I am testing Squid + AD using Windows Server 2008. I have the following simple structure for now:
+ Test_Users
-----internet_group
--------Matthew Vassallo (user)
-----normal_group
--------Kenneth Grech (user)
I would like to make an LDAP query that contains a single common OU but with different groups. The following query worked out well for only one group and one OU:
(&(memberOf=OU=Test_Users,CN=internet_group,DC=matthew,DC=com)(sAMAccountName=%s))
How can I extend that for more groups, please? Thanks
Use:
(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
Then:
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
acl group1 external ldap_group internet_group
acl group2 external ldap_group normal_group
http_access allow group1
http_access allow group2
Another option is to build a complex filter:
(&(|(memberOf=CN=normal_group,OU=Test_Users,DC=matthew,DC=com)(memberOf=CN=internet_group,OU=Test_Users,DC=matthew,DC=com))(sAMAccountName=%s))
Choose the best option for you :)
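As an added example (not code from the question or from this answer), the OR'ed memberOf filter above built programmatically, with the value that replaces %s escaped so a crafted login name cannot change the filter's structure; the group container OU=Test_Users,DC=matthew,DC=com is taken from the question, and the nested-group matching rule goes one step beyond the answer.

```javascript
// Added example, not code from the question or the answers above: builds the
// OR'ed memberOf filter programmatically. The value that replaces %s is escaped
// per RFC 4515 so that a crafted login name cannot change the filter's meaning.
// GROUP_CONTAINER is taken from the question; nested-group matching is an
// addition beyond the answer.
const GROUP_CONTAINER = 'OU=Test_Users,DC=matthew,DC=com';

// RFC 4515: escape the characters that are special inside a filter value.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// RFC 4514: escape characters that are special inside a DN attribute value,
// so a group named "Sales, EMEA" still forms a single RDN.
function escapeDnValue(value) {
  let out = String(value).replace(/[\\,+"<>;=]/g, (c) => '\\' + c);
  if (out.startsWith('#') || out.startsWith(' ')) out = '\\' + out;
  if (out.endsWith(' ')) out = out.slice(0, -1) + '\\ ';
  return out;
}

// Build "(&(|(memberOf=<dn1>)(memberOf=<dn2>)...)(sAMAccountName=<user>))".
// With nested = true the AD matching rule 1.2.840.113556.1.4.1941 is used,
// which also matches users who are members through nested groups.
function buildGroupFilter(groups, user, nested = false) {
  if (!Array.isArray(groups) || groups.length === 0) {
    throw new Error('at least one group is required');
  }
  const attr = nested ? 'memberOf:1.2.840.113556.1.4.1941:' : 'memberOf';
  const clauses = groups.map((g) => {
    const dn = `CN=${escapeDnValue(g)},${GROUP_CONTAINER}`;
    return `(${attr}=${escapeFilterValue(dn)})`;
  });
  const groupPart = clauses.length === 1 ? clauses[0] : `(|${clauses.join('')})`;
  return `(&${groupPart}(sAMAccountName=${escapeFilterValue(user)}))`;
}

// Constructed sample inputs: the two groups from the question, and a login
// value that would have broken an unescaped filter.
console.log(buildGroupFilter(['normal_group', 'internet_group'], 'mvassallo'));
console.log(buildGroupFilter(['internet_group'], 'bad)(user*', true));
```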
Worked for me (&(objectClass=posixAccount)(|(ou:dn:=Users1)(ou:dn:=Users2)))
You need to be sure of the unique user uids!
AuthLDAPURL ldap://localhost/dc=ldapserver?uid?sub?(&(objectClass=posixAccount)(|(ou:dn:=Users1)(ou:dn:=Users2))) NONE
Require ldap-group cn=wsgihg,ou=WebAuth,dc=ldapserver
I'm trying to setup a basic readonlyrest example with Kibana. My config is as follows:
readonlyrest:
    enable: true
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
    access_control_rules:
    - name: Accept requests from users in group team1 on index1
      type: allow
      hosts: [localhost,127.0.0.1,10.0.0.0/24]
      groups: ["team1"]
      actions: ["indices:data/read","indices:data/read/mge/*","indices:data/read/mget","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create", "cluster:monitor/*"]
      indices: ["<no-index>", ".kibana*", "logstash*", "default" ,"sha*" ,"ba*"]
    users:
    - username: alice
      auth_key: alice:p455phrase
      groups: ["team1"]
Unfortunately this does not work. I keep getting an Authorization exception with the following error message in the Elasticsearch logs:
no block has matched, forbidding by default: { action: indices:data/read/mget,
OA:127.0.0.1, indices:[.kibana], M:POST, P:/_mget, C:{"docs":[{"_index":".kibana",
"_type":"config","_id":"4.6.1"}]}, Headers:[]}
What is missing in my config?
In kibana.yml the configuration is:
elasticsearch.username: "alice"
elasticsearch.password: "p455phrase"
If your use case is basic Kibana authentication, you should follow the example in the documentation.
Once you get that working, you could modify the example to assign the required rules to groups, and groups to your hard-coded users.
Keep in mind that this will not be a production ready solution, due to the crappy security level offered by HTTP basic auth between browser and Kibana:
The browser will pass the credentials unencrypted at every request
No way for the user to "logout" from Kibana
Nowadays ReadonlyREST offers two Kibana plugins (PRO and Enterprise), which fix the above limitations by using encrypted cookies and injecting a logout button into the Kibana UI.
The 30-day trial is available for download.
I am trying to delete a document, where the conditions are:
The user is in a Group that has deletion rights, and every user in the group is able to delete the document.
But the problem is: if the name I specify is also listed explicitly in the ACL and does not have deletion rights, then it does not check the group rights, which is fair enough.
For that I am trying to give deletion rights to those users who are in the group with the code given below.
var acl:NotesACL = database.getACL();
var entry:NotesACLEntry = acl.getFirstEntry();
if (entry != null)
{
    // getEntry() returns null when the user is not listed explicitly in the ACL
    var user:NotesACLEntry = acl.getEntry(@UserName());
    if (user != null && user.isCanDeleteDocuments() == false)
    {
        user.setCanDeleteDocuments(true);
        acl.save();
    }
}
It shows an error like:
Exception occurred calling method NotesACL.save() null.
Even the explicitly added user has User type = Person and Access = Manager in the ACL.
Is there any other way to do this?
Any help would be appreciated.
Thanks in advance.
Using database as a starting point means you're getting the database as the user. Unless the user already has Manager access to the database, this will fail because the user doesn't have access to update the ACL.
You can use sessionAsSigner, but bear in mind you cannot use the getCurrentDatabase() method. Instead you must use the getDatabase(server,filePath) method in order to get the database with the signer authority. Obviously the signer also needs rights to modify the ACL.
I'm having trouble with Squid Kerberos auth and the Squidguard ldapusersearch, which I use to apply ACLs by Active Directory group membership.
The problem is:
Squid and Squidguard see my user as user@domain.local, so the '%s' variable of Squidguard is 'user@domain.local'.
In my LDAP query there is no default property that can interpret this string.
Example :
src ldap {
ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}
And sAMAccountName should be only 'user' and not 'user@domain.local' !!!
So I found a solution, but it's not very comfortable:
I edit an unused attribute of the AD user and write my Kerberos login into it, so my conf looks like this:
src ldap {
ldapusersearch ldap://dc1.domain.local:3268/dc=domain,dc=local?displayNamePrintable?sub?(&(displayNamePrintable=%s)(memberOf=CN=group,OU=Groups,DC=domain,DC=local))
}
And it works !!!
Does anyone have an idea to bypass the need to create a custom attribute in AD that holds it?
I should point out that userPrincipalName is the same as the email and can't interpret the Kerberos login.
Thanks all !!!
I am using Squid Version 3.4.5-20140514-r13135 with squidguard 1.5-beta and the strip-domain-realm patch by Mathieu Parent, which is able to strip the domain and strip the realm.
So the users appear as "user" and not as "user@KERBEROSDOMAIN".
Here is an example configuration that's working for me:
dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard
ldapbinddn squidguard@domain.tld
ldapbindpass squidguardpass
ldapprotover 3
ldapcachetime 2400
stripntdomain true
striprealm true
src users {
ldapusersearch "ldap://ldapserver:3268/dc=ADDomain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=SQUID_USERS,OU=Squid_Groups,OU=Groups,DC=ADDomain,DC=com))"
}
I've been attempting to authenticate to an Active Directory Windows 2008 server with ldap.js. The only goal is to authenticate to the server, and I am using the client side stuff (not creating a new server, which is what all the documentation is about). I'm totally new to LDAP, and as such, authenticating with username "MYDOMAIN\myuser" does not work in ldap.js, but does in ldapsearch:
ldapsearch -H ldap://192.168.1.212:389 -x -D 'MYDOMAIN\myuser' -w pa33w0rd -LLL -b "dc=mydomain" '(sAMAccountName=myuser)'
which authenticates successfully but then spits out Referral (10).
Trying that in ldap.js with client.bind("MYDOMAIN\myuser", 'pa33w0rd', function(err) { ... } ); fails with 49 InvalidCredentialsError 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, ...
Attempting to re-write MYDOMAIN\myuser as a Distinguished Name dn: cn=myuser, dc=mydomain also fails with auth errors in ldapsearch. What is the proper way to convert DOMAIN\USER (domain backslash user format) to a DN?
From http://www.rlmueller.net/NameTranslateFAQ.htm:
Distinguished Names - format as specified in RFC 1779. For example cn=TestUser,ou=Sales,dc=MyDomain,dc=com.
NT format - the name format used in Windows NT 4.0. For example MyDomain\TestUser, where MyDomain is the NetBIOS name of the domain and TestUser is the NT name of the object (the pre-Windows 2000 name). The value of the sAMAccountName attribute is the NT name of the object.
Thus, the NT format (domain backslash user) login name MYDOMAIN\myuser can map to cn=myuser,cn=Users,dc=mydomain,dc=com or cn=myuser,cn=Users,dc=mydomain,dc=local or a bunch of others. I suggest you look at the hosts file or DNS domain name of the AD server. You should also change the -b (base) to include the dc=com or dc=local, or whatever to fix the referral error.
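As an added example serving both this answer and the Squid/Squidguard Kerberos thread above (not code from either question, from the answers, or from the ldapjs library), a small normaliser that takes the DOMAIN\user and user@REALM login forms apart and derives the sAMAccountName, the full search base that avoids the referral, and an escaped filter; the NETBIOS_TO_DNS table is a constructed assumption standing in for what DNS or the AD configuration partition would provide.

```javascript
// Added example, not code from either question, the answers or the ldapjs
// library: normalises the login forms seen in the threads above, DOMAIN\user
// (NT format) and user@REALM (Kerberos/UPN, what squidGuard's stripntdomain and
// striprealm options deal with), into the sAMAccountName plus the search base
// and filter an LDAP client needs. NETBIOS_TO_DNS is a constructed lookup table;
// in production that mapping comes from DNS or the AD configuration partition.
const NETBIOS_TO_DNS = { MYDOMAIN: 'mydomain.com', DOMAIN: 'domain.local' };

// RFC 4515 escaping for values placed inside a search filter.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// DNS domain -> default naming context, e.g. "mydomain.com" -> "dc=mydomain,dc=com".
// Searching with this full base is what avoids the Referral (10) seen above.
function domainToBaseDn(dnsDomain) {
  return dnsDomain.split('.').map((label) => `dc=${label}`).join(',');
}

// Split "DOMAIN\user" or "user@realm" into { user, domain }; a bare "user"
// keeps domain null. Note: in a JavaScript source literal the backslash has
// to be doubled ("MYDOMAIN\\myuser"), otherwise "\m" collapses to "m".
function parseLogin(login) {
  const nt = /^([^\\@]+)\\([^\\@]+)$/.exec(login);
  if (nt) return { user: nt[2], domain: nt[1] };
  const upn = /^([^\\@]+)@([^\\@]+)$/.exec(login);
  if (upn) return { user: upn[1], domain: upn[2] };
  if (/^[^\\@]+$/.test(login)) return { user: login, domain: null };
  throw new Error(`unsupported login format: ${login}`);
}

// Resolve the domain part (NetBIOS names via the table, DNS realms as given,
// case-insensitively) and produce what the search needs.
function resolveLogin(login) {
  const { user, domain } = parseLogin(login);
  if (domain === null) throw new Error('cannot derive a search base without a domain');
  const dns = NETBIOS_TO_DNS[domain.toUpperCase()] || domain.toLowerCase();
  return {
    sAMAccountName: user,
    base: domainToBaseDn(dns),
    filter: `(sAMAccountName=${escapeFilterValue(user)})`,
  };
}

console.log(resolveLogin('MYDOMAIN\\myuser'));
console.log(resolveLogin('user@DOMAIN.LOCAL'));
```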
I am developing a CRUD based database which needs to have some ACL (Access Control Lists) based on users. We want to make it so that there's an Admin access panel as well so we can quickly delete content if needed or otherwise moderate it. I am trying to keep it flexible so that it could be a separate interface for convenience but also not diverge from the general user interface because otherwise it will be harder to maintain.
What would be a good way to handle creating a user interface in the front end, assuming the backend will deal with the ACLs? Is it necessary to create a separate BB.js interface to serve or is it fine to pass a bit of extra code to all users that will be ignored?
Recommendations or warnings would be appreciated too!
I interpreted your question as you want to serve up different interfaces for different access levels of users. Therefore I would:
Put a check for the user's access before they hit each route to make sure they aren't accessing a page they shouldn't see.
They can still try to circumvent this (since they can change their user model), but your backend would still catch any unauthorized requests.
You can also conditionally show and hide page elements based on user access levels.
Here's example code from my ACL.coffee:
acl = {}
acl['admin'] = [
  'page1',
  'page2',
  'page3',
  'page4',
  'page5'
]
acl['user'] = [
  'page1',
  'page2',
  'page3'
]
hasAccess = (route) ->
  # Get User Model
  user = window.App.user
  # Get Associated ACL (empty list for an unknown role, so an unexpected
  # role is denied instead of throwing on `undefined.some`)
  permissions = acl[user.get('role')] or []
  # Check each URL for Access Privileges
  # Returns false if route not in array (substring match via indexOf)
  permissions.some (r) -> ~route.indexOf r
{hasAccess}
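As an added example (not the answer's ACL.coffee), the same role-to-route map in plain JavaScript written default-deny: an unknown role gets no permissions rather than a TypeError, and routes are compared as whole normalised paths instead of substrings, so a grant for "page1" does not also admit "page10"; the role and route names are the answer's, and the user object is a constructed stand-in for window.App.user.

```javascript
// Added example, not the answer's ACL.coffee: the same role-to-route map in
// plain JavaScript, written default-deny. Two differences from the CoffeeScript
// version: an unknown role yields an empty permission list instead of a
// TypeError, and routes are compared as whole normalised paths, so a grant for
// "page1" does not also admit "page10" or "page1/admin" the way a substring
// match via indexOf does. Role and route names are the answer's; the user
// object is a constructed stand-in for window.App.user.
const ACL = {
  admin: ['page1', 'page2', 'page3', 'page4', 'page5'],
  user: ['page1', 'page2', 'page3'],
};

// Normalise a route: drop leading "#" and "/", query string, fragment and
// trailing slashes, so "#/page1?x=1" and "/page1/" both become "page1".
function routeKey(route) {
  return String(route).replace(/^[#/]+/, '').split(/[?#]/)[0].replace(/\/+$/, '');
}

// Client-side gate: true only if the role exists and lists exactly this route.
// This shapes the UI only; the backend still has to authorise every request,
// since a user can edit their own user model from the browser console.
function hasAccess(role, route) {
  const permissions = ACL[role] || [];
  const key = routeKey(route);
  return key !== '' && permissions.includes(key);
}

// Wrapper matching the original call site. The app argument defaults to the
// global App object in the browser; passing one explicitly lets it run in Node.
function hasAccessForCurrentUser(route, app = globalThis.App) {
  const user = app && app.user;
  const role = user && typeof user.get === 'function' ? user.get('role') : undefined;
  return hasAccess(role, route);
}

// Constructed checks.
console.log(hasAccess('user', 'page1'));       // true
console.log(hasAccess('user', 'page10'));      // false; substring matching would allow it
console.log(hasAccess('guest', '#/page1'));    // false; unknown role, no throw
```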