From: Mark W. <mew...@un...> - 2000-08-11 15:11:34
|
The only way that I know of to get the type of behavior you wish is to change the server itself, as in rewrite it or extend the server via an API. I don't think this is possible via NDS. Also keep in mind, you probably don't want things like account information going out over just any search. There's a reason why it's harder to get that stuff, it's called security :). If you make it easier, then it's just that much easier to exploit that information. Mark David Bussenschutt wrote: > Actually, what I want to do is change the attributes that are returned so > that it returns what are currently considered by my server to be (I guess) > operational attributes. > > You see, if I do a LDAP search in my NDS tree, I only get a very limited > list of attributes returned when I request '*', but if I request them by > name...no probs. There are many attributes that I would have expected a > normal search to return. (like whether an account is locked or not) > > So, what I want is not to ADD another attribute, and control it's access > with an ACL, but MODIFY existing attributes so that they are more visible. > Is this part of a system ACL too? > > David. > > At 05:58 PM 8/10/00 -0500, you wrote: > >What you want to do should be accomplished via an ACL , not an operational > >attribute. > >From my understanding an operational attribute is one that is determined > >by the sever and is not attatched to the entry. And they can cause a load > >on the server to generate them, thus you don't want them returned unless > >they're specifically requested & you probably don't want them allowed to > >just anyone. > > > >Mark > > > >On Fri, 11 Aug 2000, David Bussenschutt wrote: > > > >> What mechanism does a server use to decide what is an operational > >> attribute, and what is not? Can I add operational attributes? (ie not have > >> them returned in a normal search unless explicitly requested) > >> > >> David. > >> > >> At 05:40 PM 8/10/00 -0500, you wrote: > >> >If you don't provide any attributes to search, you'll get back all > >> >non-operational attributes available to you (of course this depends on the > >> >server's ACLs as to which ones you can actually get). > >> > > >> >If you want operational attributes you must requet them in the search > >> >(sorry I overlooked that yesterday). > >> > > >> >If you want all of the attributes, either list everything in the search, > >> >or do 2 searches, one without listing and one with a listing of all of the > >> >operational attributes. > >> > > >> >Mark > >> > > >> >On Thu, 10 Aug 2000, Bing Du wrote: > >> > > >> >> Thanks all. Ok, I have given up using as_struct. > >> >> > >> >> I saw 'createtimestamp' finally by using $ldcon->search(base => > >> >> $BASEDN, scope => 'sub', filter => $filter,attrs=> > >> >> ["createtimestamp"],typesonly => 0) :). > >> >> > >> >> A new question: > >> >> > >> >> I used to use > >> >> $ldcon->search(base...,scope...,filter...,attrs=>[],typesonly...) to > >> >> retrieve values of all attributes without specificly listing all > >> >> attributes' names in @attrs (e.g. @attrs = ('cn', 'phone','email')), and > >> >> then use attrs=>@attrs in 'search'. By doing this, I do not need to > >> >> change my script whenever new attributes are added in. > >> >> > >> >> But now I have to explicitly specify operational attributes in > >> >> attrs=>[] because I want them. So is there a way to represent all > >> >> other regular attributes still without listing them explicitly? > >> >> > >> >> Thanks, > >> >> > >> >> Bing > >> >> > >> >> >>> Chris Ridd <chr...@me...> 08/10/00 02:34AM >>> > >> >> Mark Wilcox <mew...@un...> wrote: > >> >> > Chris Ridd (who works for Messanging Direct) will be the best one to > >> >> > answer this. But he's leaving on a trip, so I don't know if he's > >> >> online > >> >> > right now. > >> >> > >> >> Still here... > >> >> > >> >> > Have you verified that the attribute is actually there (ie. have you > >> >> > dumped it out with ldapsearch or MD's version of db2ldif?) > >> >> > > >> >> > Mark > >> >> > >> >> The default access controls we have in our directory will only permit > >> >> the > >> >> DSA manager - which Bing is binding as, so that's OK - read access to > >> >> createTimestamp. > >> >> > >> >> As others have pointed out, createTimestamp is an operational > >> >> attribute, so > >> >> will only be returned over LDAP when the client explicitly asks for > >> >> it. > >> >> > >> >> So I suspect the problem is either that you aren't explicitly > >> >> specifying in > >> >> the search operation that you want the createTimestamp back, or the > >> >> way > >> >> you're accessing the entries back via as_struct is wrong. > >> >> > >> >> To check the attributes are really coming back over the network, set > >> >> debug > >> >> => 12 when you create the LDAP object. You will then get a whole load > >> >> of > >> >> output to stderr which is a dump of the raw protocol. Hopefully you'll > >> >> see > >> >> the createTimestamps being returned. > >> >> > >> >> I haven't used as_struct myself, so can't comment on that part. > >> >> > >> >> Cheers, > >> >> > >> >> Chris > >> >> > >> > > >> > > >> > > >> > > >> > >> -------------------------------------------------------------------- > >> David Bussenschutt Email: D.B...@ma... > >> Senior Computing Support Officer & Systems Administrator/Programmer > >> Location: Griffith University. Information Technology Services > >> Brisbane Qld. Aust. (TEN bldg. rm 1.33) Ph: (07)38757079 > >> -------------------------------------------------------------------- > >> > > > > > > > > > > -------------------------------------------------------------------- > David Bussenschutt Email: D.B...@ma... > Senior Computing Support Officer & Systems Administrator/Programmer > Location: Griffith University. Information Technology Services > Brisbane Qld. Aust. (TEN bldg. rm 1.33) Ph: (07)38757079 > -------------------------------------------------------------------- |