LDAP - Anonymous Search

Similar Messages

• LDAP advanced search

  I am using IBM tivoli, in my java programming I need get the members from several DNs per the login user. I had several trips to LDAP to make this happen which is slow. Is it possible in LDAp can do one call to get everything back?
  now my LDAp tree structure is like this:
  I have a list groups, inside group has list members, when a user login, I need to check if this user related to any groups, that is my first LDAp call to get the group DNS, then I have another call to get all members per these list dns.
  So, is there any possible for one trip doing all of this?
  Thanks in advance!

  Hi Jose,
  Try maintaning the parameter 2050 as YES and check once.
  Kindly, also make refer to  the below list of SAP notes:
  1757906 - GRC 10.0 - LDAP user search does not work in NWBC
  1745370 - LDAP search in GRC does not work anonymously
  1718242- UAM: User search not working in Access Request.
  Regards,
  Neeraj Agarwal

• Hiding users from anonymous searches

  Hi,
  I am trying to hide certain users from anonymous searches. To be specific, I don't want certain users to show up in global address book searches from UWC and/or outlook or other anonymous searches. It was suggested on another forum to add an attribute like privateuser=true for those users and then build an ACI to not display them for anonymous searches. Could anyone provide some advice on how to build such an ACI.
  Thanks,
  Darren

  (targetattr = "*") (target = "ldap:///ou=testOU,dc=pooh,dc=com") (targetfilter = privateuser=true) (version 3.0;acl "testACI";deny (all)(userdn = "ldap:///anyone");)

• Ldap anonymous directory access

  I have a PCI vulnerability titled "LDAP Anonymous Directory Access permitted" which I need to fix. I disabled anonymous binds in the props of the ldap server object in question. However I guess this was not the fix.
  Is there a difference between anonymous binds and anonymous directory access? I was being told this is my problem - that bind is different than directory access so I fixed the wrong thing. I thought ldap was the directory access protocol, and bind was the connection being made to the directory using ldap. Ok. I'll quit typing now. any help is appreciated.
  Stacie White

  I would recommend this forum: novell.support.edirectory.netware
  Far more traffic.
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Support Forums Volunteer Sysop
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.
  "StacieWhite" <[email protected]> wrote in message
  news:[email protected]..
  >
  > I have a PCI vulnerability titled "LDAP Anonymous Directory Access
  > permitted" which I need to fix. I disabled anonymous binds in the props
  > of the ldap server object in question. However I guess this was not the
  > fix.
  >
  > Is there a difference between anonymous binds and anonymous directory
  > access? I was being told this is my problem - that bind is different
  > than directory access so I fixed the wrong thing. I thought ldap was
  > the directory access protocol, and bind was the connection being made
  > to the directory using ldap. Ok. I'll quit typing now. any help is
  > appreciated.
  >
  > Stacie White
  >
  >
  > --
  > StacieWhite
  > ------------------------------------------------------------------------
  > StacieWhite's Profile: http://forums.novell.com/member.php?userid=1719
  > View this thread: http://forums.novell.com/showthread.php?t=331489
  >

• Ldap Persistent Search client/application

  Hi,
  As per the ldap Persistent Search explained in the internet draft
  www.ietf.org/internet-drafts/draft-ietf-ldapext-psearch-03.txt
  do you know any ldap client or ldap application which make use of this
  feature on the client side.
  Thanks in advance
  Baiju

  iPlanet Meta-Directory does for one.

• LDAP web search not working on AD LDS instance

  Hello all !
  Let me explain the goal before the problem :
  We need to setup a directory service in our DMZ so our web portal can provide an address book without having to connect to the AD. We setup (this is all in the lab environment for now) an AD LDS instance in the DMZ with ADAMSYNC gathering the AD info, plus
  LDIFDE commands to insert non-AD users into the same instance. The web portal will do LDAP queries to the LDS instance to provide all the users information (AD and non-AD users).
  Now the ADAMSYNC works great. The LDIFDE commands work perfectly as well, and through ADSIEDIT or LDP.exe I can see the users with all their attributes.
  Now for the problem :
  Trying to query the directory using a browser with the
  LDAP://LDS_server gives the following message
  An error occurred while performing the search.
  Your computer, your Internet service provider, or the specified directory service may be disconnected. Check your connections and try again.
  Operations Error
  This is on the same computer that successfully accessed the LDS directory with ADSIEDIT.msc and LDP.exe
  I also tried opening the address book from Outlook, and I got a very similar message.
  Am I missing something ? I noticed that on the LDS server, the service Active Directory Web Services is up and running...

