LISTSERVLDAPDocumentation
ldapserver 时间:2021-05-01 阅读:()
L‐SoftSwedenAB200728November2007OverviewLISTSERVversion15.
5caninterfacetoLDAPserverstoauthenticateuserlogins,toinsertLDAPattributesinmail‐mergedistributionsaswellastoimplementDynamicQueries,anewfeaturedescribedinaseparatedocument.
ThefollowingdiagramshowstheLISTSERV15.
5LDAParchitecture,inrelationtoothercomponents:Forclarity,DynamicQueryfunctionshavebeenomittedfromthediagram,buttheyalsointerfacewiththenewLDAPfunctionality.
TheLDAPinterfaceisatthesamelevelastheDBMSinterface–notatthelevelofthevendor‐specificSQLdrivers.
Quitesimply,LDAPserversdonot"speak"SQL.
TosupportLDAP,wehadtoteachthemail‐mergeandauthenticationmodulesto"speak"LDAP.
ThisiswhythereisanewsyntaxforeveryLDAP‐relatedfunction.
Atthispoint,LISTSERVonlyqueriesLDAPdirectories.
Itwillnevertrytomakeanychanges,soitshouldnotbegivenwriteaccesstothedirectory.
LDAPDBMS(SQL)FlatFileListStorageLayerMail‐Merge(DISTRIBUTE)ListManagementAuthenticationInternalPasswords.
.
.
ODBCOCICLI1ConfiguringLDAPinLISTSERVThefirststepinusingLDAPwithLISTSERVistoaddoneormoreLDAPserversintheLISTSERVsiteconfiguration.
ThiscanbedoneviatheLISTSERVwebadministrationinterface(thepreferredmethod),oralternatelybyaddingtheentriesmanuallytoSITE.
CFGor'go'.
EachLDAPserverisgivenanicknameintheLISTSERVconfiguration,similarlytoDBMSdatasources.
YoucanalsoconfigureoneunnamedLDAPserver,againlikewithDBMSdatasources,butitisprobablylessconfusingtoassignanicknametoeveryLDAPserver.
ThreeconfigurationvariablesmustbedefinedforeveryLDAPserver:LDAP_SERVER_nickname=hostname[:port]ThehostnameandoptionalportoftheLDAPserver.
TheexactformatdependsonyouroperatingsystemandLDAPlibrary;LISTSERVpassesthisstringtotheLDAPlibraryasitis.
Onunix,SSLencryptionisrequestedbyprepending'ldaps://'tothehostname.
OnWindows,the'ldaps://'prefixisnotavailable,butsettingtheportto636automaticallyrequestsSSL.
LDAP_UID_nickname=useridLDAP_AUTH_nickname=passwordTheuseridandpasswordthatLISTSERVshoulduseinordertologintotheLDAPserver.
TheexactformatoftheuseriddependsonyourLDAPserver.
LISTSERVdoesnotattempttoparseorreformatthesevariables.
Ifthepasswordistheemptystring,mostLDAPserverswillperformananonymouslogin.
Ifbothuseridandpasswordaretheemptystring,LISTSERVwillattemptadefaultlogin,asdefinedbytheLDAPlibraryforyouroperatingsystem.
UnderWindows,LISTSERVwillbeloggedinwithitscurrentdomaincredentials(assumingitisconnectingtoanActiveDirectoryserver),andthisusuallyprovidessufficientaccess–tryitbeforeconfiguringauseridandpassword.
IftheLDAPserveristobeusedtoauthenticateLISTSERVusers,thefollowingvariablesmustalsobedefined:LDAP_PW_BASE_nickname=DNThe'distinguishedname'thatshouldbethe'base'forsearcheswhenLISTSERVlooksforauseraccount(seebelowforanexplanationoftheauthenticationprocess).
ThiscanbeusedtorestrictLISTSERVaccesstoaparticularorganizationalunitwithintheenterprise.
