Wso2 use memberUid on external LDAP for groups - configuration

I have connected Wso2 with an external LDAP. So, i want to handle the LDAP groups. However in Wso2 doc it states to use :
groupOfNames as our objectClass and
member as our MembershipAttribute
However my current LDAP server is not like that. This means that i use
PosixGroup as my objectClass and
memberUid for my MembershipAttribute
This leads me to the point that , when i add a user to a group, then Wso2 goes and puts this value uid=b1,ou=users,dc=transip,dc=nl inside memberUid. This is not compatible with my set up. What i need is Wso2 to just put the user's uid in the memberUid field and then the entry will be compatible with the rest of my setup.
How can i configure Wso2 to pass the uid when adding a user to a group instead of passing dn (Distinguished Name).

According to JIRA [1], this issue has been already fixed in WSO2 IS 5.1.0. According to the JIRA to get your setup working you need to configure GroupObjectClass as "PosixGroup" and MembershipAttribute as "memberUid" in the UserStoreManager configuration relevant to your UserStore.
[1] https://wso2.org/jira/browse/IDENTITY-3400

The same question has posted in https://wso2.org/jira/browse/IDENTITY-6295 as well. In order to achieve this its need to write custom user store manager, changing member attribute to add only uid, rather full DN.

Related

CAS 6.2.x MFA Principal Attribute Trigger 'memberOf' Active Directory Not Working

I have CAS 6.2.x running in Kubernetes building the image from this repo. I am passing in the cas.properties file via configmap.I have it wired up against Active Directory and am able to login with the Username/Password. I am now working to enable MFA with the Google Authenticator plugin. I have this working as well if I force the flow globally with the following:
cas.authn.mfa.global-provider-id=mfa-gauth
When I try to use the values described here for Multifactor Authentication: Principal Attribute Trigger it doesn't send me to the MFA flow. These are the settings that I have set:
cas.authn.ldap[0].principalAttributeList=userPrincipalName,cn,givenName,sAMAccountName,memberOf
cas.authn.mfa.global-principal-attribute-name-triggers=memberOf
cas.authn.mfa.global-principal-attribute-value-regex=ForceMfa
When I log in these are the values returned back for memberOf:
memberOf
[CN=Group2,OU=MyOu,DC=subdomain,DC=domain,DC=local, CN=Group1,OU=MyOu,DC=subdomain,DC=domain,DC=local, CN=ForceMfa,OU=MyOu,DC=subdomain,DC=domain,DC=local]
Principal
I used Misagh blog post as a guide.
If I change the trigger and regex to sAMAccountName and my username it then works as expected. Not sure if I need to change the regex format to find the group name or if I just have something else wrong. It just seems like the regex is not finding a match for some reason as the settings seem to be working for me, just not with memberOf.
Thank you
Consider switching this to:
cas.authn.mfa.global-principal-attribute-value-regex=.*ForceMfa.+
Then, attach/review your logs for org.apereo.cas under either DEBUG/TRACE so you can see what's happening.

CAS X.509 auth with attributes from database

I want to configure Apereo CAS 6.0.x to perform X.509 authentication and then retrieve principal attributes from a database table.
Rudimentary X.509 authentication is working with these lines in application.properties (and appropriate reverse proxy setup):
cas.authn.x509.extractCert=true
cas.authn.x509.sslHeaderName=SSL_CLIENT_CERT
cas.authn.x509.principalDescriptor=SUBJECT_DN
The default "Log In Successful" page shows that it knows how to get my certificate's subject DN.
But I can't figure out how to tell CAS to then use that subject DN value to query my database for additional attributes.
This page explicitly mentions my need (though with LDAP instead of JDBC), but does not say specifically how to achieve it:
In many cases it is necessary to perform authentication by one means and resolve principals by another. The PrincipalResolver component provides this functionality. A common use case for this this mix-and-match strategy arises with X.509 authentication. It is common to store certificates in an LDAP directory and query the directory to resolve the principal ID and attributes from directory attributes. The X509CertificateAuthenticationHandler may be be combined with an LDAP-based principal resolver to accommodate this case.
What properties need to be set so that the X509 authentication handler resolves the principal against the database?
The missing ingredient was this line in application.properties:
cas.authn.x509.principalType=SUBJECT_DN
Without it, CAS does not attempt to query any attributeRepository settings that you may have.

