LISTSERVLDAPDocumentation
ldapserver 时间:2021-05-01 阅读:(
)
L‐SoftSwedenAB200728November2007OverviewLISTSERVversion15.
5caninterfacetoLDAPserverstoauthenticateuserlogins,toinsertLDAPattributesinmail‐mergedistributionsaswellastoimplementDynamicQueries,anewfeaturedescribedinaseparatedocument.
ThefollowingdiagramshowstheLISTSERV15.
5LDAParchitecture,inrelationtoothercomponents:Forclarity,DynamicQueryfunctionshavebeenomittedfromthediagram,buttheyalsointerfacewiththenewLDAPfunctionality.
TheLDAPinterfaceisatthesamelevelastheDBMSinterface–notatthelevelofthevendor‐specificSQLdrivers.
Quitesimply,LDAPserversdonot"speak"SQL.
TosupportLDAP,wehadtoteachthemail‐mergeandauthenticationmodulesto"speak"LDAP.
ThisiswhythereisanewsyntaxforeveryLDAP‐relatedfunction.
Atthispoint,LISTSERVonlyqueriesLDAPdirectories.
Itwillnevertrytomakeanychanges,soitshouldnotbegivenwriteaccesstothedirectory.
LDAPDBMS(SQL)FlatFileListStorageLayerMail‐Merge(DISTRIBUTE)ListManagementAuthenticationInternalPasswords.
.
.
ODBCOCICLI1ConfiguringLDAPinLISTSERVThefirststepinusingLDAPwithLISTSERVistoaddoneormoreLDAPserversintheLISTSERVsiteconfiguration.
ThiscanbedoneviatheLISTSERVwebadministrationinterface(thepreferredmethod),oralternatelybyaddingtheentriesmanuallytoSITE.
CFGor'go'.
EachLDAPserverisgivenanicknameintheLISTSERVconfiguration,similarlytoDBMSdatasources.
YoucanalsoconfigureoneunnamedLDAPserver,againlikewithDBMSdatasources,butitisprobablylessconfusingtoassignanicknametoeveryLDAPserver.
ThreeconfigurationvariablesmustbedefinedforeveryLDAPserver:LDAP_SERVER_nickname=hostname[:port]ThehostnameandoptionalportoftheLDAPserver.
TheexactformatdependsonyouroperatingsystemandLDAPlibrary;LISTSERVpassesthisstringtotheLDAPlibraryasitis.
Onunix,SSLencryptionisrequestedbyprepending'ldaps://'tothehostname.
OnWindows,the'ldaps://'prefixisnotavailable,butsettingtheportto636automaticallyrequestsSSL.
LDAP_UID_nickname=useridLDAP_AUTH_nickname=passwordTheuseridandpasswordthatLISTSERVshoulduseinordertologintotheLDAPserver.
TheexactformatoftheuseriddependsonyourLDAPserver.
LISTSERVdoesnotattempttoparseorreformatthesevariables.
Ifthepasswordistheemptystring,mostLDAPserverswillperformananonymouslogin.
Ifbothuseridandpasswordaretheemptystring,LISTSERVwillattemptadefaultlogin,asdefinedbytheLDAPlibraryforyouroperatingsystem.
UnderWindows,LISTSERVwillbeloggedinwithitscurrentdomaincredentials(assumingitisconnectingtoanActiveDirectoryserver),andthisusuallyprovidessufficientaccess–tryitbeforeconfiguringauseridandpassword.
IftheLDAPserveristobeusedtoauthenticateLISTSERVusers,thefollowingvariablesmustalsobedefined:LDAP_PW_BASE_nickname=DNThe'distinguishedname'thatshouldbethe'base'forsearcheswhenLISTSERVlooksforauseraccount(seebelowforanexplanationoftheauthenticationprocess).
ThiscanbeusedtorestrictLISTSERVaccesstoaparticularorganizationalunitwithintheenterprise.
Ifomitted,LISTSERVtriestoguesstheDNthatwilladmitanyActiveDirectoryWindowsaccount,butthisisadifficultguesstomake,andofcourseyoumaynotevenbeconnectingtoActiveDirectory.
