Creating LDAP-Authenticated Login Sub-directory/DAM assets in CQ5 - ldap

I am running CQ 5.4 currently (5.5 upgrade pending) and need to establish a few sub-directories that can only be accessed by logging in and validating against the LDAP. This also means the files users can download after logging in have to be authenticated as well.
I have read as much of Adobe's documentation (and 3rd party) as I can:
http://dev.day.com/docs/en/cq/5-4/howto/create_apply_cug.html
http://dev.day.com/docs/en/cq/5-4/deploying/dispatcher.html#/sessionmanagement
http://www.wemblog.com/2013/01/how-to-associate-cug-with-dam-asset-in.html
We have LDAP enabled to log in and use CQ5 on our development server, but this is different from having our publish server use it for subdirectory-specific authentication while allowing all other static pages to be cached. Unless I'm reading all of this wrong, none of them points out how to accomplish this.
Having the default login component work with LDAP authentication would be wonderful, but I am not holding my breath.

It's possible to configure ACLs (access lists) for each node.
For example, through LDAP you export users that belong to the group ldap-users. Then go to the Content Repository Explorer (/crx/explorer/index.jsp) -> Content Explorer -> choose the node you need to set the ACL for -> Security Access Control Editor -> New ACE. There you can set the access rights for the node.
More on how to set the ACLs: http://helpx.adobe.com/cq/kb/CQ53ACLsMappingToCRX2.html
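The same ACE can be set from code instead of the CRX Explorer UI. The following is an added example, not part of the original answer: it uses the JCR 2.0 and Jackrabbit access-control API shipped with CQ 5.4 (CRX 2.x), and assumes an administrative session, a DAM folder path and a group id (the answer's ldap-users) supplied by the caller.

```java
import java.security.Principal;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;

public class DamFolderAcl {

    /** Denies jcr:read to everyone on folderPath, then re-allows it for groupId only. */
    public static void restrictToGroup(Session session, String folderPath, String groupId)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        JackrabbitAccessControlList acl = getOrCreateAcl(acm, folderPath);
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };

        PrincipalManager pm = ((JackrabbitSession) session).getPrincipalManager();
        Principal everyone = pm.getEveryone();
        Principal group = pm.getPrincipal(groupId);   // e.g. the LDAP-synced "ldap-users"
        if (group == null) {
            throw new IllegalArgumentException("unknown group: " + groupId);
        }

        // Later entries take precedence over earlier ones: deny everyone, then allow the group.
        acl.addEntry(everyone, read, false);
        acl.addEntry(group, read, true);
        acm.setPolicy(folderPath, acl);
        session.save();
    }

    /** Returns the node's existing ACL, or binds a fresh applicable one to it. */
    private static JackrabbitAccessControlList getOrCreateAcl(AccessControlManager acm,
            String path) throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        throw new RepositoryException("no modifiable ACL at " + path);
    }
}
```

The ACL only protects the repository: assets under a folder restricted this way must also be kept out of the Dispatcher cache (see the session-management page the question links), otherwise a cached copy is served without the ACL ever being consulted.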

Related

Trying to connect ldap users two or more subdomains to nifi

I have set up a three-node secure NiFi cluster and integrated it with LDAP for user login.
My doubts:
1. In login-identity-providers.xml, can we add multiple User Search Base entries for LDAP? (I tried adding multiple usersearchbase entries but it failed.)
2. The LDAP user search should happen on multiple sub-domains, e.g. DC=example1,dc=example,dc=com and DC=example2,dc=example,dc=com, in User-search-base in login-identity-providers.xml.
3. To achieve multitenancy in LDAP, what configuration changes do we need to make in identity provider.xml? A tenant1 user should access only the process group defined for tenant 1, and it should not be accessible to tenant2 users.
From what I can tell, and assuming you are using Microsoft Active Directory, if you use:
FOLLOW
it may work.
We also sometimes might use the Global Catalog (as then there are no referrals).
I also am guessing that the "empty" parameters should be removed (but I do NOT know how NiFi works).
I would suggest you also do tests with an LDAP browser to make sure you know what your LDAP tree looks like. We use Apache Studio, but there are others.
More data would help, such as whether it is Microsoft Active Directory; also refer to https://stackoverflow.com/help/how-to-ask

IIS 6.0 on Windows Server 2003 setup for Integrated Windows Authentication but no direct access for users to the shared folders

I am attempting to set up an IIS 6.0 application running on Windows Server 2003 to use impersonation in order to avoid having to give users direct read/write access to the shared folders where the DB and web pages are stored. Can anyone provide me with details of how this can be set up to work in conjunction with Windows Integrated Authentication?
So far, I can tell that the web.config file (not sure whether it's the correct one) has the two lines mentioned on this thread (Impersonation in IIS 7.0) to allow impersonation and use the Windows logon method. However, users are still prompted for a logon and then told they are not authorized to view web pages. They can view pages if we turn anonymous logon "on", but then their user credentials aren't passed on to the site and therefore they can't access most of it.
I'm fairly inexperienced, so I'm a bit lost here. Thank you very much in advance for the help!
Thanks to intervention from Microsoft (definitely worth the flat fee they charge per incident), we were able to identify the problem. Instead of using the network path to identify the website location on the "Home Directory" tab of the IIS properties, we were using the local drive path. That was all that needed to be changed.
Once we switched to the network path and added a dedicated service account under "Connect As...", impersonation started working right away. Users pass their logged-on credentials via integrated authentication (no logon required) and the service account takes care of executing their actions on the database file.
Access to the shared folder is limited to a brief list of administrators, and data access on the web application is limited based on user names.
If anyone is stuck with this and needs help, let me know!

Artifactory - remote repos permissions

I'm using Artifactory 3.0.3 (open source).
In our company, we have two repositories of our own, and both are on a different machine than Artifactory. Let's call them:
OurRepo1 - public, any developer can download artifacts from it
OurRepo2 - private, only some developers are allowed to access and download artifacts from it
And here's the thing:
Due to security reasons we want OurRepo2 not to be cached by Artifactory (easy to do), BUT NOW, how can I define permissions for this OurRepo2 to be accessible only by some users?
When I'm creating a new permission target I can select only local repos and caches of remote repos (e.g. OurRepo1-cache). But I don't want either of that. I want to limit the very access to the physical OurRepo2.
Is it possible with Artifactory?
In this case, I'd use an HTTP proxy like nginx in front of your Artifactory instances, and use rewrite rules to direct traffic to the correct back-end repo. You can then insist on certain auth credentials when trying to access OurRepo2 whilst leaving OurRepo1 free of authentication.
I have helped to manage such an "nginx + Artifactory" combination in an organisation with 100+ developers, and it worked very well.
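A minimal version of that "nginx + Artifactory" layout, as an added example that is not part of the original answer: the private repo is authenticated at the proxy and routed straight to its physical host, the public one goes through Artifactory without a login. Hostnames, ports, paths and the htpasswd file are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name repo.example.com;
    ssl_certificate     /etc/nginx/certs/repo.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/repo.example.com.key;

    # OurRepo2: credentials are checked here, before the request reaches the
    # physical repository host; Artifactory (and its cache) is not on this path.
    location /OurRepo2/ {
        auth_basic           "OurRepo2 (restricted)";
        auth_basic_user_file /etc/nginx/ourrepo2.htpasswd;   # one entry per allowed developer
        proxy_pass           http://ourrepo2.internal.example.com:8080/OurRepo2/;
        proxy_set_header     Host $host;
        proxy_set_header     Authorization "";   # do not forward the proxy credentials upstream
    }

    # OurRepo1: public, served through Artifactory and its remote cache without a login.
    location /OurRepo1/ {
        proxy_pass       http://127.0.0.1:8081/artifactory/OurRepo1/;
        proxy_set_header Host $host;
    }

    # Everything else (Artifactory UI and REST API).
    location / {
        proxy_pass       http://127.0.0.1:8081/;
        proxy_set_header Host $host;
    }
}
```

For this to actually limit access, the OurRepo2 remote-repository entry inside Artifactory has to be removed as well, otherwise the artifacts stay reachable through Artifactory's own URL.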

Securing a resource in Web Server

I have a file (or a set of files under a directory) published on my web server. Each of these resources needs to be access-protected based on the user's credentials and authority.
The authorization details are stored in a DB, so I need to make a call to the Java code in the application server to determine the access.
Every time the user hits this particular path on the web server, I need to ensure s/he has access to the requested resource by ensuring s/he is logged in and has the necessary privileges to access this resource.
The web server is Apache. Can you please point me to the settings in Apache that allow me to secure resource access using the above logic?
Thanks for the suggestions to correct the tag and the question:
My web server is Apache HTTPD.
I agree that this is not a Java question. The only reason I am bringing in the Java perspective is that I am most likely going to use some Java POJOs to check for user authorization for a particular directory that is stored in the DB, unless there is a trick in the Apache httpd configuration that checks the DB automatically, something similar to the one pointed out here. At the end of it, I need to check whether a particular user (authenticated previously by the Single Sign On server (Sun Access Manager)) has access to a particular directory (the user-to-directory mapping is stored in the DB) and protect the resources under the directory accordingly.
Please let me know if that clarifies.
I am not sure why this is tagged with java. Unless your DB structure is VERY specific, you might be able to get it done with Apache authz and authn:
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html
or, for an overview:
http://httpd.apache.org/docs/2.2/howto/auth.html
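What such an httpd 2.2 configuration looks like with mod_authn_dbd, as an added example that is not part of the original answer. The DSN, table and column names are assumptions; the per-directory check is folded into the password query, so a user with no directory_access row for this path gets no password back and cannot authenticate here at all.

```apache
LoadModule dbd_module       modules/mod_dbd.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so

# Connection pool shared by all DBD-backed directives (driver depends on the apr-util build).
DBDriver   pgsql
DBDParams  "host=localhost dbname=webauth user=httpd password=CHANGE_ME"
DBDMin     2
DBDKeep    4
DBDMax     10
DBDExptime 300

<Directory "/var/www/html/clients/clientA">
    AuthType          Basic
    AuthName          "Client A documents"
    AuthBasicProvider dbd
    # %s is the login name the user supplied. The single returned column must be a
    # hash apr can verify (apr1/MD5, {SHA} or crypt), never the clear-text password.
    # The join restricts the lookup to users mapped to this directory in the DB.
    AuthDBDUserPWQuery "SELECT u.password FROM users u JOIN directory_access d ON d.user_id = u.id WHERE u.username = %s AND d.directory = '/clients/clientA'"
    Require valid-user
</Directory>
```

One such block per protected directory, changing only the path and the d.directory literal; since the credentials travel as HTTP Basic, these paths should be reachable over TLS only.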

Granular access control for MediaWiki with LDAP

My company has a MediaWiki setup which we are looking to make [partially] client accessible. Ideally each client would be able to see only their own page. Our wiki requires the user to be logged in to view or edit, and we have the LDAP plugin (this one, specifically) so we can use our Active Directory credentials.
I see this question has come up before a few years ago, but I didn't see a question dealing with LDAP in particular. Can we manage a specific AD account if we give clients one on our domain for this purpose? Alternatively, is there a way to give clients a login directly into the wiki (sort of like logging locally into the computer instead of the domain) whose access rights we could control?
For reference: we are on MediaWiki version 1.19.1, PHP version 5.3.15, MySQL version 5.0.96-winx64, and the installation is running on Windows Server 2008 R2 x64 (IIS 7.5).
Thanks very much for the help!
You can use local accounts in addition to the LDAP accounts to log users in. You have to set $wgLDAPUseLocal to true in your LocalSettings.php. Basically, it adds another option to the domain drop down box on the login form that says "local". Users that want to log in with a local wiki account use that. I would also disable account creation on the wiki and create accounts manually for your clients.
Regardless of whether you use local accounts or AD accounts, for page-level access control, you would have to use one of these extensions. Extension:AccessControl seems to be a popular one.