I have an issue while changing password as a user and I cannot find anything in documentation metioning changing password as a user without admin priviliges.
I am logged as user abc and I execute:
set password for "abc" = 'abc'
I receive:
ERR: error authorizing query: abc not authorized to execute statement 'SET PASSWORD FOR abc = [REDACTED]', requires admin privilege
Is it possible to change password as a user not as admin?
That is true, it should not be done by the standard user. You are able to change your password, you should not be able to change other's password if no admin privileges set.
Let say there is testuser standard user with no admin privileges and another user named admin with admin privileges.
if you login with admin then you should be able to change anyone's password with CLI:
set password for "testuser" = 'testing'
logging with testuser and changing admins password will through en error of course:
set password for "admin" = 'adminpass'
response:
ERR: error authorizing query: testuser not authorized to execute statement 'SET PASSWORD FOR admin = [REDACTED]', requires admin privilege
even if you run show users with testuser, it will not let you see other users and it is admin privileges.
ERR: error authorizing query: testuser not authorized to execute statement 'SHOW USERS', requires admin privilege
Solution for changing anyone's password:
CREATE USER "someuser" WITH PASSWORD 'somepassword' WITH ALL PRIVILEGES
but it requires admin privileges.
Related
Need to obtain the list of all tokens in organization.
Used the token to make a call to https://vssps.dev.azure.com/{organization}/_apis/tokens/pats?api-version=6.1-preview.1
My permission in DevOps are set as the Collection Administrator.
Received response was:
{“$id”:“1”,“innerException”:null,“message”:“The requested operation is not allowed.”,“typeName”:“Microsoft.TeamFoundation.Framework.Server.InvalidAccessException, Microsoft.TeamFoundation.Framework.Server”,“typeKey”:“InvalidAccessException”,“errorCode”:0,“eventId”:3000}
Is there some lack of permissions or do I need to set up something else to get list of tokens in organization?
You don't mention how you get your token, and criteria for authentication flow but I will share my adventure that started similarly yours.
I got your exact error while following this guide: https://learn.microsoft.com/en-gb/azure/devops/organizations/accounts/manage-personal-access-tokens-via-api?view=azure-devops
The token I got from that python code just didn't work.
Then I found this code instead: https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/app-aad-token#--username-password-flow-programmatic
While using the same app registration from the link above, I copied my scope and tenantID from the dysfunctional code into this new code, and then go to your app registration --> authentication --> Allow public client flows to yes, see screenshot.
I ran the script after giving the credentials and now the token worked.
Dumping the code for future reference:
# Given the client ID and tenant ID for an app registered in Azure,
# along with an Azure username and password,
# provide an Azure AD access token and a refresh token.
# If the caller is not already signed in to Azure, the caller's
# web browser will prompt the caller to sign in first.
# pip install msal
from msal import PublicClientApplication
import sys
# You can hard-code the registered app's client ID and tenant ID here,
# along with the Azure username and password,
# or you can provide them as command-line arguments to this script.
client_id = '<client-id>'
tenant_id = '<tenant-id>'
username = '<username>'
password = '<password>'
# Do not modify this variable. It represents the programmatic ID for
# Azure Databricks along with the default scope of '/.default'.
scope = [ '2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default' ]
# Check for too few or too many command-line arguments.
if (len(sys.argv) > 1) and (len(sys.argv) != 5):
print("Usage: get-tokens-for-user.py <client ID> <tenant ID> <username> <password>")
exit(1)
# If the registered app's client ID and tenant ID along with the
# Azure username and password are provided as command-line variables,
# set them here.
if len(sys.argv) > 1:
client_id = sys.argv[1]
tenant_id = sys.argv[2]
username = sys.argv[3]
password = sys.argv[4]
app = PublicClientApplication(
client_id = client_id,
authority = "https://login.microsoftonline.com/" + tenant_id
)
acquire_tokens_result = app.acquire_token_by_username_password(
username = username,
password = password,
scopes = scope
)
if 'error' in acquire_tokens_result:
print("Error: " + acquire_tokens_result['error'])
print("Description: " + acquire_tokens_result['error_description'])
else:
print("Access token:\n")
print(acquire_tokens_result['access_token'])
print("\nRefresh token:\n")
print(acquire_tokens_result['refresh_token'])
How can I fetch the logged in AD user in my ROR application.
