Issue to delete a group by using SCIM in WSO2 IS 5.0 - scim

I am using IS 5.0. I deleted a group named 'developer' in WSO2 IS using the SCIM service, but the entry was not deleted from the table IDN_SCIM_GROUP. When I get the details of the same user I get this error:
{"Errors":[{"description":"Groups not found in the user store for the filter: displayNameEqdeveloper","code":"404"}]}
So I created the group again with the same name 'developer', but I am getting the following error:
{"Errors":[{"description":"Error when adding SCIM Attributes for the group: PRIMARY/developer A Group with the same already exists.","code":"500"}]}
Thanks for any suggestion.

After adding the SCIMEnabled property in the user store (demo.xml), this error didn't occur any more.
The SCIMUserOperationListener is responsible for managing the group attributes. This listener gets triggered only if the SCIMEnabled property is set to true in the user store configuration. You can enable this from the User Store Management UI for secondary user stores, and edit user-mgt.xml directly for primary user stores. (Here is the JIRA.)
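Where that property sits in a user store definition, as an added illustration rather than text from the thread or a file shipped by WSO2: the element layout and the JDBCUserStoreManager class are assumptions taken from a typical IS 5.x user store, so match them to your own demo.xml or user-mgt.xml.

```xml
<!-- Assumed fragment of a secondary user store file (e.g. demo.xml) or of the
     <UserStoreManager> element in user-mgt.xml; class name is a placeholder. -->
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
    <!-- Without this property the SCIMUserOperationListener is not invoked for
         the store, so IDN_SCIM_GROUP is not updated when groups are deleted. -->
    <Property name="SCIMEnabled">true</Property>
    <!-- ...the store's remaining properties stay as they were... -->
</UserStoreManager>
```

The listener only runs for operations that go through the user store, so groups deleted before the property was set keep their stale IDN_SCIM_GROUP rows and still need the clean-up the question describes.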


Linking a Contact to a Customer using the SOAP API

I’m having an issue with linking a customer object to a pre-existing contact when creating a new customer within the SOAP/SuiteTalk API using the Mulesoft middleware.
I’m successfully creating the contact object earlier, and then trying to use that internal ID to link that contact object to the newly created customer object. The relevant part I’m posting within the customer object (just hardcoding the internal ID in order to get it running):
contactRolesList: {
  contactRoles: [
    {
      contact: {
        "type": "CONTACT",
        internalId: '74335',
      },
      role: {
        "type": "CONTACT_ROLE",
        internalId: '-10',
      }
    }
  ]
}
When I attempt to upsert the customer object this way, I don't get any errors in the integration role execution log, but the contact is never linked. If I try to upsert a second time, I get an error of the form: Unable to find a matching line for sublist contactroles with key: [contact] and value: [74335], even though a contact object with that internal ID clearly exists.
Am I going about this entirely the wrong way, or am I just narrowly missing the syntax here?
*As a side note, is it possible to set the relationship on a RecordRef using just the external ID? As in, using just the external ID of the contact object in question to reference it and create the link?
Thank you.
The "contactRolesList" field is only for updating contacts already connected to the customer. In order to link a contact with a customer you need to perform an attach operation.
I'm not experienced with the Mulesoft middleware you mention, but in a soap request it would look like this:
<attach xmlns="urn:messages_2017_1.platform.webservices.netsuite.com">
  <attachReference xsi:type="ns1:AttachContactReference"
                   xmlns:ns1="urn:core_2017_1.platform.webservices.netsuite.com">
    <ns1:attachTo internalId="176" type="customer" xsi:type="ns1:RecordRef"/>
    <ns1:contact internalId="1467" xsi:type="ns1:RecordRef"/>
    <ns1:contactRole internalId="-10" xsi:type="ns1:RecordRef"/>
  </attachReference>
</attach>
You can find additional information in your NetSuite CRM's Help Center under SuiteCloud Platform / SuiteTalk Web Services / SuiteTalk SOAP Web Services Platform Guide / SOAP Web Services Operations / attach - detach.
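How the attach request from the answer can be produced and its reply checked from code, as an added example that is not part of the original thread and not NetSuite's own SDK. It assumes the 2017_1 namespaces used above; the `core` prefix stands in for the answer's `ns1` (any prefix works as long as the `xsi:type` value uses the same one), and the writeResponse/status reply layout parsed by `attach_result`, along with the sample error code, is an assumption about what the attach operation returns.

```python
"""Build a SuiteTalk `attach` request that links a contact to a customer, and
check the reply. Added example, not code from the original thread or from
NetSuite. Namespace URIs are the 2017_1 ones in the answer above; the reply
layout parsed by `attach_result` (writeResponse/status with isSuccess and
statusDetail children) is an assumption about the attach response body.
"""
import xml.etree.ElementTree as ET

MSG_NS = "urn:messages_2017_1.platform.webservices.netsuite.com"
CORE_NS = "urn:core_2017_1.platform.webservices.netsuite.com"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Prefixes used when serialising; "core" replaces the answer's "ns1" because
# ElementTree reserves the nsN prefix pattern for its own use.
for _prefix, _uri in (("soapenv", SOAP_NS), ("xsi", XSI_NS),
                      ("core", CORE_NS), ("msg", MSG_NS)):
    ET.register_namespace(_prefix, _uri)


def record_ref(parent, tag, *, internal_id=None, external_id=None, rec_type=None):
    """Append a core RecordRef child. A RecordRef carries either internalId or
    externalId (the side question in the post); exactly one must be given."""
    if (internal_id is None) == (external_id is None):
        raise ValueError("RecordRef needs exactly one of internal_id / external_id")
    ref = ET.SubElement(parent, f"{{{CORE_NS}}}{tag}")
    ref.set(f"{{{XSI_NS}}}type", "core:RecordRef")
    if internal_id is not None:
        ref.set("internalId", str(internal_id))
    else:
        ref.set("externalId", str(external_id))
    if rec_type:
        ref.set("type", rec_type)
    return ref


def build_attach_contact(customer_id, contact_id, role_id="-10"):
    """Return the <attach> element: customer as attachTo, plus contact and role."""
    attach = ET.Element(f"{{{MSG_NS}}}attach")
    ref = ET.SubElement(attach, f"{{{MSG_NS}}}attachReference")
    ref.set(f"{{{XSI_NS}}}type", "core:AttachContactReference")
    record_ref(ref, "attachTo", internal_id=customer_id, rec_type="customer")
    record_ref(ref, "contact", internal_id=contact_id)
    record_ref(ref, "contactRole", internal_id=role_id)
    return attach


def soap_envelope(body_element):
    """Wrap an operation element in a SOAP 1.1 Envelope and serialise it. The
    SuiteTalk authentication header is left out: it depends on the account's
    setup (passport or token passport) and is not part of this example."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(body_element)
    return ET.tostring(env, encoding="unicode")


# Constructed replies shaped like a writeResponse (assumed layout, see docstring).
SAMPLE_SUCCESS = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>
<attachResponse xmlns="{MSG_NS}"><writeResponse>
<status isSuccess="true" xmlns="{CORE_NS}"/></writeResponse></attachResponse>
</soapenv:Body></soapenv:Envelope>"""
SAMPLE_FAILURE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>
<attachResponse xmlns="{MSG_NS}"><writeResponse>
<status isSuccess="false" xmlns="{CORE_NS}"><statusDetail type="ERROR">
<code>RCRD_DSNT_EXIST</code><message>That record does not exist.</message>
</statusDetail></status></writeResponse></attachResponse>
</soapenv:Body></soapenv:Envelope>"""


def attach_result(response_xml):
    """Return (ok, messages) for a reply; messages is empty on success."""
    root = ET.fromstring(response_xml)
    status = root.find(f".//{{{CORE_NS}}}status")
    if status is None:
        raise ValueError("reply carries no status element")
    ok = status.get("isSuccess") == "true"
    messages = [m.text or "" for m in status.iter(f"{{{CORE_NS}}}message")]
    return ok, messages


if __name__ == "__main__":
    print(soap_envelope(build_attach_contact("176", "1467")))
    print(attach_result(SAMPLE_SUCCESS), attach_result(SAMPLE_FAILURE))
```

Checking `isSuccess` on every write is the part worth keeping: the first upsert in the question "succeeded" without linking anything, and a reply parser that only looks for SOAP faults would report the same silent success.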

Keycloak cannot propagate user-group mappings from LDAP into user-group mappings

I am trying to set up User Federation from an LDAP server to Keycloak. I managed to import all the users and groups from the LDAP server; however, the user-group mapping (Groups tab in the Users section) doesn't show the actual mapped groups, although I can see those users present in the groups listed in the Members tab of the Groups section.
I went through all the articles in the Keycloak forum, JIRA tickets and mailing list, and I did find a ticket describing the exact issue I am experiencing now (https://lists.jboss.org/pipermail/keycloak-user/2018-February/013076.html); Marek has replied to it as well. However, I still couldn't figure out what configuration I set incorrectly from the information in that post.
Could anyone please help me out? Thanks ahead!
(Screenshots in the original post: User-Group, Group, User Configuration, Group Mapper Configuration)
Thanks,
Chance
Looks like the issue was in the LDAP server. The problem only exists when I import the users from the FreeIPA DB. However, when I federate to an AD server, the user-group information comes along with the users without any additional modification!
Below is the configuration I used in the successful case. Hopefully it will help others who encounter a similar issue. Thanks everyone for the attention.
[User Federation Provider Settings]
Enabled: ON (Default)
Console Display Name :
Priority: 0 (Default)
Import Users : ON (Default)
Edit Mode : READ_ONLY
Sync Registrations : OFF (Default)
Vendor : Active Directory (This is important. Once I switch to AD, instead of FreeIPA, the issue is gone)
Username LDAP attribute: sAMAccountName
RDN LDAP attribute : cn
UUID LDAP attribute : objectGUID
User Object Classes : person, organizationalPerson, user (Check which object classes your server is actually configured with and adjust accordingly)
Connection URL : ldap://:389 (If you are using ldaps, the port is 636)
Users DN : <the scope that includes all the users you would like to import, e.g. OU=User,DC=example,DC=com>
Bind Type: simple
Enable StartTLS: OFF (Default)
Bind DN:
Bind Credential:
Custom User LDAP Filter: <You can leave it blank if you don't want to filter. However, if you would like to filter something, for example, users from a specific group, you can run a filter such as (&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=,OU=,DC=example,DC=com)) >
Search Scope: Subtree (If all users sit directly under the Users DN, you can choose the "One level" option)
Validate Password Policy: OFF (Default)
Trust Email: OFF (Default)
Use Truststore SPI: Only for ldaps
Connection Pooling: On
Leave the rest of the settings blank.
You need to configure a group-ldap-mapper as well:
[Group Mapper]
Name:
Mapper Type: group-ldap-mapper
LDAP Groups DN : <Where are the groups of this tree saved. For example, OU=Group,DC=example,DC=com>
Group Name LDAP Attribute : cn
Group Object Classes : group
Preserve Group Inheritance: ON
Ignore Missing Groups: OFF (Default)
Membership LDAP Attribute : member
Membership Attribute Type: DN
Membership User LDAP Attribute: sAMAccountName
LDAP Filter : <You can leave it blank if you don't want to filter any group>
Mode: READ_ONLY
User Groups Retrieve Strategy: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE
Member-Of LDAP Attribute: memberOf
Mapped Group Attributes:
Drop non-existing groups during sync: ON
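To make the membership settings above concrete, here is an added example (not Keycloak code and not part of the original thread) that resolves user-to-group membership over constructed AD-style entries in two ways: by walking each group's `member` attribute, which is what the LOAD_GROUPS_BY_MEMBER_ATTRIBUTE strategy does with Membership LDAP Attribute = member and Membership Attribute Type = DN, and by reading the user's `memberOf` values, the other retrieve strategy the mapper offers (GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, a name that is not on this page). The sample entries and the simplified DN comparison are assumptions. A user for whom the two results disagree is the shape of the symptom in the question: the group's Members tab lists the user, but the user's Groups tab stays empty.

```python
"""Resolve user -> group membership the way a group-ldap-mapper can, over
constructed directory entries. Added example; not Keycloak code. Two
strategies are shown: walking each group's `member` attribute
(LOAD_GROUPS_BY_MEMBER_ATTRIBUTE) and reading the user's `memberOf`
(GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE). All entries below are sample data.
"""


def normalize_dn(dn):
    """Crude DN normalisation for comparison: lower-case, no space after commas.
    Real DN matching is per attribute syntax; this is enough for sample data."""
    return ",".join(part.strip() for part in dn.lower().split(","))


# Constructed AD-style entries: dn plus attribute -> list of values.
USERS = [
    {"dn": "CN=Alice,OU=User,DC=example,DC=com",
     "sAMAccountName": ["alice"],
     "memberOf": ["CN=Developers,OU=Group,DC=example,DC=com"]},
    {"dn": "CN=Bob,OU=User,DC=example,DC=com",
     "sAMAccountName": ["bob"],
     "memberOf": ["CN=Developers,OU=Group,DC=example,DC=com",
                  "CN=Ops,OU=Group,DC=example,DC=com"]},
    # Carol's memberOf names Ops, but the Ops entry lists her under a different
    # OU than the DN Keycloak knows her by, so the two strategies disagree.
    {"dn": "CN=Carol,OU=User,DC=example,DC=com",
     "sAMAccountName": ["carol"],
     "memberOf": ["CN=Ops,OU=Group,DC=example,DC=com"]},
]

GROUPS = [
    {"dn": "CN=Developers,OU=Group,DC=example,DC=com", "cn": ["Developers"],
     "member": ["CN=Alice,OU=User,DC=example,DC=com",
                "CN=Bob,OU=User,DC=example,DC=com"]},
    {"dn": "CN=Ops,OU=Group,DC=example,DC=com", "cn": ["Ops"],
     "member": ["CN=Bob,OU=User,DC=example,DC=com",
                "CN=Carol,OU=Staff,DC=example,DC=com"]},
]


def groups_by_member_attribute(user, groups, membership_attr="member",
                               attr_type="DN", user_attr="sAMAccountName"):
    """LOAD_GROUPS_BY_MEMBER_ATTRIBUTE: the user is in a group when the group's
    membership attribute lists the user's DN (attr_type DN) or the user's
    `user_attr` value (attr_type UID, e.g. memberUid on POSIX groups)."""
    if attr_type == "DN":
        key = normalize_dn(user["dn"])

        def values(group):
            return {normalize_dn(v) for v in group.get(membership_attr, [])}
    elif attr_type == "UID":
        key = user[user_attr][0].lower()

        def values(group):
            return {v.lower() for v in group.get(membership_attr, [])}
    else:
        raise ValueError(f"unknown membership attribute type {attr_type!r}")
    return sorted(g["cn"][0] for g in groups if key in values(g))


def groups_by_member_of(user, groups, member_of_attr="memberOf"):
    """GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE: trust the user's memberOf
    values, keeping only DNs that exist under the mapper's groups DN."""
    known = {normalize_dn(g["dn"]): g["cn"][0] for g in groups}
    return sorted(known[normalize_dn(dn)] for dn in user.get(member_of_attr, [])
                  if normalize_dn(dn) in known)


def membership_report(users, groups):
    """Compare both strategies per user. A mismatch is what the empty Groups
    tab in the question looks like from the directory side."""
    report = {}
    for user in users:
        by_member = groups_by_member_attribute(user, groups)
        by_member_of = groups_by_member_of(user, groups)
        report[user["sAMAccountName"][0]] = {
            "by_member": by_member,
            "by_memberOf": by_member_of,
            "consistent": by_member == by_member_of,
        }
    return report


if __name__ == "__main__":
    for name, row in membership_report(USERS, GROUPS).items():
        print(name, row)
```

Running this against an export of your own users and groups (ldapsearch output converted to the same dict shape) is a quick way to see whether the `member` values actually equal the DNs Keycloak imports from the Users DN; if they do not, the mapper configured with Membership Attribute Type DN has nothing to match on.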

How to change Windows ACL 'Group' with Powershell?

Problem:
I need to limit access to a WCF service using only Windows account settings. I have a WCF service with the security binding element 'clientCredentialType' set to 'Windows'. I can't change this setting. If I understand correctly, anyone with an authentic Windows account is authorized as long as they meet the authorization rules set by the file (EXE) that is hosting that WCF service. So I went into PowerShell and queried the settings for that service:
Get-Acl MYSERVICE.exe | Format-List
says:
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\Blah\Server\MYSERVICE.exe
Owner : BUILTIN\Administrators
Group : MYDOMAIN\Domain Users
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:BAG:DUD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)
Every user in my domain seems to have access.
Question: how do I change 'MYDOMAIN\Domain Users' to a different group in my domain so that every domain user (outside that group) does not have access?
I have been able to change the list of accounts and their permissions under 'Access' like this:
$myservice_acl = Get-Acl MYSERVICE.exe
$perm = "My Other Domain Group","FullControl","Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule $perm
$myservice_acl.SetAccessRule($rule)
Set-Acl -Path MYSERVICE.exe -AclObject $myservice_acl
And can presumably explicitly deny or grant access but how do I change the group it inherits from? Or is this the correct approach?
The Windows Security Descriptor (SD) is broken up into four primary parts:
Owner
Group (or Primary Group)
Discretionary Access Control List (DACL)
System Access Control List (SACL)
The Primary Group part of the SD is ignored, and has been ignored since Windows 2000; it was preserved for backwards compatibility with POSIX operating systems. https://technet.microsoft.com/en-us/library/cc961983.aspx
For your case, the only two fields to concern yourself with are the Owner and the DACL.
The Owner has implicit Full Control over the Securable Object.
The DACL is a list of Access Control Entries (ACEs), each of which names a Security Identifier (SID, or trustee) and the level of access rights it has.
In other words, if you are concerned about the SD on your service binary, check the owner and all members of the DACL but not the Primary Group.
https://technet.microsoft.com/en-us/library/cc961983.aspx
https://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379563(v=vs.85).aspx
EDIT: For the sake of completeness, the SACL is a list of ACEs (trustees and access rights) but instead of governing control, it controls who is audited and for what type of behavior.
Group: The security group of the owner.
Only users in the following groups are able to reach the folder/object:
NT AUTHORITY\SYSTEM Allow FullControl,
BUILTIN\Administrators Allow FullControl,
BUILTIN\Users Allow ReadAndExecute, Synchronize,
You should check only the Access property to add/remove/query who has access to the folder/file.
Domain users have access via the local group BUILTIN\Users (joining a computer to a domain automatically adds the group DOMAIN\Domain Users to the group BUILTIN\Users on the joining host). The group property of the security identifier has nothing to do with the access.
If you want to prevent access by domain users in general and allow just a particular domain group you'd remove the DOMAIN\Domain Users ACE and add an ACE for the desired group:
$ace = $myservice_acl.Access |
    Where-Object { $_.IdentityReference -eq 'DOMAIN\Domain Users' }
$myservice_acl.RemoveAccessRule($ace)
$ace = New-Object Security.AccessControl.FileSystemAccessRule ('DOMAIN\Other Group', 'FullControl', 'Allow')
$myservice_acl.AddAccessRule($ace)
Set-Acl -AclObject $myservice_acl -Path ...
If you just want to deny access to a particular user you could also create a deny ACE for that user. However, mixing permissions like that tends to become pretty messy pretty fast, so I wouldn't recommend going this route.
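As an added example (not from any of the answers above), the Sddl string from the question's Get-Acl output parsed into its four parts in Python, so the point made in the first and third answers can be checked mechanically: Domain Users (DU) appears only in the Group field, which carries no access rights, while the DACL's Allow ACEs name SYSTEM, Administrators, BUILTIN\Users (the path through which domain users actually get ReadAndExecute) and ALL APPLICATION PACKAGES. The alias and rights tables are the standard SDDL abbreviations; the domain-relative aliases resolve to a domain SID the sample string does not contain. This is a reading aid for SDDL output, not a replacement for Get-Acl.

```python
"""Pull an SDDL string apart into owner, primary group, DACL and SACL, to show
which part carries access rights. Added example; not from the original thread.
SID aliases, ACE types, ACE flags and rights letters are the standard SDDL
abbreviations; DU/DA are shown by name only since the sample has no domain SID.
"""
import re

# Constructed input: the Sddl value printed by Get-Acl in the question.
SAMPLE_SDDL = ("O:BAG:DUD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
               "(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)")

SID_ALIASES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users", "DU": "<domain>\\Domain Users",
    "DA": "<domain>\\Domain Admins",
    "AC": "APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ACE_FLAGS = {"ID": "Inherited", "CI": "ContainerInherit", "OI": "ObjectInherit",
             "IO": "InheritOnly", "NP": "NoPropagateInherit",
             "SA": "SuccessfulAccess", "FA": "FailedAccess"}
RIGHT_ALIASES = {"FA": "FullControl", "FR": "Read", "FW": "Write", "FX": "Execute",
                 "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite",
                 "GX": "GenericExecute"}
# Bits behind a hex mask; 0x1200a9 is what Get-Acl prints as ReadAndExecute, Synchronize.
FILE_RIGHT_BITS = {0x1: "ReadData", 0x8: "ReadEA", 0x20: "Execute",
                   0x80: "ReadAttributes", 0x20000: "ReadControl",
                   0x100000: "Synchronize"}

# O:owner G:group D:dacl S:sacl, every section optional; SIDs and ACEs never contain ':'.
_SD_RE = re.compile(r"^(?:O:(?P<owner>[^:()]*?))?(?:G:(?P<group>[^:()]*?))?"
                    r"(?:D:(?P<dacl>[^:]*?))?(?:S:(?P<sacl>[^:]*))?$")


def _pairs(text, table):
    """Split a run of two-letter SDDL tokens and translate them through `table`."""
    return [table.get(text[i:i + 2], text[i:i + 2]) for i in range(0, len(text), 2)]


def _rights(text):
    """Rights are either letter pairs (FA) or a hex access mask (0x1200a9)."""
    if not text.lower().startswith("0x"):
        return _pairs(text, RIGHT_ALIASES)
    mask, names = int(text, 16), []
    for bit, name in FILE_RIGHT_BITS.items():
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(hex(mask))  # bits this small table does not name
    return names


def _ace(text):
    """(type;flags;rights;object_guid;inherit_object_guid;sid)"""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE ({text})")
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": _pairs(flags, ACE_FLAGS),
            "rights": _rights(rights), "sid": sid,
            "trustee": SID_ALIASES.get(sid, sid)}


def _acl(text):
    """Control flags (P, AI, AR) followed by zero or more (...) ACEs."""
    if text is None:
        return [], []
    prefix = text.split("(", 1)[0]
    aces = [_ace(a) for a in re.findall(r"\(([^)]*)\)", text)]
    return re.findall(r"P|AI|AR", prefix), aces


def parse_sddl(sddl):
    m = _SD_RE.match(sddl)
    if m is None:
        raise ValueError("not an SDDL string")
    dacl_flags, dacl = _acl(m.group("dacl"))
    sacl_flags, sacl = _acl(m.group("sacl"))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": dacl_flags, "dacl": dacl,
            "sacl_flags": sacl_flags, "sacl": sacl}


def allow_aces_for(sd, sid_alias):
    """Allow ACEs naming a trustee. Only the DACL is consulted: the owner has
    implicit control over the object, the primary group field is never used."""
    return [a for a in sd["dacl"] if a["type"] == "Allow" and a["sid"] == sid_alias]


if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("owner:", SID_ALIASES.get(sd["owner"]), "| group:", SID_ALIASES.get(sd["group"]))
    for ace in sd["dacl"]:
        print(f"  {ace['type']:5} {ace['trustee']}: {', '.join(ace['rights'])} {ace['flags']}")
    print("Allow ACEs for DU:", len(allow_aces_for(sd, "DU")),
          "| for BU:", len(allow_aces_for(sd, "BU")))
```

Every ACE in the sample carries the ID (inherited) flag and the DACL is marked AI, which is why the third answer's RemoveAccessRule call on its own does nothing for an inherited entry: inheritance from the parent folder has to be broken (SetAccessRuleProtection) or the change made on the parent.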

How to get the project id when using project-scope authentication in openstack4j?

I'm using openstack4j to do project-scoped authentication.
os = OSFactory.builderV3()
        .endpoint("http://controller:5000/v3")
        .scopeToProject(Identifier.byId("1435221d37fd41699101bd739fe4375b"))
        .credentials("admin", "openstack", Identifier.byName("default"))
        .authenticate();
This statement can be run correctly. But my problem is: before authentication, how do I know the project id?
So I tried another way to solve this. First, I removed the scopeToProject call from the code above and got a successful unscoped authentication.
os = OSFactory.builderV3()
        .endpoint("http://controller:5000/v3")
        .credentials("admin", "openstack", Identifier.byName("default"))
        .authenticate();
I can obtain the user id with userId = os.getToken().getUser().getId();. But when I execute os.identity().users().listUserProjects(userId) to get the projects this user belongs to, the following exception is thrown:
java.lang.NullPointerException
at org.openstack4j.openstack.identity.internal.DefaultEndpointURLResolver.resolveV3(DefaultEndpointURLResolver.java:120)
at org.openstack4j.openstack.identity.internal.DefaultEndpointURLResolver.findURLV3(DefaultEndpointURLResolver.java:70)
at org.openstack4j.openstack.internal.OSClientSession$OSClientSessionV3.getEndpoint(OSClientSession.java:388)
at org.openstack4j.core.transport.HttpRequest$RequestBuilder.build(HttpRequest.java:405)
at org.openstack4j.openstack.internal.BaseOpenStackService$Invocation.execute(BaseOpenStackService.java:192)
at org.openstack4j.openstack.internal.BaseOpenStackService$Invocation.execute(BaseOpenStackService.java:187)
at org.openstack4j.openstack.identity.v3.internal.UserServiceImpl.listUserProjects(UserServiceImpl.java:121)
...
This exception is thrown at token.getCatalog(), because the result of getCatalog() is null.
NOTE: I know that on the OpenStack dashboard login page the user just needs to input the domain name, username and password, and then the project information is returned after authentication. This is exactly what I want.
I assigned a default project for user admin using openstack dashboard, and now it works fine.
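What the dashboard login does behind the scenes, written out as an added example (not openstack4j's or Keystone's code, and not part of the original thread): authenticate unscoped, ask Keystone which projects the token holder may scope to, then authenticate again scoped to one of them. A small in-memory `FakeKeystone` with constructed users and projects stands in for http://controller:5000; request and response shapes follow the Identity v3 API (POST /v3/auth/tokens, GET /v3/auth/projects, X-Subject-Token / X-Auth-Token headers). The user with no project assignment shows the failure that the accepted fix, assigning a default project, removes.

```python
"""The Keystone v3 exchange behind openstack4j's builderV3(), spelled out so the
unscoped-token behaviour from the question is visible. Added example, not
openstack4j or Keystone code. FakeKeystone replaces HTTP with constructed data;
request/response shapes follow the Identity v3 API.
"""


def password_auth_body(user, password, user_domain, project_id=None):
    """Body for POST /v3/auth/tokens. Without project_id the request is
    unscoped; Keystone then issues a token with no service catalog, which is
    the null getCatalog() the NullPointerException above comes from."""
    body = {"auth": {"identity": {"methods": ["password"], "password": {
        "user": {"name": user, "password": password,
                 "domain": {"name": user_domain}}}}}}
    if project_id is not None:
        body["auth"]["scope"] = {"project": {"id": project_id}}
    return body


class FakeKeystone:
    """Minimal stand-in for the identity service; all data is constructed."""

    def __init__(self):
        self.user_projects = {
            "admin": [{"id": "1435221d37fd41699101bd739fe4375b", "name": "admin"}],
            "nobody": [],  # valid credentials, but no project assignment at all
        }
        self.tokens = {}  # token id -> {"user": name, "project": project or None}

    def request(self, method, path, headers=None, body=None):
        headers = headers or {}
        if method == "POST" and path == "/v3/auth/tokens":
            name = body["auth"]["identity"]["password"]["user"]["name"]
            if name not in self.user_projects:
                return 401, {}, {"error": {"message": "unauthorized"}}
            project = None
            scope = body["auth"].get("scope")
            if scope is not None:
                wanted = scope["project"]["id"]
                project = next((p for p in self.user_projects[name]
                                if p["id"] == wanted), None)
                if project is None:
                    return 401, {}, {"error": {"message": "no role on project"}}
            token = f"tok{len(self.tokens) + 1}"
            self.tokens[token] = {"user": name, "project": project}
            payload = {"token": {"user": {"id": "u-" + name, "name": name}}}
            if project is not None:  # only scoped tokens carry a catalog
                payload["token"]["project"] = project
                payload["token"]["catalog"] = [{"type": "identity", "endpoints": [
                    {"interface": "public", "url": "http://controller:5000/v3"}]}]
            return 201, {"X-Subject-Token": token}, payload
        if method == "GET" and path == "/v3/auth/projects":
            entry = self.tokens.get(headers.get("X-Auth-Token"))
            if entry is None:
                return 401, {}, {"error": {"message": "invalid token"}}
            return 200, {}, {"projects": self.user_projects[entry["user"]]}
        return 404, {}, {}


def authenticate_like_dashboard(ks, user, password, domain):
    """Unscoped token -> GET /v3/auth/projects (accepts an unscoped token)
    -> scoped token. Returns (project_id, scoped_token, catalog)."""
    status, hdrs, unscoped = ks.request(
        "POST", "/v3/auth/tokens", body=password_auth_body(user, password, domain))
    if status != 201:
        raise RuntimeError(f"unscoped auth failed: {unscoped}")
    # unscoped["token"] has no "catalog": nothing to resolve endpoints from yet.
    status, _, listing = ks.request(
        "GET", "/v3/auth/projects", headers={"X-Auth-Token": hdrs["X-Subject-Token"]})
    if status != 200 or not listing["projects"]:
        raise RuntimeError("user has no project to scope to (assign a default project)")
    project_id = listing["projects"][0]["id"]
    status, hdrs, scoped = ks.request(
        "POST", "/v3/auth/tokens",
        body=password_auth_body(user, password, domain, project_id))
    if status != 201:
        raise RuntimeError(f"scoped auth failed: {scoped}")
    return project_id, hdrs["X-Subject-Token"], scoped["token"]["catalog"]


if __name__ == "__main__":
    print(authenticate_like_dashboard(FakeKeystone(), "admin", "openstack", "default"))
```

The listUserProjects call in the question needs the identity endpoint from the catalog, which an unscoped token does not have; /v3/auth/projects is the Keystone route meant for exactly this gap, since it is answered for the token holder without any scope. Against a real Keystone, the same three calls can be made with the requests library, reading X-Subject-Token from the response headers.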

Delete a user from a role in jasper server using Rest

How do I delete a user from a role, or disable the user for that particular role, in JasperReports Server? I still need the role in the main tenant. It should only be removed from the role (group).
What I am doing now is a goof up like:
Method: DELETE
URL: http://localhost:8080/reportservice/rest/user/username|TenantID
Payload:
<user>
  <tenantId>tenantID</tenantId>
  <username>{username}</username>
  <emailAddress>{emailAddress}</emailAddress>
  <enabled>false</enabled>
  <externallyDefined>true</externallyDefined>
  <fullName>{fullName}</fullName>
  <roles>
    <externallyDefined>false</externallyDefined>
    <roleName>ROLE_USER</roleName>
  </roles>
</user>
From the REST API Reference Manual (6.3.0):
To modify the properties of a user account, put all desired information in a user descriptor, and include it in a PUT request to the users service, with the existing user ID (username) specified in the URL.
In the community edition of the server, or commercial editions without organizations, use the first form of the URL.
In commercial editions with organizations, use the second URL to specify the user's organization. When specifying the organization, use its unique ID, not its path. When logged in as the system admin (superuser), use the first URL to modify users of the root organization.
To modify a user, the user ID in the URL must already exist on the server or in the organization. If the user ID doesn't exist, a user account will be created, as described in 21.3, "Creating a User," on page 155.
Method: PUT
URL:
http://:/jasperserver[-pro]/rest_v2/users/userID
http://:/jasperserver[-pro]/rest_v2/organizations/orgID/users/userID
Content-Type:
application/xml
application/json
Content:
A user descriptor that includes the properties you want to change. Do not specify the following properties:
username – Specified in the URL and cannot be modified in the descriptor.
tenantID – Specified in the URL and cannot be modified in the descriptor.
externallyDefined – Computed automatically by the server.
previousPasswordChangeTime – Computed automatically by the server.
Return Value on Success:
200 OK – The user properties were successfully updated.
Typical Return Values on Failure:
404 Not Found – When the organization ID cannot be resolved.
To add a role to the user, specify the entire list of roles with the desired role added. To remove a role from a user, specify the entire list of roles with the desired role removed. The following example shows the descriptor in JSON format:
{
  "enabled":true,
  "password":"newPassword",
  "roles":[
    {"name":"ROLE_USER"},
    {"name":"ROLE_STOREMANAGER", "tenantId":"organization_1"}]
}
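The PUT described in the manual excerpt, built as an added example (not Jaspersoft code, and not part of the original question or answer): the user's existing descriptor with the whole role list minus the one to drop, and the server-computed properties left out as the manual requires. The user descriptor, base URL and organisation id are constructed, and nothing is sent; the `requests` call that would send the tuple is left to the reader.

```python
"""Build the PUT that removes one role from a JasperReports Server user via
rest_v2/users, following the manual text quoted above: send the whole role
list minus the role to drop, without the fields the server computes. Added
example, not Jaspersoft code; the descriptor and URLs are constructed.
"""
import json
from urllib.parse import quote

# Constructed descriptor, shaped like the JSON example in the manual excerpt,
# as a GET of rest_v2/organizations/{orgID}/users/{userID} might return it.
SAMPLE_USER = {
    "username": "jdoe",
    "tenantId": "organization_1",
    "fullName": "John Doe",
    "emailAddress": "jdoe@example.com",
    "enabled": True,
    "externallyDefined": False,
    "previousPasswordChangeTime": "2020-01-01T00:00:00",
    "roles": [
        {"name": "ROLE_USER"},
        {"name": "ROLE_STOREMANAGER", "tenantId": "organization_1"},
    ],
}

# Properties the manual says must not appear in a PUT descriptor.
SERVER_MANAGED = {"username", "tenantId", "externallyDefined",
                  "previousPasswordChangeTime"}


def user_url(base, user_id, org_id=None):
    """rest_v2/users/{userID}, or the organisation form when org_id is given."""
    user = quote(user_id, safe="")
    if org_id:
        return f"{base}/rest_v2/organizations/{quote(org_id, safe='')}/users/{user}"
    return f"{base}/rest_v2/users/{user}"


def without_role(descriptor, role_name, tenant_id=None):
    """Descriptor to PUT with one role removed. Roles match on name AND tenant:
    a root-level ROLE_USER and an organisation's own ROLE_USER are different
    roles, so passing the wrong tenant matches nothing and raises instead of
    silently sending an unchanged list."""
    roles = descriptor.get("roles", [])
    kept = [r for r in roles
            if not (r.get("name") == role_name and r.get("tenantId") == tenant_id)]
    if len(kept) == len(roles):
        raise LookupError(f"user does not hold {role_name!r} in tenant {tenant_id!r}")
    out = {k: v for k, v in descriptor.items() if k not in SERVER_MANAGED}
    out["roles"] = kept
    return out


def remove_role_request(base, descriptor, role_name, tenant_id=None):
    """(method, url, headers, body) for the role removal. The role itself is
    untouched on the server; only this user's membership in it changes."""
    url = user_url(base, descriptor["username"], descriptor.get("tenantId"))
    body = json.dumps(without_role(descriptor, role_name, tenant_id))
    return "PUT", url, {"Content-Type": "application/json"}, body


if __name__ == "__main__":
    method, url, headers, body = remove_role_request(
        "http://localhost:8080/jasperserver-pro", SAMPLE_USER,
        "ROLE_STOREMANAGER", "organization_1")
    print(method, url)
    print(body)
```

The DELETE in the question would remove the user account rather than the role membership; the PUT keeps the account and only shortens its role list, and because the server applies the full list, any role omitted by mistake is removed too, which is why the descriptor is derived from a fresh GET rather than typed by hand.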