I can see a lot of recommendation to not create System Users via API (maybe it is not possible?) or to not replicate System User across environments (via package bundle for example).
I'm curious, since System Users doesn't have password or can't be used to system log in, which risks are being mitigated with a manual user creation approach (via crx exporer)?
Related
There is a software which changes its behavior based on accessibility of the Active Directory domain controller (for domain joined machines). For example, if a machine inside a LAN and the domain controller is accessible, all features are available. If the machine goes outside of the LAN, some features of the software are disabled.
It works well on Windows using the standard Win32 API but I cannot find a way to implement it for macOS so far. I could not find any API. I tried some command line tools. For example,
dscl "/Active Directory/<DOMAIN NAME>" read / dsAttrTypeNative:DomainName
odutil show nodenames
Even if I disconnect the macOS machine from the AD LAN, they still show the information for about 30 minutes, like the domain controller is still accessible.
I cannot delete the whole Open Directory AD cache to make the tools to refresh the information because the cache is used by the system and the other applications. I do not want to change behavior of the whole system. I cannot kill (restart) services for that because I need to do it quite often (every 2-5 minutes).
I know I can use ldapsearch (or an LDAP C++ library) to check accessibility of an AD domain controller but my software does not have any idea about the domain controller configuration. It does not have any credentials to request the information. Also, in case of Windows API, Kerberos is used by default. In case of ldapsearch it has to be configured.
So, is there any macOS API (Objective C, C++) or any system command tool which I can use without additional configuration to check if the AD domain controller is accessible?
Apologies if similar has been asked before, I couldn't seem to find anything, just link me in the right direction if so.
I'm brand new to test automation, I will be writing selenium tests against a third party website hosted on an internal network. Our source control is provided by Visual Studio Team Services, although it is possible I can install TFS on premise.
Eventually I need to schedule test runs, I believe all this can be done with team services, seen some demo's, all good.
I will be using a URL to access the system under test which is on our internal network, if team services tries to run a selenium test and connect to the URL it will fail I imagine as it's running from wherever Microsoft are holding the code and building.
I don't think there would be a chance that we would allow Team services any access to our internal network if that was even possible.
So the question is, what are my options? can the build be moved from VS Team Services onto a local machine to run the tests with the internal URL? Is this a good idea if it can? Am i relying too much on the internet for testing on our internal network and is this a risk?
I have spent a bit of time on "the google" but struggling to find a great deal of information, it's possible I am asking the wrong questions.
Any help is greatly appreciated, links to articles are fine, don't mind doing the leg work, just need some pointers.
Many thanks for your help, apologies if any of that makes no sense.
You have a few options:
Install a VSTS Build agent on-premise and connect it to VSTS. The agent connects to VSTS using an outbound connection and it will be able to execute Builds and Release pipelines and from there orchestrate the execution of tests. You can either put this agent in a specific Agent Pool or Agent Queue, or you can add a Capability to it (e.g. "onprem"). By setting the Build Definition to use the specified Pool/Queue the agent will be selected. Or by adding the Demand "onprem" to your Build Definition it will ensure that it always requires that capability of any agent.
Use TFS 2015u3 or TFS2017 with the same agent, but that would mean you loose all the goodness that VSTS has to bring with regards to licenses, "free upgrades" and all.
With regards to security.
Adding a agent to your network that executes commands queued on a cloud service adds a risk. You can minimize that risk by configuring the build agent with a limited account, use Active Directory to limit the machines this user can run processes on/logon to and you can limit the access to this agent through permissions on the Queue and Pool as well. You can ensure that the users who have access to this pool and all your VSTS administrators have configured 2-factor-authentication on their AAD account and if needed add IP access control to these accounts as well. It's recommended that users that administer such agent pools/queues do not have alternate credentials configured and that the Personal Access Token used to register the agent is scoped to the permissions required to do just that.
With these extra measures in place you'll have a pretty secure setup. And it beats the hassle of having to install, backup, maintain a couple of TFS servers on-premise.
Our company is considering Neo4j for a database solution. We're using to Oracle dbs, and have relied upon their built in user authentication management to control who can connect to the db, who has read or write access, and what they are allowed to view in the db.
With Neo4j, most of these security options are missing. While we don't necessarily need to control visibility of nodes and relationships on a per-user level, the lack of multiple user accounts and the inability to control read/write access per account could be a dealbreaker. While application access of Neo4j should be well-contained and secure, we want to allow read-only accounts via the browser client to our developers (at least in our dev and qa environments).
The only solution that's jumped out at us so far has been GraphAware's Enterprise Security offering. I'd like to know if there are any other solutions out there that are compatible with Neo4j 3.0. At the moment we are not considering using the Neo4j REST API.
GraphAware Enterprise Security is compatible with 3.0 and there are no other solutions as far as we are aware. That said, judging from Github activity, it looks to me like the security mechanisms in Neo4j 3.1 will be enhanced to include multiple users and LDAP integration. We have to wait for 3.1 to be out. GraphAware Enterprise will be compatible with Neo4j 3.1 and use its native security features where possible.
DISCLAIMER: I work at GraphAware.
I did find one other partial solution to this, though it has its own hoops to go through to set up.
With the Enterprise edition, in a clustered environment, a node can be configured to be a read-only slave, and configured with its own login/pass for dev use.
