I have a database-project, created based on my existing database. It also added the scripts for creating users. One of those scripts is =>
CREATE USER [JOOS_NT\Indigo.Development] FOR LOGIN [JOOS_NT\Indigo.Dev.svc];
This script works fine on my database. But in my database-project this script is throwing an error when I build it. The error is:
"SQL70527: 'JOOS_NT\Indigo.Development' is not a valid name because it contains characters that are not valid."
It seems the "\" in the [JOOS_NT\Indigo.Development] is not allowed. However on the database itself I can run the query and it works fine. If I change it to [JOOS_NT/Indigo.Development] I don't get the error, but when comparing the scripts in the project to the existing database, it would drop the user ([JOOS_NT\Indigo.Development]) and replace it with ([JOOS_NT/Indigo.Development])
What am I missing?
Answering for someone who will look in the future.
On the database project, if a '\' character is included in the user name, the login should match the user name.
Because that, this don't work:
CREATE USER [JOOS_NT\Indigo.Development] FOR LOGIN [JOOS_NT\Indigo.Dev.svc];
But this will:
CREATE USER [JOOS_NT\Indigo.Development] FOR LOGIN [JOOS_NT\Indigo.Development];
Or
CREATE USER [JOOS_NT\Indigo.Dev.svc] FOR LOGIN [JOOS_NT\Indigo.Dev.svc];
I'm not sure if this is the expected behavior or a bug.
This is by design. The core issue is that in the "CREATE USER FOR LOGIN" based on a windows user login, if you are using a domain name for the user then this must match the login's domain name + login name. See this post on MSDN
Related
During some testing I applied SID value 0x01050000000000051500000085E77E2F11C35F7307E53B2B531D0200 of a system account received from SUSER_SIDfunction to User Mapping of a certain Login object in SSMS. Now based on that I cannot get rid of it as I keep getting an error message Value was either too large or too small for a UInt64 no matter what I enter or erase. I would appreciate if somebody would know how to get rid of a certain User Mapping either via UI or code specially when I encountered such an error message, thank you
Your actions were:
Open login properties of some windows login
Changing the corresponding user for some database to sid (why on the erth did you map the login to the user named as sid???)
This corresponds to the following code:
alter user... with name = [0x01050000000000051500000085E77E2F11C35F7307E53B2B531D0200];
Now you want to do the inverse action, so you need to execute this code:
use CDR_MDS;
alter user [0x01050000000000051500000085E77E2F11C35F7307E53B2B531D0200] with name = NAME=[GROUP\gg ORG RAACO MS BI Team];
I am debugging confirmation email flow when signing up a new User in Asp.Net Core web application with Identity Server 4.
Since I had already signed up with my actual email, to reuse it, I modified the UserName and Email in AspNetUsers table using SQL Update to some random value.
Now when I am signing up with the original email again. I am getting a duplicate user error
result = await _userManager.CreateAsync(user, model.Password);
I have already:
Cleared browser cache.
Closed local IIS Express
Restarted Visual Studio.
Used_userManager.DeleteAsync() after updating the UserName and Email back to original values but this gives an Microsoft.AspNetCore.Identity.IdentityError with description Optimistic concurrency failure, object has been modified.
On running this query on Sql Server
select * from INFORMATION_SCHEMA.COLUMNS where COLUMN_NAME in ( 'UserName' , 'Email')
I get the following:
I know that this is not a good practice to mess with backend, but this is development environment and I could continue my work with another email.
I would request readers to help in understanding how the User could be safely scorched to be able to reuse the email.
Appreciate your time
I agree with Kyle's comment and to further speed up your debug process you should note that if you use gmail to do this you can debug this process using one email.
from google/gmails perspective myaccount#gmail.com == my.acount#gmail.com == m.y.a.c.c.ount#gmail.com etc etc just try it out, google disregards all period characters in the email. you can enumerate/exhaust ~2^8 emails (in this example) if you just enumerate through the local-part of the e-mail address. but from your applications side, myaccount#gmail.com is not the same as my.account#gmail.com, ie they are different user accounts. Basically you can use one email to test out this feature of yours without having to delete the user.
Here is how I did it and finally got passed the pesky "concurrency failure" error message... This works in ASP.NET CORE 2.2
Obtain the user object through the FindByName method first.
Remove the user from their assigned Role (in this case I hard coded "Admin" because that is the role I'm interested in but fill in your own), then delete the user.
//Delete user.
//Obtain the user object through the FindByName method first.
