I am trying to retrieve internal attributes from openldap server. More specifically I need to retrieve entryUUID attribute of an object. In LDAP, objectGUID is being fetched from server but couldn't retrieve similar field from openldap.
SCOPE_SUBTREE is being used to retrieve attributes.
Anyone knows way out? Thanks in advance.
It was probably downvoted because it is recommended to use this attribute as a means of uniquely identifying an entry. For example,
"'entryUUID' operational
attribute and associated matching rules and syntax. The attribute
holds a server-assigned Universally Unique Identifier (UUID) for the
object. Directory clients may use this attribute to distinguish
objects identified by a distinguished name or to locate an object
after renaming."
from the offical Open Ldap documentation.
Internal or operational attributes can be requested using '+', which will return operational attributes for a Ldap entry including the entryuuid.
It's an operational attribute, so you have to request it explicitly, or include "+" in the attributes to be returned.
However you should not be using this for your own purposes. It's none of your business. It can change across backup/restore, for example.
Related
I am trying to use the AWS SSO SCIM API in order to retrieve the AWS SSO groups for a particular user.
Looking at the documentation https://docs.aws.amazon.com/singlesignon/latest/developerguide/listgroups.html
It mentions the following
To see group info for a certain member, call ListGroup with a member filter
If you're using the member filter, you have to use the id filter (refer to supported filter combinations).
It appears that the id filter, is the group ID, because of this note: Note that the use of id as an individual filter, while valid, should be avoided as there is already a getGroup endpoint available.
Also, at https://docs.aws.amazon.com/singlesignon/latest/developerguide/limitations.html next to the members attribute it mentions that it is supported, but cannot be read in a response.
I have been playing with the API but could not get any group info for a user regardless of the combination of the parameters.
Based on the above, I conclude that the API does not support retrieving group data for a user. Would you agree?
I don't have access to an AWS SSO SCIM endpoint, but from looking at the documentation I suspect one of the two approaches may be possible:
GET /users/id and look at the value for "groups" - this one seems questionable as the limitations page says they support the user resource's "groups" attribute, but there's also a note about not supporting multi-valued user attributes. You may need to explicitly add the ?attributes=groups parameter to your GET to ask for that attribute to be returned, if it is in fact supported.
GET /groups?filter=members[value eq "userId"] or some variation of that depending on what syntax they allow. This isn't listed as supported, but if it works, I expect that you would get a list of groups in response that did not contain the "members" attribute - but that each group returned would match the query.
There's some amount of uncertainty with both of these, but with the information available those seem like the two most likely paths to successfully accomplish what you are aiming for. If neither of those work, it may not be possible - but a support case with AWS would probably be helpful to confirm there.
As #ZollnerdMSFT recommended, I raised an AWS support request. AWS support responded that the AWS SSO SCIM API does not support retrieving the groups associated with a user. They have submitted this as a feature request internally, however, cannot provide an estimate as to when it will be implemented.
I am working on some systems that needs to use Access and Refresh tokens.
In my process now, I save tokens in registry, and I update them when they need to be updated. But sometimes, I get an error because one of my process tries to retrieve a token, but this token has been changed just before (like a lock in the registry).
What is the best way to store, update and retrieve that kind of informations ?
I tried to use a class mediator which stores properties in a Hashmap, but WSO2 always create a new instance of my custom class, so a new instance of my hashmap.
Any idea ? Thank you !
The usual practice to store the token is in the registry. This is used in the connector implementation [1] in the ESB server. Could you elaborate more on the issue? What is the ESB server version? What is the error stack trace? Have you used a similar implementation as in [1]?
Further to answer your question regarding the class mediator, you can use a static variable in the class mediator to share the token among the objects created. But then again, static variables are not thread-safe.
[1]-https://github.com/wso2-extensions/esb-connector-gmail/blob/master/src/main/resources/config/getAccessTokenFromRefreshToken.xml
I'm using the registry for reading / storing data, and here is some issue..
