I have freeradius configured with Microsoft ldap, I use it to authenticate a user and also check for groups.
in
sites-enabled/default
under post-auth, I have an if statement such as
if(LDAP-Group == "OU=groupA,....."){
update reply{
Cisco-AVpair = "shell:priv-lvl=15"
}
}
Is this correct location to handle something like this, I would assume that it should go into the policy.conf but I am not sure how to call it.
help please!!
thanks
Yes, that's the correct location. If the same policy code is used in multiple places then it can be placed in policy.conf as a named policy. This policy can then be called as you would a module in authorize, authenticate or post-auth.
policy {
my_policy {
...
}
}
post-auth {
my_policy
}
Related
What is the correct way in OIDC for an RP to initiate a global logout of all services to which the user is logged in via the OP? I can logout of a single service, but I've read you can create a frontend url for each RP, and load that as an iframe in the OP logout form, which seems somewhat flaky and cumbersome. I've also read up on backchannel logouts, but the library I'm using doesn't seem to support a global logout via this method.
The best thing I can think to do is override the configuration.features.rpInitiatedLogout.logoutSource function and implement what is defined in endSession
if (session.authorizations) {
await Promise.all(
Object.entries(session.authorizations).map(async ([clientId, { grantId }]) => {
// Drop the grants without offline_access
// Note: tokens that don't get dropped due to offline_access having being added
// later will still not work, as such they will be orphaned until their TTL hits
if (grantId && !session.authorizationFor(clientId).persistsLogout) {
await revoke(ctx, grantId);
}
}),
);
}
I'd love to know if there is a better, more idiomatic solution.
It turns out that the global logout is the default behavior, assuming that none of the RP's authorizations have persistsLogout set to true. This can happen if they include the offline_access scope or if the provider.configuration.expiresWithSession is overridden to return false, which was the case in my situation.
How to do Google Pay integration with DIRECT type?
I can't get what to do in this case. Is it possible at all to integrate Google Pay Test Environment with this type? Is it possible to work with test keys for tokenization?
Google provides guide for integration where only PAYMENT_GATEWAY type is described. Please help with some tips.
First, you will need to create a Business Profile to act as a merchant. This will give you a Merchant ID that will later be used in the PaymentDataRequest object.
You can sign up here (it's free and quick)
https://pay.google.com/business/console/home/
Next, you will need to generate a new key pair using OpenSSL, and add it to your Google Business profile.
Please see this link for more details on how to that.
https://developers.google.com/pay/api/web/guides/resources/payment-data-cryptography#key-rotation
Set the type in your tokenizationSpecification to "DIRECT". You will also need to add the below two parameters. Note that the publicKey is the public key you generated earlier and added to your business profile.
const tokenizationSpecification = {
"type": "DIRECT",
"parameters": {
"protocolVersion": "ECv2",
"publicKey": "BOdoXP1aiNp.....kh3JUhiSZKHYF2Y="
}
}
For testing, make sure you are using the 'TEST' environment. See here
function getGooglePaymentsClient() {
if ( paymentsClient === null ) {
paymentsClient = new google.payments.api.PaymentsClient({
environment: 'TEST',
paymentDataCallbacks: {
onPaymentAuthorized: onPaymentAuthorized
}
});
}
return paymentsClient;
}
I am upgrading the Facebook sdk from 3.x to 4.x and the Facebook docs make it clear that read permissions and publish permissions need to be requested separately. When the app requests read permissions, the user logs in and grants the permissions but when the app requests publish permissions, it makes the user log in again even though the user already has an access token? Is there a way to just request the permissions without having to force the user to log in again?
The Facebook android sdk allows this without having to log in twice but iOS seems to be preventing this behavior completely, which seems crazy. If an app implementation requires both read and publish permissions for the integration to even work, forcing the user to log in twice is just unnecessary friction and a bad user experience.
