How to add/update Ldap server programatically in Liferay - ldap

I have a test server installed with liferay 6.2 g4 and it is configured with a LDAP server.The configuration was done through the portal-ext.properties file.As per my understanding configuration mentioned in the portal-ext.properties file are effective only during the initial setup. Any change in the Ldap configuration should done through the control panel.The control panel show the ldap servers in a list(search container).and we can select and edit the ldap server from control panel.
Now what im trying is like, i want to do this from a custom portlet.ie I want to list the ldap servers in my portlet and should be able update it. I have checked the PortalLDAPExporterUtil,PortalLDAPImporterUtil but that didnt help.
Can someone help me to find out which Liferay API should i look to achieve this.

I got the answer from the liferay forum by their staff Jorge Díaz.
You can find the code where LDAP servers are stored at control panel at following files:
edit_ldap_server.jsp: https://github.com/liferay/liferay-portal/blob/6.2.x/portal-web/docroot/html/portlet/portal_settings/edit_ldap_server.jsp
EditLDAPServerAction: https://github.com/liferay/liferay-portal/blob/6.2.x/portal-impl/src/com/liferay/portlet/portalsettings/action/EditLDAPServerAction.java
At first JSP, edit_ldap_server.jsp the parameters are filed by final user and sent to EditLDAPServerAction. This second java only retrieves that information and stores it to preferences (method EditLDAPServerAction.addLDAPServer)
You cannot call this methods from a portlet, but perhaps you can copy and paste internal logic.
Orginal Answer:https://www.liferay.com/community/forums//message_boards/message/55597042

Related

Trying to connect ldap users two or more subdomains to nifi

I have setup three node secure NIFI cluster and integrated with LDAP for user login .
my doubts
In login-identity-providers.xml can we add multiple USER Search Base of ldap.(i tried by adding multiple usersearchbase but failed)
In LDAP user search should happen on multiple sub domains eg : DC=example1,dc=example,dc=com
DC=example2,dc=example,dc=com
on User-search-base in login-identity-providers.xml
TO achieve mutitenancy in ldap what is the configuration changes we need to make in identity provider.xml
tenant1 user should access process group define for tenant 1 itself and its not access for tenant2 users
From what I can tell, AND Assuming you are using Microsoft Active Directory if you use:
FOLLOW
It may work.
We also sometimes might use the Global Catalog (as then there are no referrals)
I also am guessing that the "empty" parameters should be removed (but I do NOT know how NIFI works).
I would suggest you also do tests with a LDAP Browser to make sure you know what your LDAP tree looks like. We use Apache Studio, but there are others.
More data on if it is Microsoft Active Directory and refer to https://stackoverflow.com/help/how-to-ask

Apache Brooklyn and LDAP against Microsoft Active Directory

I am trying to configure Apache Brooklyn to use the LDAPSecurityProvider against a Windows Active Directory.
I am testing the connection with Apache Directory Studio and it works with the provided credentials.
Screenshot of Apache Directory Studio and the LDAP tree
But when I Configure Apache Brooklyn to use LDAP against the AD it does not work and creates no error logs.
My brooklyn property file is here:
brooklyn.webconsole.security.provider=org.apache.brooklyn.rest.security.provider.LdapSecurityProvider
brooklyn.webconsole.security.ldap.url=ldap://10.0.20.10:389/????X-BIND-USER=uid=StackAdmin%2cou=users,X-BIND-PASSWORD=Password123,X-COUNT-LIMIT=1000
brooklyn.webconsole.security.ldap.realm=example.com
The LDAP support is documented at http://brooklyn.apache.org/v/latest/ops/brooklyn_properties.html#ldap - your example configuration looks good (very similar to that).
However, the docs say it will then construct something like:
LDAP://cn=John Smith,ou=Users,dc=example,dc=com
(With the "ou" value being configurable).
Looking at your screenshot, it seems you'd need something like that below (though it isn't expanded to see a full user example):
LDAP://cn=John Smith,cn=Users,dc=example,dc=com
Unfortunately that isn't currently supported in Brooklyn.
The workaround would be store your users under "ou" intead.
The LDAP integration code is pretty simple (and low on logging):
https://github.com/apache/incubator-brooklyn/blob/master/brooklyn-server/rest/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
It would be reasonably easy to update the Java to support your use-case.
Do you want to either have a go at creating a pull request for that (https://github.com/apache/incubator-brooklyn/), or opening a jira issue at https://issues.apache.org/jira/browse/BROOKLYN to describe the requirements and someone can take a look?
I had the same problem and solved it by creating my own LdapSecurityProvider for ActiveDirectory. Create a new Class which extends the org.apache.brooklyn.rest.security.provider.LdapSecurityProvider and override the getUserDN Method.
Brooklyn uses the com.sun.jndi.ldap.LdapCtxFactory so you can find a detailed documentation under http://docs.oracle.com/javase/7/docs/technotes/guides/jndi/jndi-ldap.html