LDAP_PW_FILTER_nickname=filterTheLDAP'filter'thatshouldbeusedwhenlookingupuseraccounts(ifthisfilterreturnsatleastoneentry,LISTSERVallowstheusertotryandlogin;otherwise,theloginisrejected,eveniftheuserwouldotherwisebeabletologintotheLDAPserverwiththesuppliedcredentials).
Anyoccurrencesof'%s'arereplacedwiththeuser'sfulle‐mailaddress,while'%u'expandstojusttheuseridand'%h'expandstothehostname.
Ifomitted,LISTSERVusesafilterthatissuitableformostActiveDirectoryinstallations.
2Inaddition,thefollowingoptionalvariablescanbedefined:LDAP_DEFAULT_EMAIL_nickname=attributeThenameoftheattributethatordinarilyspecifiesauser'se‐mailaddressinthisdirectory.
Thisisusedasadefaultvalueinsearchesandcanbeoverridden.
Ifomitted,itdefaultsto'mail'(suitableforActiveDirectory).
LDAP_DEFAULT_NAME_nickname=attributeThenameoftheattributethatordinarilycontainstheuser'sfullname.
Defaultsto'name'.
UsingLDAPformailmergeBecauseofitscomplex,machine‐friendlysyntax,LDAPisprimarilysuitedforscripting.
Whileitisrelativelyeasyforaprogrammertowriteascriptthatsendsaweeklynoticetoeverymemberofaparticulardepartment,itisnotrealistictoexpectordinarylistownersorend‐userstounderstandtheintricaciesofLDAPanddeviseworkingsearchfilters.
Forinstance,toselectallusersinanExchangedatabase,onewouldhavetousethefollowingfilter:(&(!
(Alias=$null))(|(&(ObjectCategory=person)(ObjectClass=user)(Database=$null)(ServerLegacyDN=$null))(&(ObjectCategory=person)(ObjectClass=user)(!
(Database=$null))(!
(ServerLegacyDN=$null)))))))L‐SoftexpectsthatLDAP‐baseddistributionswillbecreatedbycustomer‐developedscripts–eitherintranetwebscriptsortraditional'cron'jobsorscheduledtasks.
Atthispoint,therearenoplanstoprovideawebinterfacepageintowhichrawLDAPsearchfilterscouldbeentered.
TocreateanLDAP‐baseddistribution,ascriptusestheDISTRIBUTEcommandandspecifiesanLDAPkeywordasfollows:DISTRIBUTE…LDAP=YES(SERVER=nickname,E‐MAIL=attribute,PARTS=attribute)ThesyntaxofthiskeywordisessentiallythesameasforSQL‐baseddistributions("DBMS="):SERVER=nicknameidentifiestheLDAPservertobequeried.
Ifomitted,thedefault(unnamed)LDAPserverisused.
E‐MAIL=attributeidentifiesthenameofthedirectoryattributecontainingtherecipient'se‐mailaddress.
Ifomitted,thevalueofLDAP_DEFAULT_EMAIL_nicknameisused.
PARTS=attributeisthenameofanoptionaldirectoryattributecontainingalistofmessagepartsthattherecipientsubscribesto.
Althoughthismail‐mergefeatureisunlikelytobeusedwithLDAP,itisavailableifdesired.
SimilarlytoSQL‐baseddistributions,the'TO'DDcontainsalistofLDAPsearchstatements,ratherthanalistofactualrecipients.
Eachlineinthe'TO'DDcanbeoneofthefollowingstatements:BASEDNThe'distinguishedname'ofthe'base'oftheLDAPsearch.
Mandatory.
3FILTERsearch_filterTheLDAPsearchfilterforthesearch.
Mandatory.
ATTRSattr1[attr2[…]]Alistofdirectoryattributesofinterest(usedinthemail‐merge).
Ifomitted,alldirectoryattributesaremadeavailable.
Attributenamesarenotcase‐sensitive.
Themainpurposeofthisstatementistoimprovesearchperformanceiftherearemanyirrelevantattributesinthedirectory.
NotethattheE‐MAILand(ifenabled)PARTSattributesmustbespecifiedorthedistributionwillfail.
SCOPEBASE|ONELEVEL|SUBTREEOptionallychangesthescopeofthesearchfromthedefault(SUBTREE).
SEARCHStartsthesearch.
ThiscommandallowsmultipleLDAPsearchestobeperformedinthesamedistribution.
