coldfusion <cfdirectory> windows domain controller network drive permission - coldfusion

I have an issue accessing a directory using <cfdirectory> in ColdFusion. I'm a bit new to ColdFusion. If I issue:
<cfset mPath = "\\192.168.0.18\share\Pol\">
<cfdirectory directory="#mPath#" action="list" name="dir" sort="#url.sort#">
This code can list the directory and all of its folders.
But when I choose a password-protected drive over the network, it can't display anything. The results are empty, but I actually have folders inside this drive.
We are running under a Windows Domain Controller. My account is allowed full access control and also the ColdFusion server IP or account as well.
<cfset mPath = "\\192.168.0.21\hse_scan">
<cfdirectory directory="#mPath#" action="list" name="dir" sort="#url.sort#">
No folders and subfolders detected in ColdFusion.
Is there anything I could set in the ColdFusion Server settings?

You said your account has full access, but ColdFusion - by default - will not be starting up using your account, it'll be using the local system account (check this in the Services control panel). To access network resources, ColdFusion will also need to run using a domain account. I suspect this is your problem.
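A way to check the diagnosis above from inside ColdFusion, as an added example that is not part of the original thread. It assumes ColdFusion 9+ or Lucee with Java object creation enabled; `probeShare` is a hypothetical helper name.

```cfml
<cfscript>
// Added diagnostic, not code from the thread.
// Reports the OS account the ColdFusion JVM runs as and whether that
// account can enumerate a UNC path.
function probeShare(required string uncPath) {
    var result = {
        serviceUser = createObject("java", "java.lang.System").getProperty("user.name"),
        path        = arguments.uncPath,
        exists      = false,
        canRead     = false,
        entryCount  = -1,   // -1 means the listing itself failed
        error       = ""
    };
    var dir   = "";
    var names = "";
    try {
        dir = createObject("java", "java.io.File").init(arguments.uncPath);
        result.exists  = dir.exists();
        result.canRead = dir.canRead();
        // File.list() returns null when the path is not a directory or an
        // I/O error (such as access denied) occurs.
        names = dir.list();
        if (!isNull(names)) {
            result.entryCount = arrayLen(names);
        }
    } catch (any e) {
        result.error = e.message;
    }
    return result;
}

// The share from the question that came back empty.
writeDump(probeShare("\\192.168.0.21\hse_scan"));
</cfscript>
```

An `entryCount` of -1 separates "the service account cannot list the share" from "the share is really empty". If `serviceUser` is not a domain account, that matches the answer's suspicion.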

Related

How to use CFLDAP without a hard-coded password

I am using CFLDAP in a ColdFusion application.
Currently, the SERVER, USERNAME, and PASSWORD are hard-coded in the application.cfc as application scope variables.
<cfscript>
application.ldapserver = "servername";
application.ldapuser = "username";
application.ldappwd = "password";
</cfscript>
Later in my code, I am using CFLDAP:
<CFLDAP name="GetLDAPinfo" action="query"
server = "#application.ldapserver#"
username = "#application.ldapuser#"
password = "#application.ldappwd#"
....
</CFLDAP>
How can I get around using a hard-coded username and password ?
I was hoping to find something to configure in the ColdFusion Administrator similar to how e-mail is set up, but I didn't find anything.
Thanks.
Environment variables are commonly used for storing credentials on a server. Maybe this article will help: Reading Environment Variables In ColdFusion
Using the environment variables approach with plain text files is an accepted practice. You don't store that file in source control, but manage the per-environment settings in a secure location.
Local devs get local credentials (ideally unique per developer), but they don't see credentials for higher environments. Those should only be accessible by the appropriate users.
Here's an example of using .env files with NodeJS.
Alternatively, you could store the credentials in the database and retrieve them on application start. But even then, do the local developers have access to that environment's database? And you can always dump the application scope to view the values. Or you could use something like AWS Secrets Manager, but I don't know how well that works with non-AWS systems.
Since the current credentials are hardcoded, they'll always be in source control history. Make sure you're:
- rotating those credentials as part of this effort
- creating credentials per environment
- rotating them all on a regular basis
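The environment-variable approach from the answers above, as an added example that is not code from the thread. It assumes ColdFusion 9+ or Lucee; the variable names `LDAP_SERVER`, `LDAP_USER` and `LDAP_PASSWORD` and the application name are hypothetical.

```cfml
// Application.cfc (script syntax). Added example, not code from the thread.
component {
    this.name = "ldapApp"; // hypothetical application name

    // Maps the application-scope keys used in the question to
    // hypothetical environment variable names.
    variables.envMap = {
        ldapserver = "LDAP_SERVER",
        ldapuser   = "LDAP_USER",
        ldappwd    = "LDAP_PASSWORD"
    };

    public boolean function onApplicationStart() {
        var system  = createObject("java", "java.lang.System");
        var missing = [];
        var key     = "";
        var value   = "";

        for (key in variables.envMap) {
            // getenv() returns null when the variable is not set.
            value = system.getenv(variables.envMap[key]);
            if (isNull(value) || !len(trim(value))) {
                arrayAppend(missing, variables.envMap[key]);
            } else {
                application[key] = value;
            }
        }

        if (arrayLen(missing)) {
            // Fail at startup and name the missing variables, never their values.
            throw(type="Config.MissingEnv",
                  message="Missing environment variables: " & arrayToList(missing, ", "));
        }
        return true;
    }
}
```

The variables have to be present in the environment the ColdFusion service process starts with, since the JVM reads its environment once at startup. The values still land in the application scope, so the point above about dumping that scope applies here as well.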

IIS AppPool user permissions not working

I'm moving a PHP app from IIS7 to IIS8.5 on Win2012 R2. The app runs in its own application pool (MyPortal) and needs write permission on a sub-folder to create PDFs. So I assign Modify or Full Control permissions to IIS AppPool\MyPortal on the local machine, however the app is still unable to write to the folder. The only way I have found to allow it to do so is by giving Modify access to the local USERS group, which I'd rather not do (although I have no choice ATM).
The php-cgi.exe process is running under the MyPortal identity, but somehow isn't picking up the permissions I have assigned to the MyPortal user on the folder. The PHP process is doing a simple fopen command $file = fopen($tmp_filename,"w");.
I saw this similar post https://serverfault.com/questions/570033/iis-iusrs-and-defaultapppool-permissions-do-not-work which suggested it may be a permissions caching issue, solved by a reboot, but that's not worked in this instance.
Any suggestions as to what's wrong?
You've got it @Jan Reinlink. Anonymous Authentication needed setting to 'Application identity pool'. I had assumed that because the PHP process was running as MyPortal it was using the same permissions.

CFDIRECTORY blocked by hosting provider. Any alternatives?

I am working on an intranet enhancement that will allow the user to open the latest instance(most recently modified or created) of a file within a given directory.
Unfortunately, the cfdirectory tag (and a few others) are blocked by the hosting provider. I essentially need to mimic the functionality of this piece of code without using cfdirectory:
<cfdirectory action="list" directory="\\SERVERABC\FILEDIR" name="myDirectory">
<cfloop query="mydirectory">
<cfoutput>
<cfif DateFormat(mydirectory.dateLastModified,'mm/dd/yy') EQ DateFormat(Now(),'mm/dd/yy')>
<!--- ..display link to file for user to download --->
</cfif>
</cfoutput>
</cfloop>
The FileExists() function is available. But the default ColdFusion user would not have access to all the network locations that might be available to the actual user within the application itself.
You need to ask your host to give you a security sandbox so you can use those tags. The only reason they couldn't do this is if they are running the CF Standard Edition, and not Enterprise. If that is the case, you are out of luck as all file i/o tags will be unavailable. No professional CF host runs the Standard Edition.

Running ColdFusion as a specific user

On this page, it talks about Windows NT, 2000, XP and 2003. Fortunately, I have a Windows 7 machine.
The very first line says:
In User Manager for Domains, create a local user for the ColdFusion
service to log in as.
I don't see a "User Manager for Domains", so do they mean just "Add a new user"?
If it DOES mean that, can I use my own user account as the ColdFusion user, or should I specifically create a new account just for ColdFusion?
If you are creating a domain account it has to be created ON the domain - using user manager for domains connected to your domain controllers. If that's what you need then a sys admin has to help.
If you are doing a "local" user on a windows 7 I always end up hunting around for the right view of user manager before I get it right :) Here are the steps that I use:
Search from start and open the "user accounts" cpl.
Click on "Manage User Accounts"
Click on the "advanced" tab
Click on the "advanced" button.
This takes me to the mmc-like view of users that I'm accustomed to where I can add a user, change membership, set passwords etc.
Hope this helps :)
You can use your own username or you can create one for CF to run as. Creating a user to run CF as probably more closely replicates your production environment (an assumption), so if production, for example, writes to a UNC path, the ColdFusion user must have access. You could mimic this locally.
You can use either an account local to the OS where ColdFusion is running, or a domain account if the OS is joined to a domain. In your case, you can just create a local user on your Windows 7 OS and run the ColdFusion Application Service as that user. The user account will need access to ColdFusion's installation folder, as well as read access to the webroot.
The whole idea is to run the ColdFusion service as a user with the minimum privileges necessary to handle requests and prevent access to other resources in the event of a data breach or remote code execution (e.g. someone exploits an upload form and manages to get their own CF code to run on your server; it's not pretty but can be somewhat restricted by running the CF service under a user account with restricted access).
As someone else mentioned, if CF needs access to other network resources, the user account will need to be granted access to those resources as well (either by using a domain account or having a local account with the same username and password on the remote system).
Just did this on Windows 2008 R2 with CF 10. The trick was to change the ownership of the c:\windows and c:\windows\system32 directories as outlined here.
change ownership from trustedInstaller

CFLDAP:- populate FULL data from Active directory, rather than a single userid or username

I have a form field “Names” that gets populated from an Active Directory.
I am using CFLDAP to connect to the Active Directory.
<cfldap action="QUERY"
name="results"
attributes="cn,sn,dn,department,mail,userid,etc."
start="dc=##,dc=##,dc=##"
filter="##=##"
server="00.00.0004"
username="me"
password="mePASWD">
<cfdump var="#results#">
When I see the result it throws the data (CN, DEPARTMENT, DN, MAIL, SN, USERID, UUSERID) only for the Username="me" AND Password="mePASWD". WHEREAS I WAS HOPING IT WILL LIST THE DETAILS OF ALL THE USERS IN THE ACTIVE DIRECTORY.
Ultimately I want to list these “names” as a list and enable the user to select any “Name/Names”.
Please help how to populate all the data from Active directory rather than only a single userid or username.
I am using CF8 and Windows Server 2003 AD/LDAP standard.
Thanks
It appears that your user account only has access to your own record.
You will need to use a username and password for an account with wider access to the directory.
Alternatively, you may be able to use an anonymous bind depending on what your system administrator has enabled.
I find it useful to use a standalone LDAP browser to troubleshoot ldap issues.