I'm struggling with the customization of the provisioning of an identity from OIM to an OUD server as target resource.
I've been able to perform the provisioning with default attributes, the user identity is created successfully and I'm able to use it for the authentication in a Spring web application.
Now I want to add authorization based on the user location. The location of the user is available in OIM, so I want to provision it to the LDAP server in order to avoid to manually edit each identity.
I've searched a lot but I've not been able to add an additional attribute to the provisioning process, up to now I've just modified reconciliation and provisioning lookups in OIM, but this is not enough or either I've made a mistake.
I've found some guides to extend the functionality of the connector but they were related to Active Directory.
Does someone has any advice or a guide to help me solve this issue?
This is pretty well described in their documentation, so from the high level perspective it's:
you add a new field on the provisioning form
associate the new form version with the application instance
make lookup changes to reflect the attribute mapping
add provisioning tasks to the provisioning process
Related
I am trying to enroll a user on my Moodle site via using the Moodle API.
My Moodle instance is hosted on AWS and all relevant ports are open and listening. So, from the network perspective, I can commit that is all ok.
The steps I have already done based on Moodle Documentation:
I have enabled web services on Administration > Mobile app >Mobile settings
I have gone through the 10 steps on the overview of allowing an external system to control Moodle as explained in the documentation (shown also in this Youtube video)
For testing purposes, I am using Postman. Some requests are going through (e.g. getting the token for a certain user, getting the list of all courses, etc.)
Example:
But when I try to i.e. create a user or enroll a user in an existing course I am getting this error:
{
"exception": "webservice_access_exception",
"errorcode": "accessexception",
"message": "Access control exception"
}
The way I am trying to i.e. create the user is as follows:
In the body section I am sending the following data:
users[0][username]
users[0][email]
users[0][lastname]
users[0][firstname]
users[0][password]
Based on my research, most of the contributors suggested enabling web services, but as mentioned above I have enabled them but the problem persists.
Can someone help me solve the issue here or maybe suggest a way of debugging it?
Fortunately, I managed to solve the issue for both user creation and user enrollment.
Here is a great guide that helped me. In addition, you need to add some additional functions to the web service (roles wary based on what you want to do in Moodle) and also you need to alter the permissions of the new user (again depending on what you want to do)...
I am using Fusion Auth as an auth backend for my project.
After starting up the container as shown here(https://fusionauth.io/docs/v1/tech/installation-guide/docker), if we open the URL(Ex: http://localhost:9011) we need to create an admin user and then we will be able to create Application, API Key, Lambda.
As my project doesn't involve UI interaction, I wanted to create Application without involving UI interaction(i.e., setup-wizard).
I was unable to find an API that relates to setup-wizard.
As I saw Since this is your own private instance of FusionAuth, you need to create a new administrator account that you will use to log in to the FusionAuth web interface. in setup-wizard I thought this is required only for UI, So I tried to create Application using this(https://fusionauth.io/docs/v1/tech/apis/applications#create-an-application) API, but it is returning a 401(Unauthorized).
Can someone help me to either create an application without authentication or bypass setup-wizard?
The FusionAuth Kickstart does exactly what you need. It will allow you to pre-define the configuration that you require in a JSON file and then the system will bootstrap itself automatically.
The base use case it to provision an API key which would allow you to programmatically configure the rest of the system by using APIs after an API key has been created.
{
"apiKeys": [{
"key": "a super secret API key that nobody knows"
}]
}
You also have the option of building your entire configuration in the Kickstart definition. There are a bunch of examples and walk throughs on the Kickstart installation guide.
Good luck!
GOAL: Create users in Azure Active Directory using our Global Admin account from an API.
PROBLEM: Every single way I try, I get "unauthorized".
WHAT I'VE TRIED:
I've been focusing mostly on this: https://graph.microsoft.com/v1.0/invitations
I've tried as outlined here
the "Authorization Bearer {token}" is problematic -- I can't seem to properly retrieve tokens, using any of the built URLs recommended (ie, combining ClientID & TenantID in the URL.)
I've tried the relevant portions of this, including creating the app, setting permissions on the app, trying both Web API and Native. I'm able to get a code back, but using it always comes back with Unauthorized.
As an aside, I am using Nintex to run this web service, as it is part of my workflow. Typically, web services don't give me issues. So, this sucks.
I'm missing something, here. Any thoughts or direction?
UPDATE: Removed the word "method" - bad choice of phrasing.
If you want to use Microsoft Graph explorer to create user as the global admin, you could use POST https://graph.microsoft.com/v1.0/users, and the required permission is:
Permissions
For the details, you could read Create user.
Global admin runs as a user by default. To grant access to Active Directory, you need to elevate permissions in the portal.
I'm not convinced you have the permissions to create the user, and that's why I think you're getting the error.
Also, try and avoid using Global Admin. Create a Service Principal and provide more granular permissions.
I have installed SonarQube 5.2 and the LDAP plugin 1.5 a few hours ago. I am really happy about the easy configuration of the LDAP plugin in an Active Directory domain.
But I experience something which looks like a huge problem.
1) An AD user loads the web page of the SonarQube instance
[behind the scenes] a user is being created (starting up from the headers of the HTTP request and the information present in the Active Directory)
2) An administrator of the platform (e.g. admin, default administrator of the platform) gives her some rights (e.g. add her to the sonar-administrators group)
the web interface shows an updated set of rights for this user
3) The user starts a new session
!!! The user has lost all of its rights. She doesn't belong anymore to the sonar-administrators group
(expected behavior) the user gets an updated interface, with the menus reserved to the sonar-administrators group
Am I missing some important part of the documentation?
You have configured SonarQube to use an external system to manage security, in this particular case Active Directory. So the default (and expected) behaviour is to delegate both the authentication and the authorizations to this system.
In your example, if you want the user to belong to some specific group, you have to configure this in your Active Directory. Next time the user logs in, he will be associated to this(those) group(s).
Note that the groups must exist in SonarQube otherwise this won't work (i.e. you have to manually add them in the "Security > Groups" ).
To elaborate on Fabrice's answer, when you have a user or group in the AD that you want to have administration permissions to the SonarQube instance, go to:
<your sq instance>/roles/global
and add the user or the group to the Administer System global permission.
Iam using Apache Directory Ldap. I started using it just recently. I had one query:
I had one attribute called 'user-last-date', so as soon as this user end-date reaches, I should be able to disable the user account in ldap and also should send out an automated email to his manager. So, Is that possible to disable the user automatically in ldap as soon as the 'user-last-date' reached?
I already searched in google on this, not finding much info on this.
No, it is not possible by default, however you can write a custom interceptor to achieve this.
Or you can set the value of attribute pwdAccountLockedTime to 000001010000Z to permanently lock the account, but this will be effective only if the passwordpolicy is enabled.