NetTalk Central

Messages - Jane

46
Web Server - Ask For Help / Re: NetLDAP bug in SetUser procedure
« on: May 06, 2023, 04:53:55 PM »
Thanks for confirming, Sean.

Up until now, all our UPNs have been default - matching the Active Directory domain name.

We're confronting needing to change our AD logins to jane@theEmailDomain.com rather than jane@theADdomain.local for some kind of integrated SSO security system our IT is looking at adopting.

I've changed my UPN to the proposed domain name (jane@theEmailDomain.com) and done some experimenting.
On an existing NetTalk app, I was not able to log in and get group membership when using
jane
theADdomain\jane
jane@theEmailDomain.com

Problems I found:
1.  The backslash issue.  Thanks for confirming that that's not intended.  That was making theADdomain\jane fail.
2.  Login default -
   NetLDAP.Start sets self.DomainType = NetLDAP:UserPrincipalName
   So for a login that I (and most of our users) typically do with just the sAMAccountName
      jane
   NetLDAP.SetUser uses self.DomainType , which means I have become jane@theADdomain.local (rather than the correct UPN that is set in AD).
   NetLDAP.SetAuthUser ignores self.DomainType and hard codes it to NetLDAP:UserPrincipalName (i.e., jane@theADdomain.local)
   
   In the 20+ years I've worked on AD networks I haven't been part of one where the UPN didn't match the AD domain name until now.  (Lucky me.)
   What I've discovered about UPNs is
      a. The UPN specified for the user is primary.  (In my case, jane@theEmailDomain.com )
      b. BUT the default UPN (jane@theADdomain.local)
         WILL also work for user login
         WILL NOT work to look up group memberships or attributes
      c. So having NetLDAP set the UPN to jane@theADdomain.local for a simple 'jane' login bolloxes things.
         Basic login works because of the implicit UPN
         Group lookups do not work.
         
   For the plain 'jane' login I can compensate by putting
       net.domainType = NetLDAP:sAMAccountName
   before calling net.UserInGroup()

   (I think this problem of defaulting to NetLDAP:UserPrincipalName is actually my doing.  In discussing with Bruce years ago the various login names users can enter I think I suggested defaulting to creating a UPN.  Shame on me... sigh...)
   
3. NetLDAP.Search is out to get me.  (Actually, UserInGroup when pActiveDirectory is set to TRUE)
   The ActiveDirectory_UserInGroup procedure in the LDAP demo calls net.SetDomain()
   So when I use jane@theEmailDomain.com, net.SetDomain helpfully splits that into dc=theEmailDomain,dc=com
   This domain does not exist in Active Directory.

   If pActiveDirectory is TRUE, then what is produced from NetLDAP.UserInGroup() is
   pFilter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Jane Fleming,OU=SysAdmin Users,OU=CHC SysAdmin,DC=theAdDomain,DC=local))  -- which is correct.

   BUT the pBase parm fed into NetLDAP.Search is dc=theEmailDomain,dc=com
      WHICH IS WRONG because that domain does not exist in AD.

   If I manually look up the DistinguishedName and set that before calling net.UserInGroup(), then the recursive call (which sets the incorrect domain name) doesn't happen and I'm good.
   
So I think I can code around all my issues in my calling procedures (except for the extraneous backslash - which I edited in NetLDAP.clw.)  I made a dedicated proc to get the DN before calling UserInGroup.
Or I might try just overriding NetLDAP.SetDomain so that it always uses the domain being used by AuthUser.

And I'm guessing that not a lot of people will be using a different UPN suffix in Active Directory situations.  But perhaps good to be aware of the challenges in case anybody else goes that route.

Thanks for your input, Sean!

Cheers,

Jane
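
The search-base mismatch from point 3 above, as an added example that is not part of the original post and is not NetTalk code. It contrasts a base DN built from the UPN suffix with one taken from the DC components of the user's distinguishedName, and builds the nested-group filter with RFC 4515 escaping. The function names are hypothetical; the sample UPN and DN are the ones quoted in the post.

```python
# Added illustration (not NetTalk code); all function names are hypothetical.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID from the filter in the post

def base_from_upn_suffix(upn):
    """Base DN guessed from the UPN suffix; wrong when the suffix is an
    alternative UPN suffix rather than the AD domain name."""
    suffix = upn.rsplit("@", 1)[1]
    return ",".join("dc=" + label for label in suffix.split("."))

def split_rdns(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    return [p.lstrip() for p in parts if p.strip()]

def base_from_dn(dn):
    """Base DN taken from the DC components of the user's own DN."""
    dcs = [r for r in split_rdns(dn) if r.upper().startswith("DC=")]
    if not dcs:
        raise ValueError("DN has no DC components: %r" % dn)
    return ",".join(dcs)

def escape_filter_value(value):
    """RFC 4515 escaping so DN characters cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def nested_group_filter(user_dn):
    return "(&(objectClass=group)(member:%s:=%s))" % (
        IN_CHAIN, escape_filter_value(user_dn))

# Sample values as quoted in the post.
UPN = "jane@theEmailDomain.com"
USER_DN = "CN=Jane Fleming,OU=SysAdmin Users,OU=CHC SysAdmin,DC=theAdDomain,DC=local"

if __name__ == "__main__":
    print("from UPN suffix:", base_from_upn_suffix(UPN))
    print("from user DN:   ", base_from_dn(USER_DN))
    print("filter:         ", nested_group_filter(USER_DN))
```
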
47
Web Server - Ask For Help / NetLDAP bug in SetUser procedure
« on: May 05, 2023, 12:54:54 PM »
Bruce,

There's a bug in the NetLDAP.SetUser() procedure when the user name is of the format DOMAIN\Jane.Bean

SetUser is called multiple times by NetLdap.UserInGroup().

The first time through, it correctly strips off the domain and backslash and returns
sAMAccountName=Jane.Bean

After the first time, however, it hits the ELSE clause and adds a backslash.
This results in
sAMAccountName=\Jane.Bean

And the group lookup fails.

There's a comment on line 624 where the extraneous backslash is injected.
I don't know when the change was made to NetLDAP, but was testing something yesterday and discovered that this is broken.
That backslash needs to be not inserted.

NT 12.59.

jf

49
Web Server - Ask For Help / Re: Change a static page
« on: March 20, 2023, 11:02:22 AM »
You can also opt to keep the cache on and manually clear it when you change something static - either with the button on the web server (if it's not running as a service and is visible) or with the magic URL.


50
Web Server - Ask For Help / Re: NT12.55 NetDemo Compile Error
« on: March 06, 2023, 09:41:39 AM »
It's getting filled in by a new default in the "Use NetTalk Send Email Controls" template.

You can go into that extension template on the TestEmailSendControlTemplate procedure in the demo program and delete the value for the "OAuth Token" field.


51
Web Server - Ask For Help / Any SAML wisdom out there?
« on: March 01, 2023, 04:01:07 PM »
Anybody integrated a SAML provider with NetTalk ?
Okta?  MS Azure AD? Others?

Any wisdom?  Any war stories?


52
Web Server - Ask For Help / Re: Draw (Graph) crashes my web server
« on: February 10, 2023, 01:06:10 PM »

For now modifying the code in draw.clw seems like the way to go.


Sounds good.  Draw doesn't get updated very often. 
I made a copy for this app and changed one line of code in draw.clw.  Works fine.

Thanks, Bruce.

Jane

53
Web Server - Ask For Help / Draw (Graph) crashes my web server
« on: February 09, 2023, 02:52:55 PM »
Subtitle - is there a way I'm missing to override Draw's drwGetTempPath? 

It's presently calling GetTempPathA.

I added a graph to a nettalk app, copying one of the examples.
Works fine on my development machine.

Works fine on server when running as a service or run as Administrator.

Crashes on server when not running as a service when I run the graph procedure.  Error (shown in pic) says it's trying to create DrawStore.tmp in a folder that does not exist.

Yes, the app is mostly running as a service.  And then it runs fine (using the windows\temp folder).

Or I can manifest the app with a requireAdministrator manifest and it works running as an exe on the server.  But then I have to click through the UAC popup on my dev machine each time I compile and run.

It may just be that something is bolluxed on the server.  SET says "my" temp path ends with \6
But that folder doesn't exist.
The GUI says my user's temp path just ends with \temp.

But this all seems rather fragile.  It would be nice to have an option to tell Draw where to do its thing and not to encounter some servers where it can't make its temp folder work.

(Until, of course, NT 14's javascript graphs!)

Cheers,

Jane, writer of hyperbolic subject lines


54
Web Server - Ask For Help / Re: open submenu indented?
« on: January 14, 2023, 11:41:42 AM »
If you're trying to do what's shown in the first pic, Sean, what I've found works is to set each of the "calling" menu items to open to the right (second pic). 


jf


56
Web Server - Ask For Help / Hiding password (etc) in web server log
« on: December 24, 2022, 06:56:40 PM »
Grinchly Greetings, Obi Wan!

I was interested in the solution you worked out for masking passwords in the web server log display during this week's webinar.

What you showed mostly works.   

BUT it still leaks passwords BEFORE they get to the AddLog section of code.
As soon as you move around in the log and then come back to the POST, the value has been masked by the code you added in AddLog.  But initially it displays on the screen.

If there were an embed available in StartNewThread, before the ?web:LastPost is first displayed, that initial display of sensitive data could be avoided.

[Edited to add - would you add an embed before that DISPLAY statement ?  ]

Of course, that requires running the filtering code twice  :-\

Holiday Cheers,

Jane


57
Web Server - Ask For Help / Re: Load balancing
« on: December 21, 2022, 09:04:52 AM »
Thanks, Don.

Coincidentally, Gordon did a ClarionLive webinar last Friday where he showed an overview of his current architecture.

As Bruce indicated, Gordon has moved a lot of stuff into the javascript app in the browser (which is something like 300K lines of code) to minimize use of the session queue.

What session queue he IS using is on a separate database.  https://www.youtube.com/live/6x1wvtstK74?t=2806

But he also has a large-ish team of programmers and many years of coding underlying the app.


58
Web Server - Ask For Help / Re: Load balancing
« on: December 20, 2022, 10:43:51 AM »
It does not address sessions. 


So how do you deal with that, Don?

Does Nginx just always direct session xyz to the same instance that session used for the previous call(s) ?

Cheers,

Jane

59
Web Server - Ask For Help / Re: Load balancing
« on: December 19, 2022, 12:02:36 PM »
But how would it be done with one of the existing tools? Do you have an example, documentation or webinar?
Gordon Holfelder did a webinar on this for the CIDC 2019 conference, which is still online if you purchased that conference:
https://www.cidc2019.com/Presentations#LoadBalancingaWebserverAcrossMultipleInstances

As I recall, one of his challenges was sharing session values across multiple web servers. 

The Net Sessions interface that Bruce introduced in NT 12 should make sharing session values easier.

60
Web Server - Ask For Help / Re: My tip broke my menu
« on: December 07, 2022, 05:39:42 PM »
Thanks!
