LISTSERVLDAPDocumentation

ldapserver  时间:2021-05-01  阅读:()
L‐SoftSwedenAB200728November2007OverviewLISTSERVversion15.
5caninterfacetoLDAPserverstoauthenticateuserlogins,toinsertLDAPattributesinmail‐mergedistributionsaswellastoimplementDynamicQueries,anewfeaturedescribedinaseparatedocument.
ThefollowingdiagramshowstheLISTSERV15.
5LDAParchitecture,inrelationtoothercomponents:Forclarity,DynamicQueryfunctionshavebeenomittedfromthediagram,buttheyalsointerfacewiththenewLDAPfunctionality.
TheLDAPinterfaceisatthesamelevelastheDBMSinterface–notatthelevelofthevendor‐specificSQLdrivers.
Quitesimply,LDAPserversdonot"speak"SQL.
TosupportLDAP,wehadtoteachthemail‐mergeandauthenticationmodulesto"speak"LDAP.
ThisiswhythereisanewsyntaxforeveryLDAP‐relatedfunction.
Atthispoint,LISTSERVonlyqueriesLDAPdirectories.
Itwillnevertrytomakeanychanges,soitshouldnotbegivenwriteaccesstothedirectory.
LDAPDBMS(SQL)FlatFileListStorageLayerMail‐Merge(DISTRIBUTE)ListManagementAuthenticationInternalPasswords.
.
.
ODBCOCICLI1ConfiguringLDAPinLISTSERVThefirststepinusingLDAPwithLISTSERVistoaddoneormoreLDAPserversintheLISTSERVsiteconfiguration.
ThiscanbedoneviatheLISTSERVwebadministrationinterface(thepreferredmethod),oralternatelybyaddingtheentriesmanuallytoSITE.
CFGor'go'.
EachLDAPserverisgivenanicknameintheLISTSERVconfiguration,similarlytoDBMSdatasources.
YoucanalsoconfigureoneunnamedLDAPserver,againlikewithDBMSdatasources,butitisprobablylessconfusingtoassignanicknametoeveryLDAPserver.
ThreeconfigurationvariablesmustbedefinedforeveryLDAPserver:LDAP_SERVER_nickname=hostname[:port]ThehostnameandoptionalportoftheLDAPserver.
TheexactformatdependsonyouroperatingsystemandLDAPlibrary;LISTSERVpassesthisstringtotheLDAPlibraryasitis.
Onunix,SSLencryptionisrequestedbyprepending'ldaps://'tothehostname.
OnWindows,the'ldaps://'prefixisnotavailable,butsettingtheportto636automaticallyrequestsSSL.
LDAP_UID_nickname=useridLDAP_AUTH_nickname=passwordTheuseridandpasswordthatLISTSERVshoulduseinordertologintotheLDAPserver.
TheexactformatoftheuseriddependsonyourLDAPserver.
LISTSERVdoesnotattempttoparseorreformatthesevariables.
Ifthepasswordistheemptystring,mostLDAPserverswillperformananonymouslogin.
Ifbothuseridandpasswordaretheemptystring,LISTSERVwillattemptadefaultlogin,asdefinedbytheLDAPlibraryforyouroperatingsystem.
UnderWindows,LISTSERVwillbeloggedinwithitscurrentdomaincredentials(assumingitisconnectingtoanActiveDirectoryserver),andthisusuallyprovidessufficientaccess–tryitbeforeconfiguringauseridandpassword.
IftheLDAPserveristobeusedtoauthenticateLISTSERVusers,thefollowingvariablesmustalsobedefined:LDAP_PW_BASE_nickname=DNThe'distinguishedname'thatshouldbethe'base'forsearcheswhenLISTSERVlooksforauseraccount(seebelowforanexplanationoftheauthenticationprocess).
ThiscanbeusedtorestrictLISTSERVaccesstoaparticularorganizationalunitwithintheenterprise.
Ifomitted,LISTSERVtriestoguesstheDNthatwilladmitanyActiveDirectoryWindowsaccount,butthisisadifficultguesstomake,andofcourseyoumaynotevenbeconnectingtoActiveDirectory.
LDAP_PW_FILTER_nickname=filterTheLDAP'filter'thatshouldbeusedwhenlookingupuseraccounts(ifthisfilterreturnsatleastoneentry,LISTSERVallowstheusertotryandlogin;otherwise,theloginisrejected,eveniftheuserwouldotherwisebeabletologintotheLDAPserverwiththesuppliedcredentials).
Anyoccurrencesof'%s'arereplacedwiththeuser'sfulle‐mailaddress,while'%u'expandstojusttheuseridand'%h'expandstothehostname.
Ifomitted,LISTSERVusesafilterthatissuitableformostActiveDirectoryinstallations.
