I have done extensive research on the subject of adding roles to WebLogic domain using WLST, but of no use. Is there any way or am I wasting my time...? I can add user, groups and even assign roles to users but can not find any example of adding roles to domain...!
Wlst Sample code :
rm=cmo.getSecurityConfiguration().getDefaultRealm().lookupRoleMapper("XACMLRoleMapper")
rm.createRole(None,"TestRole",None,"")
Related
I am using sonarqube 8.9.7 version.
I am trying to do authentication using LDAP. we have 2 groups in LDAP one group is admin and another one is normal user.
sonar.security.realm = LDAP
sonar.authenticator.downcase=true
ldap.url=ldap://<IP address>
ldap.bindDn=CN=BInd username ,CN=Users,DC=company name,DC=in
ldap.bindPassword = BindPassword
ldap.authentication=simple
above one is for bind this is working fine.
ldap.user.baseDn=cn=Users,dc=CompanyName,dc=in
ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(|(memberOf=cn=Sonarusers,cn=Users,dc=companyName,dc=in)(memberOf=cn=SonarAdmin,cn=Users,dc=companyName,dc=in)))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
User access is also working fine giving access only to those groups.
ldap.group.baseDn=CN=Users,DC=companyName,DC=in
ldap.group.request=(&(objectClass=posixGroup)(member={uid}))
ldap.group.idAttribute=sAMAccountName
This is group access
for this I am not able to configure things.
I have 2 groups in LDAP sonarUsers and sonarAdmin and created same group in Sonarqube and give
permission for sonarAdmin.
please help me to sync the groups.
Thanks in Advance
I found the solution.
the mistake was from filter i was using wrong object class
Im trying to conect gitlab with ldap to centralize my authentication.
Im having a problem when i try to log in because gitlab blocks the users.
The base_dn where the users are is ou=People,dc=dominio,dc=com
When i try to log in all works fine until Gitlab make a sync and block the user because on the gitlab database the base_dn is saved in lowcase.
LDAP account "uid=user1,ou=people,dc=dominio,dc=com" does not exist anymore, blocking GitLab user "Usuario" (user1#dominio.com)
Gitlab is able to read all the info from the user in theLDAP and also create the user on the gitlab system(full name, email, etc).
User "Usuario" (user1#dominio.com) was created
But later block the user and im not able to log in, every time i unblock manually, the gitlab block again.
Here all the process:
User "Usuario" (user1#dominio.com) was created
(LDAP) saving user user1#dominio.com from login with admin => false, extern_uid => uid=user1,ou=people,dc=dominio,dc=com
LDAP account "uid=user1,ou=people,dc=dominio,dc=com" does not exist anymore, blocking GitLab user "Usuario" (user1#dominio.com)
When i check in the user profile they show this info:
LDAP uid: uid=user1,ou=people,dc=dominio,dc=com
In the LDAP the real path is:
uid=user1,ou=People,dc=dominio,dc=com
Some idea how i said to gitlab rescpect the upercase or not be case sensitive?
LDAP itself is case-insensitive, so in queries against LDAP it doesn't matter. GitLab tries to normalize all DNs to lowercase before comparing values on its side since GitLab itself is case-sensitive.
With that in mind, I'm not clear where you're running into problems. It sounds like it's probably a bug if it really is related to the case. It's also possible there's another issue causing the user sync to block your user(s).
If you have clear reproduction steps the best bet is probably to create an issue at https://gitlab.com/gitlab-org/gitlab-ce/issues. Tag the issue with ~ldap and ping me (#dblessing). Happy to try to reproduce.
Finally i found the solution.
the user_filter: i used have some issue, dont support omniauth-ldap's custom filter syntax.
I was using
user_filter: '(&(objectclass=*)(memberof=cn=gitlab,ou=Groups,dc=dominio,dc=com)(uid=%{username}))'
But i change for somnething simple as:
user_filter: '(memberof=cn=infra_gitlab,ou=Groups,dc=dominio,dc=com)'
And start to works...
I am working for an IBM Business Partner and I am trying to complete a first PoC ICP installation. The basic installation has worked. I did not configure LDAP during the deployment but I am trying to add an LDAP connection in the console now, afterwards.
Unfortunately, I always fail. And there seem to be a number for limitations and/or bugs in the LDAP connection of ICP to the point of making it unuseable.
First, I would like to connect to an IBM Domino Directory as my LDAP server. Anyone who has worked with a Domino directory before knows that many Domino deployments have an O=Org suffix where Org is a company name containing spaces. For example, in our case it is "O=ARS GmbH". I would normally need to use this as the base DN (search base). However, ICP does not allow spaces in this field ... that need to be fixed! Any other LDAP client product I tried to connect to our Domino directory over many years was able to deal with spaces in the base DN.
