TeamCity LDAP Synchronization not working for VCS properties - active-directory

I have configured TeamCity (8.1.4) for LDAP logins and it works as advertised including synchronization of displayname and email. But I have a problem with synchronization of VCS properties.
New users are being created (when they first log in) without their display name or email address being populated. This is remedied when the sync happens, so I know the sync works for those properties.
I need the "Default for all of VCS roots" property filled out properly as well though. This is required so that people can be matched to their check-ins (it's not happening at the moment) so they can be emailed when they break the tests.
The "Default for all of VCS roots" property is simply being populated as username, but I need it to be DOMAIN\username.
My settings:
java.naming.provider.url=ldap://my.domaincontroller.com:389/DC=mydomain,DC=local
java.naming.security.principal=monkey
java.naming.security.credentials=bubbles
teamcity.users.base=OU=group2,OU=Users
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName
teamcity.auth.loginFilter=.*
teamcity.options.users.synchronize=true
teamcity.users.filter=(objectClass=user)
teamcity.options.groups.synchronize=false
teamcity.options.createUsers=false
teamcity.options.deleteUsers=false
teamcity.options.syncTimeout = 3600000
teamcity.groups.property.member=member
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail
teamcity.users.property.plugin\:vcs\:anyVcs:anyVcsRoot=mydomain\\$sAMAccountName$

You can play around with the settings for LDAP to achieve this but we ran into some issues when we set this up on our projects. We had more than one type of VCS repo and when we started to move to Git, our repository just did not store usernames in DOMAIN//username syntax.
A better way would be to update the user tables in the TeamCity database to set the default userid for all TFS-based roots to DOMAIN/username. This is the syntax:
insert into user_property
values(<user_id>,'plugin:vcs:jetbrains.tfs:anyVcsRoot','DOMAIN//username')

Related

What is the WORKSHEETS_APP_USER in Snowflake

While looking at our snowflake.account_usage.login_history in order to identify users with outdated client drivers (using reported_client_type + reported_client_version), I came across this user_name that I did not recognize: WORKSHEETS_APP_USER.
It's not one of our users, so I'm wondering where it's coming from.
The client driver it's using is OTHER 1.1.5.
It's using OAUTH_ACCESS_TOKEN to authenticate (which is not an authentication method we use for Snowflake).
And it's using a ton of different IPs in the 10.4.* range.
It has a lot more logins during the week than during the weekend -- so probably a human(s).
I'm thinking it's probably related to the worksheets UI (either in Snowsight or in the old console).
If so, would there be any way to know who was the original user(s) behind this activity?
The first time Snowsight is accessed in an account, Snowflake creates an internal WORKSHEETS_APP_USER user to support the web interface. This user is used to cache query results in an internal stage in your account. For more information, see Getting Started With Snowsight.
https://docs.snowflake.com/en/sql-reference/account-usage/users.html#usage-notes

Login fails for local copy of DNN site

I've been tasked with maintaining a DNN site that has been running for a while, so I copied it to my local development environment to get up to speed on the setup. I have the site up and running locally, and I can browse all (I think) of the pages. It seems to display correctly and yesterday, the DNN login worked correctly. However, today, when I try to login to manage changes, I enter my username and password on the login page, but it does not actually log in. On screen, all that seems to happen is that the password field clears. No error message displays. In my Firebug console, the only error message that appears is "Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen." Again, yesterday, I was able to log in and get to all of the DNN management features -- I changed skins, modified CSS, changed code, etc. I've tried multiple logins (host, superuser, and regular user) -- all have the same result.
I don't see anything in the database EventLog, except for a startup record.
I saw a couple of other SO posts tangentially related to failed DNN logins on development environment, and checked that Form Authentication is Enabled in IIS and the security for the site folders are set correctly and the folder is not read-only.
I generally use Firefox for development, but I also tried IE. I'm certain I'm missing something obvious, but it has me stumped. Ideas? I'm new to DNN, so I'm not up to speed yet on the best practices for debugging. Any other suggestions would be welcome.
Some details: Live site is SQL Server 2008; Dev is SQL Server 2012. Both sites use IIS 7. Dev is DNN 7.2.2. Locally, I'm using VS 2010 for development.
Couple of things to check.
1) Check to make sure your database connection strings (2 of them) in the web.config are both pointing to your local database.
2) Check to make sure the MachineKey values in the web.config still match the values in the production web.config
3) You might turn off SSL on the site, though you'll have to do that in the database as you can't get logged in. I believe you can likely just set Secure to 0 on all of the Tabs table records, but you might need to track down a HOST setting as well to make this work (hostsettings table)
An update. I was able to get this to work by using a different user account. I'm still not sure what the root of the problem was, but I believe it was related to specific settings on my particular user account. I used a generic 'admin' account, and was able to make it work.
I'm experiencing the same issue, I think it's something to do with the .dotnetnuke cookie

How can I automate applying permissions for a JCR node?

For the CQ5 environment I work on we have a farm of publisher servers. Some of the content on these servers is restricted so only users who belong to certain groups can see the content. I'd like to script the setting of permissions for the folders (nodes) that are to be secured so I don't have to manually repeat the steps of applying security using the Access Control Editor of Content Explorer (This Adobe documentation has instructions for doing it manually via Access Control Editor). The scenario is that sometimes new folders are to be created to hold secure pages, and we want to apply permissions to the folders prior to activating any content into those folders.
Since the environment has several publishers, it is repetitive, manual, and error-prone work to open Content Explorer and set the permissions on each one. I'd like to be able to automate this so I could roll out permissions to all the servers via a script--perhaps via a curl command or some other mechanism (perhaps a package?) that can be automated.
I found the Sling jackrabbit-accessmanager bundle that seems like it will facilitate automation of this, but it seems like it opens a security hole. If I put this bundle on my publishers, it seems like I would be providing an REST interface to let anyone modify the permissions and grant access to folders/nodes that should be secured or to add security restrictions on nodes that should have none.
How can I automate the creation/modification of node permissions via a script--and do so in a way that only allows an administrator to apply the permissions changes?
This tool lets you manage permissions in a centralised way, they can also be installed automatically at deploy time:
https://github.com/Netcentric/accesscontroltool
Regarding permissions applied to new folders, the solution is setting permissions properly on their parent folder. CQ/AEM will automatically apply the same permissions to all children unless another rule breaks the inheritance.
I found one alternative I hadn't considered before: using the Day CQ ACL Setup Service. It is mentioned at http://dev.day.com/docs/en/cq/5-5/developing/security_model_changes.html.
AclSetupService allows one to add permission to a single path or a given user/group. This will be applied on each restart of CQ to guarantee a certain permission state within CQ. For example, "allow;inherit;everyone;/" prevents everyone from accessing CQ (i.e. it forces all users to login first). As noted in the description of AclSetupService, you will need the following pattern per entry:
( "allow" | "deny" ) ";" ( privileges | "inherit" ) ";" principal ";" path
Choose either "allow" or "deny" for the first part.
Next enter one of the privileges below or set it to inherit permission from ancestor.
Then enter a single user/group.
Finally enter a single path to apply the permission to.
Using this will replace permission set within the repository when you restart CQ. These could be scripted by using the process outlined here and here.
Privileges can be:
jcr:read
rep:write
jcr:all
crx:replicate
imp:setComplete
jcr:addChildNodes
jcr:lifecycleManagement
jcr:lockManagement
jcr:modifyAccessControl
jcr:modifyProperties
jcr:namespaceManagement
jcr:nodeTypeDefinitionManagement
jcr:nodeTypeManagement
jcr:readAccessControl
jcr:removeChildNodes
jcr:removeNode
jcr:retentionManagement
jcr:versionManagement
jcr:workspaceManagement
jcr:write
rep:privilegeManagement
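The entry pattern from the AclSetupService answer above, checked before rollout to a publisher farm. This is an added example, not part of the original answers and not Adobe's code; the comma-separated privilege list, the SENSITIVE set, the group name "secure-readers" and the sample entries other than "allow;inherit;everyone;/" are assumptions made for illustration.

```python
# Privilege names copied from the list in the answer above.
PRIVILEGES = frozenset("""jcr:read rep:write jcr:all crx:replicate imp:setComplete
jcr:addChildNodes jcr:lifecycleManagement jcr:lockManagement jcr:modifyAccessControl
jcr:modifyProperties jcr:namespaceManagement jcr:nodeTypeDefinitionManagement
jcr:nodeTypeManagement jcr:readAccessControl jcr:removeChildNodes jcr:removeNode
jcr:retentionManagement jcr:versionManagement jcr:workspaceManagement jcr:write
rep:privilegeManagement""".split())
# Privileges treated as write/ACL-changing for review purposes (an assumption).
SENSITIVE = {"jcr:all", "jcr:write", "rep:write", "jcr:modifyAccessControl",
             "rep:privilegeManagement"}

def parse_entry(entry):
    """Parse one 'action;privileges;principal;path' entry; ValueError if malformed."""
    parts = [p.strip() for p in entry.split(";")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {entry!r}")
    action, privs, principal, path = parts
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {entry!r}")
    # Assumption: several privileges may be given as a comma-separated list.
    names = [n.strip() for n in privs.split(",")]
    if names != ["inherit"]:
        unknown = [n for n in names if n not in PRIVILEGES]
        if unknown:
            raise ValueError(f"unknown privilege(s) {unknown}: {entry!r}")
    if not principal:
        raise ValueError(f"empty principal: {entry!r}")
    if not path.startswith("/") or ".." in path.split("/"):
        raise ValueError(f"path must be absolute without '..': {entry!r}")
    return {"action": action, "privileges": names,
            "principal": principal, "path": path}

def review(entries):
    """Return (parsed, findings); findings list malformed or risky entries."""
    parsed, findings = [], []
    for entry in entries:
        try:
            rule = parse_entry(entry)
        except ValueError as err:
            findings.append(f"INVALID: {err}")
            continue
        parsed.append(rule)
        if (rule["action"] == "allow" and rule["principal"] == "everyone"
                and SENSITIVE & set(rule["privileges"])):
            findings.append(f"RISKY: everyone gets write/ACL rights on {rule['path']}")
    return parsed, findings

# Constructed sample entries; only the first one appears in the answer above.
SAMPLE = ["allow;inherit;everyone;/", "allow;jcr:read;secure-readers;/content/secure",
          "allow;jcr:all;everyone;/content/secure", "grant;jcr:read;x;/content",
          "deny;jcr:reed;everyone;/content/secure"]
```

Running review(SAMPLE) in a deploy script and refusing to push when findings is non-empty keeps a typo or an over-broad grant from reaching every publisher.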
If you would like to use the Sling jackrabbit-accessmanager bundle on a publish instance it is possible. You would want to make sure your dispatcher which sits in front of the publish instance does not allow the permission requests (/.modifyAce., .deleteAce., etc) and the publish instances can only be accessed directly from inside your network. It's standard practice to deny all requests in the dispatcher and specify what is allowed.
Is there a reason you are not just replicating the permissions when the folder is activated? There should be a rep:policy node underneath the secure folder which gets replicated.

SSRS Revert to parent security

I have 50+ report parts which have specific AD Groups assigned to them as Browser.
This is so only certain people have access to the data.
To accomplish this, on the security settings I changed it by clicking 'Edit Item Security'
This resulted in SSRS not inheriting the security anymore (i.e. if I put an individual's AD name for the project folder they would be given access to everything)
So all my report parts have individual groups as it stands, the problem is I now need to give 1 individual access to everything.
With the current set up this would mean adding them 1 by 1 to all the report parts however there is a button called 'Revert to parent security'.
My question is, if I click this will it remove all the individual group security settings I have applied or will it allow me to add 1 person to all whilst leaving all the others the same?
According to Books Online ( http://msdn.microsoft.com/en-us/library/ms180265.aspx )
Revert to Parent Security will remove all the individual group security settings
Click to reset the security settings to that of the immediate parent
folder. If inheritance is unbroken throughout the report server folder
hierarchy, the security settings of the top-level folder, Home, are
used.
In your scenario, it seems that you have to add the user individually to every secured item. You could do it programmatically using Reporting Services scripting host (see http://msftrsprodsamples.codeplex.com/wikipage?title=SS2008%21Script%20Samples%20%28Reporting%20Services%29 for some sample scripts) or PowerShell (see Using Powershell to set user permissions in Reporting Services for a sample)

How to configure Django to reinitialize and populate the entire database on startup?

Let's assume that you are working on the first version of a new Django application and you keep adding and changing the models.
Being a data-driven application you are mostly working to customize django admin.
In this case syncdb is not too useful because it will fail to update models. South was interesting but it does not make too much sense when you are working at the first version.
Deleting the database and reinitializing it requires several commands and also manually entering the new admin account.
How do you propose to set your development environment so you can:
auto-restart django server when files changed
auto-reinitialize database when django is restarted
As a result, I expect to be able to add a new attribute to a model, switch to the browser and refresh the admin page and see the new attribute.
Providing initial data for models
It’s sometimes useful to pre-populate your database with hard-coded data when you’re first setting up an app. There’s a couple of ways you can have Django automatically create this data: you can provide initial data via fixtures, or you can provide initial data as SQL.
In general, using a fixture is a cleaner method since it’s database-agnostic, but initial SQL is also quite a bit more flexible.
http://docs.djangoproject.com/en/dev/howto/initial-data/
