Configuring ejabberd shaper rules using regexp - xmpp

I'm running an ejabberd server where I need users whose name matches a specific pattern to have a fast shaper assigned to them. For example, if I have these users:
A123
A222
B892
C123
I would like to make all the users use the "normal" shaper, but if the user name is "A*", I want it to get the "fast" shaper. I'm trying to avoid configuring a group and manually adding all the "A*" users to that group.
Ideas?
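One way to express the rule asked about above with a regexp-based ACL in ejabberd.yml. This is an added example, not part of the original question; the ACL name fast_users and the rate values are assumptions, and the "normal" and "fast" shaper names are the ones the question uses.

```yaml
# Added example (ejabberd.yml fragment). The ACL name "fast_users" and the
# rate values are assumptions chosen for illustration.

acl:
  fast_users:
    # ejabberd matches ACLs against the nodeprep-normalized (lower-cased)
    # user part of the JID, so "A123" is seen as "a123". Write the pattern
    # in lower case, otherwise it never matches.
    user_regexp: "^a"

shaper:
  normal:
    rate: 3000          # bytes per second
    burst_size: 20000
  fast: 100000

shaper_rules:
  c2s_shaper:
    # Rules are evaluated top to bottom and the first match wins, so the
    # specific rule has to come before the catch-all.
    fast: fast_users
    normal: all

listen:
  -
    port: 5222
    module: ejabberd_c2s
    # The shaper rule only takes effect if the c2s listener refers to it.
    shaper: c2s_shaper
```

Because the pattern is anchored only at the start, any account whose name begins with "a" gets the fast shaper; tighten it (for example "^a[0-9]+$") if users can choose their own usernames at registration.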

Related

Is it possible to combine userRolesHeader with roles defined in realm.properties?

So I'm sending all users through apache with mod_auth_kerb. All users come in with a default userRolesHeader of users.
I'd like to add extra roles for specific accounts, but I'm not seeing a good way to do that. If you could define the users in realm.properties and it would combine with the userRolesHeader, that would be useful.
Is there another way to do this? I don't see how it can be done with apache alone since REMOTE_USER isn't available during if/else logic processing.
#rundeck
rundeck.security.authorization.preauthenticated.userNameHeader=X-Forwarded-Uuid
rundeck.security.authorization.preauthenticated.userRolesHeader=X-Forwarded-Roles
#apache
RequestHeader set "X-Forwarded-Uuid" %{REMOTE_USER}s
RequestHeader set X-Forwarded-Roles users
Internally Rundeck gets only one method once; if you configure Rundeck to get the users from the realm.properties file, Rundeck seeks the roles from that file. Currently you can combine methods, but the user/role in different methods doesn't.

Keycloak group attribute mapping

I want to set up a Keycloak instance which provides AAI to several applications. The users and groups will come from multiple sources (e.g. LDAP) so I want to use mappers so that the attributes on the Keycloak side are the same for users with the same properties. For user attributes, one can use a user-attribute-ldap-mapper, and that works like a charm.
My users now are part of groups, and the groups have their own attributes. So for instance I would have in one of my LDAPs:
Group1
-- MySpecificAttribute1: value
-- MySpecificAttribute2: other value
User1:
-- member of Group1
-- MyUserAttriute1: vall
What I would like to do is to map the attributes MySpecificAttribute1 to Attribute1 in the Group1 group that has been imported into Keycloak.
Is there a (hopefully easy) way to achieve this?
EDIT
I thought it could make sense to specify a bit more what I try to achieve. The thing is we are developing an application that needs to have access to the group information, so answering questions like "give me the list of users who are linked in the contactpoint attribute of all groups". Our current approach is to use the REST API to obtain this data directly from keycloak, and it would not be optimal if we had to implement a translation table for the different sources of information. There may be a way to obtain this information in a different way where we would put the translation somewhere in keycloak, that could be worth investigating too.

How to hide a group of users from others in Ejabberd or MongooseIM?

Let's say I have 10,000 usernames in the RDBMS database which will use the XMPP chat service like Ejabberd or MongooseIM that I will put manually in the database. Now every 1000 usernames in the above 10,000 have fixed prefix in their JID usernames like:
1-1000 usernames start with aa__ (Example - aa10001, aa10002 , ...)
1001-2000 usernames start with bb__ (Example - bb10001, bb10002, ...)
2000-3000 usernames start with cc__ (Example - cc10001, cc10002, ...)
and so on ... total of 10 different prefix usernames
Now I just want that these 10 different pairs must not know others prefix usernames pairs and must not be able to send any type of stanza (like message, presence, IQ) to other pair (having a different prefix)
Possibilities:
If I can use some regex in the block policy then that would be great instead of blocking the individual.
I know you may suggest using a different virtual host for each pair. But managing so many virtual hosts can be difficult, because in the above example 10K is just a small example of a bigger picture.
Please let me know if the question is not clear to you.
I just want that these 10 different pairs must not know others prefix usernames pairs and must not be able to send any type of stanza (like message, presence, IQ) to other pair (having a different prefix)
First of all, play with mod_filter. Looking at its example configurations, probably you can accomplish what you want using it:
https://github.com/processone/ejabberd-contrib/tree/master/mod_filter
Maybe you can define an ACL based on the username patterns ("aa*" or something like that), and this way you can have all users in a single vhost.
In case the only solution requires having a vhost for each user group, some ideas:
Now every 1000 usernames in the above 10,000 have fixed prefix in their JID usernames like:
As you mentioned, you can define a vhost in ejabberd for each user group: 10001@aa.example.com... Or in order to not change existing usernames: aa10001@aa.example.com...
Maybe if I can use Virtual host in some way that it is easy to manage (adding new pairs frequently) without adding a new database for each then that will be a best-ever solution
Right, you can have all the vhosts in a single database, if you configure ejabberd like this and use the appropriate *.sql file when creating the database:
new_sql_schema: true
Can I add a virtual host dynamically in the config without stopping the server?
Yes, it should work (it's a recent feature). Edit ejabberd.yml as you wish, and reload it with:
$ ejabberdctl reload_config

Having a distribution group within another distribution group to redirect emails

We have two email addresses for some groups due to translations so people can email both addresses but still go to the same people. Rather than having two distr groups for the two languages and each of them having all of the members in them (which would just make a lot of duplicates), we would want one of the groups to be inside the other so it's easier to manage the groups.
In active directory is there a way of having a distribution group with two email addresses or having a distribution group within another distr group so the emails get redirected from one address to the other?
Any suggestions for other ways of doing it if it's not possible in Active directory as well
Thanks
You can assign as many email addresses to a group (or a user) as you want.
Assuming you're using Exchange, the attribute is proxyAddresses. Each address begins with the protocol. For email, that's SMTP:. The primary address has it in upper case. Any secondary addresses are in lower case.
So just add another address with lower case smtp:.
Your proxyAddresses list will look something like this:
SMTP:primaryaddress@example.com
smtp:secondaryaddress@example.com
You can either add it using the attribute editor in AD Users and Computers, or through Exchange PowerShell:
Set-DistributionGroup "Group Name" -EmailAddresses @{Add="smtp:secondaryaddress@example.com"}

Is it possible to add different roles to a user in different groups in keycloak?

User-Ankit
He is in two groups named flights and hotels.
In flights, he is a manager.
In hotels, he is a supervisor.
Can we assign these different roles to Ankit in different groups in Keycloak?
I think you have to separate the roles to be specific to the group - you'd need a flights-manager role and a separate hotels-manager role and so on.
You can assign roles to a user or group but assigning roles to a group effectively assigns those roles to all the members of the group. I think this is pretty typical.
When you assign roles to the user, you just assign roles to the user and not a user within a group:
There's a thread in the keycloak mailing list where this comes up. Basically groups are just ways of collecting users and not part of the access control structure.
If hotels and flights correspond to apps then you might want to consider whether you could handle them as clients rather than groups but I think you'd still need to have separate sets of roles.