//Remove the user from their assigned Role, then delete the user.
var userManager = serviceProvider.GetRequiredService<UserManager<ApplicationUser>>();
ApplicationUser delAppUser = new ApplicationUser
{
Email = "SomeEmailForindividualAdminUser",
UserName = "SomeUsernameindividualAdminUser"
};
Task <ApplicationUser> taskGetUserAppUser = userManager.FindByNameAsync(delAppUser.UserName);
taskGetUserAppUser.Wait();
Task<IdentityResult> taskRemoveFromRoleAppUser = userManager.RemoveFromRoleAsync(taskGetUserAppUser.Result, "Admin");
taskRemoveFromRoleAppUser.Wait();
Task<IdentityResult> taskDeleteAppUser = userManager.DeleteAsync(taskGetUserAppUser.Result);
taskDeleteAppUser.Wait();
Long story short the security people at my company does not want us to use the default 'admin' username in Apache DS. Is there a way to change it without breaking anything? Also how to create an additional admin account that is a clone of the default 'admin' user? I couldn't find any documentation for this.
You can use Apache Directory Studio to do this:
Copy (Ctrl-C) entry uid=admin
Paste (Ctrl-V) into ou=system renaming the user entry on the way
Select cn=Administrators,ou=groups,ou=system
Add a member reference to the new user entry
Check you can successfully bind using the new user
I'm using openstack4j to do project-scoped authenticatation.
os = OSFactory.builderV3()
.endpoint("http://controller:5000/v3")
.scopeToProject(Identifier.byId("1435221d37fd41699101bd739fe4375b"))
.credentials("admin", "openstack", Identifier.byName("default"))
.authenticate();
This statement can be run correctly. But my problem is: before authentication, how do I know the project id?
So I changed another way to solve this question. First, I removed the scopeToProject method in above code and got a successfully unscoped authentication.
os = OSFactory.builderV3()
.endpoint("http://controller:5000/v3")
.credentials("admin", "openstack", Identifier.byName("default"))
.authenticate();
I can obtain the userId = os.getToken().getUser().getId();. But when I execute os.identity().users().listUserProjects(userId) to get the projects this user belongs to, the following exception was thrown:
java.lang.NullPointerException
at org.openstack4j.openstack.identity.internal.DefaultEndpointURLResolver.resolveV3(DefaultEndpointURLResolver.java:120)
at org.openstack4j.openstack.identity.internal.DefaultEndpointURLResolver.findURLV3(DefaultEndpointURLResolver.java:70)
at org.openstack4j.openstack.internal.OSClientSession$OSClientSessionV3.getEndpoint(OSClientSession.java:388)
at org.openstack4j.core.transport.HttpRequest$RequestBuilder.build(HttpRequest.java:405)
at org.openstack4j.openstack.internal.BaseOpenStackService$Invocation.execute(BaseOpenStackService.java:192)
at org.openstack4j.openstack.internal.BaseOpenStackService$Invocation.execute(BaseOpenStackService.java:187)
at org.openstack4j.openstack.identity.v3.internal.UserServiceImpl.listUserProjects(UserServiceImpl.java:121)
...
This exception thrown at token.getCatalog(). Because the result of getCatelog() is null.
NOTE: I know in openstack dashboard login page, the user just need input the domain name, username, password and then the project information will returned after authentication. This is exactly what I want.
I assigned a default project for user admin using openstack dashboard, and now it works fine.
In Gforge, when a new user tries to log in; the user is automatically registered by fetching data from LDAP. It works fine for other users but one particular user is not able to log in and gets the error LDAP Authentication failed: Invalid Credentials . I don't understand what could be the issue? Could you please help?
This is the search function I am using.
ldap_bind($ldap, $dn, $pw)
$dn = ldap_get_dn($ldap, $entry);
$entry = ldap_first_entry($ldap,$res);
$res=ldap_search($ldap, $sys_ldap_base,$sys_ldap_id_attribute . '=' . $id,
array());
If it works for some users but not for one specific user, then it's something to do with the LDAP configuration, or with the characters in that user's ID or pwd.
Is the failing user in a different org/OU? Do they have accent characters in their username or password? These things can cause compatibility issues between GForge and the LDAP server.
Does this user have a much longer user name than other users? There is a GForge config setting called "usernameregex" that governs the complexity and length of allowed user names. Even though LDAP logins result in automatic account creation, the validation of the user's unix name might fail due to the regex in place. The error noted above could certainly be the catch-all message when this happens.
The default setting is "^[a-z0-9_.-]{3,15}$". You can change the upper length limit by changing the 15 to something else. The unix_name field in the GForge database is TEXT, so it can be extremely long (1GB?).
In GForge 6.3.x and earlier, you can find that setting in /etc/gforge/gforge.conf. Change the value and then update the system using:
cd /opt/gforge/bin && php create_config_cache.php
In GForge 6.4 and later, you can use the gf-config utility to set the value. It will take effect right away:
/opt/gforge/bin/gf-config set "usernameregex" "new regex value"