  Re-opening the thread since I'm back on this LDAP solution.
  So... LDS instance created and I imported a bunch of users in CN=USERS,DC=TEST,DC=COM
  Under ADSIEdit.msc I can see all users with no problem. Under LDF.exe I can connect and bind to the instance and do a "tree" view of the USERS container.
  I changed the dsHeuristics attribute with a value of "0000002" and also set the server's
  ANONYMOUS LOGON in the "Readers" role.
  At this point, Outlook can successfully list the users when I set an LDAP address book with the searchbase CN=USERS,DC=TEST,DC=COM.
  Now the problem that comes back and haunts me :
  I removed the attribute in dsHeuristics and removed ANONYMOUS LOGON from the "Readers" role. I want to have a username/password setup so that users would need to know the credentials to view the address book.
  When I added the user to the "Readers" role, I changed the settings in Outlook accordingly (added the user, check the "SPA" box) and
  never changed the SearchBase string.
  Now the answer I'm getting is "No such object. Possibly your specified Search Base is invalid."
  I did not change the SearchBase setting !!!
  I've tried setting up a local user, a domain user, even a user created in the LDS instance as members of the "Readers" role and nothing changed.
  Please note that I've always restarted the instance's service between each modification.
  So basically my need is to provide a LDAP address book in Outlook with authentication (not through AD since the address book will be published in our DMZ).

• Blocking anonymous search if bind fails

  Using DS 5.2 SP4
  I have a group that outsourced some apps that are performing LDAP authentication. They do an anonymous bind to find the user's DN and then initiate a new connection, binding as the user and searching for an attribute.
  The problem I have is that the app isn't not well coded and does not check for successful bind, but just for a 0 return code. Since they are binding and searching immediately, the DS is sometimes returning the search results prior to the bind results. Since anonymous bind is allowed, the search will be successful whether or not the bind is.
  While I see this as an application problem, we are looking at least temporarily for a DS solution. Is there a way to either ensure the bind results are returned first or to deny anonymous access on bind failure? Or are there other alternatives?
  We have thought of having the app query an restricted attribute, so if the bind fails the search would as well, but that requires app changes.
  At least one of the apps is using Oracle to perform the LDAP authentication, if that helps.
  Thanks.

  If I understand your issue, you are trying to prevent searches to specific attributes if the user is not authenticated?
  If this is it, you can modify your ACI to only allow access to those attributes for authenticated users (be sure to allow "all" users, not "any" user).

• Java & LDAP, "anonymous unbind" = err=80

  Dear experts,
  I've found something strange in my performance tests against DSEE 6.3
  Please see below some explanations about this "issue":
  I use a simple Java code to test my newly created directory server. When I use a search request with the anonymous user (i.e. Context.SECURITY_AUTHENTICATION="none")...I can notice that a connection code & an error code (A1 - Client aborted connection AND err=80 (unknown error)) are always present in the corresponding logs of this request!
  When I use the ldapsearch command line to "simulate" the same request (anonymous), I can see that the logs are completely different (connection code is different AND there is no error code (err=80)), that is: "U1 - Connection closed by unbind client" ; Those last logs are really as expected!
  When I use a bind user (Context.SECURITY_AUTHENTICATION="simple") instead of anonymous, both tests (Java and ldapsearch) produce the same result, and the connection code is always the same, that is: U1 - Connection closed by unbind client
  Here are the two connection codes:
  U1: The server closed the client connection because client sent an UNBIND request.
  A1: The client has closed the connection without performing an UNBIND.
  I've found this article (http://java.sun.com/docs/books/tutorial/jndi/ldap/operations.html) about "How LDAP Operations Map to JNDI APIs"....
  We can see that the UNBIND operation correspond to the (Java) procedure: context.close()....this procedure being of course in my code!
  Is there a way in Java to "bypass" this issue for the anonymous user?
  Thanks a lot in advance.
  Regards,
  -Franck

