Using sssd I have a RHEL6 client configured to login using ldaps. The login works, but if the user logged is assigned to more than 1 group at the ldap level, groups only returns 1 group? Could I be missing a configuration somewhere?
The group shown is the default group assigned to the user. In RHEL5 client, the group command display all the groups that are assigned to the user.
In general the things to check are:
1) Is the LDAP schema the one you want to use? (RFC2307 vs RFC2307bis). The former stores the plain username in the "memberuid" attribute, the latter (used by AD for instance) stores the full DN in the "member" attribute.
2) Are the search bases set correctly?
If you can paste the RHEL6 and RHEL5 config files for comparison, that would be great. Feel free to sanitize/remove info like bind DNs, passwords or URIs.
I was able to spend some time today and was able to fix the issue. RHEL 6 uses sssd. The configuration file /etc/sssd/sssd.conf had to be changed to have the following in the domain/default section
ldap_search_base = dc=domain,dc=something,dc=com
ldap_group_member = uniquemember
Is the missing changes in the default config.
[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=domain,dc=something,dc=com
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://yourldap.server.com/
ldap_chpass_uri = ldaps://yourldap.server.com/
krb5_kdcip = kerberos.example.com
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(objectclass=shadowaccount)(objectclass=posixaccount))
Related
I'm using RDF4J to add RDF triples to a completely open (Security off) GraphDB instance. I use the RemoteRepositoryManager and it works fine:
RepositoryManager repositoryManager = new RemoteRepositoryManager(GraphDBInstanceURL);
Repository repository = repositoryManager.getRepository(graphDBrepoName);
RepositoryConnection repositoryConnection = repository.getConnection();
Now we need to add security to GraphDB, but it is not clear to me how to add the specific GraphDB user credentials in the above code. Any pointers are wellcome, thanks
I'm currently playing around with gitlab-ce (omnibus, on an Ubuntu VM) in an environment with LDAP authentication.
The LDAP administrator recently reconfigured the OUs from something like
ou=temp, ou=users, ou=baseinfrastructure to
ou=users, ou=baseinfrastructure.
Now when I do something as simple as git pull with a regular user account, that user account will be set to ldap_blocked since gitlab queries for the user with the temp part in the cn string and obviously doesn't find it.
Is there a way to update the users or something else so gitlab no longer queries with the ou=temp, part?
After some search, I've found out the information is stored in the identities table.
In gitlab omnibus, you can start a database console using gitlab-psql.
In my case, the required query for verifying I'm doing the right thing was:
SELECT external_uid, replace(external_uid, 'ou=temp,', '') FROM identities;
and then actually replacing them by executing:
UPDATE identities SET external_uid = replace(external_uid, 'ou=temp,', '');
For a single user you can use gitlab-rails console.
Find your user:
user = User.find_by_email("user#email")
Get user extern_uid:
user.ldap_identity.extern_uid
the above should print result similar to: => "uid=username,ou=people,dc=example,dc=com"
Update values as neccesary:
user.ldap_identity.extern_uid = "uid=newusername,ou=newpeople,dc=example,dc=com"
Verify:
user.ldap_identity.extern_uid
=> "uid=newusername,ou=newpeople,dc=example,dc=com"
And finally save
user.save
I believe this script Gitlab rake task to mass update ldap dn may be useful for updating multiple users at once.
I can't figure out how to setup Gitlab Pages on my self-hosted Gitlab instance without wildcard domains. For example, I have 1 server with 3 public IP addresses and domain names:
10.8.0.10 (git.example.com) - main GitLab instance
10.8.0.11 (registry.example.com) - container registry
10.8.0.12 (pages.example.com) - GitLab Pages
Then' I set up the Omnibus config /etc/gitlab/gitlab.rb like that:
external_url 'https://git.example.com'
nginx['enable'] = true
nginx['listen_addresses'] = ['10.8.0.10']
registry_external_url 'https://registry.example.com'
registry_nginx['enable'] = true
registry_nginx['listen_addresses'] = ['10.8.0.11']
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/git.example.com.crt"
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/git.example.com.key"
pages_external_url 'https://pages.example.com'
pages_nginx['enable'] = false
gitlab_pages['enable'] = true
gitlab_pages['cert'] = "/etc/gitlab/ssl/pages.example.com.crt"
gitlab_pages['cert_key'] = "/etc/gitlab/ssl/pages.example.com.key"
gitlab_pages['external_http'] = ['10.8.0.12:80']
gitlab_pages['external_https'] = ['10.8.0.12:443']
For example, I have a project located on https://git.example.com/somegroupname/project. I can get an access to container registry of this project by https://registry.example.com/somegroupname/project and pull the Docker image with command docker pull registry.example.com/somegroupname/project.
I know that GitLab Pages set namespaces as the A-record. In my case, it sets up like https://somegroupname.pages.example.com/project, but I don't have an availability to use such domain names. Instead of that, I want to place the namespace in path like that:
https://pages.example.com/somegroupname/project
but I can't find any settings or parameters to enable this behavior, and it doesn't work with the current setup. All the pages stored correctly in default path /var/opt/gitlab/gitlab-rails/shared/pages/. Can please somebody help me?
Our SVN administrator is on holidays, and I need to add a new user to subversion.
We're using Collabnet Subversion on a RedHat box.
I've found the CollabNet_Subversion/conf/ directory with all the configuration files, including an auth file that I can see contains all our users and the groups that they belong to.
All our users need to log in with their LDAP credentials, so I don't need to change any of that.
It looks something like this:
company_auth_production
`[groups]
it-leads = jsmith, hsimpson, pgriffin
it-all = ajolie, rwitherspoon, #it-leads
[/]
* =
[prod:/]
#it-all = rw
`
So I added the new user and restarted subversion. But that doesn't seem to have done the trick. Am I missing something else ? Thanks
a. You have mention that there is "company_auth_production" file. Please check if there is some other authorization file, probably "authz". Can you please provide more information on this.
As per the structure in your file
[prod:/]
#it-all = rw
should have given the read write access to all the users of "it-all" till the path "prod".
b. If this is not working then please try using "VisualSVN Server". It has a very nice gui to add users and give them priviledges also.
Hope this helps.
In your apache Configuration is usually a require directive (eg "require group" or "require user"). Often there is a specific group which user has to belong to access svn (eg svnusers, etc...)
I'm looking for a way to query the Terminal Services Home Folder property of user objects in Active Directory. My goal is to be able to perform a reverse lookup, finding the user(s) that use a particular home folder.
Normally to perform a search I would do something like this:
using (var search = new DirectorySearcher())
{
// Find a user based on their telephone number
search.Filter = "(telephoneNumber=999)";
search.PropertiesToLoad.Add("displayName");
var result = search.FindOne();
if(result != null) {....}
}
But the Terminal Services settings don't seem to have a referable LDAP attribute name - in the past to set these values I've had to use the IADsTSUserEx interface with an existing DirectoryEntry to manipulate the TS profile and home folder properties. However this is only useful when I have the user account in question - it's not very practical to step through every user in a domain and create a DirectoryEntry object for them just to check their TS profile path.
Is there any practical way to perform a "WHERE User.TerminalServicesProfilePath=X" query in .NET?
Nobody here so, I try an explanation.
In Windows Server 2008 (and R2), the Terminal Services Terminal Server Runtime Interface takes the user parameters from the user Active-Directory attribute called userParameters. As explain in Microsoft documentation userParameter contains Terminal Server parameter as blob.