Next, in a Domino directory usually the groups do have a different suffix (e.g. search base) than users. But ICP only offers ONE base DN field and not separate base DN fields for users and groups. Any other LDAP client ... DOES offer this. This needs to be fixed in ICP as well.
Next, the bind DN field does not allow some commonly used special characters which are often found in account names, such as the - character. This needs to be fixed as well (as it happens, the special user ID we have in our Domino directory which we use for LDAP binding is named dir-client ...).
Well, after hitting all those blocking problems, I finally tried to connect to our Microsoft Active Directory. This time I could successfully complete the LDAP connection. After doing so, I turned to "Users" and discovered I need to "Import group". However, no matter what I try to enter as (correct) values into the CN and OU fields, I only end up with an "internal server error".
Further more, after I could save the LDAP connection to Active Directory, I could no longer log in to the console with the builtin admin account! But since I could not import any users/groups, I could not assign that role to an LDAP account ... luckily, I had a VM snapshot of the master server and could thus revert to the state before.
This is really frustrating ...
I ran into identical issue when hooking up to an openldap server running in a docker container. It took me awhile to figure out the ICP pod and container where the log file is to get more information than "Internal Server Error".
Here is how to find the relevant ICP pod/container log:
Look for the "auth-idp" pods in the kube-system namespace. I use:
kubectl get pods --namespace=kube-system | grep auth-idp
If you are running an HA cluster, you will have a pod on each master node.
In my case I have 3 master nodes. If you are running only a single master, then you will have only one auth-idp pod.
Again, in an HA scenario, you need to figure out which is your current master node. (The easiest, crude way to do that is ssh to your master VIP and see which node you land on.)
Now figure out which pod is running on the current master node. On each pod I use:
kubectl describe pod auth-idp-vq5bl --namespace=kube-system | grep IP
or
kubectl get pod auth-idp-vq5bl --namespace=kube-system -o wide
The one on the IP that is the current master node is where the log of interest will be.
The container in the pod that has the log of interest is: platform-identity-mgmt
To actually see the log file use:
kubectl logs auth-idp-vq5bl --namespace=kube-system --container=platform-identity-mgmt
At that point you will be able to scroll through the log and see a more detailed error message.
In the case of my error the log indicated my search filter for the group was not working properly. I decided to mess with the user ID map and user filter so I used a user ID map of *:cn and a user filter of: (&(cn=%v)(objectclass=inetOrgPerson)) Once I changed those in the ICP LDAP configuration, the user import succeeded. However, later I realized the logins were not working because the login is based on a search on userid or uid. So I changed the user ID map back to *:uid and the user filter back to (&(uid=%v)(objectClass=inetOrgPerson)). That corrected the login issue. I added some users to my LDAP group and reimported the group and the import worked as well. At this point, I'm not sure what was going on with the original import not working until I messed with the user ID map and user filter. Go figure.
In my OpenLDAP directory instance my groups are all under ou=groups and each group member is listed as, e.g., cn=Peter Van Sickel,dc=ibm,dc=com. I had to edit the group member to get it using the full DN of an actual user.
My users are all directly under the root DN: dc=ibm,dc=com.
As to specific issues with other LDAPs, it is my experience that each has its own set of idiosyncrasies to get things working as desired.
I am doing LDAP with websphere setup. I did all the priamary setps in the DN am using OU=Users, O= O=IN.
for the federated repository in websphere for PersonAccount i gave the same DN name and in filters i used (objectclass=user). But in the manage user, no user is getting listed.
Turn on the following trace: com.ibm.ws.wim.*=all.
Restart your server. Go to admin console and click Manage Users.
Look in the logs for "JNDI_CALL search"
You will see the filter being used, eg. (&(objectClass=inetorgperson)(uid=*)) and the baseDn being searched on. Verify these are correct by comparing to your ldif of a user you expect to see or by using the ldapsearch utility. It is probably not correct, so take action to fix the filter.
I'm deploying an ear to one of my Weblogic servers with CustomRoles security model. From the console it's not a problem to define a new role and to assign it to a group.
However I'm trying to do this from the WLST console with no success. Is there a way to do this with WLST? The deployment/undeployment gives me no problem using the following commands
deploy('app','app.ear','server', securityModel='CustomRoles')
undeploy('app','server')
See the oracle docs
You want to do something like
serverConfig()
auth=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
auth.createUser(login, password, login)
auth.addMemberToGroup(group, login)