Ifomitted,LISTSERVtriestoguesstheDNthatwilladmitanyActiveDirectoryWindowsaccount,butthisisadifficultguesstomake,andofcourseyoumaynotevenbeconnectingtoActiveDirectory.
LDAP_PW_FILTER_nickname=filterTheLDAP'filter'thatshouldbeusedwhenlookingupuseraccounts(ifthisfilterreturnsatleastoneentry,LISTSERVallowstheusertotryandlogin;otherwise,theloginisrejected,eveniftheuserwouldotherwisebeabletologintotheLDAPserverwiththesuppliedcredentials).
Anyoccurrencesof'%s'arereplacedwiththeuser'sfulle‐mailaddress,while'%u'expandstojusttheuseridand'%h'expandstothehostname.
Ifomitted,LISTSERVusesafilterthatissuitableformostActiveDirectoryinstallations.
2Inaddition,thefollowingoptionalvariablescanbedefined:LDAP_DEFAULT_EMAIL_nickname=attributeThenameoftheattributethatordinarilyspecifiesauser'se‐mailaddressinthisdirectory.
Thisisusedasadefaultvalueinsearchesandcanbeoverridden.
Ifomitted,itdefaultsto'mail'(suitableforActiveDirectory).
LDAP_DEFAULT_NAME_nickname=attributeThenameoftheattributethatordinarilycontainstheuser'sfullname.
Defaultsto'name'.
UsingLDAPformailmergeBecauseofitscomplex,machine‐friendlysyntax,LDAPisprimarilysuitedforscripting.
Whileitisrelativelyeasyforaprogrammertowriteascriptthatsendsaweeklynoticetoeverymemberofaparticulardepartment,itisnotrealistictoexpectordinarylistownersorend‐userstounderstandtheintricaciesofLDAPanddeviseworkingsearchfilters.
Forinstance,toselectallusersinanExchangedatabase,onewouldhavetousethefollowingfilter:(&(!
(Alias=$null))(|(&(ObjectCategory=person)(ObjectClass=user)(Database=$null)(ServerLegacyDN=$null))(&(ObjectCategory=person)(ObjectClass=user)(!
(Database=$null))(!
(ServerLegacyDN=$null)))))))L‐SoftexpectsthatLDAP‐baseddistributionswillbecreatedbycustomer‐developedscripts–eitherintranetwebscriptsortraditional'cron'jobsorscheduledtasks.
Atthispoint,therearenoplanstoprovideawebinterfacepageintowhichrawLDAPsearchfilterscouldbeentered.
TocreateanLDAP‐baseddistribution,ascriptusestheDISTRIBUTEcommandandspecifiesanLDAPkeywordasfollows:DISTRIBUTE…LDAP=YES(SERVER=nickname,E‐MAIL=attribute,PARTS=attribute)ThesyntaxofthiskeywordisessentiallythesameasforSQL‐baseddistributions("DBMS="):SERVER=nicknameidentifiestheLDAPservertobequeried.
Ifomitted,thedefault(unnamed)LDAPserverisused.
E‐MAIL=attributeidentifiesthenameofthedirectoryattributecontainingtherecipient'se‐mailaddress.
Ifomitted,thevalueofLDAP_DEFAULT_EMAIL_nicknameisused.
PARTS=attributeisthenameofanoptionaldirectoryattributecontainingalistofmessagepartsthattherecipientsubscribesto.
Althoughthismail‐mergefeatureisunlikelytobeusedwithLDAP,itisavailableifdesired.
SimilarlytoSQL‐baseddistributions,the'TO'DDcontainsalistofLDAPsearchstatements,ratherthanalistofactualrecipients.
Eachlineinthe'TO'DDcanbeoneofthefollowingstatements:BASEDNThe'distinguishedname'ofthe'base'oftheLDAPsearch.
Mandatory.
3FILTERsearch_filterTheLDAPsearchfilterforthesearch.
Mandatory.
ATTRSattr1[attr2[…]]Alistofdirectoryattributesofinterest(usedinthemail‐merge).