When you read using property mediator, for example token - he is also cached for default 15sec. So after read, revoke new one, and store back - you will still get from property mediator the "old" one. This can be bypassed, using script mediator and store registry entry using code, and setting the CachableDurationto 0.
I described this reading storing from registry in my blog, check out especially the Known downside paragraph.
I have a design question of REST URI.
Suppose i have a Car resource (that is mapped in the database with some properties).
If i want update the Car resource with the information of another Car i know that i can call
PUT /base_url/api/cars/1
I update the car with id == 1 with the informations in the request body
But if i want update the car with id == 1 with the information of the car with id == 2? (i'd like to pass only id because the copy is handled internally by the server)
How can i design this type of request in rest?
You should use PATCH instead.
The difference between the PUT and PATCH requests is reflected in
the way the server processes the enclosed entity to modify the
resource identified by the Request-URI. In a PUT request, the
enclosed entity is considered to be a modified version of the
resource stored on the origin server, and the client is requesting
that the stored version be replaced. With PATCH, however, the
enclosed entity contains a set of instructions describing how a
resource currently residing on the origin server should be modified
to produce a new version. The PATCH method affects the resource
identified by the Request-URI, and it also MAY have side effects on
other resources; i.e., new resources may be created, or existing
ones modified, by the application of a PATCH.
PATCH Method for HTTP
Something like this would be okay:
PATCH /base_url/api/cars/1
{template: {id: 2}}
Don't send the id in the query, because it is part of the URI, which is the identifier of your target resource.
I would make a PUT request to this URI: PUT /base_url/api/cars/1?clone=2, and pass information (in JSON body).
In the backend I would find the data for car #2, and merge it with the data I got from the request.
This way you could clone the resource, and modify its attributes at the same time.
I send a POST request to create an object. That object is created successfully on the server, but I cannot receive the response (dropped somewhere), so I try to send the POST request again (and again). The result is there are many duplicated objects on the server side.
What is the official way to handle that issue? I think it is a very common problem, but I don't know its exact name, so cannot google it. Thanks.
In REST terminology, which is how interfaces where POST is used to create an object (and PUT to modify, DELETE to delete and GET to retrieve) are called, the POST operation is attributed un-'safe' and non-'idempotent, because the second operation of every other type of petition has no effect in the collection of objects.
I doubt there is an "official" way to deal with this, but there are probably some design patterns to deal with it. For example, these two alternatives may solve this problem in certain scenarios:
Objects have unicity constraints. For example, a record that stores a unique username cannot be duplicated, since the database will reject it.
Issue an one-time use token to each client before it makes the POST request, usually when the client loads the page with the input form. The first POST creates an object and marks the token as used. The second POST will see that the token is already used and you can answer with a "Yes, yes, ok, ok!" error or success message.
Useful link where you can read more about REST.
It is unreliable to fix these issues on the client only.
In my experience, RESTful services with lots of traffic are bound to receive duplicate incoming POST requests unintentionally - e.g. sometimes a user will click 'Signup' and two requests will be sent simultaneously; this should be expected and handled by your backend service.
When this happens, two identical users will be created even if you check for uniqueness on the User model. This is because unique checks on the model are handled in-memory using a full-table scan.
Solution: these cases should be handled in the backend using unique checks and SQL Server Unique Indices.
I am currently working on a project where I need to query Active Directory to determine group membership of a user. I initially was locating the user and retrieving the memberOf attribute. The problem with this is that there is a domain and a child domain. The groups are universal groups so they can be used in both domains and they don't show up in the memberOf attribute. Unfortunately there doesn't seem to be much info around for Active Directory access with C++. Is there anyway to determine group membership in this case in C++?
If you are using managed C++, you can use UserPrincipal.GetAuthorizationGroups.
If you are not using managed C++, to solve this particular problem, you should bind to Global Catalog and do a LDAP search on the member attribute of the group object to find out which Universal Group containing the user. You should limit your search by specifing the groupType, objectCategory and objectClass.
However, like I mentioned in another post , group enumeration in general is very hard to do it right. If you just need to find out all the groups a user belongs to, your best bet is to use S4USelf