Let say the Active Directory have Group A, B and C.
How to specified like only Group A sync to Sitecore?
Thanks for any help! :)
If you just want to get the members in a specific group, you can do this using a customFilter.
If for membership, you can add the following under your membership element in the web.config:
<add name="ad"
type="LightLDAP.SitecoreADMembershipProvider"
connectionStringName="ManagersConnString"
applicationName="sitecore"
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
connectionUsername="user"
connectionPassword="12345"
attributeMapUsername="sAMAccountName"
enableSearchMethods="true"
customFilter="(memberOf=cn=test role 1,OU=CRM,DC=VM)"
/>
Just ensure that you have a connection string configured for your AD, which would be something like: <add name="ManagersConnString" connectionString="LDAP://testsrv/OU=Managers,DC=testdomain,DC=sitecore,DC=net" />
And ensure that your custom filter gets to the specific group you're trying to allow access for. I used LDAP Browser to navigate to my groups using a simple GUI and then copied the path.
See more in the documentation about customFilters in section 4.1.
Try to specify your group in the connection string:
<connectionStrings>
<add name="ManagersConnString"
connectionString="LDAP://testsrv/OU=Managers,DC=testdomain,DC=sitecore,DC=net" />
</connectionStrings>
This example is copied from the Documentation (see chapter 2.1.3). In this example, Managers is just a sample organization unit. But this is a normal LDAP connection string, so you can insert and filter there whatever you want.
Related
I am trying to use InTune to manage devices joined to Azure AD, there is no on-premise Active Directory so no access to group policy. I need to be able to completely lock down Windows 10 PC's so that the user cannot access things such as command prompt (CMD) or Regedit or anything like this that would allow them to cause any problems on the PC.
I can see in InTune where I can restrict access to the "Settings" section etc but there doesn't seem to be anything for restricting the applications mentioned above.
Imagine the PC's being in a school for example where they need to be completely restricted so that no troublesome users can mess about with them.
Does anyone know if this is possible using InTune and if so how, otherwise what are the alternatives, is there a better MDM to be using?
Applocker is the only way I have found to do this.
Create Custom OMA-URI
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/000000001/EXE/Policy
Value String
Use XML file to detail what you want to restrict.
See https://www.petervanderwoude.nl/post/managing-applocker-on-windows-10-via-oma-dm/ for fill details. Can do the same for CMD and regedit.
IE this example blocks Powershell and python
<RuleCollection Type="Exe" EnforcementMode="Enabled">
<FilePathRule Id="e16ce5e4-67f2-4ebf-ad01-c81fc8f28cd5" Name="All Files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="9eb15b2e-f9c2-42d4-8692-ad1a0f6a0722" Name="All files" Description="Allows user to run files execpt powershell" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
<Exceptions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL.EXE">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL_ISE.EXE">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Exceptions>
</FilePathRule> <!-- This is a test to block python from running --> <FilePublisherRule Id="3d6ce594-1cc7-4870-b839-48c43a8954c0" Name="Signed by O=PYTHON SOFTWARE FOUNDATION, L=WOLFEBORO, S=NEW HAMPSHIRE, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=PYTHON SOFTWARE FOUNDATION, L=WOLFEBORO, S=NEW HAMPSHIRE, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule> </RuleCollection>
In DNN 8, I have 3 (three) different portals, all with the same IA (pages & content). Example: portal1.site.com, portal2.site.com, portal3.site.com.
Using SiteUrl.config, I want to re-write the URL so that a vanity URL that doesn't exist redirects to the correct page. After further investigation, I realized that siteurl.config uses URLs in relative basis. It's not able to comprehend what portal you're coming from.
<RewriterRule>
<LookFor>[^?]*/plan/speakers/.*-(.*)</LookFor>
<SendTo>~/Default.aspx?TabId=180&SpeakerId=$1</SendTo>
</RewriterRule>
<RewriterRule>
<LookFor>[^?]*/plan/speakers/.*-(.*)</LookFor>
<SendTo>~/Default.aspx?TabId=144&SpeakerId=$1</SendTo>
</RewriterRule>
<RewriterRule>
<LookFor>[^?]*/plan/speakers/.*-(.*)</LookFor>
<SendTo>~/Default.aspx?TabId=264&SpeakerId=$1</SendTo>
</RewriterRule>
If a user wants to go to portal1.site.com/plan/speakers/mike, portal2.site.com/plan/speakers/mike, or portal3.site.com/plan/speakers/mike, they all redirect to tabid 180 (which works only for the second portal).
