How do you make use of AclExtension and mercurial-server/hg-ssh?

mercurial-server manages its user database under the keys folder. Users and groups are represented by files and folders.
AclExtension relies on Linux user groups through ssh.
They don't seem to match, or did I miss something?
I have managed to make mercurial-server work, but I just don't see how to integrate AclExtension with it so I can have finer-grained access control.

Unfortunately, the AclExtension does key its access off of usernames. If you are creating separate UNIX user accounts for each user with hg-ssh, you've got everything you need, but if all of your ssh users are using the same Unix user account then the AclExtension isn't going to work for you.
Unless...
I did just look into the acl.py file and it looks like it uses the getpass.py module's getuser, which checks the environment for the user name using this code:
    for name in ('LOGNAME', 'USER', 'LNAME', 'USERNAME'):
        user = os.environ.get(name)
        if user:
            return user
so it might be possible to fake that out by setting an environment variable in the hg-ssh user's authorized_keys file like this:
    command="hg-ssh path/to/repo" environment="LOGNAME=fakeusername" ssh-dss ...
where then you could put fakeusername in ACL rules, and could have a different fakeusername for each key, all running under the same UNIX account.
BTW: Everyone seems to just use hg-ssh alone; I never see the (non-official) mercurial-server app used anymore.

The environment trick doesn't seem to work on my Solaris box; my solution was to pass in the fakeusername as a parameter to hg-ssh and have that set os.environ['LOGNAME'] so that getpass sees it.
    command="hg-ssh fakeusername" ssh-dss ...
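As an added illustration (not code from either answer), a small forced-command wrapper in the spirit of the Solaris workaround above: it takes the identity as its first argument, validates it, binds every variable getpass consults, and then hands over to the real hg-ssh. The wrapper name, its argument convention and the hg-ssh location are assumptions.

```python
#!/usr/bin/env python3
"""Forced-command wrapper: bind one SSH key to one Mercurial acl identity.

Added example, not part of the original thread. Assumed authorized_keys line:
    command="/usr/local/bin/hg-ident alice /srv/hg/repo" ssh-rsa AAAA...
"""
import getpass
import os
import re
import sys

# Names the acl extension may see. A tight alphabet keeps a key owner from
# choosing identities such as "*" or "alice, bob" that could confuse ACL matching.
_IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,31}$")

# getpass.getuser() consults these in order and returns the first non-empty one.
_GETPASS_VARS = ("LOGNAME", "USER", "LNAME", "USERNAME")


def bind_identity(name, environ=None):
    """Make getpass.getuser() (and therefore the acl extension) report `name`.

    All four variables are overwritten, not only LOGNAME, so that a stale USER
    value inherited from sshd cannot win if LOGNAME is ever unset downstream.
    """
    if not _IDENT_RE.match(name):
        raise ValueError("refusing identity %r" % (name,))
    env = os.environ if environ is None else environ
    for var in _GETPASS_VARS:
        env[var] = name
    return name


def identity_seen_by_acl():
    """What the acl extension's getuser() call would return in this process."""
    return getpass.getuser()


def main(argv):
    if len(argv) < 3:
        sys.exit("usage: hg-ident <identity> <repo-path>...")
    bind_identity(argv[1])
    # Hand the remaining arguments to the real hg-ssh shipped with Mercurial;
    # it still enforces SSH_ORIGINAL_COMMAND and the permitted repository list.
    os.execvp("hg-ssh", ["hg-ssh"] + argv[2:])


if __name__ == "__main__":
    main(sys.argv)
```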

authz_dbd, multi user authentication and individual folders through .htaccess

Intro
Our apache2 setup serves files from a wide variety of folders using webdav, and uses authz_dbd to communicate with a mysql database (this part works without problems).
Summary:
Apache2, mod_authz_dbd, mod_authn_dbd, mysql, enabling webdav, multi user environment (iot nodes).
However, some of these folders are user specific.
    folder1 admins
    +--subfolder1.1 admins+some other folk+user1
    +--subfolder1.2 admins+again other folk+user1
    folder2
    +--subfolder 2.1 same as 1.1 but with user2
    +--subfolder 2.2 as 1.2.. but..user2
We use dbd-groups with wildcards, similar to this:
    location /var/www/html/*/subfolder1.1
    require dbd-group read
and normally wrote all of it in the vhosts file (require user ...).
The problem
This becomes too large; we need another fix.
The combination of .htaccess files with dbd's mysql authorization does not work (dbd groups are not allowed in .htaccess).
Our Debian (jessie) server does not allow other mysql apache2 mods (like mod_auth_mysql).
How can I combine mysql authorization with the folder specific users?
OK, I believe I've cracked it:
Technique
Apache natively supports named groups and backreferences.
The capture group can be employed to identify the folder (and with this the user).
How does this work:
Every subdirectory of the hosted directory (/var/www/web) beginning with M and containing at least three decimal digits (M\d{3,}) <- the capture group.
This is stored in a variable (sitedir).
e.g.
    /var/www/web/M1234/etc.                          sitedir=M1234
    /var/www/web/M1234567/test/ANY other directory   sitedir=M1234567
In my case I match the user with the directory name: require user %{env:MATCH_SITEDIR}
Be careful to put the queries outside the Require directives (as shown below).
Using cascaded RequireAny/RequireAll, other requirements can be made (requirements on dbd groups, IP restrictions etc.).
Drawbacks
The capture group might allow for multiple folders with an M-code.
This can be mitigated by adapting the capture group.
The captured folder name cannot be used inside the query (it does not allow this).
This would have been even nicer, but it does not work... (the variable is considered plain text).
Working example
    <DirectoryMatch /var/www/web/(?<sitedir>(M\d{3,}))>
        AuthDBDUserPWQuery "SELECT password FROM mysql_auth WHERE username = %s"
        AuthzDBDQuery "SELECT groups FROM mysql_auth WHERE username = %s"
        <RequireAny>
            Require user %{env:MATCH_SITEDIR}
            <RequireAll>
                Require valid-user
                Require ip 10.0.0.0/16
                <RequireAny>
                    Require dbd-group internal
                    Require dbd-group write
                </RequireAny>
            </RequireAll>
        </RequireAny>
    </DirectoryMatch>
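To make the "multiple folders with an M-code" drawback concrete, here is an added Python model (not the poster's configuration) of the capture group and the Require tree above. It shows which paths populate MATCH_SITEDIR under the posted pattern versus an anchored variant, and how the RequireAny/RequireAll cascade decides; treating requests outside the DirectoryMatch as denied is an assumption of the model only.

```python
"""Model of the DirectoryMatch + Require tree from the answer above.
Added example, not the poster's code; authorize() approximates Apache's evaluation."""
import ipaddress
import re

# Apache (PCRE) writes (?<name>...); Python's re spells the same group (?P<name>...).
LOOSE = re.compile(r"/var/www/web/(?P<sitedir>M\d{3,})")            # as posted
STRICT = re.compile(r"^/var/www/web/(?P<sitedir>M\d{3,})(?:/|$)")   # anchored variant

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")   # Require ip 10.0.0.0/16


def site_for_path(path, pattern=LOOSE):
    """Return what Apache would expose as %{env:MATCH_SITEDIR}, or None."""
    m = pattern.search(path)
    return m.group("sitedir") if m else None


def authorize(path, user, groups, client_ip, pattern=LOOSE):
    """Evaluate the posted RequireAny/RequireAll tree for one request.

    user is the authenticated name (None if AuthDBDUserPWQuery matched nobody);
    groups is what AuthzDBDQuery returned for that user. Requests outside the
    DirectoryMatch are denied here; that is a simplification for the model.
    """
    sitedir = site_for_path(path, pattern)
    if sitedir is None or user is None:
        return False                      # nothing grants access without a valid user
    if user == sitedir:                   # Require user %{env:MATCH_SITEDIR}
        return True
    # RequireAll: valid-user AND internal address AND one of the two dbd-groups
    on_internal_net = ipaddress.ip_address(client_ip) in INTERNAL_NET
    return on_internal_net and bool({"internal", "write"} & set(groups))
```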

How to restrict some users from searching part of the information in OpenLDAP?

I am new to OpenLDAP. I would like to know the method to restrict some user from searching part of the LDAP database.
For example, I have the LDAP root DN <dc=abc,dc=com>
There are other groups like below:
    ou=department1,dc=abc,dc=com
    ou=department2,dc=abc,dc=com
    ou=people,dc=abc,dc=com
    cn=userA,ou=people,dc=abc,dc=com
    cn=userB,ou=people,dc=abc,dc=com
I would like to allow userA to only be able to search data from DN:
    ou=department1,dc=abc,dc=com
But restrict it from searching from DN: ou=department2,dc=abc,dc=com
How could I implement that?
You can explicitly set permissions and blocks in the slapd.conf file; the base install has a few samples.
You have to configure ACLs in the slapd.conf file. Here are two example ACLs that you could use for your case. But remember to add whatever other permissions other users need for "ou=department1,dc=abc,dc=com" and "ou=department2,dc=abc,dc=com".
    access to dn="ou=department1,dc=abc,dc=com"
        by dn="cn=userA,ou=people,dc=abc,dc=com" read
        by * none
    access to dn="ou=department2,dc=abc,dc=com"
        by dn="cn=userA,ou=people,dc=abc,dc=com" none
        by * none
For more information, read the documentation about OpenLDAP access control: http://www.openldap.org/doc/admin24/access-control.html

Weird roster group in ejabberd "_root"

I am trying to debug a weird issue with one user's roster in ejabberd.
He has a roster group "_root" showing up in his client (PSI).
The server is using mod_ldap for user authentication.
Things tried so far:
    deleting the group from the client -> the group appears again after a while
    unregistering the user with /ejabberdctl unregister user domain.com -> the group appears again after a while
Only one user is affected by this on the server, which makes me think it has to be something specific to this one user's settings (or client). But we have a bunch of people also using PSI with no problems.
Is there a way to look at the roster groups defined for a specific user in the database directly?
Thanks,
kaza
That "_root" value must come from the roster module data. You did not say which roster module you use, but I guess the server is configured to use mod_roster_ldap and possibly mod_shared_roster_ldap. Check the configuration of the module and explore the content of the LDAP directory to see if you see that value. I would think that value comes from there.

MS Access automation

I need to run a MS Access job as an automated task. I know Access isn't really built for this type of task, but I have MOST of it working except for one, critical part. In short, this is what it's supposed to do:
Generate a PDF report for a user
Generate an email for the user
Attach the PDF to the email
Send the email via SMTP
It works if a user is logged into a desktop session. The process needs to run as an automated process, without requiring a user to be logged in. Using PowerShell and the built-in Task Scheduler (Windows 7 Ultimate, 64-bit), I'm able to get it running on schedule. But the Access code fails when it tries to save the PDF. Through experimentation, I learned that I need to save to the "My Documents" folder, and I have the process running as "me", but I keep getting the same error message:
    8/18/2014 4:00:17 PM Report Error in <method name>
    2302
    -1
    0
    <project name> can't save the output data to the file you've selected.
    MTS
So I suspect that if I select the correct location to save the PDF, it will work. Is there a special location that the system and/or Task Scheduler (TS) can save to? Is there a special way to share a folder that it will allow TS to write to it (without requiring a user to be logged in)?
I personally usually save all these types of files/reports into the %TEMP% folder, which seems appropriate for this application since it is only to store it until it is emailed.
I haven't had any permission issues saving into this folder yet.
If you're unfamiliar with %TEMP%, you can search for environment variables; there are usually different useful file paths to common folders used by the system, e.g. %APPDATA%, %USERPROFILE%, etc.
Thanks for all the input. After exhaustive testing, based on the response from ashareef above, I've demonstrated that it can't be done. I tried saving to the following environment variable locations:
    TEMP
    APPDATA
    LOCALAPPDATA
    PUBLIC
    USERPROFILE
I also tried:
    C:\Users
    C:\Temp
    C:\Users\<my user name>\Documents
And none of those worked if I set the task to run whether I was logged in or not.
One location does work, but only if I'm logged in and I set the task to run only when I'm logged in:
    C:\Users\<my user name>\Documents
To sum up:
Saving a file from Access
Running as a Scheduled Task
Whether you're logged in or not
Is not possible! So here at work, we're going with Plan B. Thanks for your help!

SonataAdminBundle and ACL Class-scope Permissions

Sorry for my English...
In my project I use ACL with SonataAdminBundle, but I cannot understand why they did it this way: you need to create a record in the database even when I want to use only Class-scope without Object-scope.
Also, when you create, for example, comments, SonataAdminBundle automatically creates an entry in acl_object_identities, which clutters up the database.
I created a role that has the right to full access to all records in a table, regardless of who created the records, but SonataAdminBundle only displays them and prohibits editing.
The documentation for SonataAdminBundle reads:
    because the object ACL permission is checked, the ACL for the object must have been created, otherwise the AclVoter will deny EDIT access for a non super admin user trying to edit another non super admin user. This is automatically done when the object is created using the Admin. If objects are also created outside the Admin, have a look at the createSecurityObject method in the AclSecurityHandler.
But why? How to avoid this?
I do not want to write hooks.
Thank you in advance for any comments and help on this.
You can generate the object ACLs with:
    php app/console sonata:admin:generate-object-acl