ADFS Claims Rule Issue - ldap

I am attempting to create a custom claim rule in ADFS but I am at a loss as to how to do it. I have the following for users in my AD:
ObjectClass = PrivatePerson
Attribute = PrivatePersonAttribute1
I need to be able to return the value for the attribute in the claim as NameID. Anyone have any suggestions? I am at a complete loss here.

The claims rule wizard in ADFS is editable i.e. you can enter data in the "dropdown".
So create an LDAP rule that maps PrivatePersonAttribute1 to something like http://company.com/PrivatePersonAttribute1
These values won't be in the dropdown so you have to enter them.
Then create a Transform rule that maps http://company.com/PrivatePersonAttribute1 to NameID. You should probably choose a format as well, e.g. email or UPN.
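The two rules the answer describes, written out in ADFS claim rule language and applied with the ADFS PowerShell module. This is an added example, not the answerer's text or an extract from any ADFS wizard; the trust name "MyApp", the custom claim type http://company.com/PrivatePersonAttribute1 and the choice of the emailAddress NameID format are assumptions for the illustration. The @RuleTemplate lines are what the wizard writes; if you paste a rule in as a custom rule instead, omit them.

```powershell
# Added example (assumed names): an LDAP-attribute rule that reads the custom
# attribute into a custom claim type, followed by a transform rule that turns
# that claim into NameID with an explicit format.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Read PrivatePersonAttribute1 from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://company.com/PrivatePersonAttribute1"), query = ";PrivatePersonAttribute1;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform PrivatePersonAttribute1 to NameID"
c:[Type == "http://company.com/PrivatePersonAttribute1"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# -IssuanceTransformRules replaces the trust's whole rule set, so any rules the
# trust already has must be included in $rules as well.
Set-AdfsRelyingPartyTrust -TargetName "MyApp" -IssuanceTransformRules $rules

# Read back what ADFS stored for the trust.
(Get-AdfsRelyingPartyTrust -Name "MyApp").IssuanceTransformRules
```

Two things to check before relying on this: the attribute store query runs as the ADFS service account, so that account needs read permission on PrivatePersonAttribute1 for the users concerned; and the format URI in the transform rule has to be the one the relying party expects, otherwise it will reject the assertion even though the NameID value is correct.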

Related

Active directory login using Apache shiro

We have a Java based application, where we are using CN as login.
However we want to use samAccountName as userId.
Following is the shiro.ini
contextFactory=com.trmsys.cargo.shield.shiro.ldap.JndiExtLdapContextFactory
contextFactory.url=ldaps://ldaps.test.net:636
contextFactory.systemAuthenticationMechanism=simple
contextFactory.systemUsername=CN=SRV,OU=ServiceUsers,DC=test,DC=net
contextFactory.systemPassword=12WEty%^
contextFactory.environment[java.naming.security.protocol]=ssl
ldapRealm=com.trmsys.cargo.shield.shiro.ldap.JndiLdapRoleRealm
ldapRealm.contextFactory=$contextFactory
ldapRealm.userDnTemplate=CN={0},OU=AppUsers,DC=test,DC=net
ldapRealm.searchBase=OU=Groups,DC=test,DC=net
ldapRealm.searchUserBase=OU=AppUsers,DC=test,DC=net
ldapRealm.groupObjectClass=group
ldapRealm.uniqueMemberAttribute=member
ldapRealm.uniqueMemberAttributeValueTemplate=CN={0},OU=AppUsers,DC=test,DC=net
Can anybody please provide the proper way of making the desired change?
Got the correct way of doing this.
We have to make changes in the following line
ldapRealm.userDnTemplate=CN={0},OU=AppUsers,DC=test,DC=net
Changes would be like following
ldapRealm.userDnTemplate={0}
Now sAMAccountName can be used as userId. While logging in, the username should be given as either "domain/account" or "account#domain".
If we do not want to use "domain/account", change it as follows:
ldapRealm.userDnTemplate=domain/{0}
Now the user id would be "account". [account == value of sAMAccountName]

Pentaho Kettle LDAP Output

How do I update the LDAP value using LDAP Output Step in Spoon?
I couldn't find any documentation on Pentaho's website. I am trying to update the group name of a particular user in Active Directory.
Until now, I was able to connect with the AD. But I can't make any changes to LDAP.
In General -> Settings, my operation is set to Update.
In Fields -> Search Base, I defined the DC attributes, e.g. dc=xyz,dc=com.
And in Attributes, I defined the OU along with the value it should be changed to.
Is this how it should work?
I am getting an error saying "can not find DN(Distinguished Name) in the input stream!"
My guess is that you are using the values you want to inject instead of the fields containing those values. This step heavily relies upon fields coming in from previous steps.
In the image below you will see I am passing in the 'dn' field which is used in Settings > 'Dn fieldname' to lookup the field I want to alter.
Then under Fields I am mapping the incoming 'new_name' field to the property 'givenName' on the LDAP object identified by the DN.
So my DN to lookup and the value to set the field to are coming from my transformation stream. I only statically identify the Attribute on the LDAP object to be mapped.
The dn is not right. The dn is the cn + the OU structure (ou) + the domain structure (dc).
If you don't know the cn, you can't define the dn. You must use an LDAP-Input with a query on something like your uid to get the dn.
With this dn you can update attributes with LDAP-Output, if you have write rights.

webcenter content field validation

How can we validate a custom field while checking in to Oracle WebCenter Content? It may be an email validation or a custom validation, say the field will allow the user to input only 10 chars, of which the first four are alpha and the next six are numeric.
Regards,
Ananda Roy
Try adding a rule to the profile (or using global rule). Then, in the rule side effect, set this: <$xCustomField:maxLength=10$>
You can get fancier validation by doing more customization such as this.

LDAP Group Filter for authorization in Activiti

I am using the activiti-ldap jar to achieve LDAP in Activiti. I am able to succeed with authentication but I am not able to perform authorization.
The code is using the filter below to authenticate (it is giving a result):
(&(objectClass=person)(objectClass=user)(sAMAccountName=my-name))
The code is using the filter below to authorize (i.e. search groups based on the authenticated user). The enumeration is not giving any result:
(&(objectClass=group)(member=my-distinguished-name))
However, when I use the same group filter in Softerra LDAP Browser, it gives a result.
// search() and hasMore() both throw NamingException; the loop body only runs if a group matched
NamingEnumeration<?> namingEnum = initialDirContext.search(baseDn, searchExpression, createSearchControls());
while (namingEnum.hasMore()) {
    System.out.println("Inside While");
}
I am sure I am missing something. Can anyone point out my mistake?
I'm not sure if this answers your question, but something you have to be careful of when using a Distinguished Name with Active Directory (I am assuming it is Active Directory because there is a sAMAccountName attribute) is commas, or other special characters in the DN (an example would be cn=Harley, Gregory). Commas and other special characters need to be escaped with a single backslash ("\"); Softerra may automatically escape these in the query string for you.
Like I said, it may not answer your question, but may give you an avenue to search.
Cheers,
Greg
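The escaping point in the answer above has a second layer that is easy to miss: a DN stored in AD already carries RFC 4514 escaping (the comma becomes \,), and when that DN is then placed inside a search filter the backslash itself has to be escaped per RFC 4515 (\5c), otherwise the filter never matches. The example below is added here and is not the poster's code or part of activiti-ldap; the DN, base DN and group attribute names are constructed for the illustration. It shows both the hand-escaped filter and the JNDI filterArgs form, which does the filter escaping for you and is also the defence against filter injection when the value comes from user input.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Rdn;

// Added example (constructed data): escaping a DN for use inside an LDAP filter.
public class LdapFilterEscaping {

    // RFC 4515 escaping for any value placed inside a search filter.
    // The five characters that must be hex-escaped are \ * ( ) and NUL.
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char ch : value.toCharArray()) {
            switch (ch) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    // The group filter from the question, with the member DN escaped by hand.
    public static String groupFilterFor(String memberDn) {
        return "(&(objectClass=group)(member=" + escapeFilterValue(memberDn) + "))";
    }

    // Same query via JNDI's filterArgs overload: each {n} argument is encoded
    // by the provider, so the caller never concatenates raw values into the filter.
    public static NamingEnumeration<SearchResult> groupsOf(DirContext ctx, String baseDn, String memberDn)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] { "cn" });
        return ctx.search(baseDn, "(&(objectClass=group)(member={0}))",
                new Object[] { memberDn }, controls);
    }

    public static void main(String[] args) {
        // Constructed DN: Rdn.escapeValue applies the RFC 4514 escaping (backslash
        // before the comma) that AD itself uses when it stores such a name.
        String rdnValue = Rdn.escapeValue("Harley, Gregory");
        String dn = "CN=" + rdnValue + ",OU=Users,DC=example,DC=com";
        System.out.println("DN as stored in AD : " + dn);
        System.out.println("Filter to send     : " + groupFilterFor(dn));
    }
}
```

Running main prints the DN with the comma escaped once (\,) and the filter with the same spot escaped twice (\5c,). If the filter built for the question's search contains a bare \, the directory parses the backslash as the start of a hex escape and the member comparison fails silently, which is exactly the empty enumeration described. Prefer the filterArgs form in application code: it keeps the escaping with the provider and removes the concatenation that LDAP injection relies on.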

MVC user's full name in Url, how to handle duplicates

I want to setup the following url in my MVC4 website, using the user's full name in the url:
http://www.myapp.com/profile/steve-jones
I have setup the following route in Global.asax:
routeCollection.MapRoute(
    "profile", "profile/{userName}",
    new { controller = "myController", action = "profile", userName = string.Empty }
);
And I can take the parameter 'steve-jones' and match it to a user with matching name. My only problem though is, what if there is more than one 'Steve Jones', how can I handle this?
Does anyone know of a workaround/solution to this so that I can use a user's full name as part of the url and still be able to retrieve the correct user in the controller method?
Am I forced into including the user's id with the url (something that I do not want to appear)?
The usual way of handling this is by appending a number when creating the profiles. So if "steve-jones" is already a name in the database, then make the user's display name "steve-jones2". You basically have to insist that all profile urls are unique, which includes updating any existing database and account creation code.
Alternatively (and/or additionally), if two same names are found then have the script reroute to a disambiguation page where the user is presented with links and snippet of profile info of the many existing Steve Joneseses so they can go to the full correct profile.
Another way of handling it is by giving all user profiles an additional numeric code on the end. At my university all logins are based on name, so they give everyone pseudo-random 3-digit extensions so that they are safe as long as they don't get 1000 people with the exact same names :)
Some people might be happier being steve-jones-342 if there is no steve-jones or steve-jones1, if you're concerned.