I was able to implement a workaround.
1. you want to mask a new url using IIS rewrite in the web.config.
<rule name="Redirect to plan" enabled="true" stopProcessing="true">
<match url="^plan/speakers/([_0-9a-z-]+)-([0-9]+)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="true">
<add input="{HTTP_HOST}" pattern="^(.*).domain.*" />
</conditions>
<action type="Rewrite" url="/{C:1}/{R:0}" />
</rule>
This will re-write your url to something like this: portal1/plans, portal2/plans, etc.
Then, you want to edit your siteurl.config to account for these re-writes.
<RewriterRule>
<LookFor>[^?]*/portal1/plan/speakers/.*-(.*)</LookFor>
<SendTo>~/Default.aspx?TabId=180&SpeakerId=$1</SendTo>
</RewriterRule>
<RewriterRule>
<LookFor>[^?]*/portal2/plan/speakers/.*-(.*)</LookFor>
<SendTo>~/Default.aspx?TabId=144&SpeakerId=$1</SendTo>
</RewriterRule>
<RewriterRule>
<LookFor>[^?]*/portal3/plan/speakers/.*-(.*)</LookFor>
<SendTo>~/Default.aspx?TabId=264&SpeakerId=$1</SendTo>
</RewriterRule>
P.S. Make sure too add these urls to the list of to-ignore in your advanced url settings.
I would have done this by adding Records to the TabURLS table for each page. If you modify a Page, using the page settings, you can modify the URL of the page. Try that. Look at the records in the table for that page.
select * from taburls where tabid = ##
Then change the URL back to the original URL
select * from taburls where tabid = ##
See if it adds a new record there. If so, then just copy the format of that "row" in the table for any additional records you need to create.
You might also check out this codeplex project
I am trying to use the ADMembershipProvider to connect to a local ADAM server and I am getting the error in the title. If I remove the enable password reset and the properties it relies on I am able to connect.
I have tried to google it and nothing has come up. Below is my provider config. Any advice would be highly appreciated.
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADService"
connectionUsername="[username]"
connectionPassword="[password]"
connectionProtection="Secure"
enableSearchMethods="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
applicationName="/"
description="Default AD connection"
requiresUniqueEmail="true"
clientSearchTimeout="30"
serverSearchTimeout="30"
attributeMapPasswordQuestion="department"
attributeMapPasswordAnswer="division"
attributeMapFailedPasswordAnswerCount="badPwdCount"
attributeMapFailedPasswordAnswerTime="badPasswordTime"
attributeMapFailedPasswordAnswerLockoutTime="lockoutTime"
attributeMapEmail = "mail"
attributeMapUsername = "userPrincipalName"
maxInvalidPasswordAttempts = "5"
passwordAttemptWindow = "10"
passwordAnswerAttemptLockoutDuration = "30"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"/>
</providers>
FYI... The closest thing to a similar result was someone who got this error on a similar attribute and he just restarted the machine. That didn't work for me. I did find this article as well http://blogs.msdn.com/b/dansellers/archive/2005/10/20/483272.aspx but I am struggling to get the LDAP admin to make this change. Especially since we already have those properties.
I finally had the LDAP admin perform the steps in the following link an we are up and running.
http://blogs.msdn.com/b/dansellers/archive/2005/10/20/483272.aspx
I am trying to authenticate users to an Active Directory Instance using spring security, I am getting an Partial Results Exception. I am going around in circles trying to figure this out. Below is my config.
security-app-context
<authentication-manager erase-credentials="true">
<authentication-provider>
<user-service>
<user name="admin#damien.com" authorities="ROLE_ADMINISTRATOR" password="123admin123" />
</user-service>
</authentication-provider>
<authentication-provider ref="ldapActiveDirectoryAuthProvider"/>
</authentication-manager>
<bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<constructor-arg value="myDomain.com" />
<constructor-arg value="ldap://ldapurl:389/" />
<property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>
Error I am getting
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0 org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:239)
I am struggling to find examples and the documentation indicates I am working in the right direction.
