Liferay Migrating User from legacy database & LDAP - liferay

I am migrating data into Liferay from legacy database for which I have written script to programmatically push data into Liferay's user as I see fit.
Now authentication happens with LDAP and some basic details of user are also in LDAP which is supposed to be synced. Will it cause problem if I migrate users to Liferay and also sync basic details of user from LDAP after migration. Will the LDAP sync try to insert new record instead of updating the existing record in database(earlier from migration)?

If you set the Authentication Search Filter, the Import Search Filter and the User Mapping in the LDAP settings correctly, it should find the appropriate user during synchronization.
Depending on the setup of your LDAP you can use the screen name or the email address of the user as place holder in the Authentication Search Filter:
(cn=#email_address#)
or
(cn=#screen_name#)
The Import Search Filteris just to constrain the possible values, e.g.:
(&(objectClass=inetOrgPerson))
And the User Mapping should at least contain the correct mapping for the screen name, e.g. cn.

Related

wso2 identity server write correct user attributes to openldap

I wonder if anyone can help. I am working on a project that requires the use of wso2is and openldap together on linux. I am quite new to both technologies, so there may be some things I dont quite understand properly.
I have set openldap up as a secondary user store in wso2is. In openldap, using ldif files I have managed to create groups, and some dummy users. These entries can be read and displayed successfully by wso2is. The good user entries follow the format below
In wso2is I can create new users for the secondary data store and it lookks like I can assign them to the different roles. The problem is that when I create a new user in wso2, it seems to be lacking certain attributes such as password, and mail. When I view users created in wso2 (using ldap admin) they are different to users created manually using ldif. I dont know how to add the extra attributes such as email to new users created using wso2 (The extra attributes are necessary for ldap to log into another program).
The image below for user "bob" does not have the correct attributes.
The other things I dont understand is that in wso2is if I set 'cn' as the username attribute and try to view the extra attribute fields for users I created in wso2, I get an 'error reading metadata screen'. However if I set 'uid' as the username attribute and try to view extra attributes, I am allowed to see them (most are blank), but if I try to populate those fields such as surname or mail, I then get an error message saying they are not supported by the underlying ldap.
Maybe Im missing something fundamental but I dont know what it is, apparently it almost does what I want.
When you configure an external LDAP, you need to map its attributes to the WSO2 local Claims. Because with in WSO2 Identity Server all user attributes are considered as claims. Hence please try mapping secondary userstore attributes to the each local claim in the user profile. For example http://wso2.org/claims/emailaddress claim can be mapped your secondary user-store attribute as shown in the image.
Moreover, Hope you have added User Search Base, User Search Filter and User List filter properly in the secondary userstore configurations.

CouchDB add user without predefined admin

I'm just want to create a standalone application with CouchDB back-end, but I don't know if I can add a new (ordinary) user without using admin credentials.
In the documentation I just got information about creating an admin user and existing user's permissions:
Only administrators may browse list of all documents (GET
/_users/_all_docs) Only administrators may listen to changes feed
(GET /_users/_changes)
Only administrators may execute design functions like views, shows and
others
There is a special design document _auth that cannot be modified
Every document except the design documents represent registered
CouchDB users and belong to them
Users may only access (GET /_users/org.couchdb.user:Jan) or modify
(PUT /_users/org.couchdb.user:Jan) documents that they own
Here is the relevant part of documentation.
Short answer:
YES, you can
Makes no sense in a registration if you have to use admin credentials to create your account. Anyway, here is an example:
https://serverfault.com/questions/742184/couchdb-user-creation-without-authentication-standard-behavior
In this topic also can be useful this articol:
http://www.staticshin.com/programming/easy-user-accounts-management-with-couchdb
One more tip:
Creating regular users in CouchDB

Restrict user access to some docs in CouchDB

I am very new to the CouchDB world! I have a database that can be read by all users, and also can edit the docs except for the design docs. Is there a way I can make a specific user edit only the doc that was created by him/her. I am using CouchApp nd the jquery.couch.js plugin
CouchDB doesn't have per-document permissions, only per-database permissions. If you grant write access to a user, he has write access to all the documents in the database.
Assuming you avoid making all users admin and that you use CouchDB's build-in authentication mechanism, I think that's the default behaviour.
For creating regular users, see Creating regular users in CouchDB.
For more details about how the user authentication and authorization actually works, see Security Features Overview, specifically the section below "Authentication database", which outlines the built in rules in CouchDB.
Only admin users can create new users, but there's nothing stopping your from having a program logging in and doing it automatically (using an admin user, this is assuming you are looking for some kind of "Registration" process where you would do for instance email validation through some other software of yours).

Entity Framework and SQL Server user roles: how to enable EF to generate role-aware queries?

Background
We have a WinForms application with Entity Framework 4.2 code-first / FluentAPI using SQL Server 2008 R2.
The security is a custom implementation of IPrincipal and IIdentity with the roles for the user. These roles are checked when a Form/menu/button is displayed and it will be disabled/removed based on the user role.
Users are authenticated against the database so there is no "master" user for the connection: it's created using the username/password provided on the login screen.
So, access to data (general) is working.
The problem
But some cases might require me to disable access to a specific table or to a column inside the table.
Some tests have shown here that IGenericRepository.Find<MyCustomType>(_idToFind) (which returns the complete entity) will fail because there is no access to a single column and SQL server will prevent the whole select statement.
I've found, however, that create a query like
IGenericRepository.All<MyCustomType>().Select(_c => _c.JustASingleField)
will work because the generated query will look only for a specific field for which I have access.
Question
Is there a way for me to create queries that will be role-aware to the database?
For instance: Find<MyCustomType>(id) will return the object as usual but with the field that the user does not have access set to NULL or with no value?
Or I'll just have to write "generic" queries for every single item that does not require protection and rely on the security system to completely block access to a resource?
Another example would be to fill a grid but the column for which the user does not have access will be blank.
Is it possible at all using Entity Framework?
Is it possible at all using EntityFramework?
No. EF is not aware of security configuration on SQL server and it is not able to react to any security demands expected by SQL server except providing credentials for connection string.
If you require this type of security you should use database views providing only accessible items to specific role and let EF to use model mapping only views the user role has access to - it can result in quite big set of different "models" due to many roles.

Liferay - Custom Authentication Web Service. Do not need user info in liferay db

I have followed Custom Authentication Web Service link to customize authentication.
But Liferay is still checking whether the same user email id is configured in the liferay db or not. If its not, it is saying that authetication failed.
I do not want to keep any user information in the liferay db. Do any one know how to do that?
Regards
Vishal G
Create dummy users for your real users with fake data. Liferay requires some sort of Liferay user in the database to function correctly. You can create one dummy user for each real user or one dummy user for all your users depending on your needs.

Resources