I am using ruby's net/ldap library for this problem but in reality the driver language shouldn't really matter. I need to find a way to be able to get all the users from a system and find out which users do not have emails assigned to the account. Is it possible?
I can connect to and even create new records through LDAP, and can return queries by using wildcard entries to filter results.
given i create a filter to find the cn that begins with three 9's:
filter = Net::LDAP::Filter.eq("cn", "999*")
#connection.search(:base => "cn=Manager, dc=foo, dc=bar, dc=biz",
:filter => filter)
then my result count might be 42.
given i create the same filter but request only 1 nine, the query fails and returns false
filter = Net::LDAP::Filter.eq("cn", "9*")
#connection.search(:base => "cn=Manager, dc=foo, dc=bar, dc=biz",
:filter => filter)
and this is the same if I request just "cn", "*" which to me should say "give me all the cn's out there.
".
So the short answer to the question is that it all depends on how your schema is setup. If you are setting up an LDAP schema, you need to have several groups of records with various cn (common name) identifiers, eg cn=activeUsers and cn=inactiveUsers which will allow you to query down the list much deeper than in my situation.
I think that you have an issue with time limit set on search operations at the LDAP server.
If you have a really big search that takes much time, the LDAP server returns an error 'Time limit exceeded' and no data.
Ruby-Ldap in such a case raises an exception LDAP::ResultError. I don't know how Net-Ldap behaves however.
Try to raise the time limit at your LDAP server or use a tighter search filter such as '(&(cn=9*)(active=TRUE))'. Substitute here 'active=TRUE' with your criteria for active users.
Related
I need to make a web directory from an AD. However, I must exclude a portion of the tree in my results.
To schematize the structure:
-Telephony
----Special
----Users
----Other
I would like to exclude OU=Special. Or target OU=Users and OU=Other, but without having to write a line by "OU".
I went round and round about the query options, I'm here but that does not exclude the group.
$ldap = Ldap::create('ext_ldap', array(
'host' => 'XXX.XXX.XXX.XXX',
));
$ldap->bind('dn', 'password');
$query = $ldap->query('ou=Telephony,ou=XXXX,dc=XXXX,dc=XXXX,dc=XXXX,dc=XXXX', '(cn=*)', ['filter' => '|(ou=Users*)(ou=Other*)']);
But I still get the data from Special.
How can I make this filter?
Thank's for help
That depends.
Defined in LDAPv3 RFC 2254 an ExtensibleMatch search filter requires LDAP servers to recognize a search element called an extensible match filter.
A ExtensibleMatch search filter would allow this however, ExtensibleMatch search filter is NOT supported by all LDAP Vendors. (Microsoft Active Directory as one example).
For your example, a filter similar to:
(&(|(ou:dn:=Users)(ou:dn:=Others))(objectclass=inetorgperson)(sn=willeke))
May work.
I'm trying to get a list of Terms from a termvectorresponse in an elasticsearch plugin. I want to get access to all of the statistics which are tied to the terms and am having trouble figuring out how to do that.
After making a TermVectorsRequest...
TermVectorsRequest tvReq = new TermVectorsRequest(request.param("index"), request.param("type"), request.param("id"));
tvReq.termStatistics(true);
tvReq.selectedFields(request.param("field"));
and getting a response from the client...
TermVectorsResponse tvResponse = client.termVectors(tvReq).get();
I can get access to the id, index, etc. In the fields I get "contents" which is the field name that I want. From there though it looks like I can run...
tvResponse.getFields().terms("some term here")
in which the Terms object this returns has access to the stats I want.
I have a few issues with this though. One is that only "contents" seems to be non null. In the termvectors endpoint in elastic I get several different terms of which I've tried plugging into here. Two, is I want to get a list of terms rather than having to type in which term I want.
How can I go about doing this?
Thanks
Figured it out. Theres an interator on terms you can use. on .terms you have to pass it the field and you'll get the Terms object back. From that you can use the .iterator to get each individual term and do whatever you want with them.
I'm using Grails with an Oracle database. Most of the data in my application is part of a hierarchy that goes something like this (each item containing the following one):
Direction
Group
Building site
Contract
Inspection
Non-conformity
Data visible to a user is filtered according to his accesses which can be at the Direction, Group or Building Site level depending on user role.
We easily accomplished this by creating a listWithSecurity method for the BuildingSite domain class which we use instead of list across most of the system. We created another listWithSecurity method for Contract. It basically does a Contract.findAllByContractIn(BuildingSite.listWithSecurity). And so on with the other classes. This has the advantage of keeping all the actual access logic in BuildingSite.listWithsecurity.
