LISTSERVLDAPDocumentation
ldapserver 时间:2021-05-01 阅读:()
L‐SoftSwedenAB200728November2007OverviewLISTSERVversion15.
5caninterfacetoLDAPserverstoauthenticateuserlogins,toinsertLDAPattributesinmail‐mergedistributionsaswellastoimplementDynamicQueries,anewfeaturedescribedinaseparatedocument.
ThefollowingdiagramshowstheLISTSERV15.
5LDAParchitecture,inrelationtoothercomponents:Forclarity,DynamicQueryfunctionshavebeenomittedfromthediagram,buttheyalsointerfacewiththenewLDAPfunctionality.
TheLDAPinterfaceisatthesamelevelastheDBMSinterface–notatthelevelofthevendor‐specificSQLdrivers.
Quitesimply,LDAPserversdonot"speak"SQL.
TosupportLDAP,wehadtoteachthemail‐mergeandauthenticationmodulesto"speak"LDAP.
ThisiswhythereisanewsyntaxforeveryLDAP‐relatedfunction.
Atthispoint,LISTSERVonlyqueriesLDAPdirectories.
Itwillnevertrytomakeanychanges,soitshouldnotbegivenwriteaccesstothedirectory.
LDAPDBMS(SQL)FlatFileListStorageLayerMail‐Merge(DISTRIBUTE)ListManagementAuthenticationInternalPasswords.
.
.
ODBCOCICLI1ConfiguringLDAPinLISTSERVThefirststepinusingLDAPwithLISTSERVistoaddoneormoreLDAPserversintheLISTSERVsiteconfiguration.
ThiscanbedoneviatheLISTSERVwebadministrationinterface(thepreferredmethod),oralternatelybyaddingtheentriesmanuallytoSITE.
CFGor'go'.
EachLDAPserverisgivenanicknameintheLISTSERVconfiguration,similarlytoDBMSdatasources.
YoucanalsoconfigureoneunnamedLDAPserver,againlikewithDBMSdatasources,butitisprobablylessconfusingtoassignanicknametoeveryLDAPserver.
ThreeconfigurationvariablesmustbedefinedforeveryLDAPserver:LDAP_SERVER_nickname=hostname[:port]ThehostnameandoptionalportoftheLDAPserver.
TheexactformatdependsonyouroperatingsystemandLDAPlibrary;LISTSERVpassesthisstringtotheLDAPlibraryasitis.
Onunix,SSLencryptionisrequestedbyprepending'ldaps://'tothehostname.
OnWindows,the'ldaps://'prefixisnotavailable,butsettingtheportto636automaticallyrequestsSSL.
LDAP_UID_nickname=useridLDAP_AUTH_nickname=passwordTheuseridandpasswordthatLISTSERVshoulduseinordertologintotheLDAPserver.
TheexactformatoftheuseriddependsonyourLDAPserver.
LISTSERVdoesnotattempttoparseorreformatthesevariables.
Ifthepasswordistheemptystring,mostLDAPserverswillperformananonymouslogin.
Ifbothuseridandpasswordaretheemptystring,LISTSERVwillattemptadefaultlogin,asdefinedbytheLDAPlibraryforyouroperatingsystem.
UnderWindows,LISTSERVwillbeloggedinwithitscurrentdomaincredentials(assumingitisconnectingtoanActiveDirectoryserver),andthisusuallyprovidessufficientaccess–tryitbeforeconfiguringauseridandpassword.
IftheLDAPserveristobeusedtoauthenticateLISTSERVusers,thefollowingvariablesmustalsobedefined:LDAP_PW_BASE_nickname=DNThe'distinguishedname'thatshouldbethe'base'forsearcheswhenLISTSERVlooksforauseraccount(seebelowforanexplanationoftheauthenticationprocess).
ThiscanbeusedtorestrictLISTSERVaccesstoaparticularorganizationalunitwithintheenterprise.
Ifomitted,LISTSERVtriestoguesstheDNthatwilladmitanyActiveDirectoryWindowsaccount,butthisisadifficultguesstomake,andofcourseyoumaynotevenbeconnectingtoActiveDirectory.
LDAP_PW_FILTER_nickname=filterTheLDAP'filter'thatshouldbeusedwhenlookingupuseraccounts(ifthisfilterreturnsatleastoneentry,LISTSERVallowstheusertotryandlogin;otherwise,theloginisrejected,eveniftheuserwouldotherwisebeabletologintotheLDAPserverwiththesuppliedcredentials).
Anyoccurrencesof'%s'arereplacedwiththeuser'sfulle‐mailaddress,while'%u'expandstojusttheuseridand'%h'expandstothehostname.
Ifomitted,LISTSERVusesafilterthatissuitableformostActiveDirectoryinstallations.
2Inaddition,thefollowingoptionalvariablescanbedefined:LDAP_DEFAULT_EMAIL_nickname=attributeThenameoftheattributethatordinarilyspecifiesauser'se‐mailaddressinthisdirectory.
Thisisusedasadefaultvalueinsearchesandcanbeoverridden.
Ifomitted,itdefaultsto'mail'(suitableforActiveDirectory).
LDAP_DEFAULT_NAME_nickname=attributeThenameoftheattributethatordinarilycontainstheuser'sfullname.
Defaultsto'name'.
UsingLDAPformailmergeBecauseofitscomplex,machine‐friendlysyntax,LDAPisprimarilysuitedforscripting.
