With Keycloak, can you load an LDAP configuration from a file? - configuration

When I run Keycloak, I'd like it to load my LDAP configuration (user federation) automatically when it is run, so I don't have to enter it manually. Is there any way to do this with Keycloak? I'm using the containerized version 7.0.0, if it matters. I am also running in standalone mode. Thanks

You should be able to create your realm from a template that has your LDAP configuration in it.

From what I understand from your question, you want to use LDAP as your user federation server, so you should have an LDAP server up and running before starting your Keycloak container, and the container should start with the LDAP configuration. To do this, I'll suggest a method that is a bit cumbersome at first, but it will give you a better grasp on how to configure Keycloak in the future.
Start by downloading Keycloak from the website and run it without putting it in a container. Set up your realm, clients and everything apart from the LDAP configuration.
Copy the keycloak.json file outside of the directory; we're going to use that later.
Get back to your web interface, configure your LDAP server, and save the configuration.
Now copy the keycloak.json file again, and place both versions in a text comparison tool, DiffMerge for example, and see the difference in the configuration related to your LDAP; that should be added to your container's keycloak.json.
A good practice when using the Keycloak container is to create your whole configuration and replace the default one; this way your container will start every time with your realms, clients and all other pre-configured attributes.

OK so I think I figured it out. In Keycloak I had to export the realm via the standalone.sh script as specified in the documentation. Using the kcadm.sh admin CLI did not export the whole realm. Then I could import the realm using the admin CLI later. Thanks for your help, it led me to this answer.
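The two answers above amount to the same workflow: take a realm export that contains the LDAP user federation component and carry that component over into the realm file your container imports. The following is an added example (not code from the thread or from the Keycloak project) that does the merge step programmatically. It assumes the export layout that realm JSON files use, with user federation under the `org.keycloak.storage.UserStorageProvider` key of `components` and multi-valued `config` entries; the realm name, hostnames, DNs and credential values are constructed for the example. Because the merged file is meant to live in source control, the bind password is replaced with a placeholder and has to be set again after import (admin console or admin CLI), which is the assumption this example makes rather than something the thread states.

```python
import copy
import json

# Constructed sample: a trimmed Keycloak realm export with one LDAP user
# federation component. The layout (components keyed by provider interface,
# list-valued config entries) mirrors a realm export; every value is made up.
USER_STORAGE_KEY = "org.keycloak.storage.UserStorageProvider"

REALM_WITH_LDAP = {
    "realm": "demo",
    "components": {
        USER_STORAGE_KEY: [
            {
                "id": "1f2e3d4c-example",          # Keycloak-assigned id in a real export
                "name": "corp-ldap",
                "providerId": "ldap",
                "subComponents": {},
                "config": {
                    "connectionUrl": ["ldaps://ldap.example.internal:636"],
                    "usersDn": ["ou=people,dc=example,dc=internal"],
                    "bindDn": ["cn=keycloak,ou=svc,dc=example,dc=internal"],
                    "bindCredential": ["hunter2-plaintext"],   # constructed secret
                    "authType": ["simple"],
                    "editMode": ["READ_ONLY"],
                },
            }
        ]
    },
}

# The realm file the container will import, before the LDAP piece is added.
REALM_BASE = {"realm": "demo", "components": {}}

SECRET_KEYS = {"bindCredential"}
PLACEHOLDER = "CHANGE_ME_BEFORE_IMPORT"


def ldap_components(realm):
    """Return the LDAP user-federation components of a realm export."""
    store = realm.get("components", {}).get(USER_STORAGE_KEY, [])
    return [c for c in store if c.get("providerId") == "ldap"]


def redact_secrets(component):
    """Copy a component with secret config values replaced by a placeholder
    so the merged realm file can be committed without the bind password."""
    clean = copy.deepcopy(component)
    for key in SECRET_KEYS & set(clean.get("config", {})):
        clean["config"][key] = [PLACEHOLDER]
    # Drop the exporter-assigned id so the import creates a fresh component
    # instead of colliding with one that already exists in the target realm.
    clean.pop("id", None)
    return clean


def merge_ldap(source_realm, target_realm):
    """Return a copy of target_realm with source_realm's LDAP components added."""
    merged = copy.deepcopy(target_realm)
    store = merged.setdefault("components", {}).setdefault(USER_STORAGE_KEY, [])
    existing = {c.get("name") for c in store}
    for comp in ldap_components(source_realm):
        if comp["name"] in existing:
            raise ValueError(f"target already has a component named {comp['name']!r}")
        store.append(redact_secrets(comp))
    return merged


def contains_plaintext_secret(realm):
    """True if any LDAP component still carries a non-placeholder secret value."""
    return any(value != [PLACEHOLDER]
               for comp in ldap_components(realm)
               for key, value in comp.get("config", {}).items()
               if key in SECRET_KEYS)


if __name__ == "__main__":
    result = merge_ldap(REALM_WITH_LDAP, REALM_BASE)
    print(json.dumps(result, indent=2))
```

Run it and the printed realm JSON carries the `corp-ldap` component with `bindCredential` set to the placeholder; `contains_plaintext_secret` is the check to run before committing the file, and it returns True for the raw export and False for the merged output.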


Trigger external pipeline / job after Jira in OpenShift started

I'm running Jira in OpenShift using the basic image from Atlassian: https://hub.docker.com/r/atlassian/jira-software
So far most things work fine.
I installed a plugin using the web UI, which worked as well.
But now I'm running into an issue when a pod is restarted. The pod uses the image and naturally (as specified) my plugin is not installed anymore. I can install the plugin via web service calls and register it as an OSGi module for Jira. But I don't want to do this manually. Building a pipeline or job for this is quite easy (I'm thinking Jenkins or Ansible Tower). But so far I didn't find a way to trigger this pipeline after the pod is started (or better, after Jira is started).
Anyone got an idea how to handle this?
Thanks and best regards, Sebastian
Why not create a custom image based on the Atlassian image with everything you need installed?
As far as I know, there isn't a way to trigger a pipeline when a Pod is started; only Webhook, Image Change, and Config Change triggers are available. You'll need to write a Jenkinsfile to script all of the installation and setup you want, but then that can be triggered in one of the three ways mentioned.
I'm thinking an Image Change trigger would work best for you, so when the latest version of Atlassian's image comes out, you can run your pipeline to set everything up on the latest version.
Also, just curious, but do you have some persistent storage attached to the Jira pod? If not, you'll lose everything in Jira if the Pod dies; that means tickets, boards, comments, everything.
Update:
Looking at this page, it looks like most of the stuff you're trying to persist is stored in jira-home, so maybe mounting that as a persistent volume will be a good solution for you.
You're correct that the tickets are stored in the database, but I'm guessing the database connection settings are getting wiped when the Pod is cycled.
The jira-home directory stores your application and database connection settings, as well as a subdirectory for your plugins.
dbconfig.xml
This file (located at the root of your JIRA home directory) defines all details for JIRA's database connection. This file is typically created by running the JIRA setup wizard on new installations of JIRA or by configuring a database connection using the JIRA configuration tool.
You can also create your own dbconfig.xml file. This is useful if you need to specify additional parameters for your specific database configuration, which are not generated by the setup wizard or JIRA configuration tool. For more information, refer to the 'manual' connection instructions of the appropriate database configuration guide in Connecting JIRA to a database.
jira-config.properties
This file (also located at the root of your JIRA home directory) stores custom values for most of JIRA's advanced configuration settings. Properties defined in this file override the default values defined in the jpm.xml file (located in your JIRA application installation directory). See Advanced JIRA configuration for more information.
In new JIRA installations, this file may not initially exist and if so, will need to be created manually. See Making changes to the jira-config.properties file for more information. This file is typically present in JIRA installations upgraded from version 4.3 or earlier, whose advanced configuration options had been customized (from their default values).
plugins/
This is the directory where plugins built on Atlassian's Plugin Framework 2 (i.e. 'Plugins 2' plugins) are stored. If you are installing a new 'Plugins 2' plugin, you will need to deploy it into this directory under the installed-plugins sub-directory.
'Plugins 1' plugins should be stored in the JIRA application installation directory.
This directory is created on JIRA startup, if it does not exist already.

Is there any security recommendation for Laravel? Database got hacked

My Laravel database got hacked for the second time. The hacker deleted all tables and left a table threatening to delete it if I didn't send bitcoin. That's not a problem since I do have a backup, but what can I do to prevent it?
This is for Laravel 6. The first time I had debugging mode ON in the .env file, so I thought this might be the problem. After turning debugging off I still got hacked. Am I missing anything?
Hello Mohamed Elmoniry,
I would check your server database configuration for the following security settings. I mean, this is pretty basic and normally done automatically if you are not self-hosting and using a service like Forge or DigitalOcean, but here you go:
Update the password plugin
Change the root password
Remove anonymous users
Disallow remote root login
Remove test database
If you are new to this and you are using MySQL on your server, you can run the following command/script that will automatically guide you through that process:
sudo mysql_secure_installation
Additionally:
If you are using a web server I would also enable SSH and deactivate password login.
If you are using a firewall I would check that only the necessary ports to your application are allowed by the UTM (Unified threat management) if it is a hardware firewall. (same applies to a software firewall)
It would be great if you know how the hacker got into the database. Maybe you have an old database version? Maybe you have an easy-to-crack password and have exposed your database to the internet. Laravel by default blocks SQL injection, so that can't be it.
If you have exposed your database, a good first step is to block all requests and allow only ones from certain IP addresses, like your server and IP addresses where you often work. This way, hackers can only get to your database if they are on one of those IPs.
Do you publish your code to GitHub? Maybe the hacker got the password from your repository (this is only possible if this is public). You should make sure you NEVER EVER publish your .env file to the internet and only keep local copies.
But the best solution would be to find out how he got in. Then you can block that entrance. You should certainly check your database version and update it if necessary.
It seems your website has some shell (malware) stored. Viruses take hold for the following reasons:
Old version framework (but you are using v6, that is updated)
A shell/virus already in code (check if a PHP shell exists, and scan with antivirus)
You have a public git repo, where the attacker placed his malware
You have credentials hardcoded that leaked, either through a git repo or JS files.
You have an unrestricted file upload option in your code, which allows a hacker to upload a shell.
Your database server is publicly exposed, allowing anyone to access it.
If you are using an older Jenkins or other automation tool, whose exploit was used.
SQL injection (check logs)
Thanks, Jaikey
Check whether your .env or .env.sample files are exposed to the public for some reason:
https://yourdomain.com/system/.env
If yes, block the public access of .env by adding the code below to the .htaccess file.
<FilesMatch "^\.env">
    Order allow,deny
    Deny from all
</FilesMatch>
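Several of the answers above say the same thing from different angles: find out how the attacker got in, and check whether files like .env are reachable from the web. One way to do both after the fact is to read the web server's access log for requests to such paths and separate served responses (the file really was exposed) from refused ones (someone probed for it and the .htaccess rule or a 404 held). The following is an added example, not code from the thread, written in Python over constructed Apache combined-format log lines; the IP addresses, timestamps and paths are made up, and the list of sensitive paths is this example's own choice.

```python
import re
from collections import Counter

# Constructed sample access log lines (Apache combined format); all values are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2019:10:01:02 +0000] "GET /.env HTTP/1.1" 200 812 "-" "curl/7.64.0"
203.0.113.7 - - [12/Nov/2019:10:01:03 +0000] "GET /system/.env HTTP/1.1" 404 196 "-" "curl/7.64.0"
198.51.100.4 - - [12/Nov/2019:10:05:44 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Nov/2019:10:06:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2019:10:07:00 +0000] "GET /.env.sample?x=1 HTTP/1.1" 200 410 "-" "curl/7.64.0"
this line is not a log entry and is skipped
"""

# Fields of the combined format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths a web server should never serve: environment files, VCS metadata,
# and server configuration. Matched against the path with the query string removed.
SENSITIVE_RE = re.compile(
    r'(^|/)(\.env(\.[\w-]+)?|\.git(/|$)|\.svn(/|$)|\.htaccess|composer\.json)$|'
    r'(^|/)(\.git|\.svn)/'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """'exposed' if a sensitive path got a 2xx (the server handed it out),
    'probe' if it was requested but refused, None for ordinary traffic."""
    path = entry["path"].split("?", 1)[0]
    if not SENSITIVE_RE.search(path):
        return None
    return "exposed" if 200 <= entry["status"] < 300 else "probe"


def scan(log_text):
    """Return (verdict, ip, path, status) tuples for every sensitive-path request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append((verdict, entry["ip"], entry["path"], entry["status"]))
    return findings


def summarize(findings):
    """Count findings per verdict, e.g. Counter({'exposed': 2, 'probe': 2})."""
    return Counter(verdict for verdict, *_ in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for verdict, ip, path, status in results:
        print(f"{verdict:8} {ip:15} {status} {path}")
    print(summarize(results))
```

Any `exposed` line means the secrets in that file have to be treated as leaked and rotated, not just hidden; the `probe` lines show which sources are scanning for them, which is what the .htaccess rule above is there to stop.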

buildpublisher to a different server

I am trying to use buildpublisher in the ccnet.config to copy some files over after the build. I am able to do this locally on the server, but if I try to copy it over to another server that is on the same network it doesn't go. I think it has to do with security settings, but I am not seeing anything in the documentation about setting a user/pass security setting or anything. Any suggestions on what to do?
<buildpublisher>
    <sourceDir>C:\Build\Publish\</sourceDir>
    <publishDir>\\remoteserver\Site</publishDir>
    <cleanPublishDirPriorToCopy>true</cleanPublishDirPriorToCopy>
    <useLabelSubDirectory>false</useLabelSubDirectory>
    <description>Build publish</description>
</buildpublisher>
You need to share the \\remoteserver\Site directory. Also make sure the user (or service account) that runs the CruiseControl.NET service has read/write permissions on the shared directory. We use NAnt to copy files from ClearCase to another server with this method.

SVN web authentication by MySQL

I want to do authentication for my SVN server through Apache Web Server by mod_dav_svn. For authenticating users I want to use MySQL, since I want to extend other functions later on.
I've followed these instructions and it's working correctly and perfectly for me:
SVN Authentication using MySQL
But what happens when I want to define a group of users with read-only permission and other groups with read-write permission?
I'm out of ideas so please help me :) .
PS: AuthzSVNAccessFile dynamic editing would take too much of effort :'(
From what I have read if you are going to use the open source subversion server, your options are limited to modifying the access file as you were hesitant to do.
The issue is mentioned here, although in regards to LDAP auth: https://serverfault.com/questions/188023/webinterface-for-configuring-svn-access-in-mod-dav-svn
My advice is to set up a cron job to automatically generate the auth file on a regular interval.
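The cron-job approach the answer suggests is straightforward to implement: query the group and permission tables, render an AuthzSVNAccessFile from them, and replace the file on disk. The following is an added example, not code from the thread, in Python. It assumes two result sets (group membership, and per-repository path permissions per group), shown here as constructed rows in place of a real MySQL query; the column layout and the repository names are this example's own. Rendering fails on an unknown group or an unrecognised permission string, so a bad row cannot silently widen access, and the file is only rewritten when its content actually changed.

```python
import os
import tempfile
from collections import OrderedDict

# Constructed rows standing in for query results; in a cron job these would
# come from the same MySQL database that Apache authenticates against.
# (group, username)
GROUP_ROWS = [
    ("developers", "alice"),
    ("developers", "bob"),
    ("auditors", "carol"),
]
# (repository, path, group, permission) where permission is "rw", "r" or "" (no access)
PERMISSION_ROWS = [
    ("project1", "/", "developers", "rw"),
    ("project1", "/", "auditors", "r"),
    ("project1", "/trunk/secrets", "auditors", ""),
    ("project2", "/", "developers", "r"),
]

VALID_PERMS = {"", "r", "rw"}


def build_groups(group_rows):
    """Collect (group, user) rows into an ordered group -> [users] mapping."""
    groups = OrderedDict()
    for group, user in group_rows:
        groups.setdefault(group, []).append(user)
    return groups


def render_authz(permission_rows, group_rows, default_deny=True):
    """Render the content of an AuthzSVNAccessFile from the two row sets.

    With default_deny, every [repo:path] section starts with '* =' so that
    anyone not granted below gets nothing, which is what mod_authz_svn
    falls back to anyway but makes the generated file explicit."""
    groups = build_groups(group_rows)
    lines = ["[groups]"]
    for group, users in groups.items():
        lines.append(f"{group} = {', '.join(users)}")

    sections = OrderedDict()
    for repo, path, group, perm in permission_rows:
        if group not in groups:
            raise ValueError(f"unknown group {group!r} for {repo}:{path}")
        if perm not in VALID_PERMS:
            raise ValueError(f"invalid permission {perm!r} for {repo}:{path}")
        # rstrip() so an empty permission renders as '@group =' with no trailing space
        sections.setdefault(f"{repo}:{path}", []).append(f"@{group} = {perm}".rstrip())

    for name, entries in sections.items():
        lines.append("")
        lines.append(f"[{name}]")
        if default_deny:
            lines.append("* =")
        lines.extend(entries)
    return "\n".join(lines) + "\n"


def write_if_changed(content, path):
    """Atomically replace the authz file; return True if it was rewritten.

    Writing to a temp file and renaming means Apache never reads a half-written
    file, and skipping identical content keeps the cron job quiet."""
    try:
        with open(path) as f:
            if f.read() == content:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authz-")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)
    return True


if __name__ == "__main__":
    print(render_authz(PERMISSION_ROWS, GROUP_ROWS), end="")
```

For the constructed rows this produces a `[groups]` block with `developers = alice, bob` and `auditors = carol`, followed by `[project1:/]` granting `rw` to developers and `r` to auditors, `[project1:/trunk/secrets]` with `@auditors =` denying that group on the subtree, and `[project2:/]` with read-only for developers. Point `AuthzSVNAccessFile` at the output path, run the script from cron, and group changes in MySQL reach Apache on the next interval.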

Changing the configuration store location for the OSGi Configuration Admin service?

Is there a way to change the configuration store location for the OSGi Configuration Admin service? I'd like to have the properties files exist in another bundle so they'd exist in source control & in the deployment rather than the OSGi store.
In the end I decided to use Apache Felix File Install to update the configuration properties of a Configuration Admin ManagedService. This seems to work passably well.
It's a little kludgy because when the files are updated the new configuration properties get pushed to the managed service without regard to their being correct values. This means that on next startup the values will still be bad & need to be set to defaults.
It should work for now.
The Config Admin implementations cannot do this, at least not in a portable way via the specification. Instead you need a "management agent" that pushes configuration data into Config Admin via the API; it can derive that configuration data from any source it wishes.
FileInstall is a very simple example of a management agent. If it does not do exactly what you want then it is not too difficult to write your own.
The ManagedServices will still need to perform validation of incoming configuration data and dynamically react to new configuration data. OSGi is a dynamic platform and Config Admin is designed to allow for on-the-fly reconfiguration of a running system.