So I have a setup where clearcase and clearquest are integrated.
I.E. if I check in a file in clearcase clearquest will popup asking for a change request number.
Here's the deal, I don't have to "login" every time I start a new clearexplorer.
I have some other tools I have been writing that I would like to take advantage of that capability but I don't know where to start. Basically I want my tool to check the same place clearcase checks to see that I'm a valid user and create my object based on those credentials.
From the looks of things the ALDB server might have something to do with it but I don't know how to interact with it.
Anyone have any ideas on it?
UPDATE:
I guess What I mean is I don't have to login to Clearquest every time I open a new clearcase and check in files. That's what I'm really looking for. using the existing clearquest "authentication" object (If that's what its even called)
Update 2:
Based on Information I found here:
http://publib.boulder.ibm.com/infocenter/cqhelp/v7r0m0/index.jsp?topic=/com.ibm.rational.clearquest.apiref.doc/c_perf_user_admin.htm
You can use this method to obtain the Session object associated with the current user. See the description of the Session object for more information on how to use this object.
I look at Session Object and it doesn't seem to mention about how to use this object as it states.
Update #3
This has been a long time, but it's come up again, I think what I'm really looking to do is build something that shares the Session object since logging in takes quite a while my plan is to login once using a background process, and then I can query that running process for the object when I try to login with a second program, if it works all goes well and continues, if it doesn't then it will require a manual login, (or could spawn the process that logs in, and waits for a response).
If/When I make this I'll post some details on steps I took.
It is true the albd service (Atria Location Broker Daemon) requires a Windows account to function. But not yours. See Updating the Windows ClearCase ALBD Password.
The last one, the ALBD service, requires a Windows user account with ClearCase privileges to function properly.
In the definition of this service, during ClearCase installation, the ClearCase administrator must specify the name of this privileged account, the password, the Windows domain, and the Windows group for this account.
Any ClearCase-related operation will based the user identification on the
credmap informations (if you are with Windows clients and Unix server)
credmap registryServer
or the creds.exe informations
The clearcase objects (like a new version created after a checkin) will get those credentials.
Related
For a school I implemented eduroam two years ago and from time to time we add new students in the AD.
Five days ago I added 40 more new students but I changed the CN's (or what in New-ADUser is called "-Name") format:
from "name.surname" to "SURNAME, NAME" (quotes excluded), hence
earlier it was
CN=name.surname, OU=CLASS_A, OU=STUDENTS, DC...
now it is
CN=SURNAME, NAME, OU=CLASS_A, OU=STUDENTS, DC...
an eduroam's username normally is <string with no blanks>#<yourschool>.<tld> so that the RADIUS proxies can route the auth request based on #<yourschool>.<tld> , So I must keep such a format.
Now, the new users cannot be authenticated anymore by NPS.
All the tests I ran back my thesis (i.e. that NPS uses CN to authenticate) but I cannot find any Microsoft document that states that.
Could anybody share the link to such doc?
is it a way to change the check from CN (if proved by answer of point 1)) to another user's recor like sAMAccountNAme or UPN?
I'm sure I'm touching something deep in AD but I hope somebody has tripped into this issue and has found a answer.
TIA
P.S. I guess the alternative would be to use FreeRADIUS but I would rather explore the options to still make within NPS/AD
• Please check the Windows Server event security log for more details on the issue for NPS authentication because that might shed some more light on the actual issue that you might be facing. Till then, please clear the cache and temporary files from the server and restart the whole infrastructure regarding NPS, i.e., domain controller, NPS Server, Access points and other related devices through which users can login through NPS.
• Once restarted, please try to authenticate any allowed user through NPS once again and check. Also, as you are using NPS as a radius server proxy, please check for the attribute manipulation rules for message forwarding since the CNs are changed in their order/format in your AD. Specifically, regarding the username which is provided by the access client and is included by the NAS in the Radius access-request message. The value of this attribute is a character string that typically contains a realm name and a user account name.
• To correctly replace or convert realm names in the username of a connection request, you must configure attribute manipulation rules for the User-Name attribute on the appropriate connection request policy.
