I have a requirement to mask user IDs in log files if the user ID is an email address. I can't access the code to the software we are using, so logback.xml is the only option I have to try and mask the e-mail address -- they want user1234#mycompany.org to show up as u******4#mycompany.org, so they can still search the logs if they need to find entries for someone. To complicate matters, there are other outputs to the logs that have the pattern something#something.com that aren't user IDs, so I need to find some keywords ahead of the e-mail address. Here are a couple of examples:
Initiating save of object; type: [User], id: [steven#verizon.net]
Cleaning user record; user: [steven#verizon.net]
And to further complicate things.... they also want to mask the E-mail in rest calls:
Request ended; method: [POST], uri: [/api/v2/token/validate?aid=web_demo&uid=steven%40verizon.net]
I've been trying to get something like this to work, capturing the strings that should prefix an email address or user ID, but I'm banging my head against the wall...
<maskRegex>(?:"user: ["|"[User], id: ["|"uid ["|"savedUser: "|"email_address"|"user"|"uid")\([a-zA-Z0-9]{1}([a-zA-Z0-9\+\.\_\-]{1,128}).#.*)"</maskRegex>
<maskRegex>(?:user: [|[User], id: [|uid [|savedUser: |email_address|user:|uid:)([a-zA-Z0-9]{1}([a-zA-Z0-9\+\.\_\-]{1,128}).#.*)</maskRegex>
We have a WSO2 Identity Server 5.8.0 currently setup and running. By default it looks like the apostrophe isn’t acceptable in the username or email address for the user.
Three places give me errors with the current configuration:
In the Home > Add New User: I get a “Username pattern policy
violated”
In the Home > Update Profile: I get a “Email is not valid”
In the API to POST: api/identity/user/v1.0/validate-username I get Invalid = 60002
Where do I change the setting to allow apostrophe in username and email address?
Looking in documentation it seems like I should be able to change the User Store > Username Regex but when changed I get “Error occurred while updating user stories”
Also checked Identity > Claims > List but it seems strange to update the claim regex?
Any help appreciated.
Yes, Apostrophe is not supported by default and need to change the username regex to allow that. For IS 5.8 and older versions, we need to change the following regex props in /repository/conf/user-mgt.xml
1.
<Property name="UsernameJavaRegEx">{Regex}</Property>
To change the regular expression to validate usernames (In BE). By default, strings having a length of 5 to 30 between non-empty characters are allowed.
<Property name="UsernameJavaScriptRegEx">{Regex}</Property>
To change the regular expression used by the front-end components for username validation.
You can find the WSO2 recommendation for username regex here https://is.docs.wso2.com/en/latest/references/usernames-in-identity-server/#best-practices-for-username-creation
Using flask-ldap3-login to query AD for my web app logins. Works for everyone; but, for users who have "()" in their First name in AD. Here's the Debug log.
UN-SUCCESSFULL LOGIN
DEBUG:root:Validating LDAPLoginForm against LDAP
DEBUG:flask_ldap3_login:Opening connection with bind user 'mybinduser#mydomain.com'
DEBUG:flask_ldap3_login:Successfully bound to LDAP as 'mybinduser#mydomain.com' for search_bind method
DEBUG:flask_ldap3_login:Performing an LDAP Search using filter '(&(objectclass=person)(sAMAccountName=ebadu))', base 'DC=mydomain,DC=com', and scope 'SUBTREE'
DEBUG:flask_ldap3_login:Opening connection with bind user 'CN=Badu\, Ericka (EB),OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Directly binding a connection to a server with user:'CN=Badu\, ericka (EB),OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Authentication was successful for user 'ebadu'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectclass=group)(uniqueMember=CN=Badu\, Ericka (EB),OU=HELPDESK,DC=mydomain,DC=com))' , base 'DC=mydomain,DC=com' and scope 'LEVEL'
ERROR:flask_ldap3_login:malformed filter
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8629604c50>
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8628eabf98>
SUCCESFULL LOGIN
DEBUG:root:Validating LDAPLoginForm against LDAP
DEBUG:flask_ldap3_login:Opening connection with bind user 'mybinduser#mydomain.com'
DEBUG:flask_ldap3_login:Successfully bound to LDAP as 'mybinduser#mydomain.com' for search_bind method
DEBUG:flask_ldap3_login:Performing an LDAP Search using filter '(&(objectclass=person)(sAMAccountName=mpeters))', base 'DC=mydomain,DC=com', and scope 'SUBTREE'
DEBUG:flask_ldap3_login:Opening connection with bind user 'CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Directly binding a connection to a server with user:'CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Authentication was successful for user 'mpeters'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectclass=group)(uniqueMember=CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com))' , base 'DC=mydomain,DC=com' and scope 'LEVEL'
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8629683828>
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8628e91048>
The AD logs says "An account was successfully logged on"; however, the user does not log in to the app. The user has no issues login in with the AD credentials anywhere else.