Ifomitted,alldirectoryattributesaremadeavailable.
Attributenamesarenotcase‐sensitive.
Themainpurposeofthisstatementistoimprovesearchperformanceiftherearemanyirrelevantattributesinthedirectory.
NotethattheE‐MAILand(ifenabled)PARTSattributesmustbespecifiedorthedistributionwillfail.
SCOPEBASE|ONELEVEL|SUBTREEOptionallychangesthescopeofthesearchfromthedefault(SUBTREE).
SEARCHStartsthesearch.
ThiscommandallowsmultipleLDAPsearchestobeperformedinthesamedistribution.
Ifthereisonlyonesearch,thiscommandisoptional–LISTSERVautomaticallystartsthesearchwhenitreachestheendofthe'TO'DD.
Forinstance,thissearchwillselectallWindowsusersintheEXAMPLE.
COMdomainwithavalide‐mailaddress:BASECN=Users,DC=EXAMPLE,DC=COMFILTER(&(objectcategory=person)(objectclass=user))ATTRSNameMailPhoneSEARCHUsingLDAPforauthenticationLISTSERVcanbeconfiguredtouseoneorseveralLDAPserversforauthentication(userlogin).
YoucanchoosetoallowuserswithoutanLDAPaccounttologinwithaninternalLISTSERVpassword,ortorestrictaccesstouserswithanLDAPaccount.
LDAPauthenticationisenabledbydefiningthefollowingconfigurationvariables:LDAP_PW_SERVERS=nickname1[nickname2[…]]ThelistofLDAPserverstobequeried(inthespecifiedorder)foruseraccounts.
Besuretoenterservernicknames,nothostnames.
LDAP_PW_ONLY=0or1(default:0)Ifsetto1,onlyuserswithanLDAPaccountareallowedtologintoLISTSERV;otheruserswillonlybeabletoaccessLISTSERVanonymously.
MakesuretotestyourLDAPsettingsbeforeenablingthisoption,oryouwillnotbeabletoundoitfromthewebinterface!
Enablingthisoptiononaserverthatpreviouslyhadexternalusersislikelytoresultinsignificantconfusionfortheexternalusers,whosepasswordswillnolongerwork.
LDAP_PW_REQUIRE_SSL=0or1(default:1)WhetherornotLISTSERVshouldacceptLDAPpasswordstransmittedtothewebinterfaceinplaintext.
Bydefault,LISTSERVwillonlyattempttoverifypasswordstransmittedoverSSL.
Note4thatthisoptiondoesnotcontrolLISTSERV'sownuseofSSLwhencommunicatingwiththeLDAPserver.
SeetheLDAP_SERVER_nicknamevariable.
SIGNUP_REQUIRE_SSL=0or1(default:0)Similartotheabove,butaffectsallLISTSERVpasswords,whetherLDAPorinternal.
CanbeusedwithoutenablingLDAPauthentication.
TheLDAPauthenticationprocessWhenLDAPisenabled,LISTSERVgoesthroughthefollowingstepstologinauser:1.
TheserverslistedinLDAP_PW_SERVERSareexaminedinturn,intheorderinwhichtheywerelisted.
Foreachserver,LISTSERVexecutesthesearchconfiguredwiththeLDAP_PW_BASE_nicknameandLDAP_PW_FILTER_nicknamevariables.
LISTSERVstopsatthefirstsuccessfulsearch,orwhentherearenomoreLDAPserverstoquery.
2.
Ifnoneofthesearchesweresuccessful(noLDAPaccountexistsforthisuser),LISTSERV:a.
RejectstheloginifLDAP_PW_ONLY=1.
b.
Switchestointernal(non‐LDAP)loginifLDAP_PW_ONLY=0.
Theloginwillbevalidatedagainsttheuser'sinternalLISTSERVpassword,ifany,ortheuserwillbepromptedtocreateaLISTSERVpassword.
3.