The problem came when we started getting real data in the system. We quickly hit the "ora-01795 maximum number of expressions in a list is 1000" error. Fair enough, passing a list of over 1000 literals is not the most efficient thing to do so I tried other ways even though it meant I would have to deport the security logic to each controller.
The obvious way seemed to use a criteria such as this (I only put the Direction level access here for simplicity):
def c = NonConformity.createCriteria()
def listToReturn = c.list(max:params.max, offset: params.offset?.toInteger() ?: 0)
{
inspection {
contract {
buildingSite {
group {
'in'("direction",listOfOneOrTwoDirections)
}
}
}
}
}
I was expecting Grails to generate a single query with joins that would avoid the ora-01795 error but it seems to be calling a separate query for each level and passing the result back to Oracle as literal in an 'in' to query the other level. In other words, it does exactly what I was doing so I get the same error.
Actually, it might be optimising a bit. It seems to be solving the problem but only for one level. In the previous example, I wouldn't get an error for 1001 inspections but I would get it for 1001 contracts or building sites.
I also tried to do basically the same thing with findAll and a single HQL where statement to which I passed a single direction to get the nonConformities in one query. Same thing. It solves the first levels but I get the same error for other levels.
I did manage to patch it by splitting my 'in' criteria into many 'in' inside an 'or' so no single list of literals is more than 1000 long but that's profoundly ugly code. A single findAllBy[…]In becomes over 10 lines of code. And in the long run, it will probably cause performance problems since we're stuck doing queries with a very large amount of parameters.
Has anyone encountered and solved this problem in a more elegant and efficient way?
This won't win any efficiency awards but I thought I'd post it as an option if you just plainly need to query a list of more than 1000 items none of the more efficient options are available/appropriate. (This stackoverflow question is at the top of Google search results for "grails oracle 1000")
In a grails criteria you can make use of Groovy's collate() method to break up your list...
Instead of this:
def result = MyDomain.createCriteria().list {
'in'('id', idList)
}
...which throws this exception:
could not execute query
org.hibernate.exception.SQLGrammarException: could not execute query
at grails.orm.HibernateCriteriaBuilder.invokeMethod(HibernateCriteriaBuilder.java:1616)
at TempIntegrationSpec.oracle 1000 expression max in a list(TempIntegrationSpec.groovy:21)
Caused by: java.sql.SQLSyntaxErrorException: ORA-01795: maximum number of expressions in a list is 1000
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:440)
You'll end up with something like this:
def result = MyDomain.createCriteria().list {
or { idList.collate(1000).each { 'in'('id', it) } }
}
It's unfortunate that Hibernate or Grails doesn't do this for you behind the scenes when you try to do an inList of > 1000 items and you're using an Oracle dialect.
I agree with the many discussions on this topic of refactoring your design to not end up with 1000+ item lists but regardless, the above code will do the job.
Along the same lines as Juergen's comment, I've approached a similar problem by creating a DB view that flattens out user/role access rules at their most granular level (Building Site in your case?) At a minimum, this view might contain just two columns: a Building Site ID and a user/group name. So, in the case where a user has Direction-level access, he/she would have many rows in the security view - one row for each child Building Site of the Direction(s) that the user is permitted to access.
Then, it would be a matter of creating a read-only GORM class that maps to your security view, joining this to your other domain classes, and filtering using the view's user/role field. With any luck, you'll be able to do this entirely in GORM (a few tips here: http://grails.1312388.n4.nabble.com/Grails-Domain-Class-and-Database-View-td3681188.html)
You might, however, need to have some fun with Hibernate: http://grails.org/doc/latest/guide/hibernate.html
One of the new requirements for our database application is to synchronize the contents of the user table with the users in Active Directory. So basically I need to connect to the Active Directory server and retrieve a list of user names, from within a plsql procedure.
What I have achieved so far is connect to the active directory server, using my own credentials, and query some attributes.
Example:
ldap_password := '****';
ldap_user := 'cn=me,OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
ldap_base := 'OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
search_filter := '(&(objectClass=Person)!((sn=him)(cn=me)))';
res_attrs(1) := 'displayName';
res_attrs(2) := 'cn';
res_attrs(3) := 'telephoneNumber';
It seems I can only query my own attributes or somebody else's if I already know who that someone else is.
How do I get a list of usernames?
Is this possible using any account or does this require an account with the proper privileges?
I got my script working. The scope setting prevented me from seeing all data.
DBMS_LDAP.SCOPE_SUBTREE
Rene,
You can do all searched in Active directory via Oracle's LDAP components that it seems you have already touched upon. While I am no expert on LDAP/AD, I believe that you may need rights to perform these actions or better yet get an ID/Password created that has the rights (this way you can keep your id/psw out of the system and allow either an unexpiring pswrd or pswrd that is supported by the AD administrators. I know that I have always had full query access to AD, not sure if that is how I am set up or out-of-the-box functionality.