I have tried:
Etc.getlogin - It gives me the username of where the server is running
system(`WhoAmI`) - returns false
ENV["USERNAME"], ENV["USER"], ENV["USERID"] - Doesn't return anything
And how to check if the User is logged in or not ?
I am using Net::LDAP for this:
a = Net::LDAP::Filter.eq("sAMAccountName", "username")
ldap.search(:filter => a)
It return me the data of the user as :
#myhash=
{:dn=>["CN=Test Windows,CN=Users,DC=example,DC=local"],
:objectclass=>["top", "person", "organizationalPerson", "user"],
:cn=>["Test Windows"],
:sn=>["Windows"],
:givenname=>["Test"],
:distinguishedname=>["CN=Test Windows,CN=Users,DC=example,DC=local"],
:instancetype=>["4"],
:whencreated=>["20211004113850.0Z"],
:whenchanged=>["20211004124559.0Z"],
:displayname=>["Test Windows"],
:usncreated=>["16489"],
:usnchanged=>["16525"],
:name=>["Test Windows"],
:objectguid=>["Some ID"],
:useraccountcontrol=>["22038"],
:badpwdcount=>["0"],
:codepage=>["0"],
:countrycode=>["0"],
:badpasswordtime=>["0"],
:lastlogoff=>["0"],
:lastlogon=>["0"],
:pwdlastset=>["1327782117765465"],
:primarygroupid=>["213"],
:objectsid=>["Some ID"],
:accountexpires=>["9223876536854775807"],
:logoncount=>["0"],
:samaccountname=>["username"],
:samaccounttype=>["93806368"],
:userprincipalname=>["username#example.local"],
:objectcategory=>["CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local"],
:dscorepropagationdata=>["16010101000000.0Z"],
:mail=>["abc#abc.com"]}>]
But here how to know if the user is logged in ?
lastlogoff & lastlogon is always "0"
Thanks.
MSAL API should let us know the username that is currently logged in so that we don't have to create a separate cookie and manage this cookie and logic.
getAllAcounts should give us all the accounts.
getAccount should give us the account that it is currently signed in/active.
Here is how you can check if user is loggedIn or not:
cdef raw_info
#raw_info ||= access_token.get('/me').parse
Then you can check if the token is valid or not. If it is valid then the user is loggedIn otherwise not.
I'm running AzerothCore in Docker but am unable to sign in with any of the test accounts. I am using the default password of 'a' and have not changed any of the passwords.
When trying to log in on the WotLK client, I get the 'the information you have entered is not valid' box pop up. I can see from my authserver log that it is receiving the username I put in:
Added realm "AzerothCore" at 127.0.0.1:3306.
Authserver listening to 0.0.0.0:3724
'172.18.0.1:56942' Accepting connection
[4 ms] SQL(p): DELETE FROM ip_banned WHERE unbandate<>bandate AND unbandate<=UNIX_TIMESTAMP()
[4 ms] SQL(p): SELECT * FROM ip_banned WHERE ip = '172.18.0.1'
[0 ms] SQL(p): SELECT a.id, a.locked, a.lock_country, a.last_ip, aa.gmlevel, a.salt, a.verifier, a.token_key FROM account a LEFT JOIN account_access aa ON (a.id = aa.id) WHERE a.username = 'TEST1'
[AuthChallenge] Account 'TEST1' is not locked to ip
[AuthChallenge] Account 'TEST1' is not locked to country
[1 ms] SQL(p): UPDATE account_banned SET active = 0 WHERE active = 1 AND unbandate<>bandate AND unbandate<=UNIX_TIMESTAMP()
[0 ms] SQL(p): SELECT bandate, unbandate FROM account_banned WHERE id = 1 AND active = 1
I have also tried changing my authserver.conf file to set WrongPass.Logging = 1 but neither my log or database reflect a failed login attempt.
