One of the new requirements for our database application is to synchronize the contents of the user table with the users in Active Directory. So basically I need to connect to the Active Directory server and retrieve a list of user names, from within a PL/SQL procedure.
What I have achieved so far is connecting to the Active Directory server, using my own credentials, and querying some attributes.
Example:
ldap_password := '****';
ldap_user     := 'cn=me,OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
ldap_base     := 'OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
-- filter as posted; note that RFC 4515 requires every operator, '!' included,
-- to sit inside its own parentheses, e.g. (!(cn=me)), so a server will reject
-- this string as written
search_filter := '(&(objectClass=Person)!((sn=him)(cn=me)))';
res_attrs(1)  := 'displayName';   -- attributes to return for each hit
res_attrs(2)  := 'cn';
res_attrs(3)  := 'telephoneNumber';
It seems I can only query my own attributes or somebody else's if I already know who that someone else is.
How do I get a list of usernames?
Is this possible using any account or does this require an account with the proper privileges?
I got my script working. The scope setting prevented me from seeing all data.
DBMS_LDAP.SCOPE_SUBTREE
Rene,
You can do all searches in Active Directory via Oracle's LDAP components, which it seems you have already touched upon. While I am no expert on LDAP/AD, I believe that you may need rights to perform these actions, or better yet get an ID/password created that has the rights (this way you can keep your ID/password out of the system and allow either an unexpiring password or a password that is supported by the AD administrators). I know that I have always had full query access to AD; not sure if that is how I am set up or out-of-the-box functionality.
But look at this site:
http://www.oracle-base.com/articles/9i/LDAPFromPLSQL9i.php
As the article demonstrates, I would recommend paring back your search filter (get more, then whittle it down until it suits your needs):
l_attrs(1) := '*'; -- retrieve all attributes
l_retval := DBMS_LDAP.search_s(ld       => l_session,
                               base     => l_ldap_base,
                               scope    => DBMS_LDAP.SCOPE_SUBTREE,
                               filter   => 'objectclass=*',
                               attrs    => l_attrs,
                               attronly => 0,
                               res      => l_message);
Active Directory has about 4 naming attributes.
sAMAccountName (aka Pre-Windows2000 name) is a 20 or so character short name that must be unique within each domain.
userPrincipalName, usually sAMAccountName@domain.name, but it turns out AD will honour almost any string. (I know this experimentally, as we once accidentally reset 2000 out of 6000 such values in a running AD domain.)
displayName, that which shows up in ADUC (dsa.msc, Active Directory Users and Computers).
The CN= part of the DN. Using ADUC, the CN is usually the Display Name. However, it too can be anything legal in an LDAP name.
So which 'name' are you looking for? Basically query for any of those attributes in the list and see what you get.
As for seeing other objects, yes, you would need an account with sufficient rights to see those attributes for users.
I'm working with the validate_doc_update function. I've heard about userCtx, but simply calling log(userCtx); helps in no way: there are no records in the log.
How do I determine in validation whether the current user is logged in or not, and maybe perform some checks to verify against user rights (which may be made by simple fields like role:editor in the _users database)?
The user context is accessible under req.userCtx.
A common check of the logged-in status is if (req.userCtx.name !== null).
The access right roles of a user doc are accessible under req.userCtx.roles. The corresponding settings for a doc can be included hard-coded in the validate_doc_update function or in the doc itself.
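The two checks described in the answer above (is the user logged in, and does the user hold a role the document requires) written out as a complete validation function. This is an added example, not code from the original thread. CouchDB calls validate_doc_update with the four arguments (newDoc, oldDoc, userCtx, secObj), sets userCtx.name to null for anonymous requests, and treats a thrown {forbidden: ...} or {unauthorized: ...} object as a rejection; the owner field, the requiredRole field and the user contexts below are constructed for the example.

```javascript
// Added example, not from the original thread: a CouchDB validate_doc_update
// with an offline driver that calls it exactly as CouchDB does.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  // Anonymous request: CouchDB supplies userCtx.name === null.
  if (userCtx.name === null) {
    throw { unauthorized: "You must be logged in to write" };
  }
  var roles = userCtx.roles || [];
  function hasRole(r) { return roles.indexOf(r) !== -1; }
  var isAdmin = hasRole("_admin");

  // Changing or deleting an existing doc: owner, an "editor", or an admin only.
  if (oldDoc && !isAdmin && oldDoc.owner !== userCtx.name && !hasRole("editor")) {
    throw { forbidden: "Only the owner or an editor may change this document" };
  }
  if (newDoc._deleted) return;   // nothing further to validate on a deletion

  // A new doc must name the authenticated user as owner; the server-side
  // context, not the client-supplied field, is the source of truth.
  if (!oldDoc && newDoc.owner !== userCtx.name) {
    throw { forbidden: "owner must equal the authenticated user" };
  }
  // The owner is immutable after creation, except for an admin.
  if (oldDoc && newDoc.owner !== oldDoc.owner && !isAdmin) {
    throw { forbidden: "owner cannot be changed" };
  }
  // A rule carried in the doc itself, as the answer suggests: a constructed
  // "requiredRole" field that the writer must hold.
  if (newDoc.requiredRole && !hasRole(newDoc.requiredRole) && !isAdmin) {
    throw { forbidden: "role " + newDoc.requiredRole + " required" };
  }
}

// Offline driver: returns "ok" or the rejection reason instead of throwing.
function tryUpdate(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, {});   // secObj unused here
    return "ok";
  } catch (e) {
    if (e.forbidden) return "forbidden: " + e.forbidden;
    if (e.unauthorized) return "unauthorized: " + e.unauthorized;
    throw e;   // a genuine programming error, not a validation result
  }
}

// Constructed user contexts in the shape CouchDB supplies them.
const ANON = { name: null, roles: [] };
const ALICE = { name: "alice", roles: [] };
const BOB_EDITOR = { name: "bob", roles: ["editor"] };
const ADMIN = { name: "root", roles: ["_admin"] };
```

The function never trusts a name or role found inside the document being written; it reads them from userCtx, which the server fills in from the authenticated session. That is the distinction that keeps a client from writing a document on someone else's behalf.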
I have a User model, for login and registration, its email field is used (everything vanilla from the devise gem).
I want (other) users to be able to e.g. add Users to a team, with the email-address as the identifier.
That is fine when the User already exists (pseudo: @team.users.add(User.find_by(email: other_users_email))), but I am unsure how to handle situations where the user does not yet exist (did not [yet] register).
When a (new) User sets up a new account, for the example above, after successful registration current_user.teams should show up correctly.
I do not want to force these potentially new users to use the system (e.g. using devise_invitable) and bother them with an email.
I followed the path of creating the User when a user with the given email does not yet exist, but then when the user actually tries to set up an account, it fails (email not unique).
Alternatively, I could remodel the TeamMember part and let it optionally store either an email address or the reference to an existing User. Then what I would need is to check for "open" TeamMembers directly after User account creation (so, TeamMembers with the given email). I could also do this on each request, but that looks too expensive to me. There might be race conditions, but I could live with that (and check for the every-now-in-a-millennium gap with a cron job).
Any pointers? I am sure this is not that unusual.
I'd do this:
When a user A adds user B to a team by email, create the object for that user B, but set a flag, something like auto_created_and_inactive: true.
When user B signs up on the site, you just have to handle this in your users#create: first, try to find an auto-created record and update it (set a password or whatever; also reset the flag). Otherwise proceed with the usual route of creating a new record.
I have to admit that I have not yet tried @sergio-tulentsev's approach (implement RegistrationController#create). But to complete what I sketched in my question:
The User model can define an after_confirmation method, which is called after ... confirmation! So, if I store every piece of information about a potential user with a reference to his/her email address, once he/she has registered I can query this information and e.g. complete team memberships.
# app/models/user.rb
def after_confirmation
  # (pseudo-code, did not try): attach the memberships that were
  # created for this email address before the account existed
  self.teams << TeamMembership.open.where(email: self.email)
end
So I have a Sitecore website that has, let's say, 10000 users distributed over 2 domains.
I want a solution for retrieving the users from one domain only, but fast. Currently it is quite heavy even for the Sitecore User Manager to do that.
If that is simple, then I also want to query over a field from the user profile.
I have tried something like this:
var allUsers = UserManager.GetUsers().Where(user => user.Domain != null && user.Domain.Name.ToLower().Equals("extranet")).ToArray();
But that can take 30 seconds or more if I add extra filters.
Instead of the code you're running, you can also run the following:
var allUsers = DomainManager.GetDomain("extranet").GetUsers();
So instead of having to go through all users in all domains to check whether they are in the Extranet domain, you'll already have the correct domain.
I need to retrieve a list of Active Directory users and their attributes using Delphi 2010.
I've seen a few similar questions on SO (e.g. Delphi - Find primary email address for an Active Directory user), but they all seem to require the user name before any additional information can be retrieved.
I had written an article for [The Delphi Magazine] way back when... if you have access to a backlog of those magazines, it's in issue no. 62 (October 2000). Unfortunately, it seems those back issues aren't available for purchase anymore :-(
It's too long an article and code sample to post here... basically it's about wrapping the IDirectorySearch interface in a nicer Delphi-like shell. You pass in a base container in which to search, you define an LDAP filter, and you define a set of attributes you're interested in; then you search and get back basically an enumerator for the results, which you can retrieve one by one.
In the end, I discovered TJvObjectPickerDialog, part of JVCL. It wraps the Windows Select Object dialog and does everything I need with very little coding. Just set the required properties and call execute. The selected user objects are returned along with the attributes that you set in the 'Attributes' property.
I am using Ruby's net/ldap library for this problem, but in reality the driver language shouldn't really matter. I need to find a way to get all the users from a system and find out which users do not have emails assigned to the account. Is this possible?
I can connect to and even create new records through LDAP, and can return queries by using wildcard entries to filter results.
Given I create a filter to find the cn that begins with three 9s:
filter = Net::LDAP::Filter.eq("cn", "999*")
@connection.search(:base => "cn=Manager, dc=foo, dc=bar, dc=biz",
                   :filter => filter)
then my result count might be 42.
Given I create the same filter but request only 1 nine, the query fails and returns false:
filter = Net::LDAP::Filter.eq("cn", "9*")
@connection.search(:base => "cn=Manager, dc=foo, dc=bar, dc=biz",
                   :filter => filter)
And this is the same if I request just "cn", "*", which to me should say "give me all the cn's out there".
So the short answer to the question is that it all depends on how your schema is set up. If you are setting up an LDAP schema, you need to have several groups of records with various cn (common name) identifiers, e.g. cn=activeUsers and cn=inactiveUsers, which will allow you to query down the list much deeper than in my situation.
I think that you have an issue with the time limit set on search operations at the LDAP server.
If you have a really big search that takes much time, the LDAP server returns an error 'Time limit exceeded' and no data.
Ruby-Ldap in such a case raises an exception LDAP::ResultError. I don't know how Net-Ldap behaves, however.
Try to raise the time limit at your LDAP server or use a tighter search filter such as '(&(cn=9*)(active=TRUE))'. Substitute here 'active=TRUE' with your criteria for active users.
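Two of the threads on this page hinge on the same details: the PL/SQL question at the top (a search filter whose `!` is not parenthesised, and an answer that fixes the result by switching the scope to DBMS_LDAP.SCOPE_SUBTREE) and the Ruby question just above (find the users that have no mail attribute, and narrow the filter with a conjunction such as the one recommended in the last answer). The block below is an added example, not code from any of the posts, that models both offline: a small RFC 4515 filter parser and evaluator, a value-escaping routine so that caller-supplied strings cannot alter the filter, and a scope check for SCOPE_BASE, SCOPE_ONELEVEL and SCOPE_SUBTREE. The directory entries, DNs and attribute values are constructed to resemble the DNs in the first question; DN splitting is simplified (escaped commas are not handled) and only the `=` operator with `*` wildcards is evaluated.

```javascript
// Added example (not code from any post above). It models offline the points
// the PL/SQL and Ruby threads turn on: LDAP filter syntax (RFC 4515), escaping
// of caller-supplied values, and what each search scope returns. Entries, DNs
// and attribute values are constructed sample data.

// Scope numbering as in LDAP itself; DBMS_LDAP exposes the same values as the
// constants SCOPE_BASE, SCOPE_ONELEVEL and SCOPE_SUBTREE.
const SCOPE_BASE = 0, SCOPE_ONELEVEL = 1, SCOPE_SUBTREE = 2;

// RFC 4515 escaping for a value placed inside a filter. Without it a value
// such as "*)(objectClass=*" rewrites the query instead of being matched.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (ch) => "\\" + ch.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Recursive-descent parser for
//   filter = "(" ( "&" filter+ | "|" filter+ | "!" filter | attr op value ) ")"
// It throws on malformed text such as "(&(objectClass=Person)!((sn=him)(cn=me)))",
// where the "!" is not wrapped in its own parentheses.
function parseFilter(text) {
  let pos = 0;
  function expect(ch) {
    if (text[pos] !== ch) throw new Error(`expected '${ch}' at offset ${pos}`);
    pos++;
  }
  function filter() {
    expect("(");
    const op = text[pos];
    let node;
    if (op === "&" || op === "|") {
      pos++;
      const items = [];
      while (text[pos] === "(") items.push(filter());
      if (items.length === 0) throw new Error(`empty '${op}' at offset ${pos}`);
      node = { op, items };
    } else if (op === "!") {
      pos++;
      node = { op, items: [filter()] };
    } else {
      const m = /^([A-Za-z][\w.;-]*)(~=|>=|<=|=)([^()]*)/.exec(text.slice(pos));
      if (!m) throw new Error(`bad item at offset ${pos}`);
      pos += m[0].length;
      node = { op: m[2], attr: m[1].toLowerCase(), value: m[3] };
    }
    expect(")");
    return node;
  }
  const root = filter();
  if (pos !== text.length) throw new Error(`trailing text at offset ${pos}`);
  return root;
}

function isWellFormedFilter(text) {
  try { parseFilter(text); return true; } catch (e) { return false; }
}

// Evaluate a parsed filter against one entry. Only "=" (with "*" wildcards and
// the "=*" presence test) is modelled, which covers every filter on this page.
const unescapeValue = (v) =>
  v.replace(/\\([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
function matches(node, entry) {
  if (node.op === "&") return node.items.every((n) => matches(n, entry));
  if (node.op === "|") return node.items.some((n) => matches(n, entry));
  if (node.op === "!") return !matches(node.items[0], entry);
  if (node.op !== "=") throw new Error(`operator ${node.op} not modelled`);
  const key = Object.keys(entry).find((k) => k.toLowerCase() === node.attr);
  if (key === undefined) return false;                 // attribute absent
  if (node.value === "*") return true;                 // presence test
  const pattern = node.value.split("*").map((p) => escapeRegex(unescapeValue(p))).join(".*");
  return new RegExp("^" + pattern + "$", "i").test(String(entry[key]));
}

// Split a DN into RDNs (simplified: escaped commas inside an RDN are not handled).
const rdns = (dn) => dn.split(",").map((s) => s.trim().toLowerCase());

function inScope(entryDn, baseDn, scope) {
  const e = rdns(entryDn), b = rdns(baseDn);
  if (e.length < b.length || e.slice(e.length - b.length).join(",") !== b.join(",")) return false;
  const below = e.length - b.length;       // number of RDNs beneath the base
  if (scope === SCOPE_BASE) return below === 0;
  if (scope === SCOPE_ONELEVEL) return below === 1;
  return true;                             // SCOPE_SUBTREE: base and all beneath
}

// Offline stand-in for DBMS_LDAP.search_s / Net::LDAP#search: the DNs of the
// entries inside the scope that satisfy the filter.
function search(entries, baseDn, scope, filterText) {
  const ast = parseFilter(filterText);
  return entries.filter((e) => inScope(e.dn, baseDn, scope) && matches(ast, e)).map((e) => e.dn);
}

// Constructed sample directory shaped like the DNs in the first question.
const BASE = "OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com";
const SAMPLE_ENTRIES = [
  { dn: BASE, objectClass: "organizationalUnit" },
  { dn: "CN=me," + BASE, objectClass: "Person", cn: "me", sn: "me", mail: "me@example.test" },
  { dn: "CN=him," + BASE, objectClass: "Person", cn: "him", sn: "him" },
  { dn: "CN=her,OU=Contractors," + BASE, objectClass: "Person", cn: "her", sn: "her", mail: "her@example.test" },
  { dn: "CN=999-svc," + BASE, objectClass: "Person", cn: "999-svc", sn: "svc" },
];
```

With SCOPE_BASE the search returns only the base container itself, so a filter on objectClass=Person finds nothing; SCOPE_ONELEVEL sees the three users directly under the OU; SCOPE_SUBTREE also reaches the contractor one level further down. The filter `(&(objectClass=Person)(!(mail=*)))` is the "users without an email" query from the Ruby question, and the parenthesised `(!(|(sn=him)(cn=me)))` is how the exclusion attempted in the first question has to be written. Passing anything user-supplied through escapeFilterValue before concatenating it into a filter is the check that matters for a sync job that builds filters from data.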