Also, find the below links regarding your query whether which attribute you can use to authenticate in case of NPS. In it, it clearly stated that user principal name should be used as an attribute as a best practice: -
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices#performance-tuning-nps
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices#using-nps-in-large-organizations
Please check the below documentation link for your condition: -
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-proxy#key-steps-3
For a client, we have to connect a WSO2IS 5.10.0 to an Active Directory.
For that we have created a secondary user Store with this configuration:
User store main configuration
User store optional configuration
User store advanced configuration
WSO2IS can connect to Active Directory as we can retrieve users and roles.
Before doing any claim mapping we have tried to edit and create user without any problems.
And then we have mapped some claims to retrieve more information from Active Directory.
And here come our problems:
We can't create a user in Active Directory
We can't update a user in Active Directory
This two problem gives us this error :
Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C45,
comment: Error in attribute conversion operation, data 0, v1db1
Things that we have tried:
Check (and check a second and third time) that all our claims are mapped correctly (and they are)
Reset all claims to default mapping (on the state where we where able to create/update user)
Set User DN Pattern (as explained here)
Restart on a fresh instance of WSO2IS 5.10.0
But all things that we have tried are not helping and we are stuck.
Any help would be hugely appreciated. Thank you for any suggestions.
As asked, this is the AD attribut we have mapped :
sn
givenName
cn
displayName
name
description
mail
sAMAccountName
userPrincipalName
accountExpires
pwdLastSet
userAccountControl
scriptPath
homePhone
mobile
facsimileTelephoneNumber
title
department
company
Here the issue is LDAP_NO_SUCH_ATTRIBUTE returned from the AD.
We don't know which attribute is missing on AD side.
From the existing DEBUG logs of the server, probably you wouldn't be able to log all the attributes that WSO2 is going to update. Therefore, you have to choose an alternative option.
Manual check - Even though there are only few attributes configured (and verified) by you, there are other claims with default attribute mappings. Please check all the mapped attributes that are there in the http://wso2.org/claim dialect.
Remote debug - Remote DEBUG the server to check what are the attributes WSO2 is trying to write in to. (Smaller subset than previous approach) Then verify if those exist.
To do this remote debugging you can check out the Kernel source code from here.
To find out the correct tag to checkout, you can find the kernel version of your identity server version from this release matrix.
Once you clone and checkout the correct tag, you can use IntelliJ Idea or a capable IDE to remote debug the server as explained in the this blog.
Though it's hard to point an exact line of code, you can put DEBUG points to ActiveDirectoryUserStoreManager.doAddUser() and ActiveDirectoryUserStoreManager.doSetUserClaimValue() methods and start from there.
P.S. You can also check if the carbon log's stack trace contains any clue of the failing attribute or the respective claim, so that you can check validate it.
We have the angularjs application where we have different roles associated to the users. For ex: the two roles are Admin and Local. Based on the role, we show some menu items for the Admin and adds more features/screen to the Admin .
The userInfo with the Admin Property is returned from the login response and based on what we decide which all menu and screens to be rendered .
But if we user the developer tool, and the set the break point where the admin property is used, and set the admin property as true the user even he is a local user would be able to access admin privileges .
In short who has some idea about the javascript code can get the admin privileges . Is there any idea other than minification of the code to prevent this kind of security threats
Thanks
As the front-end of your application will run on the client machine there is actually no way to stop a user from debugging or modifying the code. Thus it's impossible to prevent someone from tricking their local instance of the application to think it's signed in as an administrator.
If you simply want to hide the admin interface, one possibility is to have separate (or additional) templates for administrators and restrict access to these based on the user's privilege. If there is anything to be gained from this is up to you. You will still need to validate the rights to execute any privileged action on the server anyway. Obtaining administrative privileges on the client must never be the same as obtaining them on the server side.
For the CQ5 environment I work on we have a farm of publisher servers. Some of the content on these servers is restricted so only users who belong to certain groups can see the content. I'd like to script the setting of permissions for the folders (nodes) that are to be secured so I don't have to manually repeat the steps of applying security using the Access Control Editor of Content Explorer (This Adobe documentation has instructions for doing it manually via Access Control Editor). The scenario is that sometimes new folders are to be created to hold secure pages, and we want to apply permissions to the folders prior to activating any content into those folders.
Since the environment has several publishers, it is repetitive, manual, and error-prone work to open Content Explorer and set the permissions on each one. I'd like to do be able to automate this so I could roll out permissions to all the servers via a script--perhaps via a curl command or some other mechanism (perhaps a package?) that can be automated.
I found the Sling jackrabbit-accessmanager bundle that seems like it will facilitate automation of this, but it seems like it opens a security hole. If I put this bundle on my publishers, it seems like I would be providing an REST interface to let anyone modify the permissions and grant access to folders/nodes that should be secured or to add security restrictions on nodes that should have none.
How can I automate the creation/modification of node permissions via a script--and do so in a way that only allows an administrator to apply the permissions changes?
This tool lets you manage permissions in a centralised way, they can also be installed automatically at deploy time:
https://github.com/Netcentric/accesscontroltool
Regarding permissions applied to new folders, the solution is setting permission properly on their parent folder. CQ/AEM will automatically apply the same permissions to all children unless another rule break the inheritance.
I found one alternative I hadn't considered before: using the Day CQ ACL Setup Service. It is mentioned at http://dev.day.com/docs/en/cq/5-5/developing/security_model_changes.html.
AclSetupService allows one to add permission to a single path or a given user/group. This will be applied on each restart of CQ to guaranteed a certain permission state within CQ. For example, "allow;inherit;everyone;/" prevent everyone from accessing CQ (i.e. it forces all users to login first). As noted in the description of AclSetupService, you will need the following pattern per entry:
( "allow" | "deny" ) ";" ( privileges | "inherit" ) ";" principal ";" path
Choose either "allow" or "deny" for the first part.
Next enter one of the privilege below or set it to inherit permission from ancestor.
Then enter a single user/group.
Finally enter a single path to apply the permission to.
Using this will replace permission set within the repository when you restart CQ. These could be scripted by using the process outlined here and here.
Privileges can be:
jcr:read
rep:write
jcr:all
crx:replicate
imp:setComplete
jcr:addChildNodes
jcr:lifecycleManagement
jcr:lockManagement
jcr:modifyAccessControl
jcr:modifyProperties
jcr:namespaceManagement
jcr:nodeTypeDefinitionManagement
jcr:nodeTypeManagement
jcr:readAccessControl
jcr:removeChildNodes
jcr:removeNode
jcr:retentionManagement
jcr:versionManagement
jcr:workspaceManagement
jcr:write
rep:privilegeManagement
If you would like to use the Sling jackrabbit-accessmanager bundle on a publish instance it is possible. You would want to make sure your dispatcher which sits in front of the publish instance does not allow the permission requests (/.modifyAce., .deleteAce., etc) and the publish instances can only be accessed directly from inside your network. It's standard practice to deny all requests in the dispatcher and specify what is allowed.
Is there are reason you are not just replicating the permissions when the folder is activated? There should be a rep:policy node underneath the secure folder which gets replicated.
I want to get the privileges of a selected user on a local machine. I know how to get them from the current user, so my problem is how to open a process as as a different user.
I'm currently looking for more info about CreateProcessAsUser()
thanks
You shouldnt create a process as a different user just to get his priviledges. To get an user priviledges you need an iudentity token. To start a process as an user you need an impersonate token. Idenity tokens are very low security risk, impersonation tokens on the other hand are very serious business. At the very least, you need to know the password of the user in order to impersonate (or have an impesonation capable context, like an SSPI exchange security context).
Use LookupAccountName to get the SID, LsaOpenPolicy and LsaEnumerateAccountRights.
Check this link for how to do this from a service within Delphi: Launch your application in Vista under the local system account without the UAC popup
To launch a process under the local
system account I perform the following
steps (from a service application):
Get the Active Console SessionId using WTSGetActiveConsoleSessionId
Since I need to launch the application under a system account, I
use the token from Winlogon, since
Winlogon runs under the system
account. So I obtain the process ID of
Winlogon and Duplicate the token.
Then I make sure I sent the startupinfo parameter lpDesktop to
winsta0\Default since I need to launch
my process there.
Then I use CreateProcessAsUser with Winlogon's duplicate token to
launch my process into session 1.
That's all. I am done.