I am using Google Apps Directory Sync to provision users into Google Apps from an LDAP directory. We have specified a unique identifier attribute from our directory to detect and track user renames. The attribute values are eight-character strings, and not, say, the LDAP objectID. Example: "bcdf1234".
When retrieving users from the Directory API, I am not finding our unique identifier value in the response. Is there a way to get the Directory API to return our unique identifier?
Related: is our unique identifier displayed anywhere in the Admin Console when viewing a user?
I don't have a current GADS implementation to confirm but I remember that GADS used a local database on the machine it was installed on. There was an internal table there of the unique ids on the customer side of GADS, mapping them to the user account ids on the Google side.
So to answer your question: Those customer side ids would not need to be pushed up to Google so they will not be able to be retrieved via the Directory API.
Options:
You could perhaps push them up to the Google side with GADS itself if you mapped them to a Google side attribute.
You could also sync them up to Google via the Directory API itself by updating the user resource with say an externalId if you knew the current user id (email address) to get and update.
Related
I'm using WSO2 Identity Server 5.10.0 configured in order to use ActiveDirectory as UserStore
I don't have the oportunity to add custom properties to the ActiveDirectory so I'm facing several issues in claims configuration.
To solve the issue I was thinking to user ActiveDirectory as primary UserStore and configure WSO2 claims in order to be stored and retrieved from a secondary userstore (a JDBC user store).
I configured all what I needed but I can't make it working. When I start the WSO IS ti complains because it can't find mapped claims.
More exactly I have:
system error while authenticating/authorizing user : cannot find suitable mapped attribute for local claim http://wso2.org/claims/userid
Once I slve userid it gives to me other claims till I return all to the primary user store.
I'm wondering if my idea is feasible. If I can select from where to take claims.. why do I get this kind of error?
Actually, configuring the Active Directory as the Primary userstore will not have any difference when it comes to attribute mappings. Because all the userstores in the system should to have correct mapped attributes for these meta claim set and other claims which are marked as "Supported by Default".
The solution would be updating the mapped attributes for local claims with correct exciting attributes from your active directory. If you are having multiple userstoes, you can have different mapped attributes for each userstore domain. Refer this document for more info.
You may find a list of mandatory meta claims which we must have correct mappings to create users in this document.
My company has decided to use FreeIPA in order to make available Single Sign On feature for our employees. I am not familiar at all with Kerberos/LDAP and similar because i have never used those technologies before.
We have 70 users - they have Windows OS machines and SSO should be used for several Python (Django) web apps, WordPress web sites and possibly for Roundcube web email and OpenVPN access. They don't have access to web servers at all so SSH accounts are not important for this story.
Our python web app has database table with users' data which is in relation with some other tables and it is very important for us to have every single user added to those tables (via our web app interface) because otherwise our app will not work properly.
Having that in mind, i would like to know if there is a way somehow to reference user from FreeIPA's database to our web app's and wordpress' databases, example below:
Not every user has access to every web app and not every user has the same privileges in those apps.
We have already defined user privileges in every web app separately and everything works perfect, so main aim is just to make avaliable SSO for our users. I don't want to bother with user groups and privileges in FreeIPA system, will be i able to avoid that?
When user gets Kerberos ticket i want those web apps to recognize his/her account which is referenced to corresponding user account in FreeIPA database, and so has certain privileges in those apps.
In this scenario it is obvious that i will have to add every new user two times - in FreeIPA database and in web app's database, but that's not a problem, i just want to connect/reference those user accounts somehow.
EDIT to Michael Ströder's answer:
As i see, i would have to add every existing user manually to FreeIPA with "--uid" command because FreeIPA gives those attributes to every user automatically. I agree, i would not use user names for UID but only integers. So, i have imagined to make it like this - i would have to link every user's uid number to application's DB user's table ID column. Let say, if John has UID #7 he should also have ID #7 in WordPress wp_users table, and that looks fine to me. I think i could easily manage this in my custom python app, but i'm unsure how to manage this in WordPress, is there some plugin that could be use for such things? I've found AuthLDAP but i'm not sure if that is the right way to do it? Thanks in advance
The usual way is to have unique and persistent user names (String), usually stored in attribute uid in FreeIPA (or other LDAP servers) and use this as key in your application's DB table.
