Is there any way that I could set in redis to allow a specific user to login only from local?
Try to limit the login source for a specific user
Related
I've created an app that uses Auth0 for login. I have google-oauth2 enabled for the app. What I would like to do is have a whitelist of approved users who can login but all I see is a Users page where I can block users after they've logged in. Is there a way I can configure Auth0 to restrict Google users (and all users except approved ones). Thanks....
There are a few options that you could use in order to implement what you want:
Using Auth0 Rules. Maybe you can try to create a Rule that check the user's email adress against a whitelist of adresses, and allow only access if the adress exists on the list. Rules docs
Using Auth0 Client Grants. It will allow you to grant access to specific users, based on their userId. Grant Types
Probably you could try to create a Group and assign users to that group and allow just them to log in or using auth0's connection .
You could try to use that method based on email invitation too Email invitation
RE: https://jfrog.com/knowledge-base/when-do-the-groups-associated-with-an-ldap-user-get-updated-in-artifactory/
The Knowledge Base article above says:
"LDAP user authentication requests using Encrypted password or plain text password will update the LDAP group association changes from the LDAP server."
We've added a user to a group, but that user still can't see the artifacts governed by that group even after he has logged in. How can we cause Artifactory to update its group membership cache?
Please ask the user to logout and log back in after being added to the groups. Artifactory will try to reach to the LDAP server for validating the creds and then get the groups associated with the user which is returned from the LDAP server.
There is a chance that LDAP cache as mentioned in here https://www.jfrog.com/confluence/display/JFROG/LDAP#LDAP-Non-UIAuthenticationCache might take effect the groups to be associated if the user session is not hitting the LDAP server.
I am trying to configure Grafana for my organization. I was able to configure LDAP and MySQL database pretty easily but when I try to invite a new user to an org in Grafana, it always asks the user to join Grafana.
This would be an OK behavior if at that point Grafana would authenticate against LDAP. Instead, it creates a new user in its own database. This would lead to conflict with LDAP in case the user's AD passwords changes.
This works perfectly when a user had previously logged in to Grafana. An invite sent after would directly take the user to login page.
Is it possible to do the same in case the user is not already registered in Grafana? I really want to avoid saving user credentials in Grafana database.
Any help would be appreciated. Thanks.
I am not a Grafana expert, but looking through the source code on GitHub it certainly seems that new user registration will not go through LDAP. This is obvious in the LDAP related configuration file where you see the read-only credentials needed to look up users in the LDAP directory. A read-only administrator in LDAP will not be able to create new users as this would be necessary during a registration step. The code also indicates that registration creates temporary users in the internal store.
I have implemented password expiry for my website. If a user has an expired password, then I would like to redirect the user to a specific form where I then resend a random password.
To do this, I have:
setup a form with a WebQuerySave agent that changes the password using the AdminP ChangeHTTPPassword method
set the custom form to load in the domcfg database
made the form a public access form, and the agent runs on behalf of an admin account
The issue I have, is that the user appears to get stuck in a loop of wanting the password changed (names.nsf?ChangePassword) and will not even let me redirect the user to complete a new form from that will then kick off the password reset etc. This includes a link to my password reminder page that sends the user their password.
These are external users, and I am using directory assistance. I do not use the ID vault here.
Is it possible to get out of this loop?
If not, then is it possible to add an agent to run when the standard password reset works?
I have IIS 7.5 site:
Authentication = Windows Aythentication enabled
Application Pool = DefaultAppPool
DefaultAppPool Identity = ApplicationPoolIdentity
Load User Profile = True
On the filesystem,
DefaultAppPool has Read and Execute privileges to the entire site.
Also added a security group with Read and Execute privileges to the entire site.
With these settings, only users in the security group are able to access the site. All others get a AD login window, which has no affect. I'm not understanding this behaviour.
From research, it looks like I don't need to add the DefaultAppPool to the filesystem, if users are only executing, but still doesn't explain why they get the login challenge.
I'm also unclear if i need to set the AuthenticatedUserOverride (in Config Editor) from UseAuthenticatedUser to UseWorkerProcessUser if i want to use the filesystem security of DefaultAppPool. When i set this, i get an access error, not even the login challenge.
Note: site is not in the Default Web Site, but on a specific port number.
I'm unclear why i seem to need users listed in an ACL rather than using the generic DefaultAppPool.
Windows authentication determines how you determine who is who. Impersonation means which user account the security context runs under. Because you are loading the user profile, the context is taking on the AD user's security. Your DefaultAppPool identity is now out of the picture which is why you need ACL's on your files / folder.
Users will continue to receive the login prompt who are not cleared at the ACL level because IIS doesn't know what to do until an account that can access the files is provided. Watch in fiddler and you'll continue to see challenge messages from the server.