But look # this site
http://www.oracle-base.com/articles/9i/LDAPFromPLSQL9i.php
as the article demonstrates, I would recommend paring back your searchFilter (get more then whittle it down until it suits your needs)
l_attrs(1) := '*'; -- retrieve all attributes
l_retval :=
DBMS_LDAP.search_s(ld => l_session,
base => l_ldap_base,
scope => DBMS_LDAP.SCOPE_SUBTREE,
filter => 'objectclass=*',
attrs => l_attrs,
attronly => 0,
res => l_message);
Active Directory has about 4 naming attributes.
sAMAccountName (aka Pre-Windows2000 name) is a 20 or so character short name that must be unique within each domain.
userPrinicipalName, usually sAMAccountName#domain.name, but it turns out AD will honour almost any string. (I know this experimentally as we once accidentally reset 2000 out of 6000 such values in a running AD domain.
displayName, that which shows up in ADUC (dsa.msc, Active Directory Users and Computers)
The CN= part of the DN. Using ADUC, the CN is usually the Display Name. However it too can be anything legal in an LDAP name.
So which 'name' are you looking for? Basically query for any of those attributes in the list and see what you get.
As for seeing other objects, yes, you would need an account with sufficient rights to see those attributes for users.
I'm writing some C++/Win32 code to search for a user in an LDAP directory (really I need to validate a username/password is correct, and then verify group membership). I have the username, so I'm hoping something like the following will work:
(&(objectCategory=person)(objectClass=user)(uid={username}))
When I call ldap_search with this search/filter, I have to provide a starting base (node/OU/whatever) to search. But I don't know where to start the search -- all I have is the username. Is there anyway to specify the root of the tree that will work with OpenLDAP, Active Directory, Netscape LDAP, etc, etc?
Also, anyone that can answer that could probably help with this: Is the uid attribute universally supported, or do I need to search on a different attribute depending on what brand of LDAP server I'm talking to? (I've seen references to people needing to search on uid, CN and even SAMAccountName).
Regarding your first question about generically retrieving a search base:
Every LDAP directory server (conforming to the LDAP protocol I think) exposes some operational thingies under a node called RootDSE. One of the things you can retrieve through RootDSE are the namingContexts which essentially can tell you what the different trees are hosted on this server.
So you can retrieve a top-level search base for your username-search. Please be aware: some LDAP (OpenLDAP for example) servers can host multiple trees so you have to come up with a solution when multiple naming contexts are found.
The RootDSE can be retrieved by querying the server for the DN "" (empty string) and specifiyng that you want to get all the operational attributes as well. Just some example for an OpenLDAP server:
ldapsearch -H ldap://ldap.mydomain.com -x -s base -b "" +
# note the + returns operational attributes
This should return something similar to that shown below (from OpenLDAP 2.4.8) - the values in parentheses are added explanations and are not returned by the server:
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=example,dc=com
namingContexts: dc=example,dc=net
monitorContext: cn=Monitor
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 (Contentsync RFC 4530)
[...]
supportedExtension: 1.3.6.1.4.1.4203.1.11.1 (ModifyPassword RFC3088)
[...]
supportedFeatures: 1.3.6.1.1.14 (Modify-Increment RFC4525)
[...]
supportedLDAPVersion: 3
supportedSASLMechanisms: NTLM
[...]
entryDN:
subschemaSubentry: cn=Subschema
(from http://www.zytrax.com/books/ldap/ch3/#operational)
Regarding your second question about the availability of the uid attribute:
I don't think that you should rely on this one as it strongly depends on the schema used for storing user data (although most user-schema-classes will have a uid attribute I think). But that depends on the flexibility you want to put into your program. Perhaps the best way would be to make the user-filter-string configurable by the end-user (you could even do this with the search base which would have some performance advantages (no need to search the whole tree when users are only located in a small subtree and no need to query the RootDSE)).
I would not rely on uid being the proper search attribute for the user entries in LDAP. Many companies will only guarantee the employeeID as being unique within the LDAP DIT.
You need to define what container to start searching in. So this would be something like
"LDAP://" + _ADSPath + ":" + _ADSPort + "/" + _ADSRootContainer
where _ADSPath is the server hostname/ip; _ADSPort is the port number (usually 389 by default); and _ADSRootContainer is the rest of the path to the container (like ou=Users.
The path would depend on the implementation you are searching against. You can start up higher than the container holding the users and set the parameters on the search object to use a multi-level search. But it will be much slower.