Active Directory login using Apache Shiro - LDAP

We have a Java-based application where we are using CN as the login.
However, we want to use sAMAccountName as the user ID.
Following is the shiro.ini:
contextFactory=com.trmsys.cargo.shield.shiro.ldap.JndiExtLdapContextFactory
contextFactory.url=ldaps://ldaps.test.net:636
contextFactory.systemAuthenticationMechanism=simple
contextFactory.systemUsername=CN=SRV,OU=ServiceUsers,DC=test,DC=net
contextFactory.systemPassword=12WEty%^
contextFactory.environment[java.naming.security.protocol]=ssl
ldapRealm=com.trmsys.cargo.shield.shiro.ldap.JndiLdapRoleRealm
ldapRealm.contextFactory=$contextFactory
ldapRealm.userDnTemplate=CN={0},OU=AppUsers,DC=test,DC=net
ldapRealm.searchBase=OU=Groups,DC=test,DC=net
ldapRealm.searchUserBase=OU=AppUsers,DC=test,DC=net
ldapRealm.groupObjectClass=group
ldapRealm.uniqueMemberAttribute=member
ldapRealm.uniqueMemberAttributeValueTemplate=CN={0},OU=AppUsers,DC=test,DC=net
Can anybody please provide the proper way of making the desired change?

Got the correct way of doing this.
We have to change the following line:
ldapRealm.userDnTemplate=CN={0},OU=AppUsers,DC=test,DC=net
The change would be as follows:
ldapRealm.userDnTemplate={0}
Now, sAMAccountName can be used as the user ID. While logging in, the username should be given as either "domain/account" or "account#domain".
If we do not want to type "domain/account", change it as follows:
ldapRealm.userDnTemplate=domain/{0}
Now the user ID would be "account". [account == value of sAMAccountName]

Related

Pentaho Kettle LDAP Output

How do I update an LDAP value using the LDAP Output step in Spoon?
I couldn't find any documentation on Pentaho's website. I am trying to update the group name of a particular user in Active Directory.
Until now, I was able to connect to the AD. But I can't make any changes to LDAP.
In General -> Settings, my operation is Update.
And in Fields -> Search Base, I defined the DC attributes, e.g. dc=xyz,dc=com.
And in Attributes, I defined the OU along with the value it should be changed to.
Is this how it should work?
I am getting an error saying "can not find DN(Distinguished Name) in the input stream!"
My guess is that you are using the values you want to inject instead of the fields containing those values. This step heavily relies upon fields coming in from previous steps.
In the image below you will see I am passing in the 'dn' field which is used in Settings > 'Dn fieldname' to lookup the field I want to alter.
Then under Fields I am mapping the incoming 'new_name' field to the property 'givenName' on the LDAP object identified by the DN.
So my DN to lookup and the value to set the field to are coming from my transformation stream. I only statically identify the Attribute on the LDAP object to be mapped.
The DN is not right. A DN is the CN plus the OU structure (ou) plus the domain structure (dc).
If you don't know the CN, you can't define the DN. You must use an LDAP Input with a query on your uid to get the DN.
With this DN you can update attributes with LDAP Output, if you have write rights.

Getting Middle Initial from LDAP

I am trying to get the middle initial of a user from LDAP. I don't know what to pass into the DirectorySearcher. Here is what I have so far:
search.PropertiesToLoad.Add("memberOf");
search.PropertiesToLoad.Add("distinguishedname");
search.PropertiesToLoad.Add("name");
search.PropertiesToLoad.Add("usnchanged");
search.PropertiesToLoad.Add("objectguid");
search.PropertiesToLoad.Add("givenname");
search.PropertiesToLoad.Add("sn");
search.PropertiesToLoad.Add("mail");
search.PropertiesToLoad.Add("samaccountname");
There is an "initials" attribute on the user object.
Is this what you want?
http://msdn.microsoft.com/en-us/library/ms676202%28v=vs.85%29.aspx

How to get user information from hippo via HST

I'm evaluating Hippo CMS.
After adding hst-security as a dependency, the public site needs a login, but how can I fetch the logged-in user's details, like email and so on?
I used HstRequest.getUserPrincipal, but only get the username.
I also tried writing a query, SELECT_USER_QUERY = "SELECT * FROM hipposys:user",
but only got a user 'liveuser', after logging in as admin.
So, can anyone help me: how can I get the detailed info?
You can do this:
final User user = JcrSessionUtils.getHippoSession(request.getRequestContext().getSession()).getUser();
user.getEmail();
user.getLastLogin();

LDAP Group Filter for authorization in Activiti

I am using the activiti-ldap jar to do LDAP in Activiti. I succeeded with authentication, but I am not able to perform authorization.
The code uses the filter below to authenticate (it gives a result):
(&(objectClass=person)(objectClass=user)(sAMAccountName=my-name))
The code uses the filter below to authorize (i.e. search for groups based on the authenticated user). The enumeration is not giving any result:
(&(objectClass=group)(member=my-distinguished-name))
However, when I use the same group filter in Softerra LDAP Browser, it gives a result.
NamingEnumeration<?> namingEnum = initialDirContext.search(baseDn, searchExpression, createSearchControls());
while (namingEnum.hasMore()) {
    System.out.println("Inside While");
}
I am sure, I am missing something. Can anyone point out my mistake?
I'm not sure if this answers your question, but something you have to be careful of when using a distinguished name with Active Directory (I am assuming it is Active Directory because there is a sAMAccountName attribute) is commas, or other special characters, in the DN (an example would be cn=Harley, Gregory). Commas and other special characters need to be escaped with a single backslash ("\"); Softerra may automatically escape these in the query string for you.
Like I said, it may not answer your question, but it may give you an avenue to search.
Cheers,
Greg
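The Shiro userDnTemplate answer earlier on this page and the DN-in-filter problem Greg raises here both come down to escaping at two different layers: RFC 4514 when a user-supplied login is pasted into a DN template, and RFC 4515 when a DN is pasted into a search filter (where the DN's own backslash becomes \5c). The following Python is an added illustration, not code from Shiro, Activiti or either poster. The template is copied from the shiro.ini above, the logins are constructed sample input, and `user_dn_from_template` only mimics the `{0}` replacement; it is not Shiro's implementation.

```python
"""Two escaping layers behind the Shiro userDnTemplate answer and the Activiti
group-filter problem on this page. Illustrative code only, not from either
project; sample logins are constructed."""

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an
# attribute value of a distinguished name.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:          # a leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and i in (0, last):  # leading/trailing space is otherwise stripped
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in a search filter (RFC 4515 section 3).
    The backslash itself becomes \\5c, so an RFC 4514-escaped DN is escaped a
    second time when it is used as a filter value."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def user_dn_from_template(template: str, login: str) -> str:
    """Mimic (not Shiro's own code) a userDnTemplate: replace {0} with the login.
    A DN template (attribute=value pairs) gets RFC 4514 escaping. A bare
    bind-name template such as '{0}' or 'domain/{0}' passes the login through
    unchanged, so whatever the user typed becomes the bind identity."""
    if '=' in template:
        return template.replace('{0}', escape_dn_value(login))
    return template.replace('{0}', login)


def rdn_count(dn: str) -> int:
    """Count RDNs in a DN string, treating backslash-escaped commas as data."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == '\\':
            i += 2            # skip the escaped character
            continue
        if dn[i] == ',':
            count += 1
        i += 1
    return count


def group_filter_for_member(member_dn: str) -> str:
    """The Activiti-style group lookup with the member DN properly escaped."""
    return '(&(objectClass=group)(member=%s))' % escape_filter_value(member_dn)


# Template taken from the shiro.ini on this page.
USER_DN_TEMPLATE = 'CN={0},OU=AppUsers,DC=test,DC=net'

if __name__ == '__main__':
    # Constructed logins: a plain one, one with a comma, and one that tries
    # to inject an extra RDN so the bind lands outside OU=AppUsers.
    for login in ('jdoe', 'Harley, Gregory', 'x,OU=ServiceUsers'):
        naive = USER_DN_TEMPLATE.replace('{0}', login)
        safe = user_dn_from_template(USER_DN_TEMPLATE, login)
        print('%-20r naive: %d RDNs  escaped: %d RDNs  %s'
              % (login, rdn_count(naive), rdn_count(safe), safe))
    dn = user_dn_from_template(USER_DN_TEMPLATE, 'Harley, Gregory')
    print(group_filter_for_member(dn))
    print(user_dn_from_template('{0}', 'TEST\\jdoe'))
```

The naive replacement turns the login `x,OU=ServiceUsers` into a five-RDN DN rooted under a different OU, which is why a DN template must escape the substituted value, while the `{0}` template from the accepted answer hands the whole typed login to the directory as the bind identity and so accepts any account the directory will bind, not only those under OU=AppUsers. For the Activiti filter, `CN=Harley\, Gregory` must appear as `CN=Harley\5c, Gregory` inside `(member=...)`, which is the step a GUI browser may do silently and JNDI does not.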

MVC user's full name in Url, how to handle duplicates

I want to setup the following url in my MVC4 website, using the user's full name in the url:
http://www.myapp.com/profile/steve-jones
I have setup the following route in Global.asax:
routeCollection.MapRoute(
"profile", "profile/{userName}",
new { controller = "myController", action = "profile", userName = string.Empty
});
And I can take the parameter 'steve-jones' and match it to a user with a matching name. My only problem, though, is what if there is more than one 'Steve Jones'? How can I handle this?
Does anyone know of a workaround/solution to this so that I can use a user's full name as part of the URL and still be able to retrieve the correct user in the controller method?
Am I forced into including the user's ID in the URL (something that I do not want to appear)?
The usual way of handling this is by appending a number when creating the profiles. So if "steve-jones" is already a name in the database, then make the user's display name "steve-jones2". You basically have to insist that all profile urls are unique, which includes updating any existing database and account creation code.
Alternatively (and/or additionally), if two same names are found then have the script reroute to a disambiguation page where the user is presented with links and snippet of profile info of the many existing Steve Joneseses so they can go to the full correct profile.
Another way of handling it is by giving all user profiles an additional numeric code on the end. At my university all logins are based on name, so they give everyone pseudo-random 3-digit extensions so that they are safe as long as they don't get 1000 people with the exact same names :)
Some people might be happier being steve-jones-342 if there is no steve-jones or steve-jones1, if you're concerned.
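A worked illustration of the unique-slug and disambiguation approaches from the answers above, added here in Python rather than the question's C# and not the poster's or any framework's code. The helper names (`slugify`, `register`, `resolve`, `same_name_candidates`) and the user names are constructed for the example.

```python
"""Unique profile slugs for URLs like /profile/steve-jones. Added illustration
in Python, not the poster's C# or any framework's code; names are constructed."""
import re
import unicodedata


def slugify(full_name: str) -> str:
    """Reduce a display name to [a-z0-9-]: strip accents, lowercase, collapse
    everything else to single hyphens. Only the slug reaches the URL and the
    lookup, so user input never lands in a path segment unfiltered."""
    ascii_name = (unicodedata.normalize('NFKD', full_name)
                  .encode('ascii', 'ignore').decode('ascii'))
    slug = re.sub(r'[^a-z0-9]+', '-', ascii_name.lower()).strip('-')
    return slug or 'user'


def unique_slug(full_name: str, taken) -> str:
    """First free slug among base, base-2, base-3, ... (the 'steve-jones2'
    idea from the answer, with a hyphen so 'steve-jones-2' reads as a suffix)."""
    base = slugify(full_name)
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = '%s-%d' % (base, n)
    return candidate


def register(full_name: str, registry: dict) -> str:
    """Allocate a slug and record slug -> display name. In a real store the
    slug column must be UNIQUE so two concurrent registrations cannot both
    win 'steve-jones'; on a constraint violation, call unique_slug() again."""
    slug = unique_slug(full_name, registry)
    registry[slug] = full_name
    return slug


def resolve(slug: str, registry: dict):
    """Controller lookup: exact, case-sensitive match on the stored slug.
    Returns the display name or None; it never re-derives a name from the URL."""
    return registry.get(slug)


def same_name_candidates(full_name: str, registry: dict) -> list:
    """Everyone whose display name slugifies to the same base, for a
    disambiguation page listing all the Steve Joneses."""
    base = slugify(full_name)
    return sorted(s for s, name in registry.items() if slugify(name) == base)


if __name__ == '__main__':
    users = {}
    for name in ('Steve Jones', 'Steve Jones', 'Mary Smith', "Zoë O'Brien", '../Steve Jones'):
        print('%-16s -> /profile/%s' % (name, register(name, users)))
    print(resolve('steve-jones-2', users))
    print(same_name_candidates('steve jones', users))
```

Because the stored slug is the lookup key, the controller's route parameter is compared to it verbatim and the display name is never parsed back out of the URL; a third 'Steve Jones' (even one typed as '../Steve Jones') simply becomes steve-jones-3.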