allow users from specific static ip - static

We already completed the site. The problem is The site is having 3 logins .
one is the main super admin for the client
another two is for college admin .(Colleges will login here)
& their students. All the works are completed.
For example:
College IP:
172.16.4.1
172.16.1.101
This college should not be able to login except from this IP.
And there might be many college and each college can login only from there static IP.
will it be possible.
Thanks

Since there is no language mentioned, I give a sample in php
function canLogin() {
$allowed = array ('172.16.4.1', '172.16.1.101');
if (in_array ($_SERVER['REMOTE_ADDR'], $allowed)) return 1;
else return 0;
}
All you have to do is find the REMOTE_ADDR (user IP) and check if it is in approved list.
Note: It is possible to spoof remote address. But the above sample is simpler solution and better than nothing.

Related

Exception in Site.createExternalUser in Apex RESTclass: Site.ExternalUserCreateException: [That operation is only allowed from within an active site.]

I have a Non-Salesforce Auth System which holds usernames and passwords for a few thousand users. I am willing to migrate these users to Salesforce and give access to these users to my Experience Cloud site. I am developing an apex REST Resource which will take username and password as arguments and create a user with that username and password with a community profile. I am planning to call this API from my Non-Salesforce system and migrate all these users. I am using Site.createExternalUser method in this API. I am getting the exception
Site.ExternalUserCreateException: [That operation is only allowed from within an active site.]
The reason I am using Site.createExternalUser is because I don't want to send the welcome email/reset password email to my users since they already have signed up successfully long ago.
I am open to any alternatives for achiving this.
Below is my code:
#RestResource(urlMapping='/createUser/*')
global with sharing class createUserRestResource {
#HttpPost
global static String doPost(){
Contact con=new Contact();
con.Firstname="First";
con.LastName= "Last";
con.Email="first.last#example.com";
con.AccountId='/Add an account Id here./';
insert con;
usr.Username= "usernameFromRequest#example.com";
usr.Alias= "alias123";
usr.Email= "first.last#example.com";
usr.FirstName= "First";
usr.IsActive= true;
usr.LastName= "Last";
usr.ProfileId='/Community User Profile Id/';
usr.EmailEncodingKey= 'ISO-8859-1';
usr.TimeZoneSidKey= 'America/Los_Angeles';
usr.LocaleSidKey= 'en_US';
usr.LanguageLocaleKey= 'en_US';
usr.ContactId = con.Id;
String userId = Site.createExternalUser(usr, con.AccountId, 'Password#1234', false);
return userId;
}
}
You can suppress sending emails out in whole org (Setup -> Deliverability) or in the Community config there will be way to not send welcome emails (your community -> Workspaces -> Administration -> Emails).
Without running on actual Site I don't think you can pull it off in one go. In theory it's simple, insert contact, then insert user. In practice depends which fields you set on the user. If it's Partner community you might be setting UserRoleId too and that's forbidden. See MIXED DML error. In Customer community you might be safe... until you decide to assign them some permission sets too.
You might need 2 separate endpoints, 1 to create contact, 1 to make user out of it. Or save the contact and then offload user creation to #future/Queueable/something else like that.

Windows Domain Account SID and SIDs

I'm coding on top of some JNI libraries, and I don't really know the details about how they are doing it, but the output of lib is the windows domain user information with sid and sids... They look as shown below
sids: [
"S-1-5-21-2923429462-2395316905-2569861443-1123",
"S-1-5-32-545",
"S-1-5-2",
"S-1-5-5-0-79699478",
"S-1-5-11",
"S-1-1-0",
"S-1-5-15",
"S-1-18-1",
"S-1-5-21-2923429462-2395316905-2569861443-513"
],
sid: "S-1-5-21-2923429462-2395316905-2569861443-1123"
Issue
Can I get the information without a password but only with a user
id?
Is the information changeable?
What are SIDs... I thought there's only one secure identifier.
I'll take a stab at it:
I understand that you're using a Java Native Interface but I'm not sure what other language you're using. If it is with Active Directory, Powershell is perfect for it, though, I'm not sure how it would work with a JNI.
Anyway, here is what I can gather. Each account has a specific Security Identifier, called a SID. There are well-known SIDs for the common accounts (Administrator, for example). Even local account and groups have SIDs, as with any in Active Directory.
If you want to translate a SID to an account, that isn't a problem. If you aren't using Powershell, at least this may give you a starting point:
$SID = New-Object System.Security.Principal.SecurityIdentifier("SID_GOES_HERE")
$user = $SID.Translate([System.Security.Principal.NTAccount])
$user.Value
You could feed each line into these 3 steps by putting it into a function like so:
Function SIDtoUser($SIDint) {
$SID = New-Object System.Security.Principal.SecurityIdentifier($SIDint)
$user = $SID.Translate([System.Security.Principal.NTAccount])
return $user.Value
}
Gather all of the SIDs into an array and run through them like this:
$SIDArray | %{
SIDtoUser($_)
}
I hope this helps. Let me know if I can assist any further.

