How to change the memberof overlay's objectClass to groupOfUniqueNames - configuration

I am running OpenLDAP 2.4.31. Based on Reverse Group Membership Maintenance:
The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates.
I would like to change these defaults, so the overlay is based on the objectClass groupOfUniqueNames and the attribute uniqueMember. I did not find any mention on how to do this in the documentation, and also I did not find any default setting for this in cn=config; what are the settings that I have to add here to make the desired changes?
I have already added the memberof and referential integrity configuration to cn=config based on this article.

Use the following to change the memberof behaviour. I'm showing the solution here for a traditional slapd.conf configuration.
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
As for the referential integrity, you can use the memberof overlay's own setting to do this, which is much easier:
memberof-refint true
For cn=config, you probably therefore want the following:
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: UniqueMember

The example provided on www.schenkels.nl (your link) almost gets you there. You can append the following to the block dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config:
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
Above shows the defaults that you already mentioned. It should be possible to change those to the attributes you want to use. Check out the member-of man page for a description of the configuration options.

How to set rule in qradar if something does not occur in event payload for some time?

I would like to set a rule that fires if QRadar does not find the string in the event payload for one week. How can I do it?
I am looking at the list of conditions, but I did not find any suitable condition. I have this:
when the event(s) have not been detected by one or more of these log source types for this many seconds
However, I think it is not very suitable for me, because I need to work with the payload. Could someone help me solve this problem?

One approach to resolve this problem is to use reference sets. A concept for this is explained here. You need two rules and a reference set:
Reference Set
Create a reference set and configure the time to live to the duration when the absence should be detected.
Rule 1 (Tracker Rule)
Set up a rule that triggers on the pattern whose absence you want to detect. In your case a string in the payload. Select "Add to a Reference Set" as rule response. Use the reference set from above.
Rule 2 (Watcher Rule)
Create a second rule which triggers on Event Name (or QID) "Reference Data Expiry". Maybe you need a custom event property for the name of the reference set and/or the expired element too. With this CEP you can test for the expiry of the item added from rule 1.
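
The tracker/watcher pattern from the answer above, replayed over constructed events as an added Python example (not part of the original answer and not QRadar code). It assumes the log source name is the element added to the reference set and that re-adding an element restarts its time to live; ReferenceSet, detect_absence and SAMPLE are hypothetical names.

```python
from dataclasses import dataclass, field

WEEK = 7 * 24 * 3600  # reference set time to live, in seconds


@dataclass
class ReferenceSet:
    """Toy model of a reference set whose elements expire after `ttl` seconds."""
    ttl: int
    last_seen: dict = field(default_factory=dict)

    def add(self, element, now):
        # Assumption: re-adding an element restarts its time to live.
        self.last_seen[element] = now

    def expire(self, now):
        """Drop expired elements and return them (one expiry event each)."""
        gone = sorted(e for e, t in self.last_seen.items() if now - t >= self.ttl)
        for element in gone:
            del self.last_seen[element]
        return gone


def detect_absence(events, needle, ttl, end_time, tick=3600):
    """Replay (timestamp, log_source, payload) events; return watcher alerts."""
    refset, alerts, pending = ReferenceSet(ttl), [], sorted(events)
    for now in range(0, end_time + 1, tick):
        # Rule 1 (tracker): payload contains the string -> add to the set.
        while pending and pending[0][0] <= now:
            ts, source, payload = pending.pop(0)
            if needle in payload:
                refset.add(source, ts)
        # Rule 2 (watcher): fires on each expiry event for a tracked element.
        alerts += [(now, element) for element in refset.expire(now)]
    return alerts


# Constructed sample events: (seconds since start, log source, payload).
SAMPLE = [
    (0, "backup01", "job=nightly status=backup completed"),
    (86400, "backup02", "job=nightly status=failed"),
    (3 * 86400, "backup01", "job=nightly status=backup completed"),
    (4 * 86400, "backup01", "job=nightly status=failed"),
]
```

With the sample data the watcher fires for backup01 seven days after its last matching event, and never for backup02, whose payload never matched: an element that was never added cannot expire.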

Filter users in OpenLDAP ACL by attribute value

I want to give access to users who have an attribute with a certain value.
Let's say I have an "ou=protected,dc=example,dc=com" directory and I want it to be writable by any user with the canAccessProtected attribute set to TRUE.
Something like
access to dn.subtree="ou=protected,dc=example,dc=com"
    by users/canAccessProtected="TRUE" write
I've checked the documentation and was unable to find a way, although I haven't grasped sets and a few other things.
Is it possible to manage user access by attribute value? If yes, then how?

Create a dynamic group like:
dn:cn=protectedGroup,ou=groups,dc=example,dc=com
objectClass:top
objectClass:groupOfURLs
cn:protectedGroup
memberURL: ldap:///ou=users,dc=example,dc=com??sub?(canAccessProtected=TRUE)
Enable dynlist in your slapd.conf like:
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
Grant write access to the members of that group:
access to dn.subtree="ou=protected,dc=example,dc=com"
    by set="[cn=protectedGroup,ou=groups,dc=example,dc=com]/member & user" write
Add necessary ACL rules as you see fit.

SQLAlchemy override reflected columns dynamically

I'm using SA in a script I'll be using to periodically 'copy' a subset of MySQL tables from a 'production' replica to dev/test systems. I had written code to simply reflect the source tables and meta.create_all(destination_engine). Due to the nature of FKs, I now know I need to apply use_alter=True to the ForeignKeys on the tables as I create them so that I won't get CircularDependencyErrors or other problems. I need to assume I don't know how many FKs there are or their names until I go through the metadata.
I'm new to SA and typically a Java programmer (as you will tell :D). I tried to change the use_alter attr. iteratively at first:
tablesd = smeta.tables.items()
for tname, t in tablesd:
    for c in t.columns:
        for fk in c.foreign_keys:
            # set the flag on every reflected ForeignKey object
            fk.use_alter = True
smeta.create_all(to_engine)
EDIT: It's important to note that create_all() does NOT throw a CircularDependencyError after I set the use_alter property like I do above. If I remove that code, create_all() does not work. It just doesn't seem to be removing the FKs from the create...
This obviously didn't work. I then read Overriding Reflected Columns in the SA docs, sample being:
mytable = Table('mytable', meta,
    Column('id', Integer, primary_key=True),  # override reflected 'id' to have primary key
    Column('mydata', Unicode(50)),  # override reflected 'mydata' to be Unicode
    autoload=True)
I'd guess reflecting each table individually then adding use_alter=True in the FK definition would work, but I CANNOT assume the names and values or # of FK's/columns. I read a lot about using DeclarativeBase to do something like this, but I'm not really sure how that would work...
How can I take my arbitrary list of tables, reflect them, then Override the use_alter option on their respective foreign keys? Am I thinking about this the wrong way?

The answer ended up being inside the problem (Imagine that...). Although each ForeignKey object has a use_alter value that can be set, Constraints also have a separate property that can be set (I was not able to find this in the API Documentation). After running it through PyDev's Debugger, I noticed the former were being set, but all the keys that had Constraints associated with them were still False. I set them to true thusly:
for fk in table.foreign_keys:
    fk.use_alter = True
    fk.constraint.use_alter = True
This seemed to produce the SQL I was looking for and tables were created correctly with no CircularDependencyErrors and metadata.sorted_tables seemed to work fine with no errors. I was actually able to refactor my code and do things the RIGHT way!
For anyone looking to do DB-->DB reflecting with complex FKs using SQLAlchemy, this answer and Tyler Lesmann's article are for you.
UPDATE: Using this method has passed a peer review and is now being used as production code. Seems to work well!

Storing extendable options list in MySQL table? Best practice?

Let's suppose that we have a multi-site CMS and every website in this CMS has 2 options: preview_width and preview_height. We know that every option should have a default value if it isn't defined by the user. Also, we know that the list of options will be extended in the near future. What is the best practice to store such options in a MySQL table?
I know three practices and all of them have shortcomings (or maybe I don't know how to use these practices correctly)...
Practice #1: Each option is represented as a column in the options table.
Disadvantage: We should modify the options table each time we're adding a new option.
Practice #2: All options are stored as a serialized object/array in the options column of the sites table.
Disadvantages: To add a new option with a default value, we need to loop through all rows and modify the serialized options; or we can add this option when it is requested and found not present.
Practice #3: All options are stored in an options table with the structure: id, site_id, option_name, option_value.
Disadvantages: When adding a new option we should update this table with default-valued options for each website.
What is your choice?
What practice to choose when new options are added very often?
Any other practices?
Thank you.

I would use Practice #3. In order to store the default value you can try writing a method to get options:
get_value(option) {
    value = read_from_db(option);
    if value == not_present_in_db {
        value = default_value(option);
    }
    return value;
}
You also need to write a default_value(option) method, which should look for some defaults in a configuration file or whatever.

What's the best way for storing record's ID on web page while editing in ASP.NET MVC?

While a record is being edited, how should the ID be stored? I could have a textbox with enabled set to false, but I don't like this approach.
In ASP.NET I used to have a property which saved the value in ViewState (actually a hidden field + encrypted value).
The only solution I found is to use a hidden field. Is it safe enough?
Are there any other options?

If you wish it to work in stateless mode, you need to add the id to the URL.
http://mywebsite/users/123/edit
Otherwise use the Session collection.
There is also the TempData collection to store data between two requests only. It may or may not be of use to you though.
P.S. Hidden field is also an option.

Is the ID auto-generated by SQL Server?
If yes, hiding this is an approach you can consider. Either you can hide it or remove it entirely.
We removed all the ID textboxes on our ASP.NET MVC Projects.
Cheers

It is safe enough if you check permissions.
If a user is allowed to edit something with ID 1 and 2, nothing happens if he decides to change the ID. If he changes ID 1 to ID 2, it is the same as if he edits the dataset with ID 2 in the user interface. If he tries to change the ID to 3, you have to block it ("You are not allowed to edit this dataset ...").
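
The permission check described in the last answer, as an added framework-neutral Python sketch (not code from any of the answers, and not ASP.NET MVC API): save_unchecked trusts the posted id, save_checked re-authorizes it on every request, and sign_id/verify_id show a MAC-protected hidden field in the spirit of the ViewState value mentioned in the question. All names and the sample data are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: record id -> row, and user -> ids they may edit.
RECORDS = {1: {"title": "a"}, 2: {"title": "b"}, 3: {"title": "c"}}
EDIT_RIGHTS = {"alice": {1, 2}, "bob": {3}}
SECRET = b"constructed-demo-key"  # placeholder; load from server-side config


def save_unchecked(user, posted_id, title):
    """Trusts the id posted back by the client: any id can be overwritten."""
    RECORDS[int(posted_id)]["title"] = title


def save_checked(user, posted_id, title):
    """Re-checks permission for the posted id on every request."""
    record_id = int(posted_id)
    if record_id not in EDIT_RIGHTS.get(user, set()):
        raise PermissionError("You are not allowed to edit this dataset")
    RECORDS[record_id]["title"] = title
    return record_id


def sign_id(user, record_id):
    """Hidden-field value bound to the user, so tampering is detectable."""
    mac = hmac.new(SECRET, f"{user}:{record_id}".encode(), hashlib.sha256)
    return f"{record_id}.{mac.hexdigest()}"


def verify_id(user, field_value):
    """Return the record id if the MAC matches, else raise ValueError."""
    record_id, _, mac = field_value.partition(".")
    expected = sign_id(user, record_id).partition(".")[2]
    if not hmac.compare_digest(mac, expected):
        raise ValueError("hidden field was modified")
    return int(record_id)
```

The MAC only detects a modified field; the permission check in save_checked is still what decides whether the edit is allowed.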