  I have updated the ldap java.schema with below entries, it is working fine
  objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1
       NAME 'javaContainer'
       DESC 'Container for a Java object'
       SUP top
       STRUCTURAL
       MAY ( o $ cn))

• Using LDAP to search attribute bit flags using attribute OID values

  Hello everyone,
  My question stems from trying to understand the OID and syntax behind this classic LDAP search to find disabled users:
  "(useraccountcontrol:1.2.840.113556.1.4.803:=2)"
  What I am interested in is the value 1.2.840.113556.1.4.803, specifically how it differentiates from the value 1.2.840.113556.1.4.8, which is the OID of the useraccountcontrol attribute:
  http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx
  Now, this website below says that the 03 and 04 are designators of the AND and OR operations, respectively, and are added on to the end of the OID:
  https://www.appliedtrust.com/blog/2011/04/keeping-your-active-directory-pantry-order
  However, using this logic, I can't get these 03 and 04 operators to work with other attribute OID's that use flags as values, such as the "searchflags" attribute, e.g. a LDAP search of "(searchflags:=1.2.840.113556.1.2.33404:=0)
  returns nothing, using the OR (04) operation at the end of the "searchflags" OID of 1.2.840.113556.1.2.334.
  So back to my original question, for the useraccountcontrol OID of 1.2.840.113556.1.4.8, is this OID at all related to the bitwise AND extensible match of 1.2.840.113556.1.4.803 (like just adding a 03 to designate an AND operation), or is this
  extensible match
  value of 1.2.840.113556.1.4.803 completely separate from the useraccountcontrol OID of 1.2.840.113556.1.4.8?
  If I have my terms mixed up, please feel free to correct me on what the proper terms are.
  Thanks!

  Hmm yeah I posted that link above in my OP as well, and I was hoping that the OID values of these bitwise filters were somehow related to the shorter OID of the "useraccountcontrol" attribute, but it looks like it's just a coincidence.
  So I wonder if the "useraccountcontrol" section of
  this article from my OP is a little misleading when it says:
  To make a comparison, we either need to use the LDAP_MATCHING_RULE_BIT_AND rule (1.2.840.113556.1.4.803), or the LDAP_MATCHING_RULE_BIT_OR rule (1.2.840.113556.1.4.804) for our attribute OID (the AND rule adds a 03 suffix to denote the AND operation,
  and the OR rule adds a 04 suffix).
  Following this logic, I should be able to use the "03" and "04" in other bitwise operations with different OID's to search "AND" or "OR", but as I pointed out in my OP above, I can't seem to make this work with adding the 
  "03" and "04" onto the end of other OID's. So I will go with Christoffer that these bitwise OID's (1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804) are unique in themselves, and the fact that they are 2 characters away from the OID of the "useraccountcontrol"
  attribute (1.2.840.113556.1.4.8) is just coincidence.
  This does seem strange however, and it seems like there should be some correlation here....
  If anyone has any more info, I would love to hear it!

