Is there a way to get user security attributes (like password expiration warning time, maximum age for password and so on) via the AIX 5 API?
Look at the getuserpw() API for password information, and getuserattr() for the more generic user information.
Note that you will have to be a member of the appropriate group(s) in order to access the files in /etc/security.
I am trying to get some user attributes from Active Directory using the Windows LDAP API. I am using:
Active Directory Version: The one that comes with Windows Server 2012
LDAP version: 3
Wldap32.lib version: The one that comes with Windows 10 x64
E.g.:
PCHAR myAttributes[5];
myAttributes[0] = "DistinguishedName";
myAttributes[1] = "DisplayName";
myAttributes[2] = "PasswordExpired";
myAttributes[3] = "mail";
myAttributes[4] = NULL;           // ldap_search_s expects a NULL-terminated attribute list
ULONG rc = ldap_search_s(
    myLdapConnection,   // LDAP connection
    myDomain,           // DN to start search
    LDAP_SCOPE_SUBTREE, // Scope
    myFilter,           // Filter
    myAttributes,       // Retrieve list of attributes
    0,                  // Get both attributes and values
    &mySearchResult     // [out] Search results
);
if (rc != LDAP_SUCCESS) { /* handle the error, e.g. via ldap_err2string(rc) */ }
It returns the DistinguishedName, DisplayName and mail attributes, but does not return the PasswordExpired attribute.
I queried with some other attributes and it looks like it does not return attributes with boolean values as well as the EmailAddress attribute.
Why does it not return PasswordExpired attribute?
What about EmailAddress ?
Is there a difference between EmailAddress and mail ?
There is no PasswordExpired LDAP attribute in Active Directory. To build your query, look at this URL for the attribute names in the standard Active Directory schema: https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx. To check if the password for a given account is expired you'll need to check the userAccountControl attribute, which is actually a value storing flags for the different states of a user account: https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx. There is an IADsUser interface that will translate all this for you in case you don't have to stick just to LDAP: https://msdn.microsoft.com/en-us/library/aa746343(v=vs.85).aspx
You will find the current primary email address in the mail attribute. There is no EmailAddress LDAP attribute, unless you meant E-mail-Addresses, which is the CN for the same schema attribute as mail, so there is no difference there.
See above. In general, if you do not have a compelling reason to stick just to C/LDAP, I'd recommend you use the .NET Framework instead. Otherwise you have a lot of work ahead of you: not just interpreting bit flags as in the case of password expiration, but possibly also dealing with different authentication methods, different structures capturing time and date, accounting for timezones, UTF, chasing referrals and other stuff you might need depending on the complexity of what you want to achieve. You will be productive much faster in the .NET Framework. See the DirectoryServices namespace https://msdn.microsoft.com/en-us/library/mt481534(v=vs.110).aspx or the Security namespace https://msdn.microsoft.com/en-us/library/mt481561(v=vs.110).aspx for details.
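The answer above points at the bit-flag and timestamp work a raw LDAP client has to do itself. The following is an added example by the editor, not code from the question or the answer, showing the two pieces a C client needs once the strings come back from ldap_get_values(): decoding the userAccountControl flags, and turning pwdLastSet (a FILETIME) plus the domain's maxPwdAge (a negative FILETIME duration) into a Unix expiry time. The ADS_UF_* values and the FILETIME/Unix epoch offset are the real ones from the Windows SDK; the sample attribute values are constructed. Note that the stored userAccountControl only tells you whether a password is exempt from expiry (ADS_UF_DONT_EXPIRE_PASSWD); the "expired" bit is only set in the constructed attribute msDS-User-Account-Control-Computed, which is why the arithmetic below is needed when reading the plain attribute.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* userAccountControl bit flags (ADS_USER_FLAG_ENUM in iads.h). */
#define ADS_UF_ACCOUNTDISABLE     0x00000002UL
#define ADS_UF_LOCKOUT            0x00000010UL
#define ADS_UF_PASSWD_NOTREQD     0x00000020UL
#define ADS_UF_NORMAL_ACCOUNT     0x00000200UL
#define ADS_UF_DONT_EXPIRE_PASSWD 0x00010000UL
/* Only ever set in the constructed msDS-User-Account-Control-Computed
   attribute, never in the stored userAccountControl value. */
#define ADS_UF_PASSWORD_EXPIRED   0x00800000UL

/* FILETIME epoch (1601-01-01) to Unix epoch (1970-01-01), in 100-ns ticks. */
#define FILETIME_UNIX_DIFF 116444736000000000LL
#define TICKS_PER_SECOND   10000000LL

typedef struct {
    int disabled;
    int locked_out;
    int passwd_not_required;
    int dont_expire_passwd;
    int password_expired;   /* meaningful only for the -Computed attribute */
} account_state;

/* LDAP hands integers back as decimal strings; decode the flag bits. */
account_state decode_uac(const char *uac_str)
{
    unsigned long uac = strtoul(uac_str, NULL, 10);
    account_state st;
    st.disabled            = (uac & ADS_UF_ACCOUNTDISABLE)     != 0;
    st.locked_out          = (uac & ADS_UF_LOCKOUT)            != 0;
    st.passwd_not_required = (uac & ADS_UF_PASSWD_NOTREQD)     != 0;
    st.dont_expire_passwd  = (uac & ADS_UF_DONT_EXPIRE_PASSWD) != 0;
    st.password_expired    = (uac & ADS_UF_PASSWORD_EXPIRED)   != 0;
    return st;
}

enum expiry_kind { EXPIRES_AT, NEVER_EXPIRES, CHANGE_AT_NEXT_LOGON };

/* pwdLastSet is a FILETIME; maxPwdAge (read from the domain object) is a
   negative duration in the same 100-ns units. Both arrive as decimal strings. */
enum expiry_kind password_expiry(const char *pwd_last_set_str,
                                 const char *max_pwd_age_str,
                                 unsigned long uac, int64_t *unix_expiry)
{
    long long pwd_last_set = strtoll(pwd_last_set_str, NULL, 10);
    long long max_pwd_age  = strtoll(max_pwd_age_str, NULL, 10);

    if (uac & ADS_UF_DONT_EXPIRE_PASSWD)
        return NEVER_EXPIRES;
    if (pwd_last_set == 0)              /* "user must change password at next logon" */
        return CHANGE_AT_NEXT_LOGON;
    if (max_pwd_age == 0 || max_pwd_age == LLONG_MIN)   /* policy: passwords never expire */
        return NEVER_EXPIRES;

    /* maxPwdAge is negative, so subtracting it adds the allowed age. */
    long long expiry_filetime = pwd_last_set - max_pwd_age;
    *unix_expiry = (expiry_filetime - FILETIME_UNIX_DIFF) / TICKS_PER_SECOND;
    return EXPIRES_AT;
}

int main(void)
{
    /* Constructed sample values, as an LDAP client would receive them. */
    const char *uac          = "512";                 /* ADS_UF_NORMAL_ACCOUNT */
    const char *pwd_last_set = "131004736000000000";  /* a FILETIME in Feb 2016 */
    const char *max_pwd_age  = "-36288000000000";     /* 42 days */
    int64_t t;
    account_state st = decode_uac(uac);
    printf("disabled=%d locked=%d dont_expire=%d\n",
           st.disabled, st.locked_out, st.dont_expire_passwd);
    if (password_expiry(pwd_last_set, max_pwd_age, strtoul(uac, NULL, 10), &t) == EXPIRES_AT) {
        time_t tt = (time_t)t;
        char buf[32];
        strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S UTC", gmtime(&tt));
        printf("password expires %s\n", buf);
    }
    return 0;
}
```

Fine-grained password policies (PSOs) can override the domain-wide maxPwdAge for a given user, so when the server supports it, reading the constructed attribute msDS-UserPasswordExpiryTimeComputed is the more reliable route; the arithmetic above is what you need when only the stored attributes are available.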
I have this problem: we try to authenticate a user against an Active Directory that uses ForeignSecurityPrincipals to map users from different domains.
We have several groups that are stored inside a single domain and users that are coming from different domains.
The problem we have here is that we cannot get the real user name from a ForeignSecurityPrincipal.
We tried to use the guidelines from here:
http://www.brandonclaps.com/?p=57
but with no luck.
When we tried to edit the entry for a group that had 3 members, we found this next to the member field:
CN=S-1-5-21-other numbers,CN=ForeignSecurityPrincipals,DC=DomainName,DC=local
Do you have other solutions for retrieving the username against Active Directory using ForeignSecurityPrincipals?
Is there any recommendation for using that?
Thanks a lot in advance
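The question above has no answer on this page, but it does describe the structure of the problem: the member DN's CN is the SID of the principal from the trusted domain, and the domain portion of that SID (everything before the final RID) identifies which trusted domain has to be asked for the account name. The following is an added example by the editor, not code from the poster, that pulls the SID out of such a DN, parses it strictly, and separates domain SID from RID; the DN and SID values are constructed. Resolving the result to a name (LookupAccountSid, or an LDAP search on objectSid against a domain controller of the trusted domain) is the editor's suggested next step, not something the page states.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15

typedef struct {
    unsigned revision;
    uint64_t identifier_authority;
    int n_sub;
    uint32_t sub[SID_MAX_SUB_AUTHORITIES];
} sid_t;

/* Pull the SID string out of a foreignSecurityPrincipal DN, i.e. the CN of an
   object directly under CN=ForeignSecurityPrincipals. Returns 0 on success. */
int sid_from_fsp_dn(const char *dn, char *sid, size_t len)
{
    static const char container[] = "CN=ForeignSecurityPrincipals,";
    if (strncmp(dn, "CN=", 3) != 0) return -1;
    const char *start = dn + 3;
    const char *comma = strchr(start, ',');
    if (comma == NULL) return -1;
    /* A CN anywhere else (e.g. a user's name under CN=Users) is not a SID. */
    if (strncmp(comma + 1, container, sizeof container - 1) != 0) return -1;
    size_t n = (size_t)(comma - start);
    if (n == 0 || n + 1 > len) return -1;
    memcpy(sid, start, n);
    sid[n] = '\0';
    return 0;
}

/* Parse "S-R-A-s1-s2-..." strictly: decimal fields only, no empty fields or
   signs, sub-authorities must fit in 32 bits. Returns 0 on success. */
int parse_sid(const char *s, sid_t *out)
{
    memset(out, 0, sizeof *out);
    if (strncmp(s, "S-", 2) != 0) return -1;
    const char *p = s + 2;
    char *end;
    if (*p < '0' || *p > '9') return -1;
    unsigned long rev = strtoul(p, &end, 10);
    if (*end != '-' || rev != 1) return -1;
    out->revision = (unsigned)rev;
    p = end + 1;
    if (*p < '0' || *p > '9') return -1;
    out->identifier_authority = strtoull(p, &end, 10);
    p = end;
    while (*p == '-') {
        const char *q = p + 1;
        if (*q < '0' || *q > '9') return -1;              /* rejects "--" and "-+1" */
        if (out->n_sub >= SID_MAX_SUB_AUTHORITIES) return -1;
        unsigned long long v = strtoull(q, &end, 10);
        if (v > 0xFFFFFFFFULL) return -1;
        out->sub[out->n_sub++] = (uint32_t)v;
        p = end;
    }
    return (*p == '\0' && out->n_sub >= 1) ? 0 : -1;
}

/* Domain SIDs look like S-1-5-21-X-Y-Z; an account SID appends one RID.
   Writes the domain part, or returns -1 for well-known SIDs (S-1-5-11 and
   friends also live in the FSP container) that belong to no trusted domain. */
int sid_domain_part(const sid_t *sid, char *buf, size_t len)
{
    if (sid->identifier_authority != 5 || sid->n_sub != 5 || sid->sub[0] != 21) return -1;
    int n = snprintf(buf, len, "S-1-5-21-%" PRIu32 "-%" PRIu32 "-%" PRIu32,
                     sid->sub[1], sid->sub[2], sid->sub[3]);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

uint32_t sid_rid(const sid_t *sid)
{
    return sid->sub[sid->n_sub - 1];
}

int main(void)
{
    /* Constructed member DN of the shape shown in the question. */
    const char *dn = "CN=S-1-5-21-1004336348-1177238915-682003330-1105,"
                     "CN=ForeignSecurityPrincipals,DC=corp,DC=local";
    char sid[64], domain[64];
    sid_t parsed;
    if (sid_from_fsp_dn(dn, sid, sizeof sid) != 0 || parse_sid(sid, &parsed) != 0)
        return 1;
    if (sid_domain_part(&parsed, domain, sizeof domain) == 0)
        printf("ask the domain owning %s for RID %" PRIu32 "\n", domain, sid_rid(&parsed));
    else
        printf("%s is a well-known SID, not a foreign account\n", sid);
    return 0;
}
```

The strict parser matters because the DN comes back from a directory that other administrators write to; treating the CN as a SID without validating it would let a stray object in the container steer which domain you query.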
Is it possible in CakePHP 1.3 to login a user by indicating the user's id in the users table?
Now, to do a "manual" login, I do this (which works):
$this->data['User']['username'] = $username;   // e.g. the submitted form values
$this->data['User']['password'] = $password;
$this->Auth->login($this->data);
I would like to be able to indicate the specific user, for example adding $this->data['User']['user_id'] before the login() function. (I've tried that but it doesn't work).
The reason I want to do this is because in the users table there are different user records for users who have the same username and password. It seems odd but in my case it makes sense, since one user may create several accounts for different reasons, and he may choose the same username/password.
Any ideas would be much appreciated!
EDIT:
I'm going to give a specific example of what I'm trying to do, maybe it helps to bring some ideas.
Say I have these 2 records in the users table (fields are user_id / username / password / account_id):
Record 1: 1 / johndoe / password1 / 10
Record 2: 2 / johndoe / password1 / 15
So these 2 records have the same username and password, but different user_id and account_id. When the login is processed, I know which account_id the user has chosen. So I want to log in the corresponding user. So if the user chooses account 15, then logs in, I should be logging in the user with id 2.
However, the way cake's login works, it always retrieves the first record that matches username / password. In this example, cake would be logging in the user with id 1.
Is there any way I can do what I want?
Doesn't sound like a very good idea to me, but if you really want/must do it that way, then have a look at AuthComponent::userScope. You can use it to define additional conditions for authentication lookups, for example:
$this->Auth->userScope = array('User.account_id' => 15);
That way authentication would only be successful when the username and password match and the user's account_id is 15, i.e. the resulting query would look something like this:
User.username = 'abc' AND User.password = 'xyz' AND User.account_id = 15
Using the Salesforce Web Services API is it possible to check (or query) if a User is Locked Out (if they have attempted to log in unsuccessfully too many times and are therefore blocked from logging in)?
Although there is no specific field on the User object to indicate that they are locked out, you can query the LoginHistory object.
select Id, UserId, LoginTime, Status from LoginHistory where
UserId = 'xxxxxxxxx' order by LoginTime desc limit 20
Then loop through the results, checking the value of the Status field. If the user has been locked out, the most recent login attempts will have a value of "Password Lockout" in this field.
Other possible values of this Status field include:
Success
User is Inactive
Invalid Password
Failed: API security token required
Failed: Computer activation pending
Failed: Computer activation required
Failed: Invalid Timestamp
Failed: Mobile License Required
Nevermind; I found the answer.
It says in the documentation:
The password lockout status and the ability to reset the User locked-out status is not available via the API. You must check and reset the User password lockout status using the user interface.
For admin users - it's now possible to unlock users on iphone / ipad via the SalesforceA mobile app. https://itunes.apple.com/au/app/salesforcea/id731117958?mt=8
In Apex, I can check the IsPasswordLocked field on UserLogin object to check if a User is locked out or not by using the following SOQL -:
UserLogin login = [SELECT IsPasswordLocked FROM UserLogin
                   WHERE UserId = 'ENTER YOUR USER ID HERE'];
Boolean isLockedOut = login.IsPasswordLocked;
Is there any way to programmatically get the current user's email address?
I know the email is usually user@hostname, but is there any way I can get the email?
I know how to get the username and the hostname so I can build it myself, but I want to be sure that I get the email address even when the email is not user@hostname.
Code in C is appreciated.
Thanks
There is no such standard mapping of user account to email address - at least not for ordinary /etc/passwd derived accounts. Consider that a user might not even have an email address.
Nobody's mentioned the GECOS fields in the /etc/passwd file.
You'll notice that the fifth field in your entry in /etc/passwd is either blank, or a comma-separated list the first element of which is your full name. Originally in Bell Labs (before the days of email) the GECOS fields were:
User's full name (or application name, if the account is for a program)
Building and room number or contact person
Office telephone number
Any other contact information (pager number, fax, etc.)
Some Linux distributions store the user's default email address in the 4th GECOS field, and if your system doesn't do this by default, you can set it up yourself. Ordinary users without superuser privilege can edit their GECOS fields using the command line command chfn. To access this field, you can then do
grep "^${USER}:" /etc/passwd | awk -F: '{print $5}' | awk -F, '{print $4}'
or whatever floats your boat in your language of choice (No, I am NOT going to write C. This is the twenty-first century!).
There is no standard mapping of user accounts to RFC 822 (i.e. user@domain) email addresses. Generally, a default setup of typical mail transfer agents will accept local mail to addresses without a domain and deliver it to the user account of the same name. But even that can't be relied on, as you may not even have an MTA.
The UNIX way of doing this is to send email through the local mail-transfer-agent - simply invoking /usr/bin/mail is enough. The system administrator is responsible for configuring the local MTA to make sure email works properly.
If you want to send email to the local user, just send it to their username - if they read their email somewhere other than locally, the MTA should be configured to forward it to them.
If you just want to use the right "from" email address when sending email on behalf of a local user, so they get replies in the right place - again, just use their username. The MTA should be configured to do the right translation.
This way of doing things is good, because it means that this configuration only has to be done in one place (the MTA), rather than having to manually configure every single application on the box that sends or receives email.
Just to complement Simon's answer and given I don't have enough reputation to make a comment on it, GECOS stands for General Comprehensive Operating System aka General Electric Comprehensive Operating Supervisor and the most portable way I found to get the user GECOS field (As it might not be defined in your /etc/passwd file directly depending on your system's configuration) is the following:
getent passwd <USERNAME> | awk -F ':' '{print $5}'
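The asker wanted C, and the answers above agree on the approach: look the account up through the normal passwd interface (so LDAP- or SSSD-backed users work too), take a GECOS field if the local convention stores an address there, and otherwise fall back to the bare login name and let the MTA route it. The following is an added example by the editor, not code from any of the posters, implementing that in C with getpwnam(); the "4th GECOS field holds the address" convention comes from Simon's answer and is a site-local assumption, not a standard, and the sample GECOS strings are constructed. One caveat the answers hint at but do not spell out: chfn lets any user edit their own GECOS, so that field is untrusted input and is validated before being used as an address.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Extract the 4th comma-separated GECOS field and accept it only if it looks
   like a single address: exactly one '@' with text on both sides, and nothing
   but printable non-space ASCII. GECOS is editable by the user via chfn, so it
   is untrusted; rejecting whitespace and control characters keeps a crafted
   value (e.g. an injected "\r\nBcc:" line) from reaching an MTA as a header.
   Returns 1 and fills 'out' on success, 0 otherwise. */
int email_from_gecos(const char *gecos, char *out, size_t len)
{
    const char *p = gecos;
    for (int field = 1; field < 4; field++) {   /* skip name, office, office phone */
        p = strchr(p, ',');
        if (p == NULL) return 0;
        p++;
    }
    const char *end = strchr(p, ',');
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n == 0 || n + 1 > len) return 0;

    const char *at = NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c <= ' ' || c >= 0x7f) return 0;
        if (c == '@') {
            if (at != NULL) return 0;           /* more than one '@' */
            at = p + i;
        }
    }
    if (at == NULL || at == p || at == p + n - 1) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Resolve an account to something mail can be addressed to.
   Returns 2 if an address came from GECOS, 1 if only the bare login name is
   available (hand that to the local MTA, which knows the real routing),
   -1 if the account does not exist. getpwnam() goes through NSS, so LDAP or
   SSSD-backed accounts are covered as well as /etc/passwd. */
int lookup_email(const char *user, char *out, size_t len)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    if (pw->pw_gecos != NULL && email_from_gecos(pw->pw_gecos, out, len)) return 2;
    if (strlen(pw->pw_name) + 1 > len) return -1;
    strcpy(out, pw->pw_name);
    return 1;
}

int main(void)
{
    char addr[256];
    struct passwd *me = getpwuid(getuid());
    if (me == NULL) return 1;
    int how = lookup_email(me->pw_name, addr, sizeof addr);
    if (how < 0) return 1;
    printf("%s -> %s (%s)\n", me->pw_name, addr,
           how == 2 ? "from GECOS field 4" : "no address on record; bare login name for the MTA");
    return 0;
}
```

When the result is the bare login name, pass it to the MTA as-is (for example as the recipient or From address given to /usr/sbin/sendmail), exactly as the MTA-based answers above recommend; do not append gethostname() yourself, since that hostname is frequently not a mail domain at all.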
It depends how the user is stored. In a simple passwd file there's no email address, only a username. But you can have additional information with other authentication method like LDAP or SQL.
Prompt the user for their email. If you have no guarantee that the email is user#hostname, then how else do you expect to determine what their email is other than asking them?
You can't get the actual email address in any standard way. I would try to send the mail to just the username. Chances that it will end up on the correct domain are actually not that bad...
Check in the terminal you're using, that is:
root@peter-laptop#
for root users it is shown before the # sign, that is
root@peter-laptop or peter@peter-laptop# for user peter
Try to get to /var/mail/ and there you should have a file for each user that has (not all users have to have it) an email address. And you can indeed read the mail from those files.
Then you can redirect the mail to anywhere else with the sendmail tool.