Odoo Restrict access to database Manager page

How can I restrict access to database Manager page, by a password, for Odoo / OpenERP? So only master admin can see this page.
I found a good module here:
https://www.odoo.com/forum/help-1/question/how-to-show-the-manage-database-page-for-particular-user-like-administrator-in-openerp-v8-57036#answer-64736
But the problem is this module does not support multiple databases!
Is there any other method or custom module to achieve that ?
You can override the '/web/database/controller' and put the condition to check whether the session's user is admin or not , if it's admin then return the original page which is returned by odoo else you can show your page showing that you can't access this.
You can use this module: Restrict access to Manage Databases to restrict access to the Manage Databases page.
After installing the module, you will only be able to visit the Manage Databases page (/web/database/manager/) if you are signed in as the Administrator (with user ID = 1) or you have Technical Features enabled for that user.
If you have installed the module and are unable to switch databases while logged out, you can add the db flag to your url to manually select the database that you want, for example:
yoursite.com/web?db=database2
Caveat:
This solution might be troublesome as you will have to install it in all your databases on the same instance.
The other solution will be to use nginx to restrict access to /web/database/manager to only your IP address or a range or IP addresses.

Granular access control for MediaWiki with LDAP

My company has a MediaWiki setup which we are looking to make [partially] client accessible. Ideally each client would be able to see only their own page. Our wiki requires the user to be logged into view or edit, and we have the LDAP plugin (This one, specifically) so we can use our Active Directory credentials.
I see this question has come up before a few years ago, but I didn't see an question dealing with LDAP in particular. Can we manage a specific AD account if we give clients one on our domain for this purpose? Alternatively, is there a way to give clients a login directly into the wiki (sort of like logging locally into the computer, instead of the domain), that we could control the access rights of?
For reference: we are on MediaWiki version 1.19.1, PHP version 5.3.15, MySQL version 5.0.96-winx64, and the installation is running on Windows Server 2008 R2 x64 (IIS 7.5).
Thanks very much for the help!
You can use local accounts in addition to the LDAP accounts to log users in. You have to set $wgLDAPUseLocal to true in your LocalSettings.php. Basically, it adds another option to the domain drop down box on the login form that says "local". Users that want to log in with a local wiki account use that. I would also disable account creation on the wiki and create accounts manually for your clients.
Regardless of whether you use local accounts or AD accounts, for page-level access control, you would have to use one of these extensions. Extension:AccessControl seems to be a popular one.

How can I limit Jenkins LDAP access to users in a specific groupOfNames?

I can configure Jenkins so it limits access to users on my ldap server by setting the Server and Root DN without a problem.
Now I want to tie down access a little more and only allow access to members of the groupOfNames cn=MyProject,ou=Group,dc=bogus,dc=biz, but I don't see how to do that in Jenkins.
Can someone explain how they configured Jenkins or Hudson to handle something like this ?
Thanks !
NOTE: I'm not sure if this would work for LDAP (we use active directory)
In the project configuration page, check Matrix-based security.
Remove all access for anonymous
Add your 'groupOfNames' to the "user/group to add" and give them the rights you want to.
Any user in that group should get the rights you assign. This is how we did it.
Old thread, I know. I got it working by installing the memberof and refint overlays on the OpenLDAP server (2.4.31) and setting the User Search Base on Jenkins to filter the result, i.e.
(&(uid={0})(memberOf=cn=MyGroupName,ou=group,dc=mydomain,dc=com))