Use sp_ldapadmin to create or list an LDAP URL search string, verify an LDAP URL search string or login, and specify the access accounts and tunable LDAP user authentication (LDAPUA) related parameters. You must have the SSO role to execute sp_ldapadmin.
See the Reference Manual: Commands.
If you use a simple LDAP server topology and schema, you can use a composed DN algorithm for user authentication. If you use commercially available schemas (for example, iPlanet Directory Servers or OpenLDAP Directory Servers), users are created as objects in the same container in the LDAP server tree, and Adaptive Server determines the user’s DN from the object’s location. However, there are restrictions on the LDAP server’s schema:
You must specify the filter with the attribute name that uniquely identifies the user to be authenticated.
You must specify the filter with the attribute name=*
.
The asterisk is a wildcard character. The appropriate attribute
name to use in the filter depends on the schema used by the LDAP
server.
The Adaptive Server login name is the same as the short user name for example, a UNIX user name.
The DN uses the short user name rather than a full name with embedded spaces or punctuation. For example, jqpublic meets the restriction for a DN, but “John Q. Public” does not.
LDAP vendors may use different object names, schema, and attributes than those used in these examples. There are many possible LDAP URL search strings, and valid sites may also extend schemas locally or use them in ways that differ from each other:
This example uses the uid=*
filter.
To compose the DN, Adaptive Server replaces the wildcard with the
Adaptive Server login name to be authenticated, and appends the
resulting filter to the node parameter in the LDAP URL. The resulting
DN is:
uid=myloginname,ou=People,dc=mycomany,dc=com
After a successful bind operation, Adaptive Server
uses the connection to search for attribute names, such as uid
,
that are equal to the login name:
sp_ldapadmin set_primary_url, 'ldap://myhost:389/ou=People,dc=mycompany,dc=com??sub?uid=*'
This example uses the schema defined in OpenLDAP
2.0.25, with an attribute name of cn
.
The composed DN is cn=myloginname,dc=mycompany,dc=com
:
sp_ldapadmin set_primary_url, 'ldap://myhost:389/dc=mycompany,dc=com??sub?cn=*'
Use the searched DN to use an Active Directory server or other LDAP server environment that does not meet the restrictions to use the composed DN algorithm.
Perform these steps for an Active Directory server using a commercially available user schema from a Windows 2000 Server.
Set the access account information:
sp_ldapadmin set_access_acct, 'cn=Admin Account, cn=Users, dc=mycompany, dc=com', 'Admin Account secret password'
Set the primary URL:
sp_ldapadmin set_primary_url, 'ldap://hostname:389/
Set the DN lookup URL search string:
sp_ldapadmin set_dn_lookup_url, 'ldap://hostname:389/cn=Users,dc=mycompany,dc=com?distinguishedName?one?samaccountname=*'
On Windows 2000, the short name is typically referred to as
the “User Logon Name” and is given the attribute
name samaccountname in the default schema. This
is the attribute name used to match the Adaptive Server login name.
The DN for a user contains a full name with punctuation and embedded
spaces (for example, cn=John Q. Public,
cn=Users, dc=mycomany, dc=com
.
The DN on Windows does not use the short name, so the searched DN
algorithm is appropriate for sites using the Active Directory schema
(the default) as the LDAP server. The primary URL does not specify
a search. Instead, it relies on the bind operation for authentication.
You can use LDAP URL search strings to restrict access to
groups of users on LDAP servers. For example, to restrict logins
to users in an accounting group. use a compound filter to restrict
access to the group of users where attribute group=accounting
.
The following LDAP URL string uses the composed DN algorithm for an iPlanet server:
sp_ldapadmin set_primary_url, 'ldap://myhost:389/ou=People,dc=mycompany, dc=com??sub?(&(uid=*)(group=accounting))'
Adaptive Server binds with DN uid=mylogin,ou=People,dc=mycompany,dc=com
.
After successfully binding with this identity, it searches for:
"ou=People,dc=mycompany,dc=com??sub?(&(uid=mylogin)(group=accounting))"
Authentication succeeds if this search returns any objects.
These examples use LDAP URL strings with compound filters:
sp_ldapadmin set_primary_url, 'ldap://myhost:389/ou=people,dc=mycompany,dc=com??sub?(&(uid=*)(ou=accounting) (l=Santa Clara))'
sp_ldapadmin, set_primary_url, 'ldap://myhost:389/ou=people,dc=mycompany,dc=com??sub?(&(uid=*)(ou=Human%20Resources))'