IfanLDAPaccountwasfoundforthisuser,LISTSERV:a.
RejectstheloginifLDAP_PW_REQUIRE_SSL=1andtheloginrequestdidnotcomeoveranSSLsession.
Inthiscase,LISTSERVdoesnoteventrytoverifythepassword.
b.
VerifiesthepasswordagainsttheLDAPserverwheretheaccountwasfound,andacceptsorrejectstheloginasappropriate.
Anoteonthe"requireSSL"optionThepurposeofthe"requireSSL"optionistopreventordinary,non‐malicioususersfromjeopardizingtheirlogincredentialsfortheirpersonalconvenience,forinstancebytypingclear‐textpasswordsine‐mailrequestsbecauseitisfasterthanwaitingforaconfirmation'cookie'attheparticularInternetcaféwheretheyarereadingtheirmail.
The"requireSSL"optioneffectivelydisablestheseloginattemptsandforcesuserstologinusingthewebinterfaceandSSL.
AsLISTSERVdoesnotdirectlyprocessSSLsessions,ithasnofirst‐handknowledgeastowhetherSSLwasusedtoencrypttheloginsessionornot.
ItisthewebserverthathandlestheSSLsessionwiththeuser'sbrowser,notifiestheLISTSERVwebinterfacethatSSLwasused,andthewebinterfacescriptinturnnotifiesLISTSERVthatthepasswordwasnotsentincleartext.
LISTSERVhasnowaytoverifythisrepresentationorguaranteethatSSLwasinfactusedtotransmitthepassword.
Thisbeingsaid,thereisnoadvantageforamalicioususerinloggingintoLISTSERVwithhisowncredentialsoveranunencryptedconnection.
Themalicioususer'sinterestisforother,non‐malicioususerstoexposetheirpasswordsbysendingthemincleartext,sothatthemalicioususermaygatherthem.
5DynamicQueryfeatureAlthoughDynamicQueriesareprimarilybasedontheLDAPinterface,theyaredescribedinaseparatedocumentastheysupportbothLDAPandDBMSdatastores.
KnownissuesandrestrictionsThefollowingknownissuesandrestrictionsexist:Someunixsystemsnotsupported.
Atthispoint,LDAPfunctionalityisnotavailableforTru64orHP‐UX.
OpenLDAPlibraryrequiredtore‐linkonunix.
Customerswishingtore‐link'lsv'onunixwillhavetoinstalltheOPENLDAPlibrary(exceptonTru64andHP‐UX),eveniftheydonotwanttouseLDAP.
Staticlibrarysupportnottestedonallunixbrands.
OurgoalisforunixbuildswithLDAPfunctionalitytoworkontargetsystemsthatdonothavethedynamicLDAPlibrary,butwehavenottestedthisoneverysystem.
6
5caninterfacetoLDAPserverstoauthenticateuserlogins,toinsertLDAPattributesinmail‐mergedistributionsaswellastoimplementDynamicQueries,anewfeaturedescribedinaseparatedocument.
ThefollowingdiagramshowstheLISTSERV15.
5LDAParchitecture,inrelationtoothercomponents:Forclarity,DynamicQueryfunctionshavebeenomittedfromthediagram,buttheyalsointerfacewiththenewLDAPfunctionality.
TheLDAPinterfaceisatthesamelevelastheDBMSinterface–notatthelevelofthevendor‐specificSQLdrivers.
Quitesimply,LDAPserversdonot"speak"SQL.
TosupportLDAP,wehadtoteachthemail‐mergeandauthenticationmodulesto"speak"LDAP.
ThisiswhythereisanewsyntaxforeveryLDAP‐relatedfunction.
Atthispoint,LISTSERVonlyqueriesLDAPdirectories.
Itwillnevertrytomakeanychanges,soitshouldnotbegivenwriteaccesstothedirectory.
LDAPDBMS(SQL)FlatFileListStorageLayerMail‐Merge(DISTRIBUTE)ListManagementAuthenticationInternalPasswords.