How to find that "NT AUTHORITY" it is not an AD server?

I am trying to read an msExchMailboxSecurityDescriptor, to find whether it contains a Full Access to another person. The access control entries contain the trustees in the netbios format (DOMAIN\Username).
SecurityDescriptor secDesc = (SecurityDescriptor)userDirectoryEntry.Properties["msExchMailboxSecurityDescriptor"].Value;
AccessControlList usrAcl = (AccessControlList)secDesc.DiscretionaryAcl;
foreach (AccessControlEntry ace in (IEnumerable)usrAcl)
{
var netbiosDn = ace.Trustee.Split('\\')[0];
var netbiosUser = ace.Trustee.Split('\\')[1];
// now, the problem:
UserPrincipal user = UserPrincipal.FindByIdentity(
new PrincipalContext(ContextType.Domain, netbiosDn),
netbiosUser
);
This works until the last line, where I have to connect to the correct AD server and get some user info. Obviously, this fails when there is no server available for that domain, like any of the "NT AUTHORITY" or "BUILTIN" "domains". It does not only fail, it needs quite some time until it does.
How on earth would I distinguish which ones are AD domains, where I can connect to the AD server, and which ones aren't?
Some example users I may find in the Security Descriptor, just for you to get a feel for the problem:
CONTOSO\Alex
CONTOSO\Michael
SUBDOMAIN\Kirk
TRUSTED\George
NTPD\ChiefBrown
NT AUTHORITY\SELF
NT INSTANS\INTERAKTIV
BUILTIN\Администраторы
BUILDING2\Владимир
VORDEFINERT\Administrator
Take a look at SecurityIdentifier.IsWellKnown
You can pass various values, including WellKnownSidType.NTAuthoritySid to determine what kind of SID you have.
(See also this PowerShell code on translating into readable names.)