2Inaddition,thefollowingoptionalvariablescanbedefined:LDAP_DEFAULT_EMAIL_nickname=attributeThenameoftheattributethatordinarilyspecifiesauser'se‐mailaddressinthisdirectory.
Thisisusedasadefaultvalueinsearchesandcanbeoverridden.
Ifomitted,itdefaultsto'mail'(suitableforActiveDirectory).
LDAP_DEFAULT_NAME_nickname=attributeThenameoftheattributethatordinarilycontainstheuser'sfullname.
Defaultsto'name'.
UsingLDAPformailmergeBecauseofitscomplex,machine‐friendlysyntax,LDAPisprimarilysuitedforscripting.
Whileitisrelativelyeasyforaprogrammertowriteascriptthatsendsaweeklynoticetoeverymemberofaparticulardepartment,itisnotrealistictoexpectordinarylistownersorend‐userstounderstandtheintricaciesofLDAPanddeviseworkingsearchfilters.
Forinstance,toselectallusersinanExchangedatabase,onewouldhavetousethefollowingfilter:(&(!
(Alias=$null))(|(&(ObjectCategory=person)(ObjectClass=user)(Database=$null)(ServerLegacyDN=$null))(&(ObjectCategory=person)(ObjectClass=user)(!
(Database=$null))(!
(ServerLegacyDN=$null)))))))L‐SoftexpectsthatLDAP‐baseddistributionswillbecreatedbycustomer‐developedscripts–eitherintranetwebscriptsortraditional'cron'jobsorscheduledtasks.
Atthispoint,therearenoplanstoprovideawebinterfacepageintowhichrawLDAPsearchfilterscouldbeentered.
TocreateanLDAP‐baseddistribution,ascriptusestheDISTRIBUTEcommandandspecifiesanLDAPkeywordasfollows:DISTRIBUTE…LDAP=YES(SERVER=nickname,E‐MAIL=attribute,PARTS=attribute)ThesyntaxofthiskeywordisessentiallythesameasforSQL‐baseddistributions("DBMS="):SERVER=nicknameidentifiestheLDAPservertobequeried.
Ifomitted,thedefault(unnamed)LDAPserverisused.
E‐MAIL=attributeidentifiesthenameofthedirectoryattributecontainingtherecipient'se‐mailaddress.
Ifomitted,thevalueofLDAP_DEFAULT_EMAIL_nicknameisused.
PARTS=attributeisthenameofanoptionaldirectoryattributecontainingalistofmessagepartsthattherecipientsubscribesto.
Althoughthismail‐mergefeatureisunlikelytobeusedwithLDAP,itisavailableifdesired.
SimilarlytoSQL‐baseddistributions,the'TO'DDcontainsalistofLDAPsearchstatements,ratherthanalistofactualrecipients.
Eachlineinthe'TO'DDcanbeoneofthefollowingstatements:BASEDNThe'distinguishedname'ofthe'base'oftheLDAPsearch.
Mandatory.
3FILTERsearch_filterTheLDAPsearchfilterforthesearch.
Mandatory.
ATTRSattr1[attr2[…]]Alistofdirectoryattributesofinterest(usedinthemail‐merge).
Ifomitted,alldirectoryattributesaremadeavailable.
Attributenamesarenotcase‐sensitive.
Themainpurposeofthisstatementistoimprovesearchperformanceiftherearemanyirrelevantattributesinthedirectory.
NotethattheE‐MAILand(ifenabled)PARTSattributesmustbespecifiedorthedistributionwillfail.
SCOPEBASE|ONELEVEL|SUBTREEOptionallychangesthescopeofthesearchfromthedefault(SUBTREE).
SEARCHStartsthesearch.
ThiscommandallowsmultipleLDAPsearchestobeperformedinthesamedistribution.
Ifthereisonlyonesearch,thiscommandisoptional–LISTSERVautomaticallystartsthesearchwhenitreachestheendofthe'TO'DD.
Forinstance,thissearchwillselectallWindowsusersintheEXAMPLE.
COMdomainwithavalide‐mailaddress:BASECN=Users,DC=EXAMPLE,DC=COMFILTER(&(objectcategory=person)(objectclass=user))ATTRSNameMailPhoneSEARCHUsingLDAPforauthenticationLISTSERVcanbeconfiguredtouseoneorseveralLDAPserversforauthentication(userlogin).
YoucanchoosetoallowuserswithoutanLDAPaccounttologinwithaninternalLISTSERVpassword,ortorestrictaccesstouserswithanLDAPaccount.
LDAPauthenticationisenabledbydefiningthefollowingconfigurationvariables:LDAP_PW_SERVERS=nickname1[nickname2[…]]ThelistofLDAPserverstobequeried(inthespecifiedorder)foruseraccounts.
Besuretoenterservernicknames,nothostnames.