This is from the logs
SpringSecurityLdapTemplate.java 213 - Searching for entry under DN '', base = 'dc=myDomain,dc=com', filter = '(&(objectClass=user)(userPrincipalName={0}))'
and this is what I would expect that to look like on a successful attempt from some scripts that work
Searching for entry under DN 'OU=Users and Groups,DC=one,DC=two,DC=myDomain,DC=com', base = 'OU=Users and Groups,DC=one,DC=two,DC=myDomain,DC=com', filter = '(&(objectClass=user)(userPrincipalName={0}))'
Do I need to get the DN populated? How? I have looked through the ActiveDirectoryLdapAuthenticationProvider properties and don't see a way? Also the base is off but myDomain.com is the correct domain for users e.g john.doe#myDomain.com. Has anyone come across a similar problem?
To solve this I used the default LDAP provider which enables user search base to be specified, specifying the user search base and user search filter.
<ldap-authentication-provider
user-search-base="OU=Users and Groups,DC=abc,DC=myDomain,DC=com"
user-search-filter="userPrincipalName={0}" />
A user would then be logging in with john.doe#myDomain.com but the usersearch base is more specific(abc.myDomain.com). I believe AD Spring was falling down due to this.
Running into an issue where our datasources for two different DBMS (MS-SQLServer and Informix) are not picking up the security-domain configuration in the login-config.xml file.
Our datasources look like this:
<datasources>
<local-tx-datasource>
<jndi-name>ourTX</jndi-name>
<connection-url>jdbc:informix-sqli://our.server.com:1526/wlms:informixserver=ol_db</connection-url>
<driver-class>com.informix.jdbc.IfxDriver</driver-class>
<security-domain>ourDS</security-domain>
<!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
<metadata>
<type-mapping>InformixDB</type-mapping>
</metadata>
<min-pool-size>5</min-pool-size>
<max-pool-size>50</max-pool-size>
<prefill>yes</prefill>
<prepared-statement-cache-size>10</prepared-statement-cache-size>
<idle-timeout-minutes>5</idle-timeout-minutes>
<new-connection-sql>set lock mode to wait 4;set isolation to cursor stability;</new-connection-sql>
<check-valid-connection-sql>SELECT count(*) FROM dummy;</check-valid-connection-sql>
</local-tx-datasource>
</datasources>
And our login-config.xml has the following entry:
<application-policy name="ourDS">
<authentication>
<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
<module-option name="userName">user</module-option>
<module-option name="password">-4e5f8b6c4217c342c03b57ed16d31678</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=ourTX</module-option>
</login-module>
</authentication>
</application-policy>
However, once the JBoss server is deployed, we get an error like this for Informix:
13:23:13,521 WARN [JBossManagedConnectionPool] Throwable while attempting to get a new connection: null
org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (java.sql.SQLException: Incorrect password or user com.informix.asf.IfxASFRemoteException: user#my.computer.com is not known on the database server.)
And for MS-SQLServer we get a similar error to Informix which looks like:
13:25:23,053 WARN [JBossManagedConnectionPool] Throwable while attempting to get a new connection: null
org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user ''. The user is not associated with a trusted SQL Server connection.)
Now if, we comment out the security-domain element in the *-ds.xml file and replace it with a simple user name and a clear text password, both datasource work with both database engines. We're using the 'all' server configuration in JBoss. We've made sure that login-config.xml is getting loaded on start-up. And the hqsqldb-ds.xml using the security-domain element works. But using our added application-policy to the login-config.xml, it seems that the datasource does not get the values when establishing a new connection.
Any ideas what we're doing wrong? Have we missed something?
We were testing the validity of the datasource through the admin-console. Because of where we were testing the database, this is bug in the JBoss EAP 5.0.0.GA version. While not confirmed, may also be a but bug in the admin-console for 5.0.1.GA and maybe 5.0.2.GA.
Everything above was actually working.