What might be the issue?
This is the flask-ldap3-login code:
LDAP_USER_RDN_ATTR = 'cn'
LDAP_USER_LOGIN_ATTR = 'sAMAccountName'
LDAP_BASE_DN = 'DC=mydomain,DC=com'
LDAP_REQUIRED_GROUP = 'ou=helpdesk,dc=mydomain,dc=com'
LDAP_USER_SEARCH_SCOPE = 'SUBTREE'
But "malformed filter" usually means that the LDAP query sent to AD isn't valid somehow. I asked about odd characters on the account, since if some special characters are not encoded properly, they can be misinterpreted as special characters used in LDAP queries.
It could be a bug in your code, or a bug in flask-ldap3-login. If you show your code, I might be able to give you some pointers.
Also, see if you can enable debug logging. It may tell you what the actual filter is that made it bomb. I'm not familiar with flask-ldap3-login, but, looking at the documentation, this might do it?:
app.config['DEBUG'] = True
SOLVED! Seems to be solved in the latest version of flask-ldap3-login. I did not upgrade but modified existing code:
Replaced this:
`search_filter = '(&{group_filter}({members_attr}={user_dn}))'.format('`
`group_filter=self.config.get('LDAP_GROUP_OBJECT_FILTER'),`
`members_attr=self.config.get('LDAP_GROUP_MEMBERS_ATTR'),`
`user_dn=dn`
with this:
`safe_dn = ldap3.utils.conv.escape_filter_chars(dn)`
`search_filter = '(&{group_filter}({members_attr}={user_dn}))'.format(`
`group_filter=self.config.get('LDAP_GROUP_OBJECT_FILTER'),`
`members_attr=self.config.get('LDAP_GROUP_MEMBERS_ATTR'),`
`user_dn=safe_dn`
I'm trying to create a discussion list sender using SES. The 'receive' part is fine, but when I send, I want to preserve the user's "from" address. Aside from some subject rewriting, here's what I'm doing to the headers; VERIFIED_FROM is my mailing list alias. This is py3.6, but it shouldn't matter.
msg['Reply-To'] = VERIFIED_FROM_EMAIL
msg['Return-Path'] = VERIFIED_FROM_EMAIL
When I call sendRawEmail, I get an error like this, brackets for scrubbed entries:
[ERROR] [timestamp] [request id] Client error while forwarding email for <[VERIFIED_FROM_EMAIL]> to <[all emails on list]>: An error occurred (MessageRejected) when calling the SendRawEmail operation: Email address is not verified. The following identities failed the check in region US-WEST-2: ["user who sent the message" user#domain.com]
I can't put all users on the verified list. I could set the 'from' to my list address, but then I lose the identity of the sender.
I'm sure this has been done with SES- but how?
The reply-to field and the return-path field are fields that require a validated email address. [1]
With each email you relay, you can create a unique email address for people to reply to (e.g. abcdef123#yourdomain.com) which you can then relay back to the same threads using the Message-ID and In-Reply-To headers.
You can also modify what the name looks like for the message using the Name <email#yourdomain.com> header too.
[1] https://forums.aws.amazon.com/message.jspa?messageID=221703
deploying an internal (corporate) API manager 2.0.0 we found a limitation - the email address validation apparently enforces email validation with 2-4 email :
/store/site/themes/wso2/templates/ui/validation/custom-validation.js:
$.validator.addMethod('validEmail', function(value, element) {
var emailRegex = /^([A-Za-z0-9_\-\.])+\#([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/;
return emailRegex.test(value);
}, i18n.t('Invalid email address'));
However - email addresses today may have even long last domain name (e.g. someuser#stad.gent, otheruse#my.internal.corporation)
I see the validation logic is implemented in the followinf file:
repository/deployment/server/jaggeryapps/store/site/themes/wso2/templates/ui/validation/custom-validation.js
Question: is the file the only place where the email format is enforced? (Users are managed in AD, so the default user view / management UI doesn't concern us too much atm)
Seems the only place where the email is validated is the script:
repository/deployment/server/jaggeryapps/store/site/themes/wso2/templates/ui/validation/custom-validation.js