I have gone through the SDK class named FBSDKInternalUtility.h, in which we got one method
+ (BOOL)areAllPermissionsReadPermissions:(NSSet *)permissions
{
for (NSString *permission in permissions) {
if ([[self class] isPublishPermission:permission]) {
return NO;
}
}
return YES;
}
+ (BOOL)isPublishPermission:(NSString *)permission
{
return [permission hasPrefix:#"publish"] ||
[permission hasPrefix:#"manage"] ||
[permission isEqualToString:#"ads_management"] ||
[permission isEqualToString:#"create_event"] ||
[permission isEqualToString:#"rsvp_event"];
}
They check below permission in both cases which, while passing permission as NSSet order are getting different, so below checks for first string and return NO. So What did is I have commented out few lines as mentioned below.
+ (BOOL)areAllPermissionsReadPermissions:(NSSet *)permissions
{
//for (NSString *permission in permissions) {
// if ([[self class] isPublishPermission:permission]) {
// return NO;
// }
//}
return YES;
}
I not sure about the changes what I have done is valid or not, but I could have achieved what I wanted. So Happy.
Please, let me know if you have any suggestion to change.
I am developing modx manager custom page and cannot check if user is logged in and has access to manager ? So far I tried
$modx->user->get('username');
All i get is (anonymous) even if i am logged in and when i am not logged in.I have also tried sessioncontext etc as well. Am i doing something wrong. Did anyone faced same issue.
You need a custom snippet to manage showing things for people who are logged in or not and the Login Extra to easily access user fields. Then paste this in and call it isAdmin:
<?php
if ($modx->user instanceof modUser) {
if ($modx->user->hasSessionContext('mgr')) {
return true;
}
}
return false;
And then you want to use it like this...
[[!isAdmin:notempty=`
<!-- Do something for people logged in -->
`:default=`
<!-- Do something for everyone else -->
`]]
Code is from Mark Hamstra's blog.
we have a scenario in which we are sharing a folder with group Everyone (which I think includes all users from your domain)
when we are using \\server-ip\sharedFolder in Win+R we are able to connect to the folder and browse with out any password (my computer is logged in using a user on same domain)
when I code it in java application using File class like this
File f = new File(\\server-ip\sharedFolder );
it works then also, But I want to make my application work on mac/linux also so I am trying to use JCIFS for this purpose. But I am having issues while authenticating what should I use as username and password when guest account is also out of picture. I tried
package test;
import java.net.MalformedURLException;
import jcifs.smb.NtlmAuthenticator;
import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbException;
import jcifs.smb.SmbFile;
public class JCIFSTest {
public static void main(String args[]){
String user = "";
String pass ="";
String sharedFolder="sup";
String path="smb://server-ip/"+sharedFolder+"/";
//ntlm
// NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication("",user, pass);
try {
SmbFile smbFile = new SmbFile(path,NtlmPasswordAuthentication.ANONYMOUS);
if(smbFile.isDirectory()){
for(SmbFile f: smbFile.listFiles()){
System.out.println(f.getName());
if(f.isDirectory()){
for(SmbFile g: f.listFiles()){
System.out.println(g.getName());
}
}
}
}
//SmbFile.
} catch (MalformedURLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (SmbException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
}
but this is also giving error "Account Disabled" I guess its trying to user guest which is disabled.
since when connecting with windows using simple \\server-ip\sharedFolder it works, I think there will be a way to do this.
I want to figure out how windows is authencating when we are doing this???
EDIT: Found the way to do it. You need not be added to the list of users who are allowed to login.
If you are in the Everyone List and the folder is shared with Everyone you need to give your username and password during NTLM authentication and the folders that are shared with everyone can be accessed after that
However this late reply, but as Matheiu pointed out I should probably write an answer here to help others.
There was no code change required. It was more of a conceptual thing.
Actually when you share your file with everyone it's actually shared with everyone on your DOMAIN or guest if the guest account is enabled.
You need some way to authenticate when someone is trying to access it. When you access it like this
\server-ip\sharedFolder using windows it authenticates itself using your logged-in user and if you are part of the same domain it gives you access.
You need to do the same when you are connecting via JCIFS using linux/mac. You need to give your username and password and if your user is part of that domain you will be authenticated and you can access things that are shared publically or shared with everyone.