Spring LDAP Get a user's Full Distinguished Name using Username - spring

In our AD, we have the following structure for a user's full dn
Cn=username,ou=ou1,ou=ou2,ou=ou3, dc=...
Question is, is it possible to get a user's full dn when we only have the username and ou=ou2...dc... (Missing ou1 value)?

Sure. Just run an LDAP search with a query like (&(CN=username)(objectClass=user)). Just remember that in general CN is a full name, not a username, so if you actually have a username instead of a full name you might get a better result with (&(sAMAccountName=username)(objectClass=user)).

Related

Laravel: calculated field used in a query

I am working on a function that allows a user to check if their existing device contacts are using our platform, based on phone numbers.
For privacy and security, we are hashing the user's contact's phone numbers on device (salted with the user's id) before sending to our server.
Server side, we then need to hash our entire contacts table (using the user's id as a salt), which is currently being done in a for loop.
We then check this list against the request list, and return the details for any matches.
However, I'm sure there is a more efficient way of doing this, something like computing the hash in a calculated field then including the $request->hashes in a "whereIn" clause.
Could someone give me a pointer on the best approach to be taking here?
The question is, what privacy and security are you achieving by sending a hashed value of the contact number?
You are hashing the contact on the client side (device), which means you are using a key and salt that is already available on the client side. How can that be a security feature?
If you want to search a hashed value in the database then it's better to save the hashed contact number in a column in the first place. So you can directly run a where query on the database table.
Ideally, if you are really concerned about the user's contact numbers you should:
Encrypt the user's contacts in the backend/database, not in the frontend.
If you need to query for a field in the database then you should make a hash-valued column that can be matched easily. I mean searchable fields should be hashed so you can run a direct query.
Nothing to worry about regarding the user's contact security in the frontend if you are already passing it through Secure HTTP (HTTPS).
It is even a common practice in the industry to pass a submitted plain password via HTTPS when a user submits it in the frontend. It shouldn't be a concern of privacy or security.
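The two points made in this answer, shown in running code as an added example that is not part of the question or the answer (the thread is Laravel, but the logic is the same in any language and Eloquent's whereIn binds its values exactly like the parameterised IN below). First, the per-user salt buys no privacy: the server knows the salt, and a phone number has so little entropy that the hash is recovered by simple enumeration. Second, once a deterministic hash is stored in an indexed column, the server-side match is a single IN query instead of re-hashing the whole table per request. The user id, the phone numbers and the SQLite schema are constructed for the demonstration; that device and server agree on an unsalted SHA-256 of the E.164 number is an assumption of this example, not something the question specifies.

```python
"""Client-side 'sha256(user_id + phone)' hides nothing, and a precomputed
hash column turns the contact match into one indexed query."""
import hashlib
import sqlite3
import time
from typing import Dict, List, Optional, Tuple


def client_hash(user_id: int, phone: str) -> str:
    """The scheme from the question: hash the contact's number on the device,
    salted with the requesting user's id. The server knows that id too, and so
    does anyone who can see the request, so it is not a secret."""
    return hashlib.sha256(f"{user_id}:{phone}".encode()).hexdigest()


def recover_phone(user_id: int, digest: str, area: str, exchange: str) -> Optional[str]:
    """Brute-force the 10,000 line numbers of one NANP exchange. An attacker
    who does not know the exchange enumerates the whole numbering plan
    (about 10^10 values), which is still minutes of SHA-256 on a laptop."""
    for line in range(10_000):
        candidate = f"{area}{exchange}{line:04d}"
        if client_hash(user_id, candidate) == digest:
            return candidate
    return None


def server_hash(phone: str) -> str:
    """Deterministic, unsalted hash (assumption of this example) so that it can
    be stored per row, indexed, and computed identically on the device."""
    return hashlib.sha256(phone.encode()).hexdigest()


def build_demo_db(phones: Dict[str, str]) -> sqlite3.Connection:
    """Constructed contacts table with the hash stored alongside the number."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, phone TEXT, phone_hash TEXT)")
    conn.execute("CREATE INDEX ix_contacts_hash ON contacts(phone_hash)")
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?, ?)",
        [(name, phone, server_hash(phone)) for name, phone in phones.items()],
    )
    conn.commit()
    return conn


def match_contacts(conn: sqlite3.Connection, hashes: List[str]) -> List[Tuple[str, str]]:
    """Match the request's hash list with one parameterised IN query.
    Only the placeholder count is interpolated; the values are bound, so a
    hostile 'hash' string cannot inject SQL. Chunk very long lists: SQLite
    caps the number of bound parameters per statement."""
    if not hashes:
        return []
    placeholders = ",".join("?" * len(hashes))
    return conn.execute(
        f"SELECT name, phone FROM contacts WHERE phone_hash IN ({placeholders})",
        hashes,
    ).fetchall()


if __name__ == "__main__":
    # Constructed sample data: three platform users with made-up numbers.
    users = {"alice": "+15555550123", "bob": "+15555550987", "carol": "+15555551234"}

    # 1) The 'privacy' of the client-side scheme: recover a number from its hash.
    digest = client_hash(42, users["alice"])
    t0 = time.perf_counter()
    found = recover_phone(42, digest, "+1555", "555")
    print(f"recovered {found} in {time.perf_counter() - t0:.3f}s")

    # 2) Efficient server-side match against the precomputed column.
    conn = build_demo_db(users)
    request_hashes = [server_hash("+15555550987"), server_hash("+15555559999")]
    print(match_contacts(conn, request_hashes))
```

The enumeration finishes in well under a second for one exchange, which is the whole argument: a hash of a low-entropy value with a non-secret salt is a lookup table entry, not a protection. The protection the numbers actually get in this design is TLS on the wire and access control on the server.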

Retrieve User's Password in Oracle Apex (v21.1)

Since my 2 posts about LDAP Authentication (first post, second post), we created our own custom authentication scheme and function to connect to the application using our Active Directory credentials.
We can successfully log in to the application. However, we have a second function which retrieves the user's group in the AD. Here's the code I use when trying to retrieve the group into a Text Field (P1_GROUP):
ourschema.ldap_get_group_apex_from_user(
p_username => v('APP_USER'),
p_password => 'thepassword')
As you can see, this is working, because the password is in static text. This leads me to my main question:
How to retrieve the user's password in Oracle Apex, and what is the most secure way?
I tried to set a Branch or a Process in the Log-In page while redirecting the user to the home page, and Set Value of the :P9999_PASSWORD field to the home page text field P1_PWD.
So, I tried to adapt my code with the text field:
ourschema.ldap_get_group_apex_from_user(
p_username => v('APP_USER'),
p_password => :P1_PWD)
Unfortunately, this doesn't seem secure because the password would be visible in the HTML code of the page (right click + inspect and there it is). Moreover, sometimes it gives me an error:
Error computing item source value for page item P1_GROUP
It seems like the application cannot execute the function because the password is still not initialized.
Is there a way to retrieve :P9999_PASSWORD or to transfer it from the login page to a global variable/global page or a text field? Or is there a function to retrieve the current user's password?
Thank you again for your time, do not hesitate to ask for more details as this is a very specific case,
Thomas
I don't think your approach is correct. Ideally, even an administrator of your system should not be able to decrypt a user's passwords; they should be stored as hashes.
You're trying to look up the user's group memberships? You don't need the user's own credentials to do that. Use a dedicated account that has access to your Active Directory system and store that password encrypted in your database. Use that account to search for and look up the user's group memberships. That way, even if your system is compromised, only that account is exposed.
Thank you all for your answers and your advice on my case, and for taking the time to help.
We found a solution that we think is reliable; here's what we did, in case it helps other people.
We created a global variable G_GROUP, which will receive the user's group.
On the login page, we created a process before the login process.
Set the Source of the Process to PL/SQL Code :
:G_GROUP := pdbadmin.ldap_get_group_apex_from_user( --our custom function to retrieve groups
p_username => :P9999_USERNAME,
p_password => :P9999_PASSWORD); -- the function get the username and password in the fields
If I want to display the group of the user on the main page, I create a Text Field P1_GROUP which has as its Source the PL/SQL Expression :G_GROUP.
Our group is initialized, and the password is not shown in any field.
Let me know what you think about it, and if you guys think this could be improved.

LDAP Query - get all the member's emails from a given AD distrib group?

I am trying to run an LDAP query against AD to give me all the email addresses for a given group. I tried this but it gives me the email address of the distribution group but not those of the members.
I tried this LDAP query, (&(objectCategory=group)(Name=My-TEST-Group)), with Mail as the output, but it does not give emails for the members.
I tried member as the output, but that gives me the members' CN details in this format: CN=Smith\, Johne,OU=Standard Users,OU=SouthWest,OU=Active-Users,DC=NOV,DC=net
I found the problem. The problem is the memberof (at least in my environment) requires full OU.
So, 2 steps. First I had to get the full DN for the given group:
(&(objectCategory=group)(cn=dg-fmog-sp-test)) and get distinguishedName
So my final query looks like the following, and it works:
(&(&(objectCategory=person)(objectClass=user))(memberOf=cn=my-test-group, OU=SW Distribution, OU=Email Servers, OU=Data Mining, OU=US, dc=NOV,dc=net)) and get mail
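Added example, not code from any of the posts on this page: Python helpers that serve both the first question (resolving a logon name to its full DN, where the filter is built from a username the application did not choose) and the two-step memberOf lookup in this answer. The search itself is left to whatever LDAP client is in use (Spring's LdapTemplate, ldapsearch, ldap3); what the helpers produce is the filter string, with assertion values escaped per RFC 4515 so that a username such as `*)(sAMAccountName=*` cannot widen the search, and a parser for the DN strings AD returns in `member`, whose `\,` escapes follow RFC 4514. The DNs and names in the block are constructed.

```python
"""Filter escaping, the two AD filters from this page, and DN parsing."""
from __future__ import annotations

import re
from typing import List, Tuple

# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def filter_escape(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn_filter(username: str) -> str:
    """Filter resolving a logon name to its user object. Search it with scope
    subtree from the base you do know (here ou=ou2,ou=ou3,dc=...); the
    entry's distinguishedName is the full DN including the unknown OU.
    sAMAccountName holds the logon name; CN in AD is usually the display name."""
    return f"(&(sAMAccountName={filter_escape(username)})(objectClass=user))"


def group_members_filter(group_dn: str) -> str:
    """Step two of this answer: users whose memberOf lists the group's DN.
    The DN is an assertion value here, so a backslash inside it (as in a
    member such as CN=Smith\\, John) must itself be escaped to \\5c."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(memberOf={filter_escape(group_dn)}))"
    )


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, honouring both the
    '\\,' style and the '\\2C' hex style of escape that AD emits in member
    values. Leading whitespace after a comma is ignored, as AD does."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1 : i + 3]):
                buf.append(chr(int(dn[i + 1 : i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for part in parts:
        attr, _, value = part.lstrip().partition("=")
        rdns.append((attr.strip(), value))
    return rdns


if __name__ == "__main__":
    # Constructed sample values; the shapes mirror the DNs quoted in the thread.
    member = r"CN=Smith\, Johne,OU=Standard Users,OU=SouthWest,OU=Active-Users,DC=NOV,DC=net"
    print(parse_dn(member))
    print(user_dn_filter("jsmith"))
    print(user_dn_filter("*)(sAMAccountName=*"))      # injection attempt, neutralised
    print(group_members_filter("CN=dg-fmog-sp-test,OU=Groups,DC=NOV,DC=net"))
```

Two practical notes. The memberOf filter only finds direct members; nested group membership needs either a recursive walk over `member` (parse each DN with parse_dn, fetch it, recurse into groups) or AD's matching-rule-in-chain operator `memberOf:1.2.840.113556.1.4.1941:=<dn>`. And the result set for the first question should be checked for exactly one entry: sAMAccountName is unique per domain, but a forest-wide search can return the same logon name from several domains.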

AD user provisioning: domain-field

I'm creating a VBS to create a user from our HR systems.
Most of it worked, but I noticed the domain field stays blank (the field to the right of the logon name in the dsa.msc tool; the second part of the User Principal Name).
you can see it in this screenshot as "#Entcert2.com"
I can't find any information on this on the internet.
There is basically only one value possible, but it's blank after the user creation.
The NETBIOS-domain name is filled in correctly.
What's the correct field name to fill in this value using VBS?
You just forgot to fill in the userPrincipalName attribute.

Identifying Windows users in Oracle

I am trying to identify incoming users in Oracle in order to give them access rights according to their identity (FGAC). Users are located in different domains, which means that they might have identical system usernames (Windows usernames).
I have been trying to use the environment context variable sys_context('userenv', 'var'), where I get the domain name (e.g. SYS_CONTEXT('USERENV','HOST') and SYS_CONTEXT('USERENV','OS_USER')), but I seem to get different results depending on the connection method.
Are there any other means of getting the user's true identity I can explore?
I'm not sure which variable you should use but you may want to look at select * from v$session to help you pick one.
If you're basing FGAC on OS_USER environment variable, you're truly not securing the data. OS_USER isn't a credential passed to Oracle, it's just a string that can be manipulated by an attacker.
