Menu
▾
▴
Re: createTimestamp?
|
From: Mark W. <mew...@un...> - 2000-08-11 15:11:34
|
The only way that I know of to get the type of behavior you wish is to change the
server itself, as in rewrite it or extend the server via an API. I don't think
this is possible via NDS.
Also keep in mind, you probably don't want things like account information going
out over just any search. There's a reason why it's harder to get that stuff, it's
called security :). If you make it easier, then it's just that much easier to
exploit that information.
Mark
David Bussenschutt wrote:
> Actually, what I want to do is change the attributes that are returned so
> that it returns what are currently considered by my server to be (I guess)
> operational attributes.
>
> You see, if I do a LDAP search in my NDS tree, I only get a very limited
> list of attributes returned when I request '*', but if I request them by
> name...no probs. There are many attributes that I would have expected a
> normal search to return. (like whether an account is locked or not)
>
> So, what I want is not to ADD another attribute, and control it's access
> with an ACL, but MODIFY existing attributes so that they are more visible.
> Is this part of a system ACL too?
>
> David.
>
> At 05:58 PM 8/10/00 -0500, you wrote:
> >What you want to do should be accomplished via an ACL , not an operational
> >attribute.
> >From my understanding an operational attribute is one that is determined
> >by the sever and is not attatched to the entry. And they can cause a load
> >on the server to generate them, thus you don't want them returned unless
> >they're specifically requested & you probably don't want them allowed to
> >just anyone.
> >
> >Mark
> >
> >On Fri, 11 Aug 2000, David Bussenschutt wrote:
> >
> >> What mechanism does a server use to decide what is an operational
> >> attribute, and what is not? Can I add operational attributes? (ie not have
> >> them returned in a normal search unless explicitly requested)
> >>
> >> David.
> >>
> >> At 05:40 PM 8/10/00 -0500, you wrote:
> >> >If you don't provide any attributes to search, you'll get back all
> >> >non-operational attributes available to you (of course this depends on the
> >> >server's ACLs as to which ones you can actually get).
> >> >
> >> >If you want operational attributes you must requet them in the search
> >> >(sorry I overlooked that yesterday).
> >> >
> >> >If you want all of the attributes, either list everything in the search,
> >> >or do 2 searches, one without listing and one with a listing of all of the
> >> >operational attributes.
> >> >
> >> >Mark
> >> >
> >> >On Thu, 10 Aug 2000, Bing Du wrote:
> >> >
> >> >> Thanks all. Ok, I have given up using as_struct.
> >> >>
> >> >> I saw 'createtimestamp' finally by using $ldcon->search(base =>
> >> >> $BASEDN, scope => 'sub', filter => $filter,attrs=>
> >> >> ["createtimestamp"],typesonly => 0) :).
> >> >>
> >> >> A new question:
> >> >>
> >> >> I used to use
> >> >> $ldcon->search(base...,scope...,filter...,attrs=>[],typesonly...) to
> >> >> retrieve values of all attributes without specificly listing all
> >> >> attributes' names in @attrs (e.g. @attrs = ('cn', 'phone','email')), and
> >> >> then use attrs=>@attrs in 'search'. By doing this, I do not need to
> >> >> change my script whenever new attributes are added in.
> >> >>
> >> >> But now I have to explicitly specify operational attributes in
> >> >> attrs=>[] because I want them. So is there a way to represent all
> >> >> other regular attributes still without listing them explicitly?
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Bing
> >> >>
> >> >> >>> Chris Ridd <chr...@me...> 08/10/00 02:34AM >>>
> >> >> Mark Wilcox <mew...@un...> wrote:
> >> >> > Chris Ridd (who works for Messanging Direct) will be the best one to
> >> >> > answer this. But he's leaving on a trip, so I don't know if he's
> >> >> online
> >> >> > right now.
> >> >>
> >> >> Still here...
> >> >>
> >> >> > Have you verified that the attribute is actually there (ie. have you
> >> >> > dumped it out with ldapsearch or MD's version of db2ldif?)
> >> >> >
> >> >> > Mark
> >> >>
> >> >> The default access controls we have in our directory will only permit
> >> >> the
> >> >> DSA manager - which Bing is binding as, so that's OK - read access to
> >> >> createTimestamp.
> >> >>
> >> >> As others have pointed out, createTimestamp is an operational
> >> >> attribute, so
> >> >> will only be returned over LDAP when the client explicitly asks for
> >> >> it.
> >> >>
> >> >> So I suspect the problem is either that you aren't explicitly
> >> >> specifying in
> >> >> the search operation that you want the createTimestamp back, or the
> >> >> way
> >> >> you're accessing the entries back via as_struct is wrong.
> >> >>
> >> >> To check the attributes are really coming back over the network, set
> >> >> debug
> >> >> => 12 when you create the LDAP object. You will then get a whole load
> >> >> of
> >> >> output to stderr which is a dump of the raw protocol. Hopefully you'll
> >> >> see
> >> >> the createTimestamps being returned.
> >> >>
> >> >> I haven't used as_struct myself, so can't comment on that part.
> >> >>
> >> >> Cheers,
> >> >>
> >> >> Chris
> >> >>
> >> >
> >> >
> >> >
> >> >
> >>
> >> --------------------------------------------------------------------
> >> David Bussenschutt Email: D.B...@ma...
> >> Senior Computing Support Officer & Systems Administrator/Programmer
> >> Location: Griffith University. Information Technology Services
> >> Brisbane Qld. Aust. (TEN bldg. rm 1.33) Ph: (07)38757079
> >> --------------------------------------------------------------------
> >>
> >
> >
> >
> >
>
> --------------------------------------------------------------------
> David Bussenschutt Email: D.B...@ma...
> Senior Computing Support Officer & Systems Administrator/Programmer
> Location: Griffith University. Information Technology Services
> Brisbane Qld. Aust. (TEN bldg. rm 1.33) Ph: (07)38757079
> --------------------------------------------------------------------
|