We are currently planning to develop a suite of Windows Store Apps. They are independent and fully work alone, but they are related and act in concert. If a user has several of them, they should share some of their settings (and data), so that the user does not have to manually change these settings in every single one of them.
Is such a scenario even intented?
And how to implement it?
Registry: Does not work. Apps cannot access the registry.
ApplicationData (LocalFolder, LocalSettings etc.): Does not work. Apps cannot access the data of other apps.
Cloud services: Kind of works, but only when the machine is online. Our apps should work offline, too. And we would need to create/rent such a cloud service, which would cause additional costs.
KnownFolder.DocumentsLibrary: This –currently– looks like the only solution to me. The apps are already saving and sharing data there, so let's just save our settings there, too. But the name of the shared folder is one of the settings! And Windows Store Apps cannot create hidden files, so the user can see the settings file. This makes this solution a bit... "rough".
Any other ideas or additional information I have missed?
If you want them to sync with each other instantly, even when the device is offline, then that's your only option. Windows 8 Apps are not intended to share settings.
So much want of sharing.
Roaming API will only share with the SAME app, the SAME user, ANY W8 device.
SkyDrive will only share across ANY app, the SAME user, ANY device.
Using Azure (or any web service) will share across ANY app, ANY user, ANY device.
Don't do this
Don't use the register, the API is not supported
Don't use the file system, the boundaries cause your app to be brittle
Don't use ApplicationData.AnyFolder, this is restricted to a single app GUID
You had might as well get "instant" out of your language, man. That just doesn't happen. But you can have fast (let's call it near instant); you can use Sockets or SignalR to connect your client to some service out there with nearly instant responses. A less sophisticated approach would be to poll from your client, too. It has served developers for decades.
I'm helping a typical small company that started with a couple of outsourced systems (google apps, svn/trac). added an internal jabber server (ejabber for mostly iChat clients). subscribes to a couple of webservices (e.g. highrisehq). and has a vpn service provided by a pfsense freebsd firewall.
And the net result of all this is that they're drowning in passwords and accounts.
It seems that if they had a single unified login / single signon service they could go a long way to combining these. E.g.: ldap as the master repository, radius linked to it for vpn, ejabber and even WPA2 wireless access, plugins for google app sign on, and perhaps an openid server for external websites like highrisehq.
It seems that all these tools exist separately, but does anyone know of a single box that combines them with a nice GUI and auto-updates? (e.g. like pfsense/m0n0wall for firewalls, freeNAS for storage). It doesn't have to be FOSS. A paid box would be fine too.
I figure this must exist. Microsoft's Active Directory is likely one solution but they'd rather avoid Windows if possible. There seem to be various "AAA" servers that ISPs use or for enterprise firewall/router management, but that doesn't seem quite right.
Any obvious solutions I'm missing? Thanks!
It's been over a year since you originaly asked the question, so I'm guessing you've solved your problem by now. But if someone else is interested in a possible solution I suggest the following:
First of all, I don't know of any "all in one" solution to your problem. However it's quite easy to combine three products that will solve all of your needs and provide a single source for User management and password storage.
The first thing to do is install an LDAP Directory to manage Users and Groups (and possibly other objects outside the scope of your question). This can be OpenLDAP, Apache DS, Microsoft Active Directory, etc. Basically any LDAP Server will do.
Second I recommend installing FreeRADIUS with the LDAP Directory configured as it's backend Service.
Third get a license of Atlassian Crowd. It provides OpenID and Google Apps authentication. Prices for up to 50 Users start at $10 and go all the way up to $8000 for an unlimited user license.
Installation and Configuration of the three is relatively easy. You'll probably put most work into creating your Users and Groups. You can install all three components on a single Server and end up with a box that allows you to authenticate pretty much everything from Desktop Login, over Google Apps and other Web Apps, down to VPN and even Switch, WiFi and Router Login.
Just make sure you configure your Roles and Groups wisely! Otherwise you might end up with some Sales Person being able to do administration on your Firewalls and Routers :-)
I would encourage anyone searching for this type of solution to check out the Gluu Server (http://gluu.org).
Each Gluu Server includes a SAML IDP for SAML SSO, an OpenID Connect Provider (OP) for OpenID Connect SSO, an UMA Policy Decision Point (PDP) for web access management, and a RADIUS and LDAP server.
All the components of the Gluu Server are open source (i.e. Shibboleth, OX, FreeRADIUS, OpenDJ, etc.), including the oxTrust web user interface for managing each component of the server.
For commercial implementations, Gluu will build, support, and monitor this stack of software on a clients VM.
You may not want to standardise passwords across so many apps (especially external ones), though for internal ones using an auth service like LDAP makes sense.
You could solve the issue of remembering passwords with an eSSO like Novell SecureLogin
Also you might be interested in Novell Access Manager and Novell Identity Manager
I too could use such a device, however the only one I could find was a (possibly outdated) data sheet from Infoblox. They seem to have since concentrated on automated network managment and I can't find the LDAP appliance on their current website. I guess building a linux box with the FOSS stuff mentioned above is what everyone does, but it would be great not to have power supplies, disks, fans etc. I suppose you could use something like an EEE PC and put the config on a flash card.
This is something I was looking for as well, and http://www.turnkeylinux.org/openldap looks like the solution: "appliance" installation, and it includes encrypted online backup which is easily restored to a new or replacement machine.