.
.
ODBCOCICLI1ConfiguringLDAPinLISTSERVThefirststepinusingLDAPwithLISTSERVistoaddoneormoreLDAPserversintheLISTSERVsiteconfiguration.
ThiscanbedoneviatheLISTSERVwebadministrationinterface(thepreferredmethod),oralternatelybyaddingtheentriesmanuallytoSITE.
CFGor'go'.
EachLDAPserverisgivenanicknameintheLISTSERVconfiguration,similarlytoDBMSdatasources.
YoucanalsoconfigureoneunnamedLDAPserver,againlikewithDBMSdatasources,butitisprobablylessconfusingtoassignanicknametoeveryLDAPserver.
ThreeconfigurationvariablesmustbedefinedforeveryLDAPserver:LDAP_SERVER_nickname=hostname[:port]ThehostnameandoptionalportoftheLDAPserver.
TheexactformatdependsonyouroperatingsystemandLDAPlibrary;LISTSERVpassesthisstringtotheLDAPlibraryasitis.
Onunix,SSLencryptionisrequestedbyprepending'ldaps://'tothehostname.
OnWindows,the'ldaps://'prefixisnotavailable,butsettingtheportto636automaticallyrequestsSSL.
LDAP_UID_nickname=useridLDAP_AUTH_nickname=passwordTheuseridandpasswordthatLISTSERVshoulduseinordertologintotheLDAPserver.
TheexactformatoftheuseriddependsonyourLDAPserver.
LISTSERVdoesnotattempttoparseorreformatthesevariables.
Ifthepasswordistheemptystring,mostLDAPserverswillperformananonymouslogin.
Ifbothuseridandpasswordaretheemptystring,LISTSERVwillattemptadefaultlogin,asdefinedbytheLDAPlibraryforyouroperatingsystem.
UnderWindows,LISTSERVwillbeloggedinwithitscurrentdomaincredentials(assumingitisconnectingtoanActiveDirectoryserver),andthisusuallyprovidessufficientaccess–tryitbeforeconfiguringauseridandpassword.
IftheLDAPserveristobeusedtoauthenticateLISTSERVusers,thefollowingvariablesmustalsobedefined:LDAP_PW_BASE_nickname=DNThe'distinguishedname'thatshouldbethe'base'forsearcheswhenLISTSERVlooksforauseraccount(seebelowforanexplanationoftheauthenticationprocess).
ThiscanbeusedtorestrictLISTSERVaccesstoaparticularorganizationalunitwithintheenterprise.
Ifomitted,LISTSERVtriestoguesstheDNthatwilladmitanyActiveDirectoryWindowsaccount,butthisisadifficultguesstomake,andofcourseyoumaynotevenbeconnectingtoActiveDirectory.
LDAP_PW_FILTER_nickname=filterTheLDAP'filter'thatshouldbeusedwhenlookingupuseraccounts(ifthisfilterreturnsatleastoneentry,LISTSERVallowstheusertotryandlogin;otherwise,theloginisrejected,eveniftheuserwouldotherwisebeabletologintotheLDAPserverwiththesuppliedcredentials).
Anyoccurrencesof'%s'arereplacedwiththeuser'sfulle‐mailaddress,while'%u'expandstojusttheuseridand'%h'expandstothehostname.
Ifomitted,LISTSERVusesafilterthatissuitableformostActiveDirectoryinstallations.
2Inaddition,thefollowingoptionalvariablescanbedefined:LDAP_DEFAULT_EMAIL_nickname=attributeThenameoftheattributethatordinarilyspecifiesauser'se‐mailaddressinthisdirectory.
Thisisusedasadefaultvalueinsearchesandcanbeoverridden.
Ifomitted,itdefaultsto'mail'(suitableforActiveDirectory).
LDAP_DEFAULT_NAME_nickname=attributeThenameoftheattributethatordinarilycontainstheuser'sfullname.
Defaultsto'name'.