Activiti engine intergation with custom user & group data table

My company has their own database and it contains user and group tables.I am creating a workflow manager using Activiti API also i am using Activiti-REST. I need to fetch user data and group data from my company database instead of using ACT_ID _USER and ACT_ID_GROUP. I searched through internet and post in their forum but i didnt get any sensible answers.
In the forum they suggest to use LDAP but i dont have touch LDAP.
I went through activiti source.can i just modify its iBATIS mapping files related to ACT_ID _USER.Will it work. Or their any better approach. Also activiti-rest api must work according to our own tables.
Please can some one show some good references regarding to this.
you have to implement the interface org.activiti.engine.impl.interceptor.SessionFactory and return the type of org.activiti.engine.impl.interceptor.Session appropiate (org.activiti.engine.impl.persistence.entity.UserIdentityManager.class or org.activiti.engine.impl.persistence.entity.GroupIdentityManager.class), then you have to create your own User/Group Manager (usually extending the org.activiti.engine.impl.persistence.entity.UserEntityManager or org.activiti.engine.impl.persistence.entity.GroupEntityManager).
Finally you have to register your Custom Session Factories on your processEngineConfiguration, for more info (a little outdated because in 5.13 the session types changed) is available on this blog post

Configuring Fed-lab.org as Identity Provider

MY AIM : I am creating a Service provider at my local server using opensaml-java latest library from shibboleth.I want a Test IdP.I chose https://fed-lab.org/ . There is no clear procedure for this configuration also
1.I have created Metadata programmatically using opensaml.
I need to check whether my metadata is correct according to its standard schema.How can i check this?
2.I have registered my SP at https://fed-lab.org/ site after logging in.
3.I have downloaded the Identity Provider from https://fed-lab.org/online/identity-provider-metadata/
It has two IDPSSODescriptors.
In that SIngleSignOnServices are
1.https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php and
2.https://fed-lab.org/simplesaml-test/module.php/fedlab/SingleSignOnService.php
I am using HTTP-Redirect binding
I have created the AuthnRequest message first . then did , deflate , base64encoding , URL encoding as per specification of SAML
https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php?SAMLRequest=processedAuthnRequest
I am trying to access this URL , But I am getting nothing Response from the site.
WHere am I wrong ? please Let me help to figure it out.
Can u provide Test IdPs where there is a clear way(documentation) to do the configuration.
There is a very simple Idp at http://stubidp.kentor.se that doesn't require any kind of registration. Just enter your acs url and a subject nameid to send an unsolited Saml2Response.
It won't let you test everything (yet), but it can get you started on receiving a basic message and handling that.

How can I use the Box Java SDK to create a shared link without specifying the share type?

In Box API v1, it was possible to request creation of a shared link for a file or folder, without caring about what kind of sharing was required. In fact, it was not possible to ask for a particular type of share - you just used the public_share method and passed in the target type (file/folder) and target ID, and optionally a share password. In an Enterprise Account, for instance, this might result in the maximum access level being "company" or "collaborators", if public links are disallowed.
With Box API v2, according to the docs here, you need to specify an access parameter that has to be "open", "company", or "collaborators".
The problem is, using the wrong type may cause the share to fail. For instance, in a folder/account that only allows collaborators, I get a 400 error if I ask for a "open" share.
What I really want is to get exactly the same result as if the user clicked the "Share" link in the Box web site. Which is, it should enable sharing for the file but default the level appropriately.
Is there a way to do this with v2, without the admin having to tell us their "preferred" access level for shared links we create? I'm using the Java SDK, like this:
BoxItemRequestObject req = BoxItemRequestObject.createSharedLinkRequestObject(BoxSharedLinkRequestObject.createSharedLinkRequestObject("open"));
BoxItem item = itemsManager.createSharedLink(<ID>, req, BoxResourceType.FILE);
Thanks,
Ben Gilbert
Smartsheet.com
Just set the access to the empty set {}
So your request would look like this:
{"shared_link": {}}
I figured out how to make this work. I need to set access to null when creating the BoxSharedLinkRequestObject, like this:**
BoxItemRequestObject req = BoxItemRequestObject.createSharedLinkRequestObject(BoxSharedLinkRequestObject.createSharedLinkRequestObject(null));
This doesn't produce quite the same JSON as was recommended (shared_link: {}), but it does produce JSON that is apparently equivalent: shared_link: { access: null }. I couldn't figure out any way to produce an empty shared_link object using the SDK -- I either had to have a null shared_link (which didn't work at all) or some value for the access field.