s 1:remote -t 0:2
in which case I specify the target pane literally. When I try any of:
:link-window -a -s 1:remote -F -t "#{session_name}":"#{window_index}"
:link-window -a -s 1:remote -F "#{session_name}":"#{window_index}"
:link-window -a -s 1:remote -t "#{session_name}":"#{window_index}"
I get an error. The notable part here is that when I do use the -F flag, the usage for the link-window command is displayed. And when I omit it and use only -t, the error is can't find window #{session_name}.
Does it mean that link-window command simply doesn't support format variables?
-t does not support format variables and link-window does not support -F. run-shell will expand them, so you can do it by running, for example:
run "tmux linkw -t '#{session_name}'"

squid basic_ldap_auth strip nt domain from usernames

I need to migrate from a windows based proxy to a linux one.
On the old server Squid uses mswin_auth.exe to authenticate users against an Active Directory domain. For this reason my users now enter ntdomain\username in the browser popup for proxy authentication.
On the Linux CentOS server Squid will use basic_ldap_auth; in this case the ntdomain must not be entered by the user. It will be very annoying for my users to change the old habit. Is there a way to automatically remove the ntdomain from the entered username?
In squid.conf I have
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f sAMAccountName=%s -h vfdc1.ntdomain.parentd.it
...
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f "(&(objectclass=person) (sAMAccountname=%u)(memberof:1.2.840.113556.1.4.1941:=cn=%g,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it))" -h vfdc1.ntdomain.parentd.it -S
Thanks in advance.
Use the -K option in your request (it strips the Kerberos realm from usernames):
external_acl_type ldap_group %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R -K -b "dc=ntdomain,dc=parentd,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it" -W /etc/squid/squid.adpwd -f "(&(objectclass=person) (sAMAccountname=%u)(memberof:1.2.840.113556.1.4.1941:=cn=%g,OU=Squid,OU=Sede,DC=ntdomain,DC=parentd,DC=it))" -h vfdc1.ntdomain.parentd.it
and all will be fine.
This is my solution: I created a small bash script based on sed to strip the domain and used it in squid.conf as in
auth_param basic program /usr/local/bin/squid_auth
where the file /usr/local/bin/squid_auth is
#!/bin/bash
# Strip a leading "ve\" or URL-encoded "ve%5c" from each credential line Squid sends, then hand it to basic_ldap_auth (sed -u: unbuffered, Squid waits for an answer per line)
/usr/bin/sed -u "s/^ve[\\]//i"|/usr/bin/sed -u "s/^ve%5c//i"|/usr/lib64/squid/basic_ldap_auth -R -b "dc=ve,dc=dipvvf,dc=it" -D "CN=squid,OU=Squid,OU=Sede,DC=ve,DC=dipvvf,DC=it" -W /etc/squid/squid.adpwd -f sAMAccountName=%s -h vfdc1.ve.dipvvf.it
The domain name is ve.
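The same prefix-stripping idea as the sed script above, written as a Python shim that sits between Squid and basic_ldap_auth so that only the one expected domain is removed and nothing else in the credential line is touched. This is an added example, not the poster's script; DOMAIN and the REAL_HELPER arguments are assumptions copied from the commands above.

```python
#!/usr/bin/env python3
"""Squid basic-auth shim: drop a known NT domain prefix from the username,
then pass the credential line to the real basic_ldap_auth helper.
Added example; DOMAIN and REAL_HELPER are assumptions taken from the thread."""
import re
import subprocess
import sys

DOMAIN = "ve"  # the one NT domain we expect; any other prefix is left untouched
REAL_HELPER = [
    "/usr/lib64/squid/basic_ldap_auth", "-R",
    "-b", "dc=ve,dc=dipvvf,dc=it",
    "-D", "CN=squid,OU=Squid,OU=Sede,DC=ve,DC=dipvvf,DC=it",
    "-W", "/etc/squid/squid.adpwd",
    "-f", "sAMAccountName=%s",
    "-h", "vfdc1.ve.dipvvf.it",
]

# Matches "ve\" or the URL-encoded form "ve%5c" at the start of the username,
# case-insensitively, mirroring the two sed rules in the script above.
_PREFIX = re.compile(r"^" + re.escape(DOMAIN) + r"(?:\\|%5c)", re.IGNORECASE)


def normalize_login(line):
    """Squid writes one 'username password' line per request. Strip the
    configured domain only from the username field; the password is untouched."""
    user, sep, password = line.rstrip("\r\n").partition(" ")
    return _PREFIX.sub("", user, count=1) + sep + password


def main():
    # Line-buffered pipes: Squid expects exactly one OK/ERR answer per line sent.
    helper = subprocess.Popen(REAL_HELPER, stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE, text=True, bufsize=1)
    for line in sys.stdin:
        helper.stdin.write(normalize_login(line) + "\n")
        helper.stdin.flush()
        verdict = helper.stdout.readline()
        if not verdict:  # the real helper died: fail closed and let Squid restart us
            sys.stdout.write("ERR\n")
            sys.stdout.flush()
            break
        sys.stdout.write(verdict)
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```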

openam - create a user with ssoadm

I have a new goal: to be able to create OpenAM users with ssoadm.
I have read the documentation of Openam
https://wikis.forgerock.org/confluence/display/openam/ssoadm-identity#ssoadm-identity-create-identity
However, I don't know how to create a user and then assign it a password. For now I can only create users through the OpenAM web UI, but that is not desirable; I want to automate it.
Does somebody know how I can create a normal user with ssoadm?
./ssoadm create-identity ?
./ssoadm create-agent ?
UPDATE: I have continued with my investigation :) I think I'm closer than before:
$ ./ssoadm create-identity -u amadmin -f /tmp/pwd.txt -e / -i Test -t User
Minimum password length is 8.
But where is the parameter for password?
Thanks!
To create a new user in the configured data stores you could execute the following ssoadm command:
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -a givenName=Hello sn=World userPassword=changeit
Here you can see that I've defined the password as the userPassword attribute, which is data store dependent really. For my local OpenDJ this is perfectly legal, but if you are using a database or something else, then you'll have to adjust the command accordingly.
If you don't want to provide the attributes on the command line, then you could put all the values into a properties file, for example:
$ echo "givenName=Hello
sn=World
userPassword=changeit" > hello.txt
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -D hello.txt
But I must say that using OpenAM for identity management is not recommended; you should use your data store's own tools to manage identities (i.e. use an LDAP client within your app, or just simply use the ldap* CLI tools). You may find that OpenAM doesn't handle all the different identity management related tasks as people would normally expect, so to prevent surprises use something else for identity management.

How do I load JSON attributes passed via knife through chef recipes?

I have a web server that basically accepts input for a knife ec2 create server command.
In my knife command, I pass in
-j '{"branch":"clone"}'
From documentation I thought I would be able to do this in my recipes that are being loaded:
@@branch = node['branch']
...
git clone git@github.com/blah -b #{@@branch}
However, the git clones are failing because @@branch doesn't return anything. Or at least the chef logs say begin output of result:
git clone git@github.com/blah -b
~Git error showing options and appropriate input~
How do I load in my passed JSON attribute? What is the correct way?
Edit:
I manually put in the knife command, and the JSON attributes seem to load as a Ruby hash instead of JSON:
JSON Attributes: {"branch"=>"Air"}
Last Edit:
My command:
sudo knife ec2 server create -x ubuntu -i ~/.ssh/key.pem -I ami-0eca6e67 -d ubuntu-12.04 -j '{ "branch" : "clone" }' -Z us-east-1a -s subnet-6827ec00 -f c1.medium -g sg-bc9d86d0 -r 'role[role]'
Answer below.
So it seems if I use a bootstrap template that already exists, -d ubuntu-12.04, knife ec2 does NOT load -j json-attributes.
Get rid of the -d option. The JSON then loads appropriately.

How do I clone an OpenLDAP database?

I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:
I'm supposed to move an application from one Red Hat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from one machine to the other, with schemas and all?
What files would I need to copy over? I believe the setup is pretty standard.
The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1).
From man slapcat (from OpenLDAP 2.3):
The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.
(FYI: In OpenLDAP 2.4 that section was rephrased and expanded.)
Plus, using a tool that reads the backend files to dump the database and then using a tool that loads the LDIF through the LDAP protocol is not very consistent.
I'd suggest using a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would go to the latter as it does not need shell access to the LDAP server or moving files around.
For example, to dump the database from a master server under dc=master,dc=com and load it into a backup server:
$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif
The -W flag above prompts for the ldap admin_master password; however, since we are redirecting output to a file you won't see the prompt, just an empty line. Go ahead and type your ldap admin_master password, press Enter, and it will work. The first line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.
Last hint: ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.
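The ordering problem this answer raises (slapcat writes entries in database order, while ldapadd needs each parent before its children) can be fixed by sorting the dump by DN depth before loading it. This is an added example, not code from the answer; the LDIF in SAMPLE is constructed, and base64-encoded dn:: lines are deliberately not handled.

```python
"""Reorder an LDIF dump into superior-first (parent before child) order so
ldapadd/ldapmodify -a can load what slapcat wrote. Added example; SAMPLE is constructed."""


def split_entries(ldif_text):
    """Entries are blank-line separated; RFC 2849 folded lines (leading space) are joined."""
    unfolded = ldif_text.replace("\n ", "")
    return [block.splitlines() for block in unfolded.split("\n\n") if block.strip()]


def entry_dn(entry):
    """Return the entry's plain 'dn:' value (base64 'dn::' DNs are not handled here)."""
    for line in entry:
        if line.lower().startswith("dn:") and not line.lower().startswith("dn::"):
            return line[3:].strip()
    raise ValueError("LDIF entry without a plain dn line")


def dn_depth(dn):
    """Count RDN components; a backslash-escaped comma does not split."""
    depth, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if dn[i] == ",":
            depth += 1
        i += 1
    return depth


def superior_first(ldif_text):
    """Stable sort by DN depth: parents come first, siblings keep slapcat's order."""
    entries = split_entries(ldif_text)
    entries.sort(key=lambda e: dn_depth(entry_dn(e)))
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


# Constructed sample in "database order": the leaf entry precedes its parents.
SAMPLE = """dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit

dn: dc=example,dc=com
objectClass: domain
"""

if __name__ == "__main__":
    print(superior_first(SAMPLE), end="")
```

Feed the result to ldapadd as in the commands above; ldapsearch output, which is already superior-first, passes through unchanged.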
ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.
Export your DB with slapcat:
slapcat > ldif
Import the DB with slapadd (make sure the LDAP server is stopped):
slapadd -l ldif
Some notes:
Save your personalized schemas and objectclass definitions on your new server. You can look for your included files in slapd.conf to obtain them, for example (this is a part of my slapd.conf):
include /etc/ldap/schema/core.schema
Include your personalized schemas and objectclasses in your new openLDAP installation.
Use the slapcat command to export your full LDAP tree to one or more LDIF files.
Use ldapadd to import the ldif files on to your new LDAP installation.
I prefer to copy the database through the protocol:
First of all, be sure you have the same schemas on both servers.
Dump the database with ldapsearch:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif
and import it into the new server:
ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif
Or in one line:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a
By using the bin/ldap* commands you are talking directly with the server, while using the bin/slap* commands you are dealing with the backend files.
(Not enough reputation to write a comment...)
Ldapsearch opens a connection to the LDAP server.
Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")
Thanks, Vish. Worked like a charm! I edited the command:
ldapsearch -z max -LLL -Wx -D "cn=Manager,dc=domain,dc=fr" -b "dc=domain,dc=fr" >/tmp/save.ldif
ldapmodify -c -Wx -D "cn=Manager,dc=domain,dc=fr" -a -f /tmp/save.ldif
Just added the -z max to avoid the size limit and the -c to go on even if the target domain already exists (my case).