UsingLDAPformailmergeBecauseofitscomplex,machine‐friendlysyntax,LDAPisprimarilysuitedforscripting.
Whileitisrelativelyeasyforaprogrammertowriteascriptthatsendsaweeklynoticetoeverymemberofaparticulardepartment,itisnotrealistictoexpectordinarylistownersorend‐userstounderstandtheintricaciesofLDAPanddeviseworkingsearchfilters.
Forinstance,toselectallusersinanExchangedatabase,onewouldhavetousethefollowingfilter:(&(!
(Alias=$null))(|(&(ObjectCategory=person)(ObjectClass=user)(Database=$null)(ServerLegacyDN=$null))(&(ObjectCategory=person)(ObjectClass=user)(!
(Database=$null))(!
(ServerLegacyDN=$null)))))))L‐SoftexpectsthatLDAP‐baseddistributionswillbecreatedbycustomer‐developedscripts–eitherintranetwebscriptsortraditional'cron'jobsorscheduledtasks.
Atthispoint,therearenoplanstoprovideawebinterfacepageintowhichrawLDAPsearchfilterscouldbeentered.
TocreateanLDAP‐baseddistribution,ascriptusestheDISTRIBUTEcommandandspecifiesanLDAPkeywordasfollows:DISTRIBUTE…LDAP=YES(SERVER=nickname,E‐MAIL=attribute,PARTS=attribute)ThesyntaxofthiskeywordisessentiallythesameasforSQL‐baseddistributions("DBMS="):SERVER=nicknameidentifiestheLDAPservertobequeried.
Ifomitted,thedefault(unnamed)LDAPserverisused.
E‐MAIL=attributeidentifiesthenameofthedirectoryattributecontainingtherecipient'se‐mailaddress.
Ifomitted,thevalueofLDAP_DEFAULT_EMAIL_nicknameisused.
PARTS=attributeisthenameofanoptionaldirectoryattributecontainingalistofmessagepartsthattherecipientsubscribesto.
Althoughthismail‐mergefeatureisunlikelytobeusedwithLDAP,itisavailableifdesired.
SimilarlytoSQL‐baseddistributions,the'TO'DDcontainsalistofLDAPsearchstatements,ratherthanalistofactualrecipients.
Eachlineinthe'TO'DDcanbeoneofthefollowingstatements:BASEDNThe'distinguishedname'ofthe'base'oftheLDAPsearch.
Mandatory.
3FILTERsearch_filterTheLDAPsearchfilterforthesearch.
Mandatory.
ATTRSattr1[attr2[…]]Alistofdirectoryattributesofinterest(usedinthemail‐merge).
Ifomitted,alldirectoryattributesaremadeavailable.
Attributenamesarenotcase‐sensitive.
Themainpurposeofthisstatementistoimprovesearchperformanceiftherearemanyirrelevantattributesinthedirectory.
NotethattheE‐MAILand(ifenabled)PARTSattributesmustbespecifiedorthedistributionwillfail.
SCOPEBASE|ONELEVEL|SUBTREEOptionallychangesthescopeofthesearchfromthedefault(SUBTREE).
SEARCHStartsthesearch.
ThiscommandallowsmultipleLDAPsearchestobeperformedinthesamedistribution.
Ifthereisonlyonesearch,thiscommandisoptional–LISTSERVautomaticallystartsthesearchwhenitreachestheendofthe'TO'DD.
Forinstance,thissearchwillselectallWindowsusersintheEXAMPLE.
COMdomainwithavalide‐mailaddress:BASECN=Users,DC=EXAMPLE,DC=COMFILTER(&(objectcategory=person)(objectclass=user))ATTRSNameMailPhoneSEARCHUsingLDAPforauthenticationLISTSERVcanbeconfiguredtouseoneorseveralLDAPserversforauthentication(userlogin).
YoucanchoosetoallowuserswithoutanLDAPaccounttologinwithaninternalLISTSERVpassword,ortorestrictaccesstouserswithanLDAPaccount.
LDAPauthenticationisenabledbydefiningthefollowingconfigurationvariables:LDAP_PW_SERVERS=nickname1[nickname2[…]]ThelistofLDAPserverstobequeried(inthespecifiedorder)foruseraccounts.
Besuretoenterservernicknames,nothostnames.
LDAP_PW_ONLY=0or1(default:0)Ifsetto1,onlyuserswithanLDAPaccountareallowedtologintoLISTSERV;otheruserswillonlybeabletoaccessLISTSERVanonymously.
MakesuretotestyourLDAPsettingsbeforeenablingthisoption,oryouwillnotbeabletoundoitfromthewebinterface!
Enablingthisoptiononaserverthatpreviouslyhadexternalusersislikelytoresultinsignificantconfusionfortheexternalusers,whosepasswordswillnolongerwork.
LDAP_PW_REQUIRE_SSL=0or1(default:1)WhetherornotLISTSERVshouldacceptLDAPpasswordstransmittedtothewebinterfaceinplaintext.
Bydefault,LISTSERVwillonlyattempttoverifypasswordstransmittedoverSSL.
Note4thatthisoptiondoesnotcontrolLISTSERV'sownuseofSSLwhencommunicatingwiththeLDAPserver.
SeetheLDAP_SERVER_nicknamevariable.
SIGNUP_REQUIRE_SSL=0or1(default:0)Similartotheabove,butaffectsallLISTSERVpasswords,whetherLDAPorinternal.
CanbeusedwithoutenablingLDAPauthentication.
TheLDAPauthenticationprocessWhenLDAPisenabled,LISTSERVgoesthroughthefollowingstepstologinauser:1.
TheserverslistedinLDAP_PW_SERVERSareexaminedinturn,intheorderinwhichtheywerelisted.
Foreachserver,LISTSERVexecutesthesearchconfiguredwiththeLDAP_PW_BASE_nicknameandLDAP_PW_FILTER_nicknamevariables.
LISTSERVstopsatthefirstsuccessfulsearch,orwhentherearenomoreLDAPserverstoquery.
2.
Ifnoneofthesearchesweresuccessful(noLDAPaccountexistsforthisuser),LISTSERV:a.
RejectstheloginifLDAP_PW_ONLY=1.
b.
Switchestointernal(non‐LDAP)loginifLDAP_PW_ONLY=0.
Theloginwillbevalidatedagainsttheuser'sinternalLISTSERVpassword,ifany,ortheuserwillbepromptedtocreateaLISTSERVpassword.
3.
IfanLDAPaccountwasfoundforthisuser,LISTSERV:a.
RejectstheloginifLDAP_PW_REQUIRE_SSL=1andtheloginrequestdidnotcomeoveranSSLsession.
Inthiscase,LISTSERVdoesnoteventrytoverifythepassword.
b.
VerifiesthepasswordagainsttheLDAPserverwheretheaccountwasfound,andacceptsorrejectstheloginasappropriate.
Anoteonthe"requireSSL"optionThepurposeofthe"requireSSL"optionistopreventordinary,non‐malicioususersfromjeopardizingtheirlogincredentialsfortheirpersonalconvenience,forinstancebytypingclear‐textpasswordsine‐mailrequestsbecauseitisfasterthanwaitingforaconfirmation'cookie'attheparticularInternetcaféwheretheyarereadingtheirmail.
The"requireSSL"optioneffectivelydisablestheseloginattemptsandforcesuserstologinusingthewebinterfaceandSSL.
AsLISTSERVdoesnotdirectlyprocessSSLsessions,ithasnofirst‐handknowledgeastowhetherSSLwasusedtoencrypttheloginsessionornot.
ItisthewebserverthathandlestheSSLsessionwiththeuser'sbrowser,notifiestheLISTSERVwebinterfacethatSSLwasused,andthewebinterfacescriptinturnnotifiesLISTSERVthatthepasswordwasnotsentincleartext.
