I can configure Jenkins so it limits access to users on my ldap server by setting the Server and Root DN without a problem.
Now I want to tie down access a little more and only allow access to members of the groupOfNames cn=MyProject,ou=Group,dc=bogus,dc=biz, but I don't see how to do that in Jenkins.
Can someone explain how they configured Jenkins or Hudson to handle something like this ?
Thanks !
NOTE: I'm not sure if this would work for LDAP (we use active directory)
In the project configuration page, check Matrix-based security.
Remove all access for anonymous
Add your 'groupOfNames' to the "user/group to add" and give them the rights you want to.
Any user in that group should get the rights you assign. This is how we did it.
Old thread, I know. I got it working by installing the memberof and refint overlays on the OpenLDAP server (2.4.31) and setting the User Search Base on Jenkins to filter the result, i.e.
(&(uid={0})(memberOf=cn=MyGroupName,ou=group,dc=mydomain,dc=com))
Related
I have setup three node secure NIFI cluster and integrated with LDAP for user login .
my doubts
In login-identity-providers.xml can we add multiple USER Search Base of ldap.(i tried by adding multiple usersearchbase but failed)
In LDAP user search should happen on multiple sub domains eg : DC=example1,dc=example,dc=com
DC=example2,dc=example,dc=com
on User-search-base in login-identity-providers.xml
TO achieve mutitenancy in ldap what is the configuration changes we need to make in identity provider.xml
tenant1 user should access process group define for tenant 1 itself and its not access for tenant2 users
From what I can tell, AND Assuming you are using Microsoft Active Directory if you use:
FOLLOW
It may work.
We also sometimes might use the Global Catalog (as then there are no referrals)
I also am guessing that the "empty" parameters should be removed (but I do NOT know how NIFI works).
I would suggest you also do tests with a LDAP Browser to make sure you know what your LDAP tree looks like. We use Apache Studio, but there are others.
More data on if it is Microsoft Active Directory and refer to https://stackoverflow.com/help/how-to-ask
I was using a openldap server to control the user in jira and confluence. But after I insert a user into ldap and add the user into the jira-users group, i still need to synchronize the user in jira. Can i set something to let it synchronize automatically after i insert the user into ldap server?
Here are the main steps :
Log in as a user with the JIRA System Administrators permission
Check your configuration : Settings > User Management > User Directories
You can manually synchronize the LDAP cache by clicking 'Synchronize' on the 'User Directories' screen.
If it works, you just need to set the Synchronization Interval on the directory configuration screen.
Otherwise there is probably something wrong with the current config. In this case, I would:
Check the server settings, see if it's reachable when connecting from a terminal.
Similarly, try to perform a search from a terminal using the schema settings.
Disable Incremental Synchronization if enabled.
Ensure the directory order is correct. Changes to users and groups will be made only in the first directory where the application has permission to make changes.
Ref: Connecting to an LDAP directory
I have a test server installed with liferay 6.2 g4 and it is configured with a LDAP server.The configuration was done through the portal-ext.properties file.As per my understanding configuration mentioned in the portal-ext.properties file are effective only during the initial setup. Any change in the Ldap configuration should done through the control panel.The control panel show the ldap servers in a list(search container).and we can select and edit the ldap server from control panel.
Now what im trying is like, i want to do this from a custom portlet.ie I want to list the ldap servers in my portlet and should be able update it. I have checked the PortalLDAPExporterUtil,PortalLDAPImporterUtil but that didnt help.
Can someone help me to find out which Liferay API should i look to achieve this.
I got the answer from the liferay forum by their staff Jorge Díaz.
You can find the code where LDAP servers are stored at control panel at following files:
edit_ldap_server.jsp: https://github.com/liferay/liferay-portal/blob/6.2.x/portal-web/docroot/html/portlet/portal_settings/edit_ldap_server.jsp
EditLDAPServerAction: https://github.com/liferay/liferay-portal/blob/6.2.x/portal-impl/src/com/liferay/portlet/portalsettings/action/EditLDAPServerAction.java
At first JSP, edit_ldap_server.jsp the parameters are filed by final user and sent to EditLDAPServerAction. This second java only retrieves that information and stores it to preferences (method EditLDAPServerAction.addLDAPServer)
You cannot call this methods from a portlet, but perhaps you can copy and paste internal logic.
Orginal Answer:https://www.liferay.com/community/forums//message_boards/message/55597042
How can I restrict access to database Manager page, by a password, for Odoo / OpenERP? So only master admin can see this page.
I found a good module here:
https://www.odoo.com/forum/help-1/question/how-to-show-the-manage-database-page-for-particular-user-like-administrator-in-openerp-v8-57036#answer-64736
But the problem is this module does not support multiple databases!
Is there any other method or custom module to achieve that ?
You can override the '/web/database/controller' and put the condition to check whether the session's user is admin or not , if it's admin then return the original page which is returned by odoo else you can show your page showing that you can't access this.
You can use this module: Restrict access to Manage Databases to restrict access to the Manage Databases page.
After installing the module, you will only be able to visit the Manage Databases page (/web/database/manager/) if you are signed in as the Administrator (with user ID = 1) or you have Technical Features enabled for that user.
If you have installed the module and are unable to switch databases while logged out, you can add the db flag to your url to manually select the database that you want, for example:
yoursite.com/web?db=database2
Caveat:
This solution might be troublesome as you will have to install it in all your databases on the same instance.
The other solution will be to use nginx to restrict access to /web/database/manager to only your IP address or a range or IP addresses.
My company has a MediaWiki setup which we are looking to make [partially] client accessible. Ideally each client would be able to see only their own page. Our wiki requires the user to be logged into view or edit, and we have the LDAP plugin (This one, specifically) so we can use our Active Directory credentials.
I see this question has come up before a few years ago, but I didn't see an question dealing with LDAP in particular. Can we manage a specific AD account if we give clients one on our domain for this purpose? Alternatively, is there a way to give clients a login directly into the wiki (sort of like logging locally into the computer, instead of the domain), that we could control the access rights of?
For reference: we are on MediaWiki version 1.19.1, PHP version 5.3.15, MySQL version 5.0.96-winx64, and the installation is running on Windows Server 2008 R2 x64 (IIS 7.5).
Thanks very much for the help!
You can use local accounts in addition to the LDAP accounts to log users in. You have to set $wgLDAPUseLocal to true in your LocalSettings.php. Basically, it adds another option to the domain drop down box on the login form that says "local". Users that want to log in with a local wiki account use that. I would also disable account creation on the wiki and create accounts manually for your clients.
Regardless of whether you use local accounts or AD accounts, for page-level access control, you would have to use one of these extensions. Extension:AccessControl seems to be a popular one.