I think the fact that it's telling me the account test1 is not locked to an IP or country means it is successfully communicating with the database, but I can't figure out what my problem is here. Any help in understanding what's going on here would be much appreciated.
I am also unable to log in with "test1" and "a", but it is quite easy to reset the passwords.
In your worldserver console, paste this in:
account set password test1 thisisthenewpassword thisisthenewpassword
account set password test2 thisisthenewpassword thisisthenewpassword
account set password test3 thisisthenewpassword thisisthenewpassword
account set password test4 thisisthenewpassword thisisthenewpassword
account set password test5 thisisthenewpassword thisisthenewpassword
account set password test6 thisisthenewpassword thisisthenewpassword
account set password test7 thisisthenewpassword thisisthenewpassword
account set password test8 thisisthenewpassword thisisthenewpassword
account set password test9 thisisthenewpassword thisisthenewpassword
account set password test10 thisisthenewpassword thisisthenewpassword
You can also create a new account for yourself with full GM privileges with these commands:
account create yourusername yourpassword
account set gmlevel yourusername 3 -1
I have already migrate Jenkins to use LDAP login, and have no problem.
But when I tried to migrate phabricator to use LDAP, I got "Username or password are incorrect." every time, and I'm sure the same username and passwd can login Jenkins. I was using the same OpenLDAP server, and the LDAP has a readonly DN: cn=readonly,dc=my-company,dc=com. Phabricator configurations list below:
Allow: "Allow Login"
LDAP Hostname & Port: exactly the same with my Jenkins configuration
Base Distinguished Name: ou=user,dc=my-company,dc=com (while Jenkins root DN was dc=my-company,dc=com)
Search Attributes: empty
Always Search: unchecked
Anonymous Username: cn=readonly, dc=my-company, dc=com (same with Jenkins Manager DN)
Anonymous Password: the password (same with Jenkins Manager password)
Username Attribute: uid
Realname Attributes: empty
LDAP Version: 3
This has block me two days, is there something I missed?
Thanks for your answer~
Oh, I figure it out. Phabricator has a different LDAP login mechanism with Jenkins. Phabricator always bind LDAP with the user's DN and password (to verify login), then search the user's DN itself. Below is the comment in the LDAP login code:
// This is unusual (since the bind succeeded) but we've seen it at least
// once in the wild, where the anonymous user is allowed to search but
// the credentialed user is not.
// If we don't have anonymous credentials, raise an explicit exception
// here since we'll fail a typehint if we don't return an array anyway
// and this is a more useful error.
// If we do have anonymous credentials, we'll rebind and try the search
// again below. Doing this automatically means things work correctly more
// often without requiring additional configuration.
So, LDAP users must have search acl, like:
olcAccess: {1}to *
by self write
by dn="cn=admin,dc=my-company,dc=com" write
by dn="cn=readonly,dc=my-company,dc=com" read
by users search
by * none
I didn't have 'by users search' option, so login failed.
It's pretty easy to create an administrator user on the BlackBerry Administrator API, following the documentation. All administrator users have to be assigned a role, and roles are easy to look up (Example using python and suds):
organisation_id = 0
locale = 'en_US'
display_name = 'Mac Chapman'
username = 'maccy'
password = 'password'
role_id = None
for role in ws.service.findRoles(organisation_id, locale).roles:
if role.localeNameAndDescription[0].name == 'Security Administrator':
role_id = role.roleId
print ws.service.createBASAuthenticatedAdministratorUser(organisation_id, display_name, role_id, username, password)
But I cannot for the life of me figure out how to create a new role within the API. Is it possible?