Better Error Message or Block?



This topic contains 6 replies, has 2 voices, and was last updated by UnifiedStorageYeah 1 month, 2 weeks ago.

  • #118500
    UnifiedStorageYeah
    Participant

    So I managed to get the groups OU and filter drilled down enough I think so that people without workspaces won’t get access. I denied everything in the root role and set up another role to override. However,

    1) Is there a better way to do this or what is the expected way?
    2) Is there a way to make a pretty error message rather than an empty XML message saying no workspaces are assigned?
    3) Did I just misread the docs and just kludged my way through this?

    Thanks!


    #118837
    tropicalmango
    Participant

    Hi,

    It’s not the correct approach. Try to use an LDAP filter to filter people.


    #118853
    UnifiedStorageYeah
    Participant

    That is actually part of the mix. I created a filter that goes directly to the AD user group that contains ten people. They are the only ones who show in the roles and people page. BUT anyone inside the Groups OU was able to log on and see the Pydio welcome page (empty, but still made them think they could use it), which was not the desired result.

    So now the LDAP filter is the same, the groups OU is down as low as I can make it (the, let’s call it, admin access OU), so anyone outside that is now blocked (they get the ugly error message, any way to fix that?).

    The way to block them all out also required using the Root role and explicitly denying everything. Seems to me something is not working right, but the LDAP filter did not restrict access to the application; it seems to me it was a nice way for the Admin to find the groups he needs to associate with Workspaces.


    #118869
    tropicalmango
    Participant

    It could be clearer if you post the bootstrap.json (in …/plugins/boot.conf/bootstrap.json)
    > Note: remove password(s)

    The bootstrap.json contains all the config of the auth plugins, including the LDAP plugin configs


    #118870
    UnifiedStorageYeah
    Participant

    Thanks. OK.

    "core.auth":{
      "ENABLE_USERS":true,
      "CASE_SENSITIVE":false,
      "ALLOW_GUEST_BROWSING":false,
      "PASSWORD_MINLENGTH":"XX",
      "SESSION_SET_CREDENTIALS":false,
      "SECURE_LOGIN_FORM":false,
      "ENABLE_FORGOT_PASSWORD":false,
      "FORGOT_PASSWORD_ACTION":"reset-password-ask",
      "DISABLE_BRUTE_FORCE_CHECK":false,
      "MASTER_INSTANCE_CONFIG":{
        "instance_name":"auth.ldap",
        "TEST_USER":"XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "SQL_DRIVER":{
          "core_driver":"core"
        },
        "MAPPING_LOCAL_TYPE_2":"plugin_param",
        "MAPPING_LOCAL_TYPE_1":"plugin_param",
        "MAPPING_LOCAL_TYPE":"role_id",
        "MAPPING_LOCAL_PARAM_2":"core.conf\/USER_DISPLAY_NAME",
        "MAPPING_LOCAL_PARAM_1":"core.conf\/email",
        "MAPPING_LOCAL_PARAM":"",
        "MAPPING_LDAP_PARAM_2":"displayName",
        "MAPPING_LDAP_PARAM_1":"mail",
        "MAPPING_LDAP_PARAM":"memberOf",
        "LDAP_VALUE_MEMBERATTR_IN_GROUP":"true",
        "LDAP_USERATTR":"sAMAccountName",
        "LDAP_USER":"XXXXXXXXXXXXXXX\\XXXXXXXXXXXXXXXX",
        "LDAP_URL":"XXXXXXXXXXXXXXXXXXXXXXXX",
        "LDAP_PROTOCOL":"ldaps",
        "LDAP_PORT":"",
        "LDAP_PASSWORD":"XXXXXXXXX",
        "LDAP_PAGE_SIZE":"500",
        "LDAP_GROUP_PREFIX":"ldap_",
        "LDAP_GROUP_FILTER":"",
        "LDAP_GROUPATTR":"cn",
        "LDAP_GDN":"ou=App Groups,dc=ds,dc=XXXXXXXXX,dc=com",
        "LDAP_FILTER":"(&(objectClass=user)(memberOf=CN=PYDIO-USERS,OU=Applications,OU=Sec Groups,OU=App Groups,DC=XX,DC=XXXXX,DC=COM))",
        "LDAP_DN":"DC=ds,DC=XXXXXXXXX,dc=com",
        "LDAP_COUNT_CACHE_TTL":1,
        "group_switch_value":"auth.ldap"
      },
      "MULTI_MODE":{
        "instance_name":"MASTER_SLAVE",
        "CACHE_MASTER_USERS_TO_SLAVE":"true",
        "group_switch_value":"MASTER_SLAVE"
      },
      "instance_name":"USER_CHOICE",
      "CACHE_MASTER_USERS_TO_SLAVE":true,
      "MULTI_USER_ID_SEPARATOR":"_-_",
      "MULTI_MASTER_LABEL":"Company Users",
      "MULTI_SLAVE_LABEL":"Guest Users",
      "SLAVE_INSTANCE_CONFIG":{
        "instance_name":"auth.sql",
        "SQL_DRIVER":{
          "core_driver":"core",
          "group_switch_value":"core"
        },
        "group_switch_value":"auth.sql"
      },
      "MULTI_USER_BASE_DRIVER":"master",
      "UNIQUE_INSTANCE_CONFIG":{
        "instance_name":"cache.doctrine",
        "SQL_DRIVER":{
          "core_driver":"core"
        },
        "DRIVER":{
          "driver":"apc"
        }
      },


    #118878
    tropicalmango
    Participant

    "LDAP_FILTER":"(&(objectClass=user)(memberOf=CN=PYDIO-USERS,OU=Applications,OU=Sec Groups,OU=App Groups,DC=XX,DC=XXXXX,DC=COM))"

    There is no error in this string. It’s correct. But it’s strange if users who are not members of this group can log in to Pydio!!

    Try to add "LDAP_GROUP_FILTER":"" (but I’m not sure)
    to "LDAP_GROUP_FILTER":"OU=Applications,OU=Sec Groups,OU=App Groups,DC=XX,DC=XXXXX,DC=COM",
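
The LDAP_FILTER quoted in the post above can be checked offline before suspecting the string itself. The following is an added example, not part of the original thread and not Pydio code: it evaluates a subset of LDAP filter syntax (`&`, `|`, `!`, equality, no escape sequences) against constructed directory entries; the accounts `alice`, `bob`, `carol` and the `OTHER-APP` group are made up.

```python
import re

# Group DN and filter as posted in the thread (domain parts were redacted there).
GROUP_DN = ("CN=PYDIO-USERS,OU=Applications,OU=Sec Groups,"
            "OU=App Groups,DC=XX,DC=XXXXX,DC=COM")
PAGE_FILTER = f"(&(objectClass=user)(memberOf={GROUP_DN}))"
# Constructed sample entries (hypothetical accounts, not real directory data).
USER = ["top", "person", "user"]
ENTRIES = [
    {"sAMAccountName": ["alice"], "objectClass": USER, "memberOf": [GROUP_DN.lower()]},
    {"sAMAccountName": ["bob"], "objectClass": USER,
     "memberOf": [GROUP_DN.replace("PYDIO-USERS", "OTHER-APP")]},
    {"sAMAccountName": ["carol"], "objectClass": USER},  # no group membership
]

def parse(s, i=0):
    # Parse one parenthesised filter at offset i; return (node, next offset).
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group near offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:max(end, i)].partition("=")
    if end == -1 or not sep or not attr:
        raise ValueError(f"malformed comparison at offset {i}")
    return ("=", attr.lower(), value), end + 1

def norm(v):  # case-insensitive compare, ignoring spaces around DN commas
    return re.sub(r"\s*,\s*", ",", v.strip()).lower()

def matches(node, entry):
    if node[0] in "&|":
        hits = [matches(k, entry) for k in node[1]]
        return all(hits) if node[0] == "&" else any(hits)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = {k.lower(): v for k, v in entry.items()}.get(node[1], [])
    return norm(node[2]) in {norm(v) for v in values}

def allowed_logins(filter_text, entries):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [e["sAMAccountName"][0] for e in entries if matches(node, e)]
```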


    #118879
    UnifiedStorageYeah
    Participant

    I think I did… I will have to try again…. I’ve also got support on email now and have referenced this thread.

    Thanks tropical….

