Active Directory - Checking Group Membership - tsql

I'm writing a permission checking scheme for a website, and want it to integrate with Active Directory. My question is how to check group membership for a specific username and group. I have the linked server, but I don't know how to query AD.
I'm new to Active Directory, so an explanation of the acronyms would be nice.
Thanks in advance!

This worked:
SELECT * FROM OpenQuery (
ADSI,
'SELECT *
FROM ''LDAP://company.com/DC=company,DC=com''
WHERE objectCategory = ''User''
AND sAMAccountName = ''username''
AND memberOf=''cn=CM_Documents_ALL,OU=Groups - Website,OU=CompanyName,DC=company,DC=com''
')
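
The query above hard-codes the user name and, because memberOf lists only direct memberships, misses users who belong to the group through a nested group. As an added example (not part of the original answer), this T-SQL procedure validates the user name before it reaches OPENQUERY and uses the ADSI LDAP dialect to follow nested groups; the procedure name and parameters are hypothetical, while the ADSI linked server and the company.com names are reused from the answer.

```sql
-- Added example (T-SQL). Assumes SQL Server 2016 SP1+ for CREATE OR ALTER.
CREATE OR ALTER PROCEDURE dbo.usp_IsAdGroupMember   -- hypothetical name
    @UserName nvarchar(64),
    @GroupDn  nvarchar(400),   -- from server-side configuration, never from the request
    @IsMember bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @IsMember = 0;         -- deny unless the directory confirms membership

    -- OPENQUERY accepts only a string literal, so the text must be built
    -- dynamically. Allowlist the account name (binary collation keeps the
    -- ranges ASCII-only; user sAMAccountName values are at most 20 characters)
    -- so it cannot alter the SQL text or the LDAP filter.
    IF @UserName IS NULL OR @UserName = N'' OR LEN(@UserName) > 20
       OR @UserName COLLATE Latin1_General_BIN LIKE N'%[^A-Za-z0-9._-]%'
        RETURN;

    -- Refuse DNs containing characters that delimit the SQL literal, the
    -- ADSI query fields, or LDAP filter syntax.
    IF @GroupDn IS NULL OR @GroupDn LIKE N'%[''";()*\]%'
        RETURN;

    -- ADSI LDAP dialect: <base>;filter;attributes;scope
    -- 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, which also
    -- follows nested groups; plain memberOf = ... sees direct members only.
    DECLARE @ldap nvarchar(1000) =
          N'<LDAP://company.com/DC=company,DC=com>;'
        + N'(&(objectCategory=person)(objectClass=user)'
        + N'(sAMAccountName=' + @UserName + N')'
        + N'(memberOf:1.2.840.113556.1.4.1941:=' + @GroupDn + N'))'
        + N';sAMAccountName;subtree';

    DECLARE @n int;
    DECLARE @sql nvarchar(max) =
          N'SELECT @n = COUNT(*) FROM OPENQUERY(ADSI, '''
        + REPLACE(@ldap, N'''', N'''''') + N''')';
    EXEC sys.sp_executesql @sql, N'@n int OUTPUT', @n = @n OUTPUT;

    IF @n > 0 SET @IsMember = 1;
END;
```

memberOf does not include the user's primary group (normally Domain Users), so a check against that group returns 0 with either query form.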

Related

Row-level-security based on relation table data

I am getting into Supabase and to practice I am making a suuuper simplified website-builder.
However I am having troubles with the row-level-security policies.
I have three tables:
user → with users' information like first name, last name, etc.
website → all websites
user_website → Contains the information which website belongs to which person (since a website can be owned/edited by multiple users)
user: user_id, ...
website: website_id, ...
user_website: user_id, website_id, user_role, ...
I didn't find any useful resource, because honestly I still lack the knowledge to know how to search properly for what I need.
I only found simple expressions like (uid() = user_id), but since the "permissions" are stored in another table, I don't know how to access that.
I used queries like the following but it didn't work as intended:
SELECT
*
FROM
user_website as uw
JOIN website as w
ON uw.website_id = w.website_id
WHERE
uw.user_id = auth.uid()
Help is much appreciated – thanks!
You could define a policy like that:
CREATE POLICY may_edit ON website
FOR UPDATE TO PUBLIC
USING (EXISTS
(SELECT 1 FROM user_website
WHERE user_website.website_id = website.website_id
AND user_website.user_id = uid()
)
);
Here, uid() is a function that returns your current user ID.
This policy will let everyone modify their own website.
I called a friend for help and he pointed out a section in the Supabase docs about "policies with joins" ... yet it still didn't work for me.
The reason was that the RLS-policy on the table website references the table user_website, which didn't yet allow users to access anything.
Solution
RLS-policy for select on website:
auth.uid() in (
select user_id from user_website
where website_id = website.website_id
)
RLS-policy for select on user_website:
auth.uid() = user_id
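
The policies from this thread put together, as an added example that is not part of the original posts. It extends them with a role-restricted update policy: table and column names come from the question, while the policy names and the user_role values 'owner' and 'editor' are assumptions.

```sql
-- Added example (PostgreSQL / Supabase). Assumes user_website.user_id is a
-- uuid comparable with auth.uid(); the role values are assumed, not from the page.
ALTER TABLE website      ENABLE ROW LEVEL SECURITY;
ALTER TABLE user_website ENABLE ROW LEVEL SECURITY;

-- 1. Callers may read only their own membership rows. Without this policy
--    the sub-selects below see zero rows and every website check fails closed,
--    which is the behaviour described in the thread.
CREATE POLICY own_memberships ON user_website
    FOR SELECT TO authenticated
    USING (user_id = auth.uid());

-- 2. A website is visible when a membership row links it to the caller.
CREATE POLICY member_can_read ON website
    FOR SELECT TO authenticated
    USING (EXISTS (
        SELECT 1
        FROM user_website uw
        WHERE uw.website_id = website.website_id
          AND uw.user_id    = auth.uid()));

-- 3. Only owners and editors may update. WITH CHECK re-tests the row after
--    the change, so it cannot be moved to a website_id on which the caller
--    holds no qualifying role.
CREATE POLICY editor_can_update ON website
    FOR UPDATE TO authenticated
    USING (EXISTS (
        SELECT 1
        FROM user_website uw
        WHERE uw.website_id = website.website_id
          AND uw.user_id    = auth.uid()
          AND uw.user_role IN ('owner', 'editor')))
    WITH CHECK (EXISTS (
        SELECT 1
        FROM user_website uw
        WHERE uw.website_id = website.website_id
          AND uw.user_id    = auth.uid()
          AND uw.user_role IN ('owner', 'editor')));

-- user_website deliberately has no INSERT, UPDATE or DELETE policy: with RLS
-- enabled those commands are denied to API clients, so nobody can grant
-- themselves a role.
```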

What is the correct way to set an AD user country?

I have to maintain a PowerShell script which transfers employee information from our database into our Active Directory.
This script runs every night automatically with elevated rights that I do not possess. In other words, I cannot "test" the script. To run the script, I have to commit my changes and create a PR that will trigger a deployment when accepted and wait until the next morning to see if it worked.
The information is usually updated without any problems, except for the country. I tried updating the fields countryCode, c and co and it didn't work because we received an error like "value was not in the acceptable range...". Apparently this error happens when you try to update one of these 3 fields separately.
I found how to update them all at once and I was going to make the changes but I was surprised to discover that there is another field called Country.
I have a few questions :
Why does that Country field even exist ? Aren't countryCode, c and co enough ?
Should I update Country or should I update the countryCode, c and co ?
Why are there 4 different fields in the AD just to hold the country ?
I'd like to know more about this because I really want to get this right on the second try (the first one failed, hence why I'm here) Thanks in advance for your help !
Why does that Country field even exist ? Aren't countryCode, c and co enough ?
It doesn't actually exist - the Country property exposed by the ActiveDirectory module maps directly to the c attribute in the AD schema - it's just an alias.
Should I update Country or should I update the countryCode, c and co?
Given the answer above, no, you don't need to set Country when you set c.
Why are there 4 different fields in the AD just to hold the country ?
As we've established, there are only 3:
c is part of LDAPv3 specification (see RFC2256) to ensure compatibility with X500 DITs.
co was (to my best knowledge) included in the original schema for NT domains for the same reason.
countryCode was introduced in the AD schema to help administrative tools enforce input validation of country names - unlike co, it's an enumeration type, and tools like "Active Directory Users and Computers" populate the Country dropdown with the possible enumeration values and then set all three fields based on the chosen values.
If you have null values for the users you need to change the country to, it worked for me like this, hope this helps somebody, it gave me some headaches until I figured it out.
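# Select the users under the OU whose co attribute is empty
$users = Get-ADUser -SearchBase "ou=RandomOU, Ou=AnotherOU, DC=Domain, Dc=local" -Filter * -Properties c,co,countrycode | Where-Object{$_.co -eq $null}
# Set all three country attributes in a single call
$users | Set-ADUser -Replace @{c="RO";co="Romania";countrycode=642}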

Get Users which have been imported in Confluence via AD

Is there a way in the DB of confluence to get the number of users which have been imported via Active Directory? Like searching for a tag which identifies if a user has been imported or created on the site.
I believe you can run following query against your database:
select u.id, u.user_name, u.active from cwd_user u
join cwd_membership m on u.id=m.child_user_id join cwd_group g on m.parent_id=g.id join cwd_directory d on d.id=g.directory_id
where d.directory_name='<External_Directory_Name>';
Replace the <External_Directory_Name> with the name of your External User Directory. If you don't know the name maybe you can take it from following:
select * from CWD_Directory

How to select all nodes of a certain type connected via an Edge?

I am quite new to OrientDB, I have a Node labeled Resource, and i have other nodes labeled User and Administrator connected to it. I know I can Select all the Users who are "HasAccessTo" the Resource, like this:
SELECT in("HasAccessTo") FROM Resource
But how do I write the Query if I want to Select only those who are labeled as User and not Administrator?
Thanks for the help in advance.
Long answer:
SELECT FROM (
SELECT expand(in("HasAccessTo")) FROM Resource
) WHERE @class = "User"
Short answer:
SELECT in("HasAccessTo")[@class = "User"] FROM Resource
or (expanded)
SELECT expand(in("HasAccessTo")[@class = "User"]) FROM Resource

SPWeb.EnsureUser has limitations?

We're converting all SP permissions into ActiveDirectory groups (one per uninherited object, per role level). I wanted the group names to reflect where the permissions were/are, so I assigned each group with a name that matched the site structure:
sitecollection|site|list|Full Control
Active Directory had issues with the pipes and the potential length, so I reconfigured everything to use the description of the Active Directory object instead. The actual CN of the group is -someNumber- (-1-,-2-, etc).
I ran across an interesting phenomenon while adding the groups into SharePoint under the same role level; I had to start the groups at 1000 else the EnsureUser couldn't find the group no matter what.
$web.EnsureUser('c:0-.f|myprovider|-1-') says it doesn't exist, whereas $web.EnsureUser('c:0-.f|myprovider|-1000-') does just fine.
Is there some sort of limitation to the number of characters a SAM Account Name / Principal Name must be when being searched by SharePoint?
You need to include the Domain name in EnsureUser - Domain\Username
Or you can just add i:0#.f|myprovider| to the username so it looks like i:0#.f|myprovider|myuser and pass the result into EnsureUser. In my case "myprovider" is the name of my custom membership provider.