SLES 12: Setting default group for new users via /etc/login.defs option USERGROUPS_ENAB not working?

I'm setting up a new SLES 12 server and want to set the default group for new users so that it is not named users but rather <username> (e.g. user foo would be assigned to the group foo).
I found that the option USERGROUPS_ENAB in /etc/login.defs is supposed to do this job, but after I changed it to USERGROUPS_ENAB yes and tried to create a new user via YaST, such a new user would, according to YaST, still be assigned to users.
How can I accomplish the desired behavior via YaST? Or am I missing something?

After changing USERGROUPS_ENAB to yes in the /etc/login.defs file you've changed the behavior, as you want, for the useradd command defaults. So, for example, you could run this command as root and it will do what you are expecting:
linux-54pe:~ # grep "USERGROUPS_ENAB" /etc/login.defs
USERGROUPS_ENAB yes
linux-54pe:~ # useradd bob
linux-54pe:~ # cat /etc/passwd | grep bob
bob:x:1003:1003::/home/bob:/bin/bash
linux-54pe:~ # cat /etc/group | grep bob
bob:!:1003:
The problem is that you are using YaST2. YaST2 is using its own default group assignment and so it doesn't respect the default changes made to useradd. In the /var/log/YaST2/y2log you can see that when I attempted to create the user frank:
2017-04-25 10:44:02 <1> linux-54pe(2871) [Perl] modules/Users.pm(Users::CommitUser):3517 commiting user 'frank', action is 'add_user', modified: 1, ldap modified: 0
2017-04-25 10:44:02 <1> linux-54pe(2871) [Perl] modules/Users.pm(Users::CommitGroup):3787 commiting group 'users', action is 'user_change_default'
Also, in the YaST2 module when you are creating the user in the Details tab you can see at the bottom that it's assigning it to its own default group parameter of users.
screenshot showing parameter
If you have a support entitlement with SUSE you can contact them to see if they are willing to submit this as a bug. At the very least they should be able to put this in as an enhancement request.
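An added audit check, not from the answer or from SUSE, that applies the criterion the answer demonstrates: a user's primary GID should resolve to a group carrying the user's own name. It works on /etc/passwd and /etc/group text, so the constructed sample below (bob created by useradd, frank by YaST2) stands in for the live files.

```python
import os

# Constructed sample modelled on the answer: "bob" was created by useradd with
# USERGROUPS_ENAB yes, "frank" by YaST2 and so landed in the shared "users" (GID 100).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
frank:x:1004:100::/home/frank:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:
bob:!:1003:
"""


def parse_passwd(text, min_uid=1000, max_uid=60000):
    """Return {username: (uid, primary_gid)} for regular accounts in the UID range
    (excludes system accounts below 1000 and nobody-style accounts at 65534)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        uid, gid = int(fields[2]), int(fields[3])
        if min_uid <= uid < max_uid:
            users[fields[0]] = (uid, gid)
    return users


def parse_group(text):
    """Return {gid: groupname} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            groups[int(fields[2])] = fields[0]
    return groups


def users_without_private_group(passwd_text, group_text):
    """Users whose primary group is not a private group carrying their own name,
    the state YaST2 leaves new users in regardless of USERGROUPS_ENAB."""
    groups = parse_group(group_text)
    return sorted(name for name, (_uid, gid) in parse_passwd(passwd_text).items()
                  if groups.get(gid) != name)


if __name__ == "__main__":
    # Audit the live files when they exist, otherwise the constructed sample.
    live = os.path.exists("/etc/passwd") and os.path.exists("/etc/group")
    passwd = open("/etc/passwd").read() if live else SAMPLE_PASSWD
    group = open("/etc/group").read() if live else SAMPLE_GROUP
    for user in users_without_private_group(passwd, group):
        print(f"{user}: primary group is shared, not a private group")
```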

Related

I need to find out disabled users from ldap

I am trying to find out whether a user is disabled in LDAP using the ldapsearch utility but I have been unsuccessful so far. This is what I have got so far:
ldapsearch -h hostname -D 'Service Account' -b 'basedn' sAMAccountName='disabled user' -w 'password'
# extended LDIF
#
# LDAPv3
# base <basedn> with scope subtree
# filter: sAMAccountName=disabled user
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
I have even tried with -LLL nsaccountlock; it gives me nothing. It's the same with a random string for the user as well.
I need to find out whether the user that I am specifying is an active or disabled user or not a user at all. Am I doing something wrong? Is there another utility I can use to determine if the user is disabled?
You can use this filter:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
To find all users with the User-Account-Control value of 0x00000002.
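An added example, not part of the answer, that builds the filter above (optionally narrowed to one sAMAccountName, with RFC 4515 escaping) and evaluates the same bit-AND test locally against constructed entries, giving the three outcomes the question asked for: active, disabled, or not a user at all.

```python
# userAccountControl flag bits as documented by Microsoft for Active Directory.
ACCOUNTDISABLE = 0x00000002
NORMAL_ACCOUNT = 0x00000200
DONT_EXPIRE_PASSWORD = 0x00010000
# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match the answer's filter uses.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def escape_filter_value(value):
    """Escape a value for an LDAP filter assertion (RFC 4515) so a supplied name
    such as 'a*' cannot widen the search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def disabled_users_filter(sam_account_name=None):
    """Build the answer's filter, optionally narrowed to a single sAMAccountName."""
    parts = ["(objectCategory=person)", "(objectClass=user)",
             f"(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})"]
    if sam_account_name is not None:
        parts.append(f"(sAMAccountName={escape_filter_value(sam_account_name)})")
    return "(&" + "".join(parts) + ")"


def is_disabled(entry):
    """Local equivalent of the bit-AND match: true when ACCOUNTDISABLE is set."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def account_state(entries, sam_account_name):
    """'disabled', 'active' or 'not found', the three answers the question wanted."""
    for entry in entries:
        if entry.get("sAMAccountName") == sam_account_name:
            return "disabled" if is_disabled(entry) else "active"
    return "not found"


# Constructed directory entries (not real accounts). 514 = NORMAL_ACCOUNT |
# ACCOUNTDISABLE; 66050 additionally has DONT_EXPIRE_PASSWORD set.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "userAccountControl": 514},
    {"sAMAccountName": "asmith", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc-backup", "userAccountControl": 66050},
]
```

In the question's own output, numResponses: 1 with no entry printed means the search matched nothing, which is why a random user name produced the same result.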

Knife search environments and roles with a field using a wildcard

I'm changing an attribute from:
default['splunk']['auth'] = "admin:changeme"
to:
default['splunk']['auth']['username'] = "admin"
default['splunk']['auth']['password'] = "changeme"
and I want to be sure that I don't miss / forget something...
It's easy enough to be sure I didn't miss anything in cookbooks:
nickh@BONHENRY:~/Repositories/chef$ ack-grep "\[.splunk.?\]\[.auth.?\]"
cookbooks/splunk_cookbook/attributes/default.rb
36:default['splunk']['auth']['username'] = "admin"
37:default['splunk']['auth']['password'] = "changeme"
cookbooks/splunk_cookbook/attributes/README.md
72:* `node['splunk']['auth']['username']` - The default admin username to use instead of splunks "admin"
73:* `node['splunk']['auth']['password']` - The default admin password to use instead of splunks "changeme"
cookbooks/splunk_cookbook/recipes/server.rb
219: command "#{splunk_cmd} edit user admin -password #{node['splunk']['auth']['password']} -roles admin -auth admin:changeme && echo true > /opt/splunk_setup_passwd"
228: command "#{splunk_cmd} enable listen #{node['splunk']['receiver_port']} -auth #{node['splunk']['auth']['username']}:#{node['splunk']['auth']['password']}"
326: command "#{splunk_cmd} edit licenser-localslave -master_uri 'https://#{node['splunk']['dedicated_search_master']}:8089' -auth #{node['splunk']['auth']['username']}:#{node['splunk']['auth']['passwor
391: command "/opt/splunk/bin/splunk login -auth #{node['splunk']['auth']['username']}:#{node['splunk']['auth']['password']}"
cookbooks/splunk_cookbook/recipes/forwarder.rb
78:execute "#{splunk_cmd} edit user admin -password #{node['splunk']['auth']['password']} -roles admin -auth admin:changeme && echo true > /opt/splunk_setup_passwd" do
However, I'm not sure of a good way to grep/search JSON roles/environments for the same...
This works:
nickh@BONHENRY:~/Repositories/chef$ knife search environment "override_attributes_splunk_auth:*" -i
1 items found
prod-acme
However, do you have any idea why this works:
nickh@BONHENRY:~/Repositories/chef$ knife search environment "*:*" -i
108 items found
but this doesn't? :
nickh@BONHENRY:~/Repositories/chef$ knife search environment "*splunk_auth:*" -i
ERROR: knife search failed: invalid index name or query
Is there an easy / better way to do it that I'm not thinking of / unaware of? Can I change something w/ my Solr query that would make it work?
Thanks in advance :-)
Because *:* is a special case in the search system that bypasses Solr entirely. Chef's search index uses a transformed version of the query such that I don't think it would be safe to use a glob in the facet name like that. I would recommend running knife download environments/ (and similar for roles) and then doing your grep on the local JSON files.
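An added example (not from the answer) of the local check the answer recommends after knife download: it classifies each downloaded role/environment JSON by whether node['splunk']['auth'] still has the old "user:password" string form or the new username/password hash. The file layout (environments/*.json, roles/*.json) is what knife download writes; the documents below are constructed.

```python
import json

# Sections of Chef role and environment JSON that carry node attributes.
ATTRIBUTE_SECTIONS = ("default_attributes", "override_attributes")


def splunk_auth_shape(doc):
    """Classify node['splunk']['auth'] in one role/environment document: 'old' for
    the "user:password" string, 'new' for the username/password hash, 'mixed' when
    both forms occur across sections, None when the attribute is not set at all."""
    shapes = set()
    for section in ATTRIBUTE_SECTIONS:
        auth = doc.get(section, {}).get("splunk", {}).get("auth")
        if isinstance(auth, str):
            shapes.add("old")
        elif isinstance(auth, dict) and {"username", "password"} & set(auth):
            shapes.add("new")
    if len(shapes) == 2:
        return "mixed"
    return shapes.pop() if shapes else None


def needs_migration(docs):
    """Paths of documents still carrying the old string form ('old' or 'mixed')."""
    return sorted(path for path, doc in docs.items()
                  if splunk_auth_shape(doc) in ("old", "mixed"))


# Constructed documents in the form knife download environments/ (and roles/) writes.
SAMPLE_DOCS = {
    "environments/prod-acme.json": json.loads(
        '{"name": "prod-acme", "chef_type": "environment",'
        ' "override_attributes": {"splunk": {"auth": "admin:changeme"}}}'),
    "environments/staging.json": json.loads(
        '{"name": "staging", "chef_type": "environment", "override_attributes":'
        ' {"splunk": {"auth": {"username": "admin", "password": "changeme"}}}}'),
    "roles/splunk_server.json": json.loads(
        '{"name": "splunk_server", "chef_type": "role",'
        ' "default_attributes": {"splunk": {"receiver_port": 9997}}}'),
}

if __name__ == "__main__":
    import glob
    paths = glob.glob("environments/*.json") + glob.glob("roles/*.json")
    docs = {p: json.load(open(p)) for p in paths} or SAMPLE_DOCS
    print("\n".join(needs_migration(docs)) or "nothing left to migrate")
```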

GeoNetwork database with LDAP connection error

I'm trying to connect my LDAP with the GeoNetwork database, but every time I log in it doesn't show the administrator button. Then I check the database and it is empty. I am using geOrchestra 13.09 in a localhost environment; the geoserver and mapfishapp are running well and they log in without a problem.
My config-security.properties is
Core security properties
logout.success.url=/index.html
passwordSalt=secret-hash-salt=
# LDAP Connection Settings
ldap.base.provider.url=ldap://localhost:389
ldap.base.dn=dc=geobolivia,dc=gob,dc=bo
ldap.security.principal=cn=admin,dc=geobolivia,dc=gob,dc=bo
ldap.security.credentials=geobolivia
ldap.base.search.base=ou=users
ldap.base.dn.pattern=uid={0},${ldap.base.search.base}
#ldap.base.dn.pattern=mail={0},${ldap.base.search.base}
# Define if groups and profile information are imported from LDAP. If not, local database is used.
# When a new user connect first, the default profile is assigned. A user administrator can update
# privilege information.
ldap.privilege.import=true
ldap.privilege.export=true
ldap.privilege.create.nonexisting.groups=false
# Define the way to extract profiles and privileges from the LDAP
# 1. Define one attribute for the profile and one for groups in config-security-overrides.properties
# 2. Define one attribute for the privilege and define a custom pattern (use LDAPUserDetailsContextMapperWithPa$
ldap.privilege.pattern=
#ldap.privilege.pattern=CAT_(.*)_(.*)
ldap.privilege.pattern.idx.group=1
ldap.privilege.pattern.idx.profil=2
# 3. Define custom location for extracting group and role (no support for group/role combination) (use LDAPUser$
#ldap.privilege.search.group.attribute=cn
#ldap.privilege.search.group.object=ou=groups
#ldap.privilege.search.group.query=(&(objectClass=posixGroup)(memberUid={0})(cn=EL_*))
#ldap.privilege.search.group.pattern=EL_(.*)
#ldap.privilege.search.privilege.attribute=cn
#ldap.privilege.search.privilege.object=ou=groups
#ldap.privilege.search.privilege.query=(&(objectClass=posixGroup)(memberUid={0})(cn=SV_*))
#ldap.privilege.search.privilege.pattern=SV_(.*)
ldap.privilege.search.group.attribute=cn
ldap.privilege.search.group.object=ou=groups
ldap.privilege.search.group.query=(&(objectClass=posixGroup)(memberUid={1})(cn=EL_*))
ldap.privilege.search.group.pattern=EL_(.*)
ldap.privilege.search.privilege.attribute=cn
ldap.privilege.search.privilege.object=ou=groups
ldap.privilege.search.privilege.query=(&(objectClass=posixGroup)(memberUid={1})(cn=SV_ADMIN))
ldap.privilege.search.privilege.pattern=SV_(.*)
# Run LDAP sync every day at 23:30
#ldap.sync.cron=0 30 23 * * ?
ldap.sync.cron=0 * * * * ?
#ldap.sync.cron=0 0/1 * 1/1 * ? *
ldap.sync.startDelay=60000
ldap.sync.user.search.base=${ldap.base.search.base}
ldap.sync.user.search.filter=(&(objectClass=*)(mail=*#*)(givenName=*))
ldap.sync.user.search.attribute=uid
ldap.sync.group.search.base=ou=groups
ldap.sync.group.search.filter=(&(objectClass=posixGroup)(cn=EL_*))
ldap.sync.group.search.attribute=cn
ldap.sync.group.search.pattern=EL_(.*)
# CAS properties
cas.baseURL=https://localhost:8443/cas
cas.ticket.validator.url=${cas.baseURL}
cas.login.url=${cas.baseURL}/login
cas.logout.url=${cas.baseURL}/logout?url=${geonetwork.https.url}/
<import resource="config-security-cas.xml"/>
<import resource="config-security-cas-ldap.xml"/>
# either the hardcoded url to the server
# or if has the form it will be replaced with
# the server details from the server configuration
geonetwork.https.url=https://localhost/geonetwork-private/
#geonetwork.https.url=https://geobolivia.gob.bo:443
#geonetwork.https.url=https://localhost:443
The geonetwork.log shows these results:
2014-03-11 13:41:00,004 DEBUG [geonetwork.ldap] - LDAPSynchronizerJob starting ...
2014-03-11 13:41:00,006 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - Got Ldap context on server 'ldap://localhost:389/dc=geobolivia,dc=gob,dc=bo'
2014-03-11 13:41:00,008 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Returning cached instance of singleton bean 'resourceManager'
2014-03-11 13:41:00,026 DEBUG [geonetwork.ldap] - LDAPSynchronizerJob done.
2014-03-11 13:41:26,429 INFO [geonetwork.lucene] - Done running PurgeExpiredSearchersTask. 0 versions still cached.
2014-03-11 13:41:56,430 INFO [geonetwork.lucene] - Done running PurgeExpiredSearchersTask. 0 versions still cached.
and the error that appears in the geonetwork.log is:
2014-03-11 13:44:06,426 INFO [jeeves.service] - Dispatching : xml.search.keywords
2014-03-11 13:44:06,427 ERROR [jeeves.service] - Exception when executing service
2014-03-11 13:44:06,427 ERROR [jeeves.service] - (C) Exc : java.lang.IllegalArgumentException: The thesaurus external.theme.inspire-service-taxonomy does not exist, there for the query cannot be excuted: 'Query [query=SELECT DISTINCT id,uppc,lowc,broader,spa_prefLabel,spa_note FROM {id} rdf:type {skos:Concept},[{id} gml:BoundedBy {} gml:upperCorner {uppc}],[{id} gml:BoundedBy {} gml:lowerCorner {lowc}],[{id} skos:broader {broader}],[{id} skos:prefLabel {spa_prefLabel} WHERE lang(spa_prefLabel) LIKE "es" IGNORE CASE],[{id} skos:scopeNote {spa_note} WHERE lang(spa_note) LIKE "es" IGNORE CASE] WHERE (spa_prefLabel LIKE "***" IGNORE CASE OR id LIKE "*") LIMIT 35 USING NAMESPACE skos=<http://www.w3.org/2004/02/skos/core#>,gml=<http://www.opengis.net/gml#>, interpreter=KeywordResultInterpreter]'
The version of GeoNetwork currently used in geOrchestra does not show the "administration" button on its first page. You have to fire a search, then in "other actions" menu on the top right, you should be able to get to the administration interface. We know that it is not very intuitive, but it should change in the next months (we recently planned an upgrade of GeoNetwork before the end of the year).
Did you solve it? I think in your config-security.properties, at this place, ldap.base.dn.pattern=uid={0},${ldap.base.search.base}
you need to replace {0} with the username typed in the sign-in screen of GeoNetwork.

Extending AD Schema - Unable to update due to constraint

I'm adding some attributes from live to staging for testing purposes; I'm using ldifde:
D:\Shared>ldifde -i -v -f attr3.ldf -j .
Connecting to "myDomain.com"
Logging in as current user using SSPI
Importing directory from file "attr3.ldf"
Loading entries
1: CN=myAttribute,CN=Schema,CN=Configuration,DC=myDomain,DC=com
Entry modified successfully.
1 entry modified successfully.
The command has completed successfully
D:\Shared>
But when I try to update it using vbs, I got:
C:\Users\update.vbs(8, 1) Active Directory: The requested operation did not
satisfy one or more constraints associated with the class of the object.
Please notice that other attributes, the original ones, are able to be updated, this issue is only for the ones I'm importing.
So I wonder if I'm missing some step, like linking or detaching the new attribute after it is imported.
This is attr3.ldf
#attr3.ldf
#adding my new attribute
dn: CN=myAttribute,CN=Schema,CN=Configuration,DC=myDomain,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: my-Attribute
distinguishedName: CN=my-Attribute,CN=Schema,CN=Configuration,DC=myDomain,DC=com
instanceType: 4
whenCreated: 20100401175340.0Z
whenChanged: 20100401175341.0Z
uSNCreated: 24154
attributeID: 2.16.840.1.113805.111
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 0
rangeUpper: 1
uSNChanged: 24163
showInAdvancedViewOnly: TRUE
adminDisplayName: my-Attribute
adminDescription: my-Attribute
oMSyntax: 64
searchFlags: 0
lDAPDisplayName: myAttribute
name: my-Attribute
schemaIDGUID:: tonVW6suWUu1Gev/D1pI9Q==
isMemberOfPartialAttributeSet: TRUE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=myDomain,DC=com
#The following attributes were removed because I was getting:
#Add error on entry starting on line 1: Unwilling To Perform
#The server side error is: 0x20e7 The modification was not permitted for security
#reasons.
#The extended server error is:
#000020E7: SvcErr: DSID-03152D2C, problem 5003 (WILL_NOT_PERFORM), data 0
#objectGUID:: eTKYtnXbCE2fPMgc8UIe0w==
#attributeSecurityGUID:: VAGN5Pi80RGHAgDAT7lgUA==
And this is the vbs code,
'update.vbs
' Bind to the user object and try to write the newly imported attribute
Set objUser = GetObject("LDAP://CN=John Lennon,CN=Users,DC=myDomain,DC=com")
objUser.myAttribute = "someValue" ' Also tried with integers but no luck
objUser.SetInfo
Thanks,
m0dest0.
Thank you JPBlanc, you are right; I was missing adding the attribute to the class and then refreshing the schema:
Register the dll, regsvr32 schmmgmt.dll
Open Run and type mmc.exe
Add Active directory schema snap-in
Right click on the class, properties and hit the Add button and so on.
Finally, refresh the schema:
C:\Users>admod -sc refreshschema
AdMod V01.17.00cpp Joe Richards (joe@joeware.net) March 2011
Modifying ROOTDSE...
DN Count: 1
Using server: myServer.myDomain.com:389
Directory: Windows Server 2008 R2
Modifying specified objects...
DN: ROOTDSE...
The command completed successfully
Regards,
Adding an attribute to the schema is not enough; you must also add the attribute to the user class (in the schema) if you want to use it in a user object. You must modify your LDIF file:
# Define your attribute
# Reload the schema
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# modify user class
Have a look at your schema using the Microsoft MMC (after registering schmmgmt.dll).
If you still have trouble, I can help again tomorrow morning.
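An added example, not from either answer, that fills in the shape of the steps the posted LDIF only names in comments. It assumes the standard AD way of exposing a new attribute on a class, adding the attribute's lDAPDisplayName to the class's mayContain, and assumes CN=User as the class; the class DN is derived from the attribute's own schema DN. The LDIF parser is included so the generated steps can be checked, and the sample LDIF is a constructed cut-down of attr3.ldf.

```python
import base64

# Constructed LDIF in the shape of attr3.ldf above, cut down to what this
# example reads (dn and lDAPDisplayName) plus one base64 value.
SAMPLE_ATTR_LDIF = """\
#attr3.ldf
dn: CN=myAttribute,CN=Schema,CN=Configuration,DC=myDomain,DC=com
changetype: add
lDAPDisplayName: myAttribute
schemaIDGUID:: tonVW6suWUu1Gev/D1pI9Q==
"""

SCHEMA_UPDATE_NOW = "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts. Handles comments,
    '::' base64 values, folded continuation lines and the '-' change separator."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():                    # blank line ends an entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
            continue
        if line.startswith(" ") and last:       # folded continuation (text values)
            entry[last][-1] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:                             # the lone '-' between changes
            continue
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(key, []).append(value)
        last = key
    return entries


def extension_ldif(attr_ldif, class_cn="User"):
    """Emit the steps the posted LDIF leaves blank, in the answer's order: reload the
    schema, add the attribute's lDAPDisplayName to the class's mayContain, reload again."""
    attr = parse_ldif(attr_ldif)[0]
    schema_nc = attr["dn"][0].split(",", 1)[1]   # CN=Schema,CN=Configuration,...
    add_to_class = (f"dn: CN={class_cn},{schema_nc}\nchangetype: modify\n"
                    f"add: mayContain\nmayContain: {attr['lDAPDisplayName'][0]}\n-\n")
    return "\n".join([SCHEMA_UPDATE_NOW, add_to_class, SCHEMA_UPDATE_NOW])
```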

How to Save My User Account and Password in Google App Engine Launcher?

I'm using the Google App Engine Launcher to deploy my app to the GAE servers. Is there a way to save my user account and password so I don't have to type it in every time I redeploy?
I'm still in the learning stages of using GAE so typing my 16 odd character password gets tiresome when I redeploy 15+ times per evening.
You can make a .bat file that has the following text:
echo <password> | c:\python25\python.exe "C:\Program Files\Google\google_appengine\appcfg.py" --email=username --passin update <directory of app on your pc>
(According to GAE docs you cannot specify the password as a command line option)
Use oauth to save an OAuth2 token so you don't need to keep re-typing your password.
The accepted solution didn't work for me. Using pipes did:
echo <password> | c:\python25\python.exe "C:\Program Files\Google\google_appengine\appcfg.py" --email=username --passin update <directory of app on your pc>
appcfg already does this for you. Per the docs:
appcfg.py gets the application ID from the app.yaml file, and prompts you for the email address and password of your Google account. After successfully signing in with your account, appcfg.py stores a "cookie" so that it does not need to prompt for a password on subsequent attempts.
If this isn't occurring for you, you might want to try deleting any .appcfg* config files.
Other tips & tricks, using the command line as below:
To get appcfg.py to accept --password on the command line instead of being prompted for it:
Change: appengine/google_appengine/google/appengine/tools/appcfg.py
add the following in the parser.add_option section:
parser.add_option("-p", "--password", action="store", dest="password",
                  metavar="PASSWORD", default=None,
                  help="The password")
Then modify the GetUserCredentials function:
def GetUserCredentials():
    """Prompts the user for a username and password."""
    # Nested inside an AppCfgApp method, so self comes from the enclosing scope.
    email = self.options.email
    if email is None:
        email = self.raw_input_fn("Email: ")
    password = self.options.password
    if password is None:
        password = self.raw_input_fn("Password: ")
    # password_prompt = "Password for %s: " % email
    # if self.options.passin:
    #     password = self.raw_input_fn(password_prompt)
    # else:
    #     password = self.password_input_fn(password_prompt)
    return (email, password)
That's it, now you can call:
appcfg.py update demos/guestbook --email=email@gmail.com --password=xxxx
Ref: http://samalolo.blogspot.com/2009/04/appcfgpy-tweak-to-allow-passing.html
I just wanted to say thank you to Friar Broccoli, it's exactly what I was looking for. To clarify for other beginners like myself, my final batch file ended up looking like the following,
c:\python27\pythonw.exe "C:\Program Files (x86)\Google\google_appengine\appcfg.py" --oauth2 update "C:\Users\[username]\[directory]\app.yaml"
Worked perfectly, wish this solution was higher up.
For Windows 7, .appcfg_cookies is under C:\Users\username\.appcfg_cookies.
You could write a command line script that executes appcfg.py to do this.
You can specify the email to use with the --email= command line parameter.
You can pass in the password from stdin by using the --passin parameter.
It's amazingly simple. Just put this in a batch file:
appcfg.py --oauth2 update "X:\local\path\to\your\app.yaml\file"
The first time you run it Google will authenticate; after that it's all automatic.
