I need to call CreateProcessWithLogonW, for which I need to pass builtin account name (say Administrator). The problem is that builtin account names are localized. For example in French its "Administrateur" and when I pass "Administrator" to the function, it returns ERROR_LOGON_FAILURE.
In order to get a builtin account name, I can pass its SID to LookupAccountBySid. Pretty easy. The problem is that, according to this, the SID I need to pass is following:
S-1-5-21domain-500
How do I get the domain part?
I found this code, but in order to get current user's SID (from where I could get the domain part), it calls chain of functions including OpenProcessToken, GetTokenInformation, HeapAlloc, GetSidIdentifierAuthority, GetSidSubAuthorityCount, GetSidSubAuthority...
This would be rather insane for getting simple domain string. Is there a shorter way to do this?
Related
I have an active directory that looks a little like this:
gdcmpny.com
|__GoodCompany
|
|__NYC
| |__Users
|
|__SF
|__Users
When a user sends me his username+password, i cant know if he's under NYC/Users or SF/Users. Is there a way to compound a string like this:
CN=Users,OU=%s,OU=GoodCompany,DC=gdcmpny,DC=com
so the ldap request will look in both NYC/Users and SF/Users? Or do I have to specify the exact absolute path?I am using Go to send the request, with the package github.com/jtblin/go-ldap-client.Thanks!
Unfortunately not on Microsoft Active Directory.
There is a thing called ExtensibleMatch, but not supported on Microsoft Active Directory.
-jim
You do not need to use the fully qualified DN for LDAP binds against an Active Directory server. You can use sAMAccountName and userPrincipalName values to authenticate to AD LDAP... provided you've got a single tree in a single forest, these are formed by concatenating the user-provided logon ID with a string.
For the AD domain gdcmpny.com with legacy domain name GDCMPNY, the user with logon ID MyUserName has userPrincipalName MyUserName#gdcmpny.com and sAMAccountName of GDCMPNY\MyUserName regardless of where their ID resides within the directory structure.
In cases where you've got multiple domains within the forest and cannot simply know the proper string to add to the user ID, you can bind under a known system credential, search for the user-supplied logon ID, and return the fully qualified DN (FQDN) of the matching entry. Then use the FQDN with the user-supplied password to validate the user's credentials.
string formatting, like:
CN=Users,OU=%s,OU=Goenter code hereodCompany,DC=gdcmpny,DC=com
isn't supported, but I can simply don't specify the whole hierarchy in my request.This is what worked for me:
OU=GoodCompany,DC=gdcmpny,DC=com
I'm just getting started with Apiary and I can't tell if this is a limitation of the product or just me not understanding what to do.
I'm documenting an API which authenticates the user as part of every request. Sometimes the authentication is part of the path (a request for the user's profile would have the user id in the path), other times just as parameters (?user_id=1&auth=secret), and for POST requests, part of the incoming body as JSON.
Also, there are 3 methods of authentication in the app. You can log in with a Facebook UID, email address, or using the unique id of the device you're using. The result is something that looks like this:
##User [/user/{facebook_uid}{?access_token}, /user/{email}{?device_id}, /users/{device_auth_id}{?device_id}]
This works fine, and displays in the API as I'd expect:
But this introduces 2 issues:
1) If I wanted to add a set of parameters shared by all authentication methods, I would need to add it to all 3 like this:
## User [/user/{facebook_uid}{?access_token, extra_thing, this_too},
/user/{email}{?device_id, extra_thing, this_too},
/users/{device_auth_id}{?device_id, extra_thing, this_too}]
This seems a bit messy, it'd be much nicer to apply shared parameters at the end of the path array so they apply to all, something like this:
## User [/user/{facebook_uid}{?access_token}, /user/{email}{?device_id}, /users/{device_auth_id}{?device_id}]{&extra_thing, this_too}
But this doesn't work. Is there a way to do this? The documentation wasn't very helpful with more complicated stuff like this.
Also, would there be a way to create some kind of template which I could apply to all my methods? In the case where the authentication is part of the path its a bit unavoidable, but for other requests it would be nice to just do something like include: authentication and have it pull the unique_id/auth combo from a defined template somewhere.
Thanks!
First, there isn't really support for having a single model with multiple resource representations. It is an unusual thing to do and is actually good food for thought.
Second, using multiple URIs in [path segment] is probably going to confuse Apiary's mock server and make it unusable.
In my opinion, I'd split this into three models: Facebook User, E-mail User and Device User, with slightly different documentation (how are they created? Can you really create all of them through api? etc. etc.)
