
Chapter 1: System Procedures

sp_ldapadmin

Description

Creates an LDAP URL search string, lists an LDAP URL search string, or verifies an LDAP URL search string or login.

Syntax

sp_ldapadmin { set_primary_url, ‘ldapurl’ | 
	set_secondary_url, { ‘ldapurl’ | null } |
	set_access_acct, account_distinguished_name, account_password |
	set_dn_lookup_url, distinguished_name_url |
	list_urls | check_url, ‘ldapurl’ |
	check_login, ‘login_name’ }

Parameters

set_primary_url, ‘ldapurl’

creates the specified search string ldapurl. Exactly one primary search string can be created.

The syntax for ldapurl is:

ldapurl::=ldap://host:port/node?attributes?base | one | sub?filter

where host and port identify the directory server, node is the distinguished name at which the search starts, attributes lists the attributes to return, base | one | sub is the search scope (described below), and filter is the LDAP search filter whose * wildcard Adaptive Server replaces with the login name being authenticated.

set_secondary_url, { ‘ldapurl’ | null }

creates the specified secondary search string ldapurl or no secondary search string. Exactly one secondary search string can be created.

set_access_acct, account_distinguished_name, account_password

specifies the identity and password that Adaptive Server uses to conduct searches and other read-only administrative actions. The identity is in the form of a distinguished name. Adaptive Server binds to the LDAP server as account_distinguished_name with account_password. Both account_distinguished_name and account_password are limited to 255 characters each.

set_dn_lookup_url, distinguished_name_url

when set to a non-NULL value, causes Adaptive Server to authenticate logins with the searched distinguished name algorithm: it searches the LDAP directory for the distinguished name associated with the login name, then binds to the directory as that distinguished name with the login's password.

distinguished_name_url has a maximum length of 255 characters and specifies the search used to find the distinguished name associated with the login name.

list_urls

displays LDAP URL search strings.

check_url, ‘ldapurl’

verifies an LDAP URL search string. Can also verify the existence of a user account, but it does not authenticate the user.

check_login, login_name

verifies a user account for the existing LDAP URL search strings. It does not authenticate the user.

base | one | sub

qualifies the search criteria. base specifies a search of the base node; one specifies a search of node and one sublevel below node; and sub specifies a search of node and all node sublevels.
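The ldapurl format above, as an added example that is not Sybase code: a Python parser that splits a search string into host, port, node, attributes, scope and filter, rejects an unknown scope, and substitutes a login name into the filter's * wildcard as the page says Adaptive Server does. The RFC 4515 escaping of the login name is this example's own hardening; this page does not state whether Adaptive Server escapes the login before substitution. The URLs in the block are constructed from the page's examples, and parse_ldap_url is a local syntax check, not the server's check_url.

```python
"""Parser for the sp_ldapadmin search-string format
ldap://host:port/node?attributes?base|one|sub?filter, plus wildcard substitution.
Added example, not Sybase code.  The RFC 4515 escaping of the login name is an
assumption of this example; the page does not say whether ASE escapes it."""
from urllib.parse import urlsplit, unquote

SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Split the URL into its parts, validating what sp_ldapadmin requires."""
    parts = urlsplit(url.strip())
    if parts.scheme != "ldap":
        raise ValueError("scheme must be ldap, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("host is required")
    # urlsplit keeps everything after the first '?' as the query, so the query
    # still reads 'attributes?scope?filter'; trailing fields may be absent.
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 3:
        raise ValueError("too many '?'-separated fields")
    fields += [""] * (3 - len(fields))
    attributes, scope, filt = (unquote(f) for f in fields)
    scope = scope or "base"          # RFC 4516 default when the field is empty
    if scope not in SCOPES:
        raise ValueError("scope must be base, one or sub; got %r" % scope)
    return {
        "host": parts.hostname,
        "port": parts.port if parts.port is not None else 389,   # default LDAP port
        "node": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in attributes.split(",") if a],   # [] = all attributes
        "scope": scope,
        "filter": filt,              # "" when the URL carries no filter
    }


def escape_filter_value(value):
    """RFC 4515 escaping (this example's hardening): the login becomes a literal
    value, so a name such as 'x)(ou=*' cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def substitute_login(filter_template, login):
    """Replace the '=*' wildcard value(s) in the configured filter with the login."""
    return filter_template.replace("=*", "=" + escape_filter_value(login))


def build_search(url, login):
    """Parsed URL with the login substituted into its filter, ready to run."""
    parsed = parse_ldap_url(url)
    if parsed["filter"]:
        parsed["filter"] = substitute_login(parsed["filter"], login)
    return parsed


if __name__ == "__main__":
    # Constructed single-line forms of the page's Example 1 and Example 4 URLs.
    print(build_search("ldap://voyager:389/ou=People,dc=MyCompany,dc=com??sub?uid=*",
                       "jqpublic"))
    print(build_search("ldap://voyager:389/ou=people,dc=siroe,dc=com??sub?"
                       "(&(uid=*)(ou=accounting))", "x)(ou=*"))
```

Run it to see that a login name carrying filter metacharacters stays inside the uid= comparison instead of adding a second branch to the compound filter; the same check is worth making against whatever escaping the deployed server actually applies.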

Examples

Example 1

Creates an LDAP URL search string for the LDAP SunONE Directory Server.

sp_ldapadmin set_primary_url,'ldap://voyager:389/
    ou=People,dc=MyCompany,dc=com??sub?uid=*'

The search string identifies a directory server listening on host name “voyager,” port 389 (the default LDAP protocol port). The search begins at the node ou=People,dc=MyCompany,dc=com, that is, organizational unit (ou) “People” in the domain “MyCompany.com,” covers the whole subtree (sub), and returns all attributes of the entries that match the filter uid=*. Adaptive Server replaces the * wildcard with the Adaptive Server login name that is to be authenticated.

Example 2

Creates an LDAP URL search string for OpenLDAP 2.0.25 using the criteria described in Example 1; the search starts at the domain node and matches on cn rather than uid.

sp_ldapadmin set_primary_url,'ldap://voyager:389/
    dc=MyCompany,dc=com??sub?cn=*'

Example 3

Sets the secondary LDAP URL search string to null, indicating no failover and no secondary LDAP server.

sp_ldapadmin set_secondary_url, null

Example 4

Creates an LDAP URL search string with a compound filter; only entries whose ou is “accounting” and whose uid matches the login name are returned.

sp_ldapadmin set_primary_url, 'ldap://voyager:389/
    ou=people,dc=siroe,dc=com??sub?(&(uid=*)
    (ou=accounting))'

Example 5

Uses the default Microsoft Active Directory schema found on Windows 2000 controllers:

1> sp_ldapadmin set_access_acct, 'cn=aseadmin, cn=Users, dc=mycompany, 
      dc=com', 'aseadmin secret password'
2> go

1> sp_ldapadmin set_dn_lookup_url,
    'ldap://mydomainhostname:389/cn=Users,dc=mycompany,dc=com?
     distinguishedName?sub?samaccountname=*' 
2> go

1> sp_ldapadmin set_primary_url,'ldap://mydomainhostname:389/'
2> go

The “aseadmin” username is added to the Active Directory server and granted read access to the trees and objects where users are found. The LDAP attribute specified by distinguishedName is obtained and used to authenticate the user. The filter specifies a search on attribute samaccountname=*; the * wildcard is replaced with the name from the Adaptive Server login record.

For example, “samaccountname=jqpublic” returns DN attribute “distinguishedName” with value “cn=John Q. Public, cn=Users,dc=mycompany, dc=com” to Adaptive Server. Adaptive Server uses this string to bind to ldap://mydomainhostname:389. If the bind is successful, authentication succeeds.
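The two-step flow described above (search for the login's DN with the access account, then bind as that DN), as an added example that is not Adaptive Server code: an offline simulation against a constructed in-memory directory. The entries, passwords and access-account credentials are made up, DN handling is simplified (no escaped commas), and the refusal of an empty password and of an ambiguous search result are checks this example adds, not behaviour this page attributes to Adaptive Server.

```python
"""Searched-DN ("search, then bind") authentication as described for
set_dn_lookup_url, simulated against an in-memory directory.  Added example,
not Adaptive Server code; all directory contents and credentials are constructed."""

# Constructed directory: DN -> attributes.  Plaintext passwords are acceptable
# only because nothing is persisted; a real server verifies them itself.
DIRECTORY = {
    "cn=aseadmin,cn=Users,dc=mycompany,dc=com": {
        "samaccountname": "aseadmin", "userPassword": "aseadmin secret password"},
    "cn=John Q. Public,cn=Users,dc=mycompany,dc=com": {
        "samaccountname": "jqpublic", "userPassword": "correct horse"},
    # Same samaccountname outside cn=Users: shows why the search base matters.
    "cn=Old Account,ou=Disabled,dc=mycompany,dc=com": {
        "samaccountname": "jqpublic", "userPassword": "stale"},
}
ACCESS_DN = "cn=aseadmin,cn=Users,dc=mycompany,dc=com"   # as set with set_access_acct
ACCESS_PW = "aseadmin secret password"                   # constructed


def _parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


def in_scope(dn, base, scope):
    """Apply the base | one | sub search scope to a candidate DN."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return _parent(dn) == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("scope must be base, one or sub")


def simple_bind(dn, password):
    """Simulated LDAP simple bind.  An empty password is refused outright: a
    real server treats DN-plus-empty-password as an unauthenticated bind
    (RFC 4513 section 5.1.2) that succeeds without proving anything."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def search(base, scope, attr, value):
    """DNs within scope whose attr equals value (compared case-insensitively)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope) and attrs.get(attr, "").lower() == value.lower()]


def authenticate(login, password, lookup_base="cn=Users,dc=mycompany,dc=com",
                 lookup_scope="sub", lookup_attr="samaccountname"):
    """Bind with the access account, find the login's DN, then bind as that DN.
    Returns (ok, detail).  Exactly one DN must match: zero means an unknown
    login, more than one means the lookup URL is too broad to identify the user."""
    if not simple_bind(ACCESS_DN, ACCESS_PW):
        return False, "access account bind failed"
    matches = search(lookup_base, lookup_scope, lookup_attr, login)
    if len(matches) != 1:
        return False, "expected exactly one DN for %r, found %d" % (login, len(matches))
    user_dn = matches[0]
    if simple_bind(user_dn, password):
        return True, user_dn
    return False, "bind as %s failed" % user_dn


if __name__ == "__main__":
    for args in [("jqpublic", "correct horse"), ("jqpublic", "wrong"), ("jqpublic", "")]:
        print(args[0], authenticate(*args))
    print("broad base:", authenticate("jqpublic", "correct horse",
                                      lookup_base="dc=mycompany,dc=com"))
```

The last call shows the effect of the search base in distinguished_name_url: widening it from cn=Users to the domain root makes the lookup return two entries for the same login, and the login is refused rather than bound as whichever entry came back first.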

Usage

Permissions

Only the System Security Officer can execute sp_ldapadmin.

Auditing

Values in the event and extrainfo columns of the sysaudits table are:

Event: 38
Audit option: exec_procedure
Command or access audited: Execution of a procedure
Information in extrainfo:

  • Roles – Current active roles

  • Keywords or options – NULL

  • Previous value – NULL

  • Current value – NULL

  • Other information – All input parameters

  • Proxy information – Original login name, if set proxy in effect

Because extrainfo records all input parameters, expect the account_password passed to set_access_acct to be written to the audit trail unless the server masks it; restrict access to sysaudits accordingly.





Copyright © 2005. Sybase Inc. All rights reserved.