• Glassfish LDAP group search results in Exception

  I'm trying to get my group search running but I keep getting the same exception
  java.lang.NullPointerException
       at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.groupSearch(LDAPRealm.java:705)
       at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
       at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:108)
       at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
       at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)
  There's only on post on the web with the same problem and there is is not fixed.
  This is the domain.xml
  <auth-realm name="EpsLdapRealm" classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
  <property name="directory" value="ldap://myldap:389"></property>
  <property name="base-dn" value="ou=Users,o=xxx"></property>
  <property name="jaas-context" value="ldapRealm"></property>
  <property name="search-bind-dn" value="cn=saepsman,ou=Users,ou=e-Directory,ou=Services,o=xxx"></property>
  <property name="search-bind-password" value="xxxxx"></property>
  <property name="search-filter" value="(&amp;(objectClass=user)(uid=%s))"></property>
  <property description="null" name="assign-groups" value="USER"></property>
  <property name="group-search-filter" value="(&amp;(objectClass=groupOfNames)(member=%d))"></property>
  <property name="group-base-dn" value="ou=AccessControl,o=xxx"></property>
  </auth-realm>
  Authentication works fine, but group assignments do not work. When I remove the group-search-filter I get no error but then also no groups are assigned.
  The group I am trying to map is
  cn=cug-EPSManager-Administrators,ou=AccessControl,o=xxx
  And I do the following mapping in glassfish-web.xml
  <security-role-mapping>
            <role-name>ADMIN</role-name>
            <group-name>cug-EPSManager-Administrators</group-name>
       </security-role-mapping>
  I also have used
  -Djava.naming.referral=follow
  EDIT:
  I also get the following log message indicating that the search-bin-dn and password are OK. I can also browse the LDAP tree with the credentials in Softerra LDAP Browser.
  Error during LDAP search with filter [(&(objectClass=groupOfNames)(member=cn=cdamen,ou=Users,o=xxx))].|#]
  When I look at the look at the LDAPRealm source code I see it is failing on the following statement
  int sz = grpAttr.size();
  This looks like to me that it means that some group was found but there are no group attributes. But there are when I query with Softerra, strange...
  * Search for group membership using the given connection.
  private List groupSearch(DirContext ctx, String baseDN,
  String filter, String target)
  List groupList = new ArrayList();
  try {
  String[] targets = new String[1];
  targets[0] = target;
  SearchControls ctls = new SearchControls();
  ctls.setReturningAttributes(targets);
  ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
  NamingEnumeration e = ctx.search(baseDN,
  filter.replaceAll(Matcher.quoteReplacement("\\"), Matcher.quoteReplacement("\\\\")), ctls);
  while(e.hasMore()) {
  SearchResult res = (SearchResult)e.next();
  Attribute grpAttr = res.getAttributes().get(target);
  int sz = grpAttr.size();
  for (int i=0; i<sz; i++) {
  String s = (String)grpAttr.get(i);
  groupList.add(s);
  } catch (Exception e) {
  _logger.log(Level.WARNING, "ldaprealm.searcherror", filter);
  _logger.log(Level.WARNING, "security.exception", e);
  return groupList;
  Hope anyone knows the solution.
  Coen

  Hi Jeong
  Can you explain exactly what you're tyring to achieve.
  Howard
  http://www.avoka.com

• ARQ:  Does LDAP User Search action require any special authorization for requester???

  Hi All,
  I was wondering if requester need to be given any special authorization to search users in LDAP?
  Because, I have noticed that a requester can not search users from LDAP. However, another user who is a super user in GRC system and has SAP_ALL profile assigned, can search users from LDAP easily!
  I have noticed only this change between these two users and not sure what authorizations should be granted to requester to search users from LDAP. I have tried to search relevant auth. object in his role "SAP_GRAC_ACCESS_REQUESTER" but could not find. I also check security guide for this but did not get any details.
  Can anyone advise?
  Regards,
  Faisal

  Alessandro,
  I switched on trace using ST01 for one of the requesters and viewed its details later. I found RC=4 or 12 for some of the auth. objects.
  For example:
  I opened of of the records and could see above details. I am unable to interpret it further. Can you please assist in this?
  Regards,
  Faisal

• LDAP (OID) search fails on binary data

  Hi People,
  I am trying to perform OID search with filter like this:
  "(&(cn=test*)(usercertificate=*))" and getting error:
  javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Function Not Implemented]; remaining name ''
  (if perform programmatically)
  and
  ldap_search: DSA is unwilling to perform
  ldap_search: additional info: Function Not Implemented
  (if use ldapsearch utility).
  If I remove "(usercertificate=*)" part, everything works fine. I also works for any asterick combinations for text values.
  Looks like it doesn't work only for underlying binary data.
  Is it? Or I am wrong somewhere?
  How to deal with it?
  Did anybody else have this problem before?
  Please help.
  Thanks
  Konstantin Teslenko
  [email protected]