LDAP_PW_ONLY=0or1(default:0)Ifsetto1,onlyuserswithanLDAPaccountareallowedtologintoLISTSERV;otheruserswillonlybeabletoaccessLISTSERVanonymously.
MakesuretotestyourLDAPsettingsbeforeenablingthisoption,oryouwillnotbeabletoundoitfromthewebinterface!
Enablingthisoptiononaserverthatpreviouslyhadexternalusersislikelytoresultinsignificantconfusionfortheexternalusers,whosepasswordswillnolongerwork.
LDAP_PW_REQUIRE_SSL=0or1(default:1)WhetherornotLISTSERVshouldacceptLDAPpasswordstransmittedtothewebinterfaceinplaintext.
Bydefault,LISTSERVwillonlyattempttoverifypasswordstransmittedoverSSL.
Note4thatthisoptiondoesnotcontrolLISTSERV'sownuseofSSLwhencommunicatingwiththeLDAPserver.
SeetheLDAP_SERVER_nicknamevariable.
SIGNUP_REQUIRE_SSL=0or1(default:0)Similartotheabove,butaffectsallLISTSERVpasswords,whetherLDAPorinternal.
CanbeusedwithoutenablingLDAPauthentication.
TheLDAPauthenticationprocessWhenLDAPisenabled,LISTSERVgoesthroughthefollowingstepstologinauser:1.
TheserverslistedinLDAP_PW_SERVERSareexaminedinturn,intheorderinwhichtheywerelisted.
Foreachserver,LISTSERVexecutesthesearchconfiguredwiththeLDAP_PW_BASE_nicknameandLDAP_PW_FILTER_nicknamevariables.
LISTSERVstopsatthefirstsuccessfulsearch,orwhentherearenomoreLDAPserverstoquery.
2.
Ifnoneofthesearchesweresuccessful(noLDAPaccountexistsforthisuser),LISTSERV:a.
RejectstheloginifLDAP_PW_ONLY=1.
b.
Switchestointernal(non‐LDAP)loginifLDAP_PW_ONLY=0.
Theloginwillbevalidatedagainsttheuser'sinternalLISTSERVpassword,ifany,ortheuserwillbepromptedtocreateaLISTSERVpassword.
3.
IfanLDAPaccountwasfoundforthisuser,LISTSERV:a.
RejectstheloginifLDAP_PW_REQUIRE_SSL=1andtheloginrequestdidnotcomeoveranSSLsession.
Inthiscase,LISTSERVdoesnoteventrytoverifythepassword.
b.
VerifiesthepasswordagainsttheLDAPserverwheretheaccountwasfound,andacceptsorrejectstheloginasappropriate.
Anoteonthe"requireSSL"optionThepurposeofthe"requireSSL"optionistopreventordinary,non‐malicioususersfromjeopardizingtheirlogincredentialsfortheirpersonalconvenience,forinstancebytypingclear‐textpasswordsine‐mailrequestsbecauseitisfasterthanwaitingforaconfirmation'cookie'attheparticularInternetcaféwheretheyarereadingtheirmail.
The"requireSSL"optioneffectivelydisablestheseloginattemptsandforcesuserstologinusingthewebinterfaceandSSL.
AsLISTSERVdoesnotdirectlyprocessSSLsessions,ithasnofirst‐handknowledgeastowhetherSSLwasusedtoencrypttheloginsessionornot.
ItisthewebserverthathandlestheSSLsessionwiththeuser'sbrowser,notifiestheLISTSERVwebinterfacethatSSLwasused,andthewebinterfacescriptinturnnotifiesLISTSERVthatthepasswordwasnotsentincleartext.
LISTSERVhasnowaytoverifythisrepresentationorguaranteethatSSLwasinfactusedtotransmitthepassword.
Thisbeingsaid,thereisnoadvantageforamalicioususerinloggingintoLISTSERVwithhisowncredentialsoveranunencryptedconnection.
Themalicioususer'sinterestisforother,non‐malicioususerstoexposetheirpasswordsbysendingthemincleartext,sothatthemalicioususermaygatherthem.
5DynamicQueryfeatureAlthoughDynamicQueriesareprimarilybasedontheLDAPinterface,theyaredescribedinaseparatedocumentastheysupportbothLDAPandDBMSdatastores.
KnownissuesandrestrictionsThefollowingknownissuesandrestrictionsexist:Someunixsystemsnotsupported.
Atthispoint,LDAPfunctionalityisnotavailableforTru64orHP‐UX.
OpenLDAPlibraryrequiredtore‐linkonunix.
Customerswishingtore‐link'lsv'onunixwillhavetoinstalltheOPENLDAPlibrary(exceptonTru64andHP‐UX),eveniftheydonotwanttouseLDAP.
Staticlibrarysupportnottestedonallunixbrands.
OurgoalisforunixbuildswithLDAPfunctionalitytoworkontargetsystemsthatdonothavethedynamicLDAPlibrary,butwehavenottestedthisoneverysystem.
6