Whileitisrelativelyeasyforaprogrammertowriteascriptthatsendsaweeklynoticetoeverymemberofaparticulardepartment,itisnotrealistictoexpectordinarylistownersorend‐userstounderstandtheintricaciesofLDAPanddeviseworkingsearchfilters.
Forinstance,toselectallusersinanExchangedatabase,onewouldhavetousethefollowingfilter:(&(!
(Alias=$null))(|(&(ObjectCategory=person)(ObjectClass=user)(Database=$null)(ServerLegacyDN=$null))(&(ObjectCategory=person)(ObjectClass=user)(!
(Database=$null))(!
(ServerLegacyDN=$null)))))))L‐SoftexpectsthatLDAP‐baseddistributionswillbecreatedbycustomer‐developedscripts–eitherintranetwebscriptsortraditional'cron'jobsorscheduledtasks.
Atthispoint,therearenoplanstoprovideawebinterfacepageintowhichrawLDAPsearchfilterscouldbeentered.
TocreateanLDAP‐baseddistribution,ascriptusestheDISTRIBUTEcommandandspecifiesanLDAPkeywordasfollows:DISTRIBUTE…LDAP=YES(SERVER=nickname,E‐MAIL=attribute,PARTS=attribute)ThesyntaxofthiskeywordisessentiallythesameasforSQL‐baseddistributions("DBMS="):SERVER=nicknameidentifiestheLDAPservertobequeried.
Ifomitted,thedefault(unnamed)LDAPserverisused.
E‐MAIL=attributeidentifiesthenameofthedirectoryattributecontainingtherecipient'se‐mailaddress.
Ifomitted,thevalueofLDAP_DEFAULT_EMAIL_nicknameisused.
PARTS=attributeisthenameofanoptionaldirectoryattributecontainingalistofmessagepartsthattherecipientsubscribesto.
Althoughthismail‐mergefeatureisunlikelytobeusedwithLDAP,itisavailableifdesired.
SimilarlytoSQL‐baseddistributions,the'TO'DDcontainsalistofLDAPsearchstatements,ratherthanalistofactualrecipients.
Eachlineinthe'TO'DDcanbeoneofthefollowingstatements:BASEDNThe'distinguishedname'ofthe'base'oftheLDAPsearch.
Mandatory.
3FILTERsearch_filterTheLDAPsearchfilterforthesearch.
Mandatory.
ATTRSattr1[attr2[…]]Alistofdirectoryattributesofinterest(usedinthemail‐merge).
Ifomitted,alldirectoryattributesaremadeavailable.
Attributenamesarenotcase‐sensitive.
Themainpurposeofthisstatementistoimprovesearchperformanceiftherearemanyirrelevantattributesinthedirectory.
NotethattheE‐MAILand(ifenabled)PARTSattributesmustbespecifiedorthedistributionwillfail.
SCOPEBASE|ONELEVEL|SUBTREEOptionallychangesthescopeofthesearchfromthedefault(SUBTREE).
SEARCHStartsthesearch.
ThiscommandallowsmultipleLDAPsearchestobeperformedinthesamedistribution.
Ifthereisonlyonesearch,thiscommandisoptional–LISTSERVautomaticallystartsthesearchwhenitreachestheendofthe'TO'DD.
Forinstance,thissearchwillselectallWindowsusersintheEXAMPLE.
COMdomainwithavalide‐mailaddress:BASECN=Users,DC=EXAMPLE,DC=COMFILTER(&(objectcategory=person)(objectclass=user))ATTRSNameMailPhoneSEARCHUsingLDAPforauthenticationLISTSERVcanbeconfiguredtouseoneorseveralLDAPserversforauthentication(userlogin).
YoucanchoosetoallowuserswithoutanLDAPaccounttologinwithaninternalLISTSERVpassword,ortorestrictaccesstouserswithanLDAPaccount.
LDAPauthenticationisenabledbydefiningthefollowingconfigurationvariables:LDAP_PW_SERVERS=nickname1[nickname2[…]]ThelistofLDAPserverstobequeried(inthespecifiedorder)foruseraccounts.
Besuretoenterservernicknames,nothostnames.
LDAP_PW_ONLY=0or1(default:0)Ifsetto1,onlyuserswithanLDAPaccountareallowedtologintoLISTSERV;otheruserswillonlybeabletoaccessLISTSERVanonymously.
MakesuretotestyourLDAPsettingsbeforeenablingthisoption,oryouwillnotbeabletoundoitfromthewebinterface!
Enablingthisoptiononaserverthatpreviouslyhadexternalusersislikelytoresultinsignificantconfusionfortheexternalusers,whosepasswordswillnolongerwork.
LDAP_PW_REQUIRE_SSL=0or1(default:1)WhetherornotLISTSERVshouldacceptLDAPpasswordstransmittedtothewebinterfaceinplaintext.
Bydefault,LISTSERVwillonlyattempttoverifypasswordstransmittedoverSSL.
Note4thatthisoptiondoesnotcontrolLISTSERV'sownuseofSSLwhencommunicatingwiththeLDAPserver.
SeetheLDAP_SERVER_nicknamevariable.
SIGNUP_REQUIRE_SSL=0or1(default:0)Similartotheabove,butaffectsallLISTSERVpasswords,whetherLDAPorinternal.
CanbeusedwithoutenablingLDAPauthentication.
TheLDAPauthenticationprocessