How do I accomplish the following in LDAP? - active-directory

I would like to accomplish these goals using AD/ADAM:
1. The ability to make an email or other attributeClass as part of inetOrgPerson globally unique across entries
2. The ability to attach a regular expression to an attribute for validation purposes
3. The ability to provide a constraint of enumerated choices such as choosing from a list of valid state codes in a state attributeClass

You can't do any of that in AD or ADAM. They're just the data storage repository: I'm afraid you'll have to build the validation code yourself.

Related

Environment variable as custom metadata type in Salesforce

I am trying to represent environment variables in the Salesforce codebase and came across Custom Metadata Types. So based on which Sandbox I am in, I want to vary the baseURL of an external service that I am hitting from my Apex class. I want to avoid hard coding anything in the class, and hence am trying to find an environment-variable-like solution.
How would you represent the URL as a custom metadata type? Also, how can I access it in the class? What happens when a QA sandbox is refreshed from prod? Do the custom metadata type records get overridden?
How are you calling that external service? If it's truly a base URL you might be better off using a "named credential" for it. It'll abstract the base URL away for you, include authentication or a certificate if you have to present any...
Failing that - custom metadata might be a poor choice. They're kind of dictionary objects, you can add more (but not from Apex) but if you deploy stuff using Git/Ant/SFDX CLI rather than changesets it'd become a bit of a pain, you'd need a different custom metadata value for sandbox vs prod. Kinda defeats the purpose.
You might be better off using custom setting instead (hierarchy is enabled by default, list you'd have to flip a checkbox in setup. List is useful if you need key-value kind of pairs, similar to custom metadata): https://salesforce.stackexchange.com/questions/74049/what-is-the-difference-between-custom-settings-and-custom-metadata-types
And you can modify them with Apex too. Which means that in an ideal world you could have a "postcopy" class running as soon as the sandbox is refreshed that overwrites the custom setting with the non-prod value. For named credentials I don't think you can pull it off, you'd need a mini deployment that changes it or a manual step (have you seen https://salesforce.stackexchange.com/q/955/799 ?)

LDAP User Filter

I need help for my AD Integration.
I’m using Spiceworks for the system and there is a portion there for AD Integration.
The problem is that I need to sync two different OUs.
Base DN for LDAP search:
DC=dc1,DC=dc2
LDAP user filter:
(&(objectCategory=person)(|(ou=OU1)(ou=OU2)))
And it's not working.
My AD Structure is
dc1.dc2
— OU1
— OU2
— OU3
dc1.dc2 is the top level.
OU1, OU2, OU3 are on the same level.
The reason is that I don't want to include OU3 in the syncing.
LDAP filters are generally only applicable to attributes that are in the user entries.
If you want to include attributes that are part of the DN (the path to entries), you need to use extensible filters such as:
(&(objectCategory=person)(|(ou:dn:=OU1)(ou:dn:=OU2)))
Note that while this is a standard LDAP filter, not all servers support it.
Active Directory doesn't support filters based on OU. In this instance, it's an "extensible match filter" that some LDAP implementations support, but not all (including AD). More info here.
By the way, you can't do a wildcard search on the distinguishedName, if you're tempted to try.
To be honest, this is why it's best to have all your "person" user accounts in one OU (maybe subdivided further down), groups in another, etc. In your case, if you can, it might be a good idea to move your "synching" account OUs under a new OU. If you have an enterprise environment, you will want to be careful that there are no dependencies on the OU structure before making such a change. Or that you can identify any such dependencies and fix them before or at the time of making the change.
Otherwise, you'll need to make your searchbase the root of the domain. If you have other user account attributes you can use to search, such as department names or similar, that will work. If it's employee accounts, do they all have a common field that's populated, such as "employeeID" or "streetAddress" or something? Or do the accounts you want to exclude have a specific name format (such as all the service accounts starting with "SVC")? By combining things like that, you can generally get it pretty good.
Finally, for searching normal user accounts, a more efficient basic query is:
(samAccountType=805306368)
Your query of (objectCategory=person) returns User and Contact objects. The usual way to scope it properly is (&(objectClass=user)(objectCategory=person)), but the two clauses make it less efficient than my recommendation (which is using an indexed attribute as well).
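Both answers above point the same way: AD will not evaluate an OU inside the filter, so OU scoping has to come from the search base and the filter should test indexed attributes on the entry. The Python below is an added example, not code from either answer or from Spiceworks; it emulates one subtree search per OU base over a constructed copy of the dc1.dc2 tree (the entry values, department names and the helper names are all assumptions).

```python
# Added example, not code from the thread: AD ignores (ou:dn:=OU1), so OU
# scoping comes from the search base while the filter only tests attributes
# on the entry. The entries below are constructed to emulate dc1.dc2.
SAM_NORMAL_USER_ACCOUNT = 805306368   # 0x30000000, indexed in AD

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for any value interpolated into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(extra=None) -> str:
    """Normal-user filter AND-ed with optional attribute equality clauses.
    An OU is part of the DN, not an attribute, so it cannot go here."""
    clauses = [f"(sAMAccountType={SAM_NORMAL_USER_ACCOUNT})"]
    clauses += [f"({a}={escape_filter_value(v)})" for a, v in (extra or {}).items()]
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"

def dn_under(dn: str, base: str) -> bool:
    """Subtree scope: dn equals base or sits below it (RDNs split on
    unescaped commas, enough for this constructed tree)."""
    parts = [p.strip().lower() for p in dn.split(",")]
    bparts = [p.strip().lower() for p in base.split(",")]
    return len(parts) >= len(bparts) and parts[-len(bparts):] == bparts

def matches(entry: dict, extra=None) -> bool:
    """Emulate the server evaluating user_filter(extra) against one entry."""
    if entry.get("sAMAccountType") != SAM_NORMAL_USER_ACCOUNT:
        return False
    return all(str(entry.get(a, "")).lower() == v.lower()
               for a, v in (extra or {}).items())

def search_users(entries, bases, extra=None):
    """One subtree search per base (Spiceworks would need one per OU),
    returning the DNs that also pass the attribute filter."""
    return sorted(e["distinguishedName"] for e in entries if matches(e, extra)
                  and any(dn_under(e["distinguishedName"], b) for b in bases))

# Constructed sample directory: OU1, OU2, OU3 directly under dc1.dc2
ENTRIES = [
    {"distinguishedName": "CN=Alice,OU=OU1,DC=dc1,DC=dc2",
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "department": "Finance"},
    {"distinguishedName": "CN=Bob,OU=Staff,OU=OU2,DC=dc1,DC=dc2",
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT, "department": "IT"},
    {"distinguishedName": "CN=svc-backup,OU=OU3,DC=dc1,DC=dc2",
     "sAMAccountType": SAM_NORMAL_USER_ACCOUNT},
    {"distinguishedName": "CN=Carol,OU=OU1,DC=dc1,DC=dc2",   # contact object
     "objectCategory": "person", "objectClass": "contact"},
    {"distinguishedName": "CN=Printers,OU=OU1,DC=dc1,DC=dc2",  # group 0x10000000
     "sAMAccountType": 268435456},
]
```

Running the OU1 and OU2 bases together returns Alice and the nested Bob but excludes the OU3 service account, the contact and the group; a root-base search with a department clause shows the attribute-based alternative from the second answer.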

Change HP Fortify C rule priority

I was wondering if anyone had any information on how to change a priority on a rule in HP Fortify?
For example in C, the category "Uninitialized Variables" has the fortify priority order of LOW. I need to change to HIGH for auditing purposes. Is there any way to change a rule or do I need to create a new rule?
If I need to create a new rule, how would I make a rule that matches "Uninitialized Variables" and make it global for other users to use?
There's not really a way for you to modify the existing rule pack. But that's okay. There's something much easier that I can suggest that does not involve trying to create or modify custom rules (which can get very messy if you're not careful).
The easiest thing you can do is create a custom Folder Filter.
Open up your FPR in Audit Workbench. Select the correct Filter Set that you normally use.
Your chosen Filter Set will be home to our new Visibility Filter. For example purposes I will use the Security Auditor View. Then select the Filters tab and click Create New Filter.
Use the values shown below, but feel free to adjust if needed, and then click Save:
At this point, you should be able to see the Uninitialized Variable findings in the High tab.
SPECIAL CONSIDERATIONS:
This change to the organization of your Fortify findings is right now only in effect for this one FPR. If you wish to have this filter rule exist in scans for other projects, then you will need to modify the default Fortify filters by creating something called a custom Fortify Issue Template. Check your Fortify documentation to get more information on this.
If you try to upload this to SSC (Software Security Center) where you might want to perform some reporting, then the default Issue Template that lives on SSC will be used to sort and organize your scan's issues when generating reports. If you wish for your new custom Fortify Issue Template to be used for reporting and organization within the web UI, then you will need to override the default Issue Template on the SSC server with your new custom Issue Template. Again, see your documentation for more information on this.
Finally, there is a way to potentially create a custom Fortify Control Flow rule (which will need to be used, together in combination, with a suppression rule) that will make it possible to essentially reassign the priority metadata for your particular issue, but this is quite difficult.

Composition relation between object in active directory schema

I played a bit with AD and the schema and was able to make some custom attributes for my users.
For some reason, adding attributes is not enough for me and I would like to know if it is possible to create a new AD object "clearance", with some attributes, and add a 0..* relation between user and clearance like this:
I'm a total noob in Active Directory so I wasn't able to find any reliable information about the schema meta-model, so... is it even possible? If yes, how can I do that?
To get further I need to make a security claim on this relation and then use it in Dynamic Access Control rules ...
Thanks for your help

Cakephp automated validation generation from MySQL database constraints

I'm looking for an easy solution to automatically generate the validation rules in the model from the database constraints in CakePHP, because I don't want to do all of that by hand with cake bake. So e.g. if there is a NOT NULL constraint for a field in the database it should create a "not empty" validation rule for the field.
So is there a tool that can do this sort of thing?
CakePHP does not support this by default, but I like the idea.
But you could implement that by overloading AppModel::__construct(), adding code into the AppModel::beforeValidate() callback, load the schema by using CakeSchema for the table the model is using and loop over the schema it returns and build rules on the fly and set them to $this->validate.
If you don't want a specific model do it you could add another property like boolean autoValidationRules. Also check if notEmpty is not already set and don't overwrite it automatically or merge it, depends on your needs.
Edit: Try this behavior, I just hacked it together because I like the idea. Going to add a unit test later tonight.
https://github.com/burzum/BzUtils/blob/develop/Model/Behavior/AutoValidateBehavior.php
Indeed there is no built-in feature in CakePHP for this.
Otherwise, if you don't want to use the console, you can use an online tool that allows you to design your applications: Models, relations and validation rules, and then automatically generate a SQL file with the right constraints on columns, your Models with the corresponding validation rules for fields, Controllers and Views: Online Cake Bake.
You do not get to do exactly what you want, but at least you get to design your database's constraints and your validation rules at the same time which saves a lot of time.