How to enumerate nested groups across domains? - winapi

I am using MemberOf Attribute to enumerate nested groups. I have 2 domains, 2 groups and one user. Please see below for configuration:
Domain DOMAIN-A has domain global group GROUP-A and USER-A.
Domain DOMAIN-B has domain local group GROUP-B.
USER-A is member of GROUP-A.
GROUP-A is member of GROUP-B.
Ideally, GROUP-A should contain GROUP-B in MemberOf Attribute but it does not even have a MemberOf attribute. (I am using an Softerra LDAP Browser 2.6)
Will it be populated after replication? If yes, how to change replication interval? I want to have instant replication.
Thanks

What you want to use is a special attribute called tokenGroups. If you're on FX3.5 you can use this sample - http://dunnry.com/blog/2007/08/01/GettingActiveDirectoryGroupMembershipInNET35.aspx.
If you're wanting to use an older version of .Net or have some control over the process, you can parse out the attribute manually with something like this - http://dunnry.com/blog/EnumeratingTokenGroupsTokenGroupsInNET.aspx.
Finally, your service account or whatever context you're connecting to AD with will need to be in the Windows Authorization Access group if you use tokenGroupsGlobalAndUniversal.

Related

Azure optional claim return object Id - need Group name

i have tried to get user group name as value in auth/me URL, but it returns only objectId of group.
How to get the group name instead of objectId.
In my manifest i have added
"groupMembershipClaims": "SecurityGroup"
optional claims also added
i don't have any onpremises AD connect
I need the manifest configuration to get the group name in auth/me url
I have tried this in my lab and it is working for me.
This option is available only if you select "groups assigned to the application" option.
If you select any other option apart from this, "cloud-only group display names (preview)" it will be greyed out.
Since this option is still in preview, there is some enhancements going on at backend.
For more information, you can also refer this documentation Configure group claims for applications.
I tried to reproduce the same in my environment:
Manifest:
"given_name": "kav",
"groups": [
"xxxf-94bc-xxxxxx7d",
"xxxx-2459exx5a"
],
The jwt cannot contain group name but it gets Id’s of the groups
You can customize group claim name following Configure group claims but it required Onpremise AD which you mentioned is not there as sAMAccountName option is the option present on Group objects synced from Active Directory.
Else You can check all the default properties using Microsoft graph Api Graph Explorer | Try Microsoft Graph APIs - Microsoft Graph
https://graph.microsoft.com/v1.0/groups/<groupId>

How to use spatie / laravel-multitenancy with single database?

I want to convert my existing app to multi-tenant and don't want to use multiple databases. just read that the given package is allowing that.
https://github.com/spatie/laravel-multitenancy
I have read the single database documentation here: https://spatie.be/docs/laravel-multitenancy/v2/installation/using-a-single-database
But what's next ??
Let's say right now users are storing into users' tables, and by using this package I want to store users tenant-specific.
I don't found the real example anywhere. so better if anyone already implemented Spatie Multi-tenant by using a single Database, please help me here.
Thanks in advance.
Although spatie/laravel-multitenancy supporting single databases, it doesn't come with query scopes (and seems like there are no plans to add them, as you can see here: https://github.com/spatie/laravel-multitenancy/issues/124), so you would need to create them manually.
So, you need to:
add the tenant_id to your tenant-specific tables
add an observer to save the tenant_id when creating a new register in the table
add a global query scope to always filter the data using the current tenant id
You can see something similar in this video: https://www.youtube.com/watch?v=nCiNqboYFVQ
The difference is that you will use the current tenant returned by spatie/laravel-multitenancy instead of the logged user id to get the tenant data.
If you want a package that already brings the query scopes ready to use, you may try Tenancy for Laravel: https://tenancyforlaravel.com/docs/v3/single-database-tenancy
Or, if your application has a very simple multi-tenancy strategy (for example, the tenant is the logged user or his team) you can just create some query scopes without the need to use packages, exactly as the video above teaches, as it is much more simple to identify the tenant by the user_id or team_id, even in terminal commands and queue jobs (but seems that is not your case, as you need the users to belongs to a tenant).
I hope it helps you to select the correct package and strategy for your project.

Trusted domains in IDsObjectPicker

Suppose I have two domains with trusted relationshaip between each other. I initialize IDsObjectPicker to select users and I want to see users from both of the domains, but it shows me users only from the domain the local computer is joined to.
I.e. under "Entire directory" in "Location" I see only current domain.
Which scope should I use to display users from all trusted domains?
I have tried to specify DSOP_SCOPE_TYPE_ENTERPRISE_DOMAIN, DSOP_SCOPE_TYPE_GLOBAL_CATALOG, DSOP_SCOPE_TYPE_EXTERNAL_UPLEVEL_DOMAIN, DSOP_SCOPE_TYPE_EXTERNAL_DOWNLEVEL_DOMAIN, but it didn't help at all.
Using DsEnumerateDomainTrusts with DS_DOMAIN_DIRECT_INBOUND flag I can enumerate all trusted domains - it works, but IDsObjectPicker doesn't show me them.
Logged on user is a member of the domain the local computer is joined to.
Finally solved my problem. By some mistical circumstances DSOP_SCOPE_INIT_INFO with fType set to DSOP_SCOPE_TYPE_EXTERNAL_UPLEVEL_DOMAIN | DSOP_SCOPE_TYPE_EXTERNAL_DOWNLEVEL_DOMAIN didn't work properly.
The solution is to use two corresponding DSOP_SCOPE_INIT_INFO instances inside of a DSOP_INIT_INFO.

Create Mesos role via REST API

Is there a way to create Mesos role using roles endpoint? I've tried different combinations of PUT / POST requests to http://mesos_master_url:5050/roles with different JSON body messages like
{
"frameworks":[],
"name":"new-role",
"resources":{
"cpus":0,
"disk":0,
"gpus":0,
"mem":0
},
"weight":1.0
}
but with no success. The docs itself are not that useful.
Roles is a part of resource definition and it must be done on node level. New role is declared when there is at least one resource attached to it.
To assign resource to specific role put role name after the resource in brackets. For example we want to run roles development and test on one cluster. We want to distinguish ports offered to these roles. The development tasks will be run on ports 31000-32000 and be tested on 41000-42000. To do it we define following resources.
ports(develop):[31000-32000]; ports(test):[41000-42000]
See Roles documentation and resources
Also, roles are actually created on the mesos masters.
Generally, the config lives in /etc/mesos-master/roles and the content is like this:
role1,role2,role3,role4,role5,...,roleN

What is equivalent LDAP attributes for Active Directory

What is equivalent LDAP attributes for Active Directory
I am looking for password using Net::LDAP.
I dont know to how to set the user password using Net::LDAP
Here is a helpful article from Microsoft with some sample code that you might be able to adapt: https://support.microsoft.com/en-us/help/269190/how-to-change-a-windows-active-directory-and-lds-user-password-through
The essential attribute, it seems is: unicodePwd
(a.k.a. Unicode-Pwd
https://msdn.microsoft.com/en-us/library/ms680513(v=vs.85).aspx
)
Also note some cautions and advice from this answer: https://serverfault.com/questions/423345/changing-active-directory-password-over-ldap-using-passwd-ldappasswd-samba
AD attribute names with cross reference of LDAP attribute names
https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx

Resources