I have only ssh access to machine where I need to setup the Archiva. So i wonder have can I create a admin account and set a password to that account.
I found in Archiva API /userService/createAdminUser but still I don't understand how to add a password to the user that will be created by this API request.
Or maybe you can help me with another solution?
The user format is defined here: http://archiva.apache.org/docs/2.0.1/rest-docs-redback-rest-api/el_ns0_user.html (the api accept both json and xml)
NOTE: you won't be able to use this api#method if the admin user already exists!
Related
I have set the proper LDAP configuration in Sonar 5.6.6 LTS (ldap plugin v2.2.0.608) and I see in logs that the connection is established.
When I first try to login with my LDAP-login, I am able to do so, but my user has of course no permissions - that is okay.
The problem occurs, when I want to first add my user and give him i.e. sonar-administrators group. When it is set and I try to login, Sonar authenticates me not against the external system (LDAP) but uses his own data base.
I am sure it worked with Sonar 4.5 but now I cannot configure it properly.
The problem was that creation of new users adds them by default to the local database of SonarQube. To change this default behavior I found out that the REST API endpoint to create users contains the flag 'local' which defines whether the user should be considered as a local user added to the local database or he should be added as an external user authenticated again an external system like LDAP.
So final answer is to use the following REST API endpoint:
private final String CREATE_USER_API = "/api/users/create?login={login}&name={name}&local=false"
Please note the following property: local=false at the end of the string.
I'm trying to use wso2 APPM (vers 1.10.0) with an external ldap as authentication without real success.
I'll try to be as factual as possible to let it be testable:
I've unzip the wso2appm zip file under linux
I've setup the java_home var
I've start the wso2server.sh ==> no problem displayed in the log, at this step I must precise I'm using the default database of wso2.
Then logging to carbon gui, and adding a new userstore management setting up to a read-only external ldap.
after few seconds, the ldap users appears in the user list.
then selecting me in the list and adding the internal/store role.
opening the store url, and trying to login with the login / password of my user
Then having a message to inform me that the user has not the store profile.
If I log into carbon with my ldap user, it's working.
The same use case with the API looks fine to log into the store.
Any fix or ideas are welcome.
BR,
jfv
By the looks of it I suspect your issue is, the privileges are not set correctly for your ldap user store roles. Please make sure that you have assigned the internal/subscriber role to the relevant user in your permission tree. You can find more details about this at JIRA ticket [1]
[1] https://wso2.org/jira/browse/APPM-279
Cheers,
Pubudu
Hi and thank your for your answer,
first: I've checked this morning the solution you've proposed, and there is no change.
In a second time, I've tryied to add all privileges without more success
but if I create a new user manually, this one can login.
The following error in the log are shown when I try to login with an ldap user.
[2016-05-09 07:48:54,272] INFO - ReadOnlyLDAPUserStoreManager LDAP connection created successfully in read-only mode
[2016-05-09 07:48:54,283] INFO - UserStoreDeploymentManager Realm configuration of tenant:-1234 modified with /opt/wso2appm/repository/deployment/server/userstores/orange_com.xml
[2016-05-09 07:50:18,187] WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'admin[-1234]' at [2016-05-09 07:50:18,187+0200]
[2016-05-09 07:50:18,189] WARN - AuthenticationHandler Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,189] ERROR - AUDIT_LOG Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,221] WARN - acs:jag User jaav7491 does not have permission to access the store application. Make sure the user has the store role.
the login is "jaav7491"
Thank you for your ideas,
BR,
jfv
I am trying to configure Grafana for my organization. I was able to configure LDAP and MySQL database pretty easily but when I try to invite a new user to an org in Grafana, it always asks the user to join Grafana.
This would be an OK behavior if at that point Grafana would authenticate against LDAP. Instead, it creates a new user in its own database. This would lead to conflict with LDAP in case the user's AD passwords changes.
This works perfectly when a user had previously logged in to Grafana. An invite sent after would directly take the user to login page.
