How do config mandatoryGroup in Gerrit's LDAP? My gerrit.conf is currently like this... I'm not sure if the mandatoryGroup value should be LDAP syntax or plan text. I can not figure this out based on documentation.
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#ldap
ldap.mandatoryGroup
All users must be a member of this group to allow account creation or authentication.
Setting mandatoryGroup implies enabling of ldap.fetchMemberOfEagerly
By default, unset.
gerrit.config
[ldap]
server = ldaps://company.com
sslVerify = false
username = ldapUsername
password = ldapPassword
accountBase = DC=COMPANY_DOMAIN,DC=LOCAL
groupBase = DC=COMPANY_DOMAIN,DC=LOCAL
referral = follow
accountPattern = (sAMAccountName=${username})
groupPattern = (cn=${groupname})
accountFullName = displayName
accountMemberField = memberOf
accountEmailAddress = mail
mandatoryGroup = grp_IT_SourceCode
mandatoryGroup = ldap/"AD_Group_Name" worked for me... I'm not sure why but the "ldap/" was required before the AD group and all is good now.
Related
I set up superset to use LDAP in order authentication but I have one problem.
All users have Gamma Role by default and everyone can view other users' dataSources and databases.
How can it be set so that each user can see only the datasources he created?
Modify LDAP configuration
AUTH_TYPE = AUTH_LDAP
AUTH_ROLE_ADMIN ='Admin'
AUTH_LDAP_USE_TLS = False
AUTH_USER_REGISTRATION_ROLE= "Admin"
AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
AUTH_LDAP_LASTNAME_FIELD = "sn"
AUTH_LDAP_EMAIL_FIELD = "mail"
AUTH_USER_REGISTRATION = True
AUTH_LDAP_SERVER = "ldap://xxx.xxx.xxx.xxx:389"
AUTH_LDAP_SEARCH = "cn=hall.net,ou=groups,dc=dataops,dc=dg"
AUTH_LDAP_USERNAME_FORMAT = "uid=%s,ou=groups1,dc=dataops,dc=dg"
AUTH_LDAP_UID_FIELD = "uid"
AUTH_ROLES_MAPPING = {
"cn=hall.net,ou=groups,dc=dataops,dc=dg": ["Admin"],
"cn=hall.biz,ou=groups,dc=dataops,dc=dg": ["Admin"],
}
#AUTH_LDAP_GROUP_FIELD = "memberOf"
AUTH_ROLES_SYNC_AT_LOGIN = False
PERMANENT_SESSION_LIFETIME = 1800
AUTH_LDAP_BIND_USER = "cn=supersetadmin_MX4G,cn=hall.net,ou=groups,dc=dataops,dc=dg"
AUTH_LDAP_BIND_PASSWORD = "6P8HIKBZCZ"
AUTH_ROLE_PUBLIC = 'Public'
PUBLIC_ROLE_LIKE = 'Alpha'
Good day. I have a scenario where we have multiple web applications running on the same server and we would like one login to serve all applications. Currently, if you switch applications, you need to be re-authenticated. Try as I may, I can not get this resolved.
I went through the session management page to try and implement what they call Poor Man's SSO (https://shiro.apache.org/session-management.html)
Here is my shiro.ini:
[main]
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = ldap://1.2.3.4:389
contextFactory.systemUsername = me#testdomain.local
contextFactory.systemPassword = Password
realm = com.me.shared.security.shiro.meADRealm
realm.ldapContextFactory = $contextFactory
realm.searchBase = OU=ME,DC=testdomain,DC=local
securityManager.realms = $realm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionIdCookie=org.apache.shiro.web.servlet.SimpleCookie
sessionIdCookie.name=sid
sessionIdCookie.maxAge=1800
sessionIdCookie.httpOnly=true
sessionManager.sessionIdCookie=$sessionIdCookie
sessionManager.sessionIdCookieEnabled=true
securityManager.sessionManager = $sessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 3600000
securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager
URL mapping is done in a custom java IniWebEnvironment and looks like this
/faces/common/Login.xhtml = authc
/faces/common/unauthorized.xhtml = anon
/faces/secured/** = authc
/faces/myAdmin/** = roles[administrator]
/faces/myManagement/** = roles[administrator]
/faces/people/** = roles[administrator]
I have a custom JSF bean where I perform login like this:
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(getUserName(), getPassword());
subject.login(token);
I am open to doing SSO in a different fashion, but this is an internal application and doesn't need much. Any ideas?
As part of my new years learning new technologies initiative I have started messing around with the Apache Shiro Security Framework.
