Creates an LDAP URL search string, lists an LDAP URL search string, or verifies an LDAP URL search string or login.
sp_ldapadmin { set_primary_url, 'ldapurl'
    | set_secondary_url, { 'ldapurl' | null }
    | set_access_acct, account_distinguished_name, account_password
    | set_dn_lookup_url, 'ldapurl'
    | list_urls
    | check_url, 'ldapurl'
    | check_login, 'login_name' }

ldapurl ::= ldap://host:port/node/?attributes?base | one | sub?filter
set_primary_url creates the specified search string ldapurl. Exactly one primary search string can be created.
set_secondary_url creates the specified secondary search string ldapurl, or null for no secondary search string. Exactly one secondary search string can be created.
set_access_acct allows you to perform administrative searches using the account distinguished name and password information.
account_distinguished_name is the distinguished name of the directory services account. A distinguished name is the name that uniquely identifies an entry at a specific level of the hierarchy and describes the path of names that trace the entry back to the root of the hierarchical tree.
account_password is the password associated with the distinguished name.
set_dn_lookup_url specifies an LDAP URL in which to search for the distinguished name. Setting this URL causes Adaptive Server to use an alternative authentication algorithm.
ldapurl (for set_dn_lookup_url) is the URL of the string in which you are searching for the distinguished name associated with a user. The default attribute name is entrydn.
list_urls displays the LDAP URL search strings.
check_url verifies an LDAP URL search string. It can also verify the existence of a user account, but it does not authenticate the user.
check_login verifies a user account against the existing LDAP URL search strings. It does not authenticate the user.
host is the host name of the LDAP server.
port is the port number of the LDAP server.
node specifies the node in the object hierarchy at which to start the search.
attributes is a list of attributes to return in the result set. Each LDAP server may support a different list of attributes.
base | one | sub qualifies the search scope: base specifies a search of the base node only; one specifies a search of node and one sublevel below node; sub specifies a search of node and all node sublevels.
filter specifies the attribute or attributes to be authenticated. The filter can be simple, such as "uid=*", or compound, such as "(uid=*)(ou=group)". The syntax is LDAP server dependent and uses a wildcard (*) to stand for the login name.
Example 1
Creates an LDAP URL search string for the LDAP SunONE Directory Server.
sp_ldapadmin set_primary_url, 'ldap://voyager:389/ou=People,dc=MyCompany,dc=com??sub?uid=*'
The search string identifies a directory server listening on host name “voyager,” port number 389 (the default LDAP protocol port), the base node to begin the search is within organizational unit (ou) “People,” and the domain is “MyCompany.com.” It returns all attributes that match the filter uid=*. Adaptive Server replaces the wildcard with the Adaptive Server login name that is to be authenticated.
Example 2
Creates an LDAP URL search string defined in OpenLDAP 2.0.25 using the criteria described in Example 1.
sp_ldapadmin set_primary_url, 'ldap://voyager:389/dc=MyCompany,dc=com??sub?cn=*'
Example 3
Sets the secondary LDAP URL search string to null, indicating no failover and no secondary LDAP server.
sp_ldapadmin set_secondary_url, null
Example 4
Creates an LDAP URL search string with a compound filter.
sp_ldapadmin set_primary_url, 'ldap://voyager:389/ou=people,dc=siroe,dc=com??sub?(&(uid=*)(ou=accounting))'
Example 5
Specifies the access account for searches.
sp_ldapadmin set_access_acct, 'cn=admin, ou=People, dc=mycompany, dc=com', 'admin secret password'
Example 6
Specifies the URL to search for an account's distinguished name. In this example, entrydn specifies the name of the attribute whose value is the distinguished name. It uses a wildcard search (uid=*) for the user ID.
sp_ldapadmin set_dn_lookup_url, 'ldap://myhost:389/ou=People,dc=mycompany,dc=com?entrydn?sub?uid=*'
Example 7
The following uses Active Directory as the LDAP directory server (available only on Adaptive Server version 12.5.2 or later). This example comprises a series of steps using the alternative authentication algorithm, and sets the account information needed to search for a user's distinguished name:
1. Set the account information:
sp_ldapadmin set_access_acct, 'cn=Admin Account, cn=Users, dc=mycompany, dc=com', 'Admin Account secret password'
2. Set the primary URL:
sp_ldapadmin set_primary_url, 'ldap://hostname:389/'
3. Set the distinguished name URL search:
sp_ldapadmin set_dn_lookup_url, 'ldap://hostname:389/cn=Users,dc=mycompany,dc=com?distinguishedName?one?samaccountname=*'
4. Specify the account name with the client connection:
% isql -Umylogin -Pmypassword
Adaptive Server authenticates the account name against the distinguished name returned by the LDAP search (specified by the distinguished name URL search) and your client connection password when you log in to the server.
The samaccountname attribute name of the URL filter parameter is the account login for both Windows and Adaptive Server. The following search returns the distinguishedName parameter:
'CN=MyGivenname MySurname,CN=Users,DC=mycompany,DC=com'
This distinguishedName parameter is used to bind the LDAP server to authenticate the user.
The LDAP vendor determines the syntax of the search string. In all cases, the search string specifies the attribute name that uniquely identifies the user in the form “attribute=wildcard” as in “cn=*.”
The first attribute in a compound filter must define the Relative Distinguished Name (for example, ...sub?(uid=*)(ou=group)). Otherwise, the authentication fails.
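As an added example (not Sybase code), the following Python parses the ldapurl form described under the parameters, applies the wildcard-for-login substitution described in Example 1, and exposes the first filter attribute so the compound-filter rule above can be checked before a URL is configured. The "base" default scope, the RFC 4515 escaping of the login and all function names are this example's own assumptions, not documented Adaptive Server behaviour.

```python
import re
from dataclasses import dataclass

# Added example (not Sybase code): parses the ldapurl form the page documents,
# ldap://host:port/node?attributes?base|one|sub?filter, and performs the
# wildcard-for-login substitution it describes with RFC 4515 escaping so the
# login cannot change the filter's structure. Assumed defaults: scope "base"
# (RFC 4516) and the attribute "entrydn" that the page gives for set_dn_lookup_url.
_URL_RE = re.compile(r"^ldap://(?P<host>[^:/?]+):(?P<port>\d+)/(?P<rest>.*)$")
_SCOPES = ("base", "one", "sub")
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

@dataclass
class LdapUrl:
    host: str
    port: int
    node: str
    attributes: list
    scope: str
    filter: str

def parse_ldapurl(url: str) -> LdapUrl:
    """Split an ldapurl into its parts, validating the port and the scope."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError("expected ldap://host:port/node?attributes?scope?filter")
    parts = m["rest"].split("?", 3) + ["", "", ""]  # trailing parts may be absent
    node, attrs, scope, flt = parts[0].rstrip("/"), parts[1], parts[2], parts[3]
    scope = scope or "base"
    if scope not in _SCOPES:
        raise ValueError(f"scope must be one of {_SCOPES}, got {scope!r}")
    attributes = [a for a in attrs.split(",") if a] or ["entrydn"]
    return LdapUrl(m["host"], int(m["port"]), node, attributes, scope, flt)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)

def first_filter_attribute(flt: str) -> str:
    """First attribute named in the filter; the page requires it to be the RDN attribute."""
    m = re.search(r"([A-Za-z][\w.;-]*)=", flt)
    return m.group(1) if m else ""

def login_filter(url: LdapUrl, login: str) -> str:
    """Replace the '*' that stands for the login name with the escaped login."""
    if "*" not in url.filter:
        raise ValueError("filter carries no '*' wildcard for the login name")
    return url.filter.replace("*", escape_filter_value(login))
```

Run the configured search strings through parse_ldapurl and first_filter_attribute before storing them; check_url still has to be used against the live server to confirm the node exists.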
If you set the distinguished name and password for the set_access_acct parameter to NULL, set_access_acct may bind anonymously, if the LDAP server allows this.
The primary function of the account search string is to perform LDAP searches to locate and return a user’s full distinguished name.
If set_dn_lookup_url finds more than one match to its search, only the first one is used for authentication.
The maximum length of the account distinguished name parameter is 255 characters.
The maximum length of the account password parameter is 64 characters.
If more than one attribute value is returned from a set_dn_lookup_url search, only the first one is used to attempt the authentication bind.
When a search string is added, Adaptive Server verifies that it uses valid LDAP URL syntax and that it references an existing node. To ensure that the valid string returns expected values, carefully choose and verify the search string when configuring Adaptive Server.
The secondary URL search string enables failover to another LDAP server. Adaptive Server uses the primary URL search string unless the LDAP Server is not active or the search string is invalid. In this event, Adaptive Server uses the secondary URL search string for authentication.
Only the System Security Officer can execute sp_ldapadmin.
Copyright © 2004. Sybase Inc. All rights reserved.