阿里云服务器绑定域名的几个流程整理

今天遇到一个网友,他之前一直在用阿里云虚拟主机,我们知道虚拟主机绑定域名是直接在面板上绑定的。这里由于他的网站项目流量比较大,虚拟主机是不够的,而且我看他虚拟主机已经有升级过。这里要说的是,用过阿里云虚拟主机的朋友可能会比较一下价格,实际上虚拟主机价格比云服务器还贵。所以,基于成本和性能的考虑,建议他选择云服务器。毕竟他的备案都接入在阿里云。这里在选择阿里云服务器后,他就蒙圈不知道如何绑定域名。这...

Linode 18周年庆典活动 不断改进产品结构和体验

今天早上相比很多网友和一样收到来自Linode的庆祝18周年的邮件信息。和往年一样,他们会回顾在过去一年中的成绩,以及在未来准备改进的地方。虽然目前Linode商家没有提供以前JP1优化线路的机房,但是人家一直跟随自己的脚步在走,确实在云服务器市场上有自己的立足之地。我们看看过去一年中Linode的成就:第一、承诺投入 100,000 美元来帮助具有社会意识的非营利组织,促进有价值的革新。第二、发...

Hostio€5/月KVM-2GB/25GB/5TB/荷兰机房

Hostio是一家成立于2006年的国外主机商,提供基于KVM架构的VPS主机,AMD EPYC CPU,NVMe硬盘,1-10Gbps带宽,最低月付5欧元起。商家采用自己的网络AS208258,宿主机采用2 x AMD Epyc 7452 32C/64T 2.3Ghz CPU,16*32GB内存,4个Samsung PM983 NVMe SSD,提供IPv4+IPv6。下面列出几款主机配置信息。...

ldapserver为你推荐
迦南server中国零售及电商周讯2016支持ipadthinkphp什么是THINKPHP 和 MVC的概念sqlserver2000挂起SQL server2000 安装为什么老是提示挂起?波音737起飞爆胎飞机会爆胎的吗?字节跳动回应TikTok易主每天每夜要结束了主持人问关于抄袭的问题,权志龙很认真的回答不想说的,想在以后做好的那段话的音乐叫什asp.net网页制作使用ASP.net技术创建一个网页,如何做?360防火墙在哪里电脑或电脑360有联网防火墙吗,在哪里设置生药http
免费二级域名申请 星星海 国外主机 主机点评 vultr美国与日本 2014年感恩节 l5520 godaddy优惠券 火车票抢票攻略 丹弗 太原联通测速平台 空间论坛 789电视网 169邮箱 免费cdn gtt web服务器搭建 云营销系统 中国linux 可外链的相册 更多