Ldap query only returning 1000 users... yes I am using paging

I have a simple GetStaff function that should retrieve all users from active directory. We have over a 1000 users so the directory searcher is using paging because the default for the AD MaxPageSize is 1000.
Currently the search works 'sometimes' when I build and sends back all 1054 users, and other times it only sends back 1000. If it works once, it works all the time. If it fails once, it fails all the time. I have set everything in using statements to make sure the objects are destroyed, but it still doesn't always seem to respect the PageSize attribute. By default if the PageSize attribute is set, the searcher should use a SizeLimit of 0. I have tried leaving the size limit out, setting it to 0, and setting it to 100000 and the unstable result is the same. I have also tried lowering the PageSize to 250 and get the same unstable results. Currently I am trying changing the ldap policy on the server to have a MaxPageSize of 10000 and I am still receiving 1000 users with the search PageSize to 10000 also. Not sure what I am missing here, but any help or direction would be appreciated.
public IEnumerable<StaffInfo> GetStaff(string userId)
{
try
{
var userList = new List<StaffInfo>();
using (var directoryEntry = new DirectoryEntry("LDAP://" + _adPath + _adContainer, _quarcAdminUserName, _quarcAdminPassword))
{
using (var de = new DirectorySearcher(directoryEntry)
{
Filter = GetDirectorySearcherFilter(LdapFilterOptions.AllUsers),
PageSize = 1000,
SizeLimit = 0
})
{
foreach (SearchResult sr in de.FindAll())
{
try
{
var userObj = sr.GetDirectoryEntry();
var staffInfo = new StaffInfo(userObj);
userList.Add(staffInfo);
}
catch (Exception ex)
{
Log.Error("AD Search result loop Error", ex);
}
}
}
}
return userList;
}
catch (Exception ex)
{
Log.Error("AD get staff try Error", ex);
return Enumerable.Empty<StaffInfo>();
}
}
A friend got back to me with the below response that helped me out, so I thought I would share it and hope it helps anyone else with the same issue.
The first thing I think of is "Are you using the domain name, e.g. foo.com as the _adpath?"
If so, then I have a pretty good idea. A dns query for Foo.com will return a random list of all of up to 25 DCs in the domain. If the first DC in that random list is not responsive or firewalled off and you get that DC from DNS then you will experience the behavior you describe. Since the DNS is cached on the local machine, you will see it happen consistently one day, then not do it the next. That's infuriating behavior. :/
You can verify this with a network trace to see if this is happening.
So how do you workaround it? A couple of options.
Query DNS -> create a lists of hosts returned -> Try the first one. If it fails, Try the next one. If you hit the bottom of the list, Fail. If you do this, log each independent failure noisily so the admins don't blame you.
Even better would be to ask the AD administrators for a list of ldap servers and use that with the approach described above.
80% of administrators will tell you just to use the domain name. This is good because that deploying a new domain will "just work" with no reconfiguration required.
15% of administrators will want to specify a couple of DCs that are network closest to the application. This is good for performance, but bad if they forget about this application when the time comes for them to upgrade their domain.
The other 5% doesn't really matter. :)
The next point that I see is that you are using LDAP, not LDAPs. That is fine, but there is a risk that you will use "Basic" binds. With "Basic" binds, joe hacker can steal your account credentials using a network sniffer. There are a couple of possible workarounds.
1. There is another DirectoryEntry constructor that will let you specify "Secure" as the auth method.
2. Ask your admins if you can use LdapS. (more portable, in case you need to talk to an LDAP server other than Active Directory)
The last piece is regarding Page Size. 1,000 should be fine universally. Don't use any value > 5,000 or you can expect some fidgety behaviors. i.e. This is higher than the default limit under Windows 2003, and in Windows 2008 the pagesize is hardcoded limited to 5,000 unless it's been overridden using a rather obscure bit in AD called dsHeuristics. http://support.microsoft.com/kb/2009267
LDAP is configured, by default, to only return a maximum of 1000. You can change this setting on the domain your requesting from.

cakephp authenticate user with repeated entries in the Database table (manual authentication?)

I'm creating an authentication system for a group of websites. The problem is that I have to use a pre-existing Database, which has a users table already full of entries, and that one user can have several accounts. Basically, a user has one account per website he has access to (it's not the best way to do this, but I can't change it). Each account is represented by an entry in the users table, with login, password, name... and the important field: website_id. This field tells the system what website that account has access to.
The big problem is that some users with more than one account have the exact same login/password information for all of them. For example, one user has 3 accounts:
account1: login = charly / pwd = 1234 / name = Charles ... website_id = 1
account2: login = charly / pwd = 1234 / name = Charles ... website_id = 2
account3: login = charly / pwd = 1234 / name = Charles ... website_id = 3
So if he goes to the website that has id = 2 and uses those credentials, he's granted access. If he goes to the website that has id = 4, he's denied access.
My problem is that since CakePHP does the login automatically, when a user tries to login, CakePHP checks only the first entry in the Database that matches the login/password submited in the form. So if a user is currently in the website with website_id = 3 and tries to login, Cake finds the first entry (account1), compares its website_id (1 in this case) to the current website's id (3), and since they're different, the access is not granted, but it should. _Please note that the comparison of the website_id vs the account's website_id is already being made manually in the login() function_.
This how the login() function looks like now:
function login() {
$userInfo = $this->Auth->user();
if ( isset($userInfo) ) {
if ($userInfo['User']['website_id'] == $this->website_id) {
//Users gets access to a website that he has an account for
}
else {
//User is denied access because his account is not registered for the current website
$this->Session->destroy();
$this->Session->setFlash(__('You don't have access to this website', true));
$this->redirect($this->Auth->logout());
}
}
}
What I would like is to be able to manually authorize the access to the current website by using the login/password submitted by the user to manually search in the users table, and if I find a match in one of the user accounts, grant the access, or otherwise deny access. To sum up, avoid all the automagic of Auth's component.
If the Auth component's login method fails, control is transferred back to the custom login action (e.g. UsersController::login()). I've used this to authenticate using either username or email address, but it could be easily adapted for this purpose. Same idea, different criteria. I offered what I think is a reasonably thorough response (with code) to a similar question. It may help you as well.

Resources