Note that uid does not contain the POSIX-UID (Integer) which is actually stored in attribute uidNumber.
I'd strongly recommend not to derive user names stored in uid from personal names because these often change. Also you should never reuse user names.
FreeIPA also has attribute nsUniqueId which contains a UUID generated during creation of the entry. It will not be modified during life-time of the entry. If you want to use that you have to take care that entries are not deleted/re-created by an external identity management systems all the time.
(Other LDAP servers are using standard attribute entryUUID).
Is anyone aware of any Google API with the user scope (NOT the Admin API in the Directory SDK) that allows you to retrieve the custom employee attributes?
The G+ API seems to skip these
https://developers.google.com/+/web/api/rest/latest/people#resource
Our issue is that we don't want to grant access to the developer console, but rather do this PER-USER. I.E. a user logs into our app and we display to her the custom attributes for her G Suite account, but we do this as her (not as an approved API scope via the dev console).
Leaving this answer for anyone like me who finds this question.
The Directory API allows a user to query the custom attributes for their account even without any admin permissions at all.
https://developers.google.com/admin-sdk/directory/v1/reference/users/get
You need to ensure that projection is set to full and viewType is set to domain_public.
You may need to check the permissions for reading the custom attributes to ensure that a user is allowed to see theirs. We do this in the Google Cloud Directory Sync.
Our website is using DocCheck, an external authentication provider, to authenticate and identify contacts. We use the DocCheck ID, which comes as the request parameter "uniquekey", as contact identifier, so that the contact, when logging in on another device, can be re-identified. These users are then authenticated in Sitecore via a virtual user.
Tracker.Current.CurrentPage.Session.Identify(Page.Request.QueryString["uniquekey"]);
In addition to that, we're planning an own user management with registration, login etc. The users will be logged in via email address and password. The email address should now be used as another identifier to identify the contacts loggin in with these credentials.
The users should then be able to use both DocCheck and our own login for different parts of our website, so that we have DocCheck contacts and our own users.
Is it possible to combine these two identifiers to identify as one contact?
Thank you and kind regards
Torsten
At the moment you can only use a single value to identify a user within xDB. This is potentially going to change in the future however for now you can only use one.
xDB is just a mongo database so how about persisting an additional collection that contains the relationship between identifiers. An example would be:
CustomContact
- _id: the xDB identifier
- alternativeIdentifiers: [docCheckId, formsAuthId, etc] - if this is indexed the lookup will be quick
Then when you come to identify the user you lookup in your custom collection your identifier, find the actual xDB id and then identify with that.
To find the item in the array look at elemMatch or in:
https://docs.mongodb.org/manual/reference/operator/projection/elemMatch/
and some examples on
https://stackoverflow.com/a/18149149/1065332
I manage a domain of users and would like to be able to transfer all the documents of a user to another user. As far as I understand the best way to achieve that is to find the fileID's of all files belonging to one user and transfer them to another user. However, I have problem constructing a query.
UPDATE:
So the correct query to retrieve the list of files would be:
response = drive_service.files().list(q="'user#company.com' in owners").execute()
However, it only works for me as an admin. If I try to retrieve the list of files for any other user in my domain it returns an empty list.
Files.list will retrieve all the user's files, in this case it will get all your own files. In order for that query to work would be only if that user is also owner one(or more) of your files.
Even as an admin you cannot access users files directly.
To access other user's files, as an admin you need to impersonate the users and then perform actions in their behalf.
This is achieved by using a service account with domain wide delegation of authority.
Here you can find more information on that as well as a python example.
Hope it helps.
If you want to transfer all the files of one user into another user's Drive, the easiest way would be to use the Data Transfer API provided by Google. This way you don't have to list the files and transfer them one by one. Also you only need the admin access token and wouldn't need domain wide delegation either. You can get the official documentation here