Ifthereisonlyonesearch,thiscommandisoptional–LISTSERVautomaticallystartsthesearchwhenitreachestheendofthe'TO'DD.
Forinstance,thissearchwillselectallWindowsusersintheEXAMPLE.
COMdomainwithavalide‐mailaddress:BASECN=Users,DC=EXAMPLE,DC=COMFILTER(&(objectcategory=person)(objectclass=user))ATTRSNameMailPhoneSEARCHUsingLDAPforauthenticationLISTSERVcanbeconfiguredtouseoneorseveralLDAPserversforauthentication(userlogin).
YoucanchoosetoallowuserswithoutanLDAPaccounttologinwithaninternalLISTSERVpassword,ortorestrictaccesstouserswithanLDAPaccount.
LDAPauthenticationisenabledbydefiningthefollowingconfigurationvariables:LDAP_PW_SERVERS=nickname1[nickname2[…]]ThelistofLDAPserverstobequeried(inthespecifiedorder)foruseraccounts.
Besuretoenterservernicknames,nothostnames.
LDAP_PW_ONLY=0or1(default:0)Ifsetto1,onlyuserswithanLDAPaccountareallowedtologintoLISTSERV;otheruserswillonlybeabletoaccessLISTSERVanonymously.
MakesuretotestyourLDAPsettingsbeforeenablingthisoption,oryouwillnotbeabletoundoitfromthewebinterface!
Enablingthisoptiononaserverthatpreviouslyhadexternalusersislikelytoresultinsignificantconfusionfortheexternalusers,whosepasswordswillnolongerwork.
LDAP_PW_REQUIRE_SSL=0or1(default:1)WhetherornotLISTSERVshouldacceptLDAPpasswordstransmittedtothewebinterfaceinplaintext.
Bydefault,LISTSERVwillonlyattempttoverifypasswordstransmittedoverSSL.
Note4thatthisoptiondoesnotcontrolLISTSERV'sownuseofSSLwhencommunicatingwiththeLDAPserver.
SeetheLDAP_SERVER_nicknamevariable.
SIGNUP_REQUIRE_SSL=0or1(default:0)Similartotheabove,butaffectsallLISTSERVpasswords,whetherLDAPorinternal.
CanbeusedwithoutenablingLDAPauthentication.
TheLDAPauthenticationprocessWhenLDAPisenabled,LISTSERVgoesthroughthefollowingstepstologinauser:1.
TheserverslistedinLDAP_PW_SERVERSareexaminedinturn,intheorderinwhichtheywerelisted.
Foreachserver,LISTSERVexecutesthesearchconfiguredwiththeLDAP_PW_BASE_nicknameandLDAP_PW_FILTER_nicknamevariables.
LISTSERVstopsatthefirstsuccessfulsearch,orwhentherearenomoreLDAPserverstoquery.
2.
Ifnoneofthesearchesweresuccessful(noLDAPaccountexistsforthisuser),LISTSERV:a.
RejectstheloginifLDAP_PW_ONLY=1.
b.
Switchestointernal(non‐LDAP)loginifLDAP_PW_ONLY=0.
Theloginwillbevalidatedagainsttheuser'sinternalLISTSERVpassword,ifany,ortheuserwillbepromptedtocreateaLISTSERVpassword.
3.
IfanLDAPaccountwasfoundforthisuser,LISTSERV:a.
RejectstheloginifLDAP_PW_REQUIRE_SSL=1andtheloginrequestdidnotcomeoveranSSLsession.
Inthiscase,LISTSERVdoesnoteventrytoverifythepassword.
b.
VerifiesthepasswordagainsttheLDAPserverwheretheaccountwasfound,andacceptsorrejectstheloginasappropriate.
Anoteonthe"requireSSL"optionThepurposeofthe"requireSSL"optionistopreventordinary,non‐malicioususersfromjeopardizingtheirlogincredentialsfortheirpersonalconvenience,forinstancebytypingclear‐textpasswordsine‐mailrequestsbecauseitisfasterthanwaitingforaconfirmation'cookie'attheparticularInternetcaféwheretheyarereadingtheirmail.
The"requireSSL"optioneffectivelydisablestheseloginattemptsandforcesuserstologinusingthewebinterfaceandSSL.