It also depends on how you want to document this. As path segments are not validated (it would be strange to have different resources based on the type of the arguments), you can just have (and I'd personally do just that)
## User [/user/{id}{?access_token, extra_thing, this_too}]
+ Parameters
+ id (required, string, `test#example.com`)...id of the user. Can be either user's e-mail, facebook id or device id from where user was created.
As for reusable parts, this is currently being implemented with authentication being part of that.
For example, I have a field that give user to type their domain, the user can type any domain on this, but I don't valid this domain is belong that user. Of course, I can generate a random number text file for user to upload, and when I get the random number text file, if it is match, I can just treat it as a valid domain holder. But, except from this method, is that anyway to do so? Thanks.
Options I have seen:
Have user Create a Text file in document root, check for it
Send Email to contacts listed in whois (Or other ROLE type accounts (postmaster, hostmaster, etc...), with token they need to
return
Have them create an 'A' record in their DNS that is unique and you can query for.
There really isn't any other way of telling if they have control over the domain. Using whois information isn't 100% accurate as people don't update it, or their info isn't registered to them, or is hidden behind something like domains by proxy. There is no standard information in DNS, that can tell you ownership. Since google uses the DNS method and the text file method (I think), you can probably safely assume that is a good way to verify it.
I've been through a few similar posts,
Facebook Like Custom Profile URL PHP
Custom URL / Apache URL Rewriting
But its still not clear, the actual method/process is not available..
Guys , little more guidance would do a lot..
I would like to put forward the questions here:
Users should have a chance to decide what is their url, Just like in case of fb, twitter
for example: www.facebook.com/harry.inaction
I am using the linux, apache, mysql, php environment for this.
Users are identified based on their user id's which get created automatically when they join in
And I fail at the very first step, seriously I don't know get started.
Thanks
It's going to be impossible to put any details as an answer because you've got to build this system of yours and there's more than one way to do it. Design decisions will need to be made based on the way you want things to work and what you already have (they're going to have to work together in some way).
Say you've already got a system for creating users (and it sounds like you do) and you already have a system for viewing profiles. You'll need to extend this system so that you store an extra "my_vanity_url" field in your user table in your database. This field needs to be unique. When a user edits their profile, they have the option of changing this to whatever they want (limiting it to only letters and numbers and dashes for simplicity).
Next, when you display this profile, say it is via /profile.php, your code needs to check a few things.
First it needs to check how it's called, looking at $_SERVER['REQUEST_URI'] you can see either /user/some-vanity-name or /profile.php?u=1234.
If it's the latter, you need to redirect the browser, do a database lookup to see who the user with user_id 1234 is.
Pull the "my_vanity_url" column out of the database for this user and redirect the browser to /user/my_vanity_url_value (replacing my_vanity_url_value with the value of that column).
So now, if you go to http://your.domain.com/profile.php?u=1234, your browser gets redirected and the URL address bar will say http://your.domian.com/user/my_name.
Next, you need to be able to take that unique name and turn it back into the old ugly looking profile page. Two things need to happen here:
You need to extend your profile.php once more to take an optional vanity name as opposed to a user_id
You need to use mod_rewrite to internally route vanity names to /profile.php
For the first thing, you simply look for a different $_GET[] parameter instead of whatever it is for a user_id. Say it's called name: so look at $_GET['name'], see if it exists, if it does lookup the user in the user table whose vanity url name is $_GET['name']. Return the profile of that user.
For the second thing, you just need to put this in the appropriate place in your htaccess file in your document root:
RewriteEngine On
RewriteRule ^/?user/([A-Za-z0-9-]+)/?$ /profile.php?name=$1 [L]
This is just an example for how to implement something like this. It may be completely inapplicable for what you have, but it should give you an idea of what you need to do.
When working with the Blogger API the user ID is expected to be numeric. I found out my numeric ID by looking at the URL for my Blogger profile page. However, I want my users to be able to use their usual Blogger user name. So:
Is there a way to convert Blogger
user names to numeric user IDs?
Is there a way to pass in user names
instead of IDs to the Blogger API?
Thanks!
It depends on what you are trying to do, but in most use cases you don't need to explicitly know this information because the authToken will take care of resolving these issues for you if you use the default URLs with the API. But, in the interest of providing an answer in case you really do need to know this:
After the user authenticates, just request some information, like the list of blogs, and you'll be able to extract the ID number from your choice of several places in the response.
Not really, except that during login you use the username. Otherwise you need to use either default, assuming an active authToken, or the ID to reference a particular user's Blogger content.