LISTSERVhasnowaytoverifythisrepresentationorguaranteethatSSLwasinfactusedtotransmitthepassword.
Thisbeingsaid,thereisnoadvantageforamalicioususerinloggingintoLISTSERVwithhisowncredentialsoveranunencryptedconnection.
Themalicioususer'sinterestisforother,non‐malicioususerstoexposetheirpasswordsbysendingthemincleartext,sothatthemalicioususermaygatherthem.
5DynamicQueryfeatureAlthoughDynamicQueriesareprimarilybasedontheLDAPinterface,theyaredescribedinaseparatedocumentastheysupportbothLDAPandDBMSdatastores.
KnownissuesandrestrictionsThefollowingknownissuesandrestrictionsexist:Someunixsystemsnotsupported.
Atthispoint,LDAPfunctionalityisnotavailableforTru64orHP‐UX.
OpenLDAPlibraryrequiredtore‐linkonunix.
Customerswishingtore‐link'lsv'onunixwillhavetoinstalltheOPENLDAPlibrary(exceptonTru64andHP‐UX),eveniftheydonotwanttouseLDAP.
Staticlibrarysupportnottestedonallunixbrands.
OurgoalisforunixbuildswithLDAPfunctionalitytoworkontargetsystemsthatdonothavethedynamicLDAPlibrary,butwehavenottestedthisoneverysystem.
6
- LISTSERVLDAPDocumentation相关文档
- localhostldapserver
- Simplifiedldapserver
- instructorsldapserver
- contentsldapserver
- 思科ldapserver
- 单点ldapserver
香港最便宜的vps要多少钱?最便宜的香港vps能用吗?
香港最便宜的vps要多少钱?最便宜的香港vps能用吗?香港vps无需备案,整体性能好,而且租用价格便宜,使用灵活,因为备受站长喜爱。无论是个人还是企业建站,都比较倾向于选择香港VPS。最便宜的香港vps能用吗?正因为有着诸多租用优势,香港VPS在业内颇受欢迎,租用需求量也在日益攀升。那么,对于新手用户来说,香港最便宜的vps租用有四大要点是务必要注意的,还有易探云香港vps租用最便宜的月付仅18元...
Hosteons - 限时洛杉矶/达拉斯/纽约 免费升级至10G带宽 低至年$21
Hosteons,一家海外主机商成立于2018年,在之前还没有介绍和接触这个主机商,今天是有在LEB上看到有官方发送的活动主要是针对LEB的用户提供的洛杉矶、达拉斯和纽约三个机房的方案,最低年付21美元,其特点主要在于可以从1G带宽升级至10G,而且是免费的,是不是很吸引人?本来这次活动是仅仅在LEB留言提交账单ID才可以,这个感觉有点麻烦。不过看到老龚同学有拿到识别优惠码,于是就一并来分享给有需...
friendhosting:(优惠55%)大促销,全场VPS降价55%,9个机房,不限流量
每年的7月的最后一个周五是全球性质的“系统管理员日”,据说是为了感谢系统管理员的辛苦工作....friendhosting决定从现在开始一直到9月8日对其全球9个数据中心的VPS进行4.5折(优惠55%)大促销。所有VPS基于KVM虚拟,给100M带宽,不限制流量,允许自定义上传ISO...官方网站:https://friendhosting.net比特币、信用卡、PayPal、支付宝、微信、we...
ldapserver为你推荐
-
诊断sns深圳市福田区国民经济和社会发展操作httpflashfxp用Flashfxp上传网站的具体步骤linux防火墙设置如何在Linux中启动/停止和启用/禁用FirewallD和Iptables防火墙asp.net什么叫ASP.NET?cuteftpcuteFTP的使用方法?申请支付宝账户申请支付宝账号注册ldapserver怎样打开DWA文件?请说详细点?360免费建站搭建卡盟分站(卡乐购系统,免费360网站收录)只要29元,想建的找2208647548!