AsLISTSERVdoesnotdirectlyprocessSSLsessions,ithasnofirst‐handknowledgeastowhetherSSLwasusedtoencrypttheloginsessionornot.
ItisthewebserverthathandlestheSSLsessionwiththeuser'sbrowser,notifiestheLISTSERVwebinterfacethatSSLwasused,andthewebinterfacescriptinturnnotifiesLISTSERVthatthepasswordwasnotsentincleartext.
LISTSERVhasnowaytoverifythisrepresentationorguaranteethatSSLwasinfactusedtotransmitthepassword.
Thisbeingsaid,thereisnoadvantageforamalicioususerinloggingintoLISTSERVwithhisowncredentialsoveranunencryptedconnection.
Themalicioususer'sinterestisforother,non‐malicioususerstoexposetheirpasswordsbysendingthemincleartext,sothatthemalicioususermaygatherthem.
5DynamicQueryfeatureAlthoughDynamicQueriesareprimarilybasedontheLDAPinterface,theyaredescribedinaseparatedocumentastheysupportbothLDAPandDBMSdatastores.
KnownissuesandrestrictionsThefollowingknownissuesandrestrictionsexist:Someunixsystemsnotsupported.
Atthispoint,LDAPfunctionalityisnotavailableforTru64orHP‐UX.
OpenLDAPlibraryrequiredtore‐linkonunix.
Customerswishingtore‐link'lsv'onunixwillhavetoinstalltheOPENLDAPlibrary(exceptonTru64andHP‐UX),eveniftheydonotwanttouseLDAP.
Staticlibrarysupportnottestedonallunixbrands.
OurgoalisforunixbuildswithLDAPfunctionalitytoworkontargetsystemsthatdonothavethedynamicLDAPlibrary,butwehavenottestedthisoneverysystem.
6
LOCVPS(全球云)发布了新上韩国机房KVM架构主机信息,提供流量和带宽方式,适用全场8折优惠码,优惠码最低2G内存套餐月付仅44元起。这是一家成立较早的国人VPS服务商,目前提供洛杉矶MC、洛杉矶C3、和香港邦联、香港沙田电信、香港大埔、日本东京、日本大阪、新加坡、德国和荷兰等机房VPS主机,基于KVM或者XEN架构。下面分别列出几款韩国机房KVM主机配置信息。韩国KVM流量型套餐:KR-Pl...
LOCVPS发来了针对元旦新年的促销活动,除了全场VPS主机8折优惠外,针对德国/荷兰KVM #1/美国KVM#2 VPS提供终身7折优惠码(限量50名,先到先得)。LOCVPS是一家成立于2012年的国人VPS服务商,提供中国香港、韩国、美国、日本、新加坡、德国、荷兰、俄罗斯等地区VPS服务器,基于KVM或XEN架构(推荐优先选择KVM),均选择直连或者优化线路,国内延迟低,适合建站或远程办公使...
轻云互联怎么样?轻云互联,广州轻云网络科技有限公司旗下品牌,2018年5月成立以来,轻云互联以性价比的价格一直为提供个人,中大小型企业/团队云上解决方案。本次轻云互联送上的是美国圣何塞cn2 vps(免费50G集群防御)及香港沙田cn2 vps(免费10G集群防御)促销活动,促销产品均为cn2直连中国大陆线路、采用kvm虚拟技术架构及静态内存。目前,轻云互联推出美国硅谷、圣何塞CN2GIA云服务器...
ldapserver为你推荐
uctools新浪UC下载地址phpcms模板PHPCMS V9模板centos6.5怎么用u盘安装centos6.5ipad代理苹果官网购买ipad要几天文档下载怎样把手机里的文件直接下载或复制到U盘里三友网三友联众集团怎么样?电子商务世界世界第一的电子商务网站???中国保健养猪网最具权威的养猪信息网站是哪个 啊免费代理加盟怎样免费加盟代理淘宝discuz伪静态Discuz! X3.0 到底能不能伪静态?门户怎么伪静态?
合肥虚拟主机 主机屋 搬瓦工官网 cloudstack payoneer suspended 好玩的桌面 mysql主机 韩国网名大全 150邮箱 太原联通测速平台 免费防火墙 泉州移动 电信主机 多线空间 吉林铁通 彩虹云 移动服务器托管 lamp的音标 国内空间 更多