Is it possible to do the same in case the user is not already registered in Grafana? I really want to avoid saving user credentials in Grafana database.
Any help would be appreciated. Thanks.
I am not a Grafana expert, but looking through the source code on GitHub it certainly seems that new user registration will not go through LDAP. This is obvious in the LDAP related configuration file where you see the read-only credentials needed to look up users in the LDAP directory. A read-only administrator in LDAP will not be able to create new users as this would be necessary during a registration step. The code also indicates that registration creates temporary users in the internal store.
I am trying to follow the tutorial here: http://wiki.cloudbees.com/bin/view/Documentation/CloudBeesEclipseToolkit that describes how to configure your eclipse to use the CloudBees subversion respository. When I get to step 2, and try to validate my account username and password, I get:
Failed to validate your account.
Reason:
Failed to get account services info.
Authentication of user: xxxx failed.;
Details -
Unexpected response code:400. Message: Bad Request
I did use my google account (and oauth?) to create my cloudbees account. I am using my google username and password to try to validate.
The account name is what you see when you enter in cloudbees on the top right.
Regarding your missing password this is due to the fact that google and github sign in don't ask user to define a password - that's why you get an authentication failure.
Users can use https://grandcentral.cloudbees.com/account/forgot_password to request password reset and define the password.
I was able to fix this by clicking on the builds sectio of my account. This led me to some pages that told me I didn't have a password with cloudbees, and prompted me to create one.
When I used this password, instead of my gmail one, validation worked.
Also, I had to use my account name minus #gmaail.com to perform svn checkins, which wasn't the most intuative - it's not clear what un/ow and where
We have our own web server hosting our website that is open to the public outside of our network.
I have a request to make our "Internal Postings" link on our Careers page to authenticate the user against our network's Active Directory list.
I currently have it setup so the link hits a page inside the directory structure of the website, and this page's folder is set to "Integrated Windows Authentication". Anonymous access is turned off for this page. If the user is authenticated (ie: logged into our network or supplies proper credentials) it passes them on to an external careers website which hosts our job postings. If they fail to authenticate, it displays a custom 401 error page.
This works fine, but there is a problem with it. Using IE, people cannot just enter their username. They (of course) are required to enter the domain name as well. Unfortunately the default 'domain' is set to the URL of our website (www.xyz.com/username). I would like it to automatically choose the name of our internal domain (aaa/username) but am unsure of how to do this.
Another option would be to use LDAP and a little ASP scripting to authenticate the user. I have this code already, but am unsure of the security consequences of doing so. Basically, the page will be setup for anonymous authentication, and if the user isn't logged into our network, they will be prompted for a username/password using standard textboxes. This is then passed to an ASP script that does an LDAP lookup against our Active Directory. Is there any security issues with this method?
Which method would you choose to do?
Thanks.
EDIT: It seems I cannot authenticate to ActiveD via LDAP using a username/password combo. So forget about that option.
My question now is, how can I change the default 'domain' that IWA uses? Is that at all possible? IE seems to default to 'www.xyz.com\username' (my website) rather than 'aaa\username' (my domain name). Of course, www.xyz.com\username fails because that is not where our ActiveD resides... Is this possible? I want to make it as simple as possible for our employees.
You cannot authenticate an user with a script that looks up the user in LDAP. You need to know that the user is who it claims it is, and the only way to do that is to let NTLM/Kerberos authenticate the user (ie. establish proof that the user knows a secret stored in the AD, the password).
The URL of the web site to the set of sites considered be in the local intranet zone for IE browsers running on the internal network. By default sites consider to local intranet will be sent the current logged on users credentials when challanged with NTLM/Kerberos. Hence your internal users shouldn't even see a network logon box.
I hate to dredge up an old thread, but the answers are a bit misleading, if I understand the question. The thread Remus refers to is about authenticating via LDAP with a username only. As he points out, that isn't possible. But it looks like what Kolten has in mind is authenticating via LDAP with a username and password both. That's a standard practice called binding.