The following new options have been added to sp_ldapadmin to support the new DN search algorithm:
To allow users to specify an account that Adaptive Server can use for administrative searches, use:
sp_ldapadmin set_access_acct, account_distinguished_name, account_password
The maximum length of account_distinguished_name is 255 characters. account_password has a maximum length of 64 characters and is encrypted using 3DES when stored on disk.
To specify an alternative authentication algorithm, use:
sp_ldapadmin set_dn_lookup_url, <LDAP URL string for distinguished name lookup>
When set_dn_lookup_url is set to a non-NULL value, the alternative algorithm is used to authenticate the login with an LDAP Directory Server.
The URL string has a maximum length of 255 characters and is used to search for a distinguished name associated with the login name. The attribute name in the LDAP URL string should be set to obtain a DN, and the default is entrydn.
When more than one object is returned, only the first object is used. Authentication for a user login is done by binding the DN to the Directory Server specified by the primary or secondary LDAP URL. Set the LDAP URLs by issuing set_primary_url and set_secondary_url.
For example:
sp_ldapadmin set_access_acct, "cn=admin, ou=People, dc=mycompany, dc=com", "admin_password"
sp_ldapadmin set_dn_lookup_url, "ldap://myhost:398/ou=People,dc=mycompany, dc=com?entrydn?sub?uid=*"
sp_ldapadmin set_primary_url, "ldap://myhost:389/"
For a complete description of sp_ldapadmin, see Chapter 12, “Changes to Global Variables, Commands, and Stored Procedures.”
This example uses the default Microsoft Active Directory schema found on Windows 2000 controllers.
1> sp_ldapadmin set_access_acct, 'cn=aseadmin, cn=Users, dc=mycompany, dc=com', 'aseadmin secret password'
2> go
1> sp_ldapadmin set_dn_lookup_url, 'ldap://mydomainhostname:389/cn=Users,dc=mycompany, dc=com?distinguishedName?sub?samaccountname=*'
2> go
1> sp_ldapadmin set_primary_url, 'ldap://mydomainhostname:389/'
2> go
The “aseadmin” user name has been added to the Active Directory server and granted read access to the trees and objects where users are found. The LDAP attribute specified by “distinguishedName” is obtained and used to authenticate the user. The filter specifies a search on attribute “samaccountname=*”; the * wildcard is replaced with the name from the Adaptive Server login record.
For example, “samaccountname=jqpublic” returns DN attribute “distinguishedName” with value “cn=John Q. Public, cn=Users,dc=mycompany, dc=com” to Adaptive Server. Adaptive Server uses this string to bind to ldap://mydomainhostname:389. If the bind is successful, authentication succeeds.
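The lookup step described above, as an added example that is not Sybase code: it parses the DN lookup URL, substitutes the login name for the * wildcard with RFC 4515 escaping so the name is matched literally rather than as filter syntax, and takes the first matching object from a constructed in-memory directory standing in for the cn=Users container. The final bind to the primary URL is not performed.

```python
"""Added example (not Sybase code): models the DN lookup ASE performs
before binding, using a constructed in-memory directory instead of a real
LDAP server. The final bind to the primary URL is not performed here."""
from urllib.parse import urlsplit, unquote

# DN lookup URL from the Active Directory example above.
AD_URL = ("ldap://mydomainhostname:389/cn=Users,dc=mycompany, dc=com"
          "?distinguishedName?sub?samaccountname=*")

# Constructed sample entries standing in for the cn=Users container.
SAMPLE_DIRECTORY = [
    {"distinguishedName": "cn=John Q. Public, cn=Users,dc=mycompany, dc=com",
     "samaccountname": "jqpublic"},
    {"distinguishedName": "cn=Jane Doe, cn=Users,dc=mycompany, dc=com",
     "samaccountname": "jdoe"},
]

def parse_dn_lookup_url(url):
    """Split an LDAP URL into host, port, base DN, attribute, scope and filter."""
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError("expected an ldap:// URL")
    # The query carries attribute?scope?filter; absent fields take defaults.
    fields = unquote(parts.query).split("?") if parts.query else []
    attr, scope, flt = (fields + ["", "", ""])[:3]
    return {"host": parts.hostname, "port": parts.port or 389,
            "base": unquote(parts.path.lstrip("/")),
            "attr": attr or "entrydn",        # default named on the page
            "scope": scope or "base", "filter": flt or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping so a login name is matched literally, never as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_login_filter(filter_template, login):
    """Substitute the escaped login name for the single '*' wildcard."""
    if filter_template.count("*") != 1:
        raise ValueError("filter must contain exactly one '*' wildcard")
    return filter_template.replace("*", escape_filter_value(login))

def lookup_dn(url, login, directory=SAMPLE_DIRECTORY):
    """Return the DN attribute of the first matching entry, or None if none match."""
    cfg = parse_dn_lookup_url(url)
    attr_name, _, wanted = build_login_filter(cfg["filter"], login).partition("=")
    # This toy search handles only a single attr=value equality filter.
    attr_name, wanted = attr_name.strip("( ").lower(), wanted.rstrip(")")
    matches = [e for e in directory if e.get(attr_name) == wanted]
    return matches[0].get(cfg["attr"]) if matches else None   # first object only
```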
Copyright © 2004. Sybase Inc. All rights reserved.