  I stumbled upon this one just recently...
  (and it worked on e-Directory ldap ;))
  It complains about this because attribute is not indexed. Look in the docs for Catalog Management tool (catalog.sh)

• Locked LDAP user search

  Hi,
  I want to a list of users (we are fatching from LDAP) that are locked(Acount Locked) in portal.
  I tried advance search, but no elements found there. But there are lots of users (account)locked.
  Thanks,
  Anumit

  You can use the ICE utility for command line execution of LDAP scripts, exports, imports LDIF's etc. ICE is in the ConsoleOne folder on a server sys: volume.
  I dont think you can export passwords though. If pwds come out they'll ptobably be hashed up in their MD5 hashes. I only ever did this once and that was between two NDS trees.
  For password sync you'll need something else like Novells Identity Manager or else don't sync but direct all auths into the LDAP repository.
  N.

• LDAP Contact searches failing via wireless

  I am able to consistantly search our 10.5.7 Open Directory in Contacts via WiFi but rarely via AT&T Wireless, unless I enable our VPN. Same LDAP settings, different transport, different results.
  I have confirmed remote LDAP access from another external host. I have verified our network firewall settings and the server firewall and emond/ipfw services. Using tcpdump on the network firewall and server confirms that my phone is not reaching the server.
  Are there known issues with AT&T blocking or mishandling LDAP?

  LDAPeople also exhibited the same behavior. Since LDAPeople can be configured to use an alternate port, I configured LDAPeople to use port 3389 and our firewall to redirect port 3899 to 389 and observed the following.
  LDAPeople was often able to initially connect on port 389 or 3899 on the server (let's just call it ldap.example.com), and continued to connect while the app was running, but quitting the app and restarting it intermittently resulted in a "Can't contact LDAP server" error. Using PortScan on the iPhone, I was unable to connect to either port 389 or 3899 on ldap.example.com.
  I then used Safari on the iPhone to connect to the ldap.example.com:3899 and then was able to connect to ldap.example.com:3899 via LDAPeople and PortScan. This does not work with ldap.example.com:389 and Contacts, as Contacts is limited to port 389 and Safari uses WebKit which returns “Not allowed to use restricted network port” when accessing port 389; which is a programming decision, not an error.
  During this time, I was monitoring the external interface of our firewall. I was able to observe connections from my iPhone (from nnn-nnn-nnn-nnn.mobile.mymmode.com) to ldap.example.com when LDAPeople and PortScan were able to connect, and observed no traffic when they could not.
  It appears that AT&T is inspecting and blocking certain types of traffic dependent upon application but independent of port number. My iPhone is not on an Enterprise Data Plan, but I am unaware of LDAP being limited by this.

• Registry LDAP - Multiple search bases x single search base

  Hi all,
  I have a doubt, in my scenario I have two LDAP domains and isn't clear to me if I need to use the Oracle Registry configured to multiple search or single search. In the documentation the explanation is: To use single configuration when you have one single search base and to use multiple configuration when you hava multiple search bases, besides that, the Registry documentation says multiple search bases scenario it will looking for a user in all domains, in case a domain isn't specified by the user. The questions are what the diference between single and multiple configuration and what is a search base?
  Any idea,
  Afonso

  Hi BBCR,
  I'm not sure if the use of groups provides a solution to this requirement. One way to do it would be to define attribute access controls using a filter with substitution syntax. For example, you could have a filter for Modify access on a user's attributes defined like:
  (&(o=$o$)(admin=true))
  which means that anyone who has a value of the "o" attribute the same as the target user AND has a value of "true" for the admin attribute can write to those attributes. You can also add Self as a role so that users can view/modify their own attributes.
  The above filter means that instead of defining group membership and group admin membership, you manipulate attribute values in users profiles to say whether or not a user is an admin, and which users they administer (all users which share the same value of the "o" attribute, in the above case).
  Would something like this be an option?
  Regards,
  Colin