I managed to get the basic example working which stores usernames, passwords and roles in the shiro.ini file, but when I modified my shiro.ini file to use JDBC it just stopped working. I now keep getting prompted for my username and password when trying to access my application. I've kept it as simple as possible (the passwords aren't even hashed).
Below is my shiro.ini file, does anyone have any idea what I'm doing wrong?
[main]
authc.usernameParam = j_username
authc.passwordParam = j_password
authc.failureKeyAttribute = shiroLoginFailure
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = "SELECT password FROM user WHERE username = ?"
jdbcRealm.userRolesQuery = "SELECT role FROM user WHERE username = ?"
ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
ds.serverName = localhost
ds.user = root
ds.password = password
ds.databaseName = database
jdbcRealm.dataSource = $ds
# Use Built-in Chache Manager
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $builtInCacheManager
securityManager.realms = $jdbcRealm
[users]
[roles]
[urls]
/* = authcBasic
If you are not giving permission query then better disable permission lookup. Also if you want to use basic Authentication why use authc attributes.
Try Following
[main]
#authc.usernameParam = j_username
#authc.passwordParam = j_password
#authc.failureKeyAttribute = shiroLoginFailure
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = false
jdbcRealm.authenticationQuery = SELECT password FROM user WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role FROM user WHERE username = ?
ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
ds.serverName = localhost
ds.user = root
ds.password = password
ds.databaseName = database
jdbcRealm.dataSource = $ds
# Use Built-in Chache Manager
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $builtInCacheManager
securityManager.realms = $jdbcRealm
[users]
[roles]
[urls]
/* = authcBasic
I am new in USSD but i am already sending message using Kannel 1.5.4 since long.
I want send/receive USSD request by using kannel. I have smpp v5 account for the same.
It's better if anyone help me by configuration file.
my configuration file is:
#SMSC CONNECTIONS
group = smsc
smsc = smpp
smsc-id = USSD-ACC
host= 10.*.*.*
port= 1234
transceiver-mode=true
smsc-username = "USER"
smsc-password = "PWD"
system-type = ""
interface-version=34
source-addr-ton=5
source-addr-npi=0
dest-addr-ton=0
dest-addr-npi=1
max-pending-submits=10
wait-ack=600
wait-ack-expire=0x01
# SMSBOX SETUP
group = smsbox
bearerbox-host = localhost
sendsms-port = 12345
sendsms-chars = "0123456789 +-"
log-file = "/tmp/kannel_smsbox.log"
log-level = 3
# SERVICES
group = sms-service
keyword = default
get-url = "http://localhost/request.php?MNO=%p&SHORTCODE=%P&CONTENT=%a"
name="*123#"
max-messages=0
group = sendsms-user
username = ussd
password = ussd
user-deny-ip = *.*.*.*"
user-allow-ip = "127.0.0.1"
max-messages = 5
concatenation = true
default-sender = "123"
Seems like you need to use smpp-tlv section to pass ussd_service_op TLV to/from USSDC.
See this link for configuration examples:
I'm making some testing with Apache Shiro just for learn, and i have a problem with permissions. The method isPermitted() just not work I mean, it's always return false.
shiro.ini
[main]
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName=SHA-256
authc.loginUrl = /faces/views/login.xhtml
authc.successUrl = /faces/views/index.xhtml
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $builtInCacheManager
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = select senha from VUsuarioPerfil where usuario = ?
jdbcRealm.userRolesQuery = select perfil from VUsuarioPerfil where usuario = ?
jdbcRealm.permissionsQuery = select permissoes from VUsuarioPerfil where usuario = ?
jdbcRealm.credentialsMatcher = $sha256Matcher
ds = com.microsoft.sqlserver.jdbc.SQLServerConnectionPoolDataSource
ds.serverName = 192.168.50.254
ds.user = xx
ds.password = xxx
ds.databaseName = shiro
jdbcRealm.dataSource = $ds
Each user should have his own permission, so on the view(VUsuarioPerfil) there is a column called permissoes where I placed a string, like "clientes:visualizar".
And on code I test this way
public void test() {
System.out.println(SecurityUtils.getSubject().hasRole("usuario"));
System.out.println(SecurityUtils.getSubject().isPermitted("clientes:visualizar"));
}
Result is output:
true
false
I don't now why just the permission isn't caught on database.
In the JDBC realm, the permissions query is not expected to map users->roles, it is expected to map roles->permissions.
So essentially, the query that is getting called is:
select permissoes from VUsuarioPerfil where usuario = usuario
And, as you would expect, it returns nothing. Therefore the role has no permissions, and the user has no permissions.
Perhaps considering the default permissions query would help you think about how to map a query to your data structure?
select permission from roles_permissions where role_name = ?
Check out your property:
select permissoes from VUsuarioPerfil
You need to correct permissions