I am creating a django application that need to authenticate against our organization's LDAP server which I have successfully done using django-auth-ldap. After authentication, I need to authorize each authenticated user against a local database to check if they have privileges to use the application. How do I go about doing this? I've tried to go through the documentation for django-auth-ldap but cannot find anything relevant.
In you login view I would check the local database and add permissions programmatically after the user has been authenticated, see https://docs.djangoproject.com/en/dev/topics/auth/default/#topic-authorization
if user.is_active:
login(request, user)
#your code to query database and add permissions
_check_and_set_permissions(request)
return redirect('login_success')
If the database you need to check differs from the database you specified for use by the Django ORM
DATABASES = {
'default': {
'NAME': 'DEMODATABASE',
'ENGINE': 'sqlserver_ado',
'HOST': '127.0.0.1',
}
}
Then just create a connection to the database using your favorite driver/SQL expression language (pymssql, SA, pyMySQLdb, etc.) and query the table containing the permissions you need.
Related
I'm working on a existing Parse server, and I am currently adding an OAuth system, so that external apps can connect in the name of Parse.User.
I created different classes for codes and tokens, and now my external apps can send requests with an accessToken, corresponding to their application and user (who granted access).
I'm looking for a way to inform the Parse server that the "logged in user" in requests is the end user that authorized the OAuth application. For this, I have created an express middleware handling request before the Parse server middleware, extracting the access token from the request, getting the correct User and Application, and then I wanted to create a Parse.Session programmatically, get the token, and set it in the request as x-parse-session-token. This way, the next handler, Parse, would treat the request as authenticated and performed by the end user.
My problem here is that I cannot find a way to create a session programmatically, I'm aware of the Parse.User.logIn, but that works only with a password.
I've tried the following:
const oAuthSession = await new Parse.Session().save({
user: user // user got from Parse.Query(Parse.User) with masterKey
}, { useMasterKey: true })
But get a Cannot modify readonly attribute user error.
Any hidden method to programmatically create a Parse.Session without a password ?
As pointed out by #DaviMacêdo in the community forum: https://community.parseplatform.org/t/create-new-parse-session-programmatically-for-a-user-without-their-password/1751
We can inject the user directly in the request field, and it will be picked up by Parse: https://github.com/parse-community/parse-server/blob/f6a41729a7a3adc6bd5310cefb3458835b4abb58/src/middlewares.js#L199
const user = await new Parse.Query(Parse.User).get(‘idOfUser’);
req.userFromJWT = user;
I want to simulate the password reset service for service now users from an external application and I have installed Password Reset - Orchestration Add-on plugin on my servicenow developer instance. Along with this I can see a list of Pwd Reset APIs on my REST explorer (e.g pwd_init, pwd_verify, etc). I went through the documentation available on this documentation page but I'm at a loss to understand what the request payload would be like if I'm trying to call these APIs from an external service like Postman. I wanted something similar this api documentation.
Can anyone help me with this?
Use the Table APIs to do this.
In order to reset a user's password, you basically want to update the user_password field of the user record from sys_user table.
Method: PUT/PATCH
http://<instance>/api/now/table/{tableName}/{sys_id}
here tableName will be sys_user and sys_id will be the sys_id of the user's record in sys_user table.
The body of the API request should be something like this:
{
"user_password": "resetpasswordtext"
}
Bear in mind that this will reset the user's password but the new password will not be "resetpasswordtext". So the user will not be able to login using "resetpasswordtext".
To actually set the password for a user via API, same table API as above can be used. But in order to store the password properly encrypted in the database, below query parameter should be added in the request URL to set the password.
sysparm_input_display_value=true
So the API call will be
Method: PUT/PATCH
http://<instance>/api/now/table/{tableName}/{sys_id}?sysparm_input_display_value=true
BODY: {
"user_password": "newpassword"
}
Now the text "newpassword" can be used by the user to login to the instance.
hope it helps in your use case.
so, my use case did not involve using the Password reset API, but for those of you interested in generating a new password externally, then making an api call to set that as the new password for that user, then here is acode sample that is based on Milind's answer above:
Python3
def change_password_snow(user, pwd, new_pwd, snow_url, sys_id):
# Set the request parameters
url = snow_url + sys_id
# Set proper headers
headers = {"Content-Type":"application/xml","Accept":"application/json"}
# Set query params
params = {"sysparm_input_display_value": "true", "sysparm_fields": "user_password"}
# Do the HTTP request
response = requests.patch(url, auth=(user, pwd), headers=headers, params=params, data=f"<request><entry><user_password>{new_pwd}</user_password></entry></request>")
return response
Setup on ServiceNow
For this to work, the user you are authenticating with in ServiceNow needs to have Admin privileges.
Either that, or modify the sys_user.user_password ACLs to allow non admin users to read and write to that field if they have a role that you select. For my use case, I created a custom role and attached it to that user.
My requirement is authenticate the login request to the Active Directory LDAP and to the local db as the user may be created manually or by the LDAP.
I am loading all the users i my database in a users table but i want to make the dynamic login to LDAP for the ldap users if user did not get authenticated by LDAP with invalid login or invalid user then only i need to authenticate it to the db.
Am not certain on this, so obviously please confirm, but in your Spring security.xml, set up two authentication providers under your authentication manager, first your ldap one and then your database one. A failure with the LDAP authentication should cause the DB one to activate and give the user a second chance to authenticate with the same credentials. Also see this article for some testing I had done earlier with Active Directory and Spring Security.
UAA currently seems to save passwords for all users in the users table in the CloudFoundry's UAA db schema, whether it is authenticated within UAA or by an external identity provider such as LDAP.
Is there a way to disable passwords being saved for users when they are authenticated via LDAP (origin = LDAP).
My current setup is using cloudfoundy-uaa version 2.7.1 and the datastore as PostgresSQL.
The LDAP configuration in uaa.yaml is
ldap:
profile:
file: ldap/ldap-search-and-bind.xml
base:
url: 'ldap://dev.local:389/'
mailAttributeName: mail
userDn: 'cn=manager,ou=admin,dc=company,dc=com'
password: 'password'
searchBase: 'ou=people,dc=company,dc=com'
searchFilter: 'cn={0}'
groups:
file: ldap/ldap-groups-map-to-scopes.xml
searchBase: 'ou=groups,dc=company,dc=com'
searchSubtree: true
groupSearchFilter: 'member={0}'
maxSearchDepth: 10
autoAdd: true
Passwords are not saved/managed when using LDAP or SAML as the user stores. We delegate over the Authentication & User Management entirely to the external user store.
It simply appears as there is a password stored in the DB.
When you look at it, it is just an empty string "" that is stored, but never used.
I would like to create a custom user authentification with LDAP - this is how it should work:
User enters his credentials - I'll check with LDAP is the user exists, if yes I'll create a session in a database and return a valid token for a request. The token handler is not the problem, but I'm not sure about the LDAP Authentification.
What I've already done:
activated php_ldap extension
Installed the php-ldap-module for L5 with the description from here:
http://packalyst.com/packages/package/strebl/l5-ldap-auth
So now I've got my new Authentification Provider, but when I'll try with:
if (Auth::attempt(['email' => 'user', 'password' => 'password']))
{
.....
}
Nothing happens - no error, no warning. Can I use now Auth::attempt, or is that another function for checking if a user exists in my LDAP Directory. Is it still email and password as properties for the login attempt?
Is there somebody who is working with this extension and can give me some more information about the usage?
Thanks in advance
You can try to follow these instructions:
laravel-simple-ldap-auth
There it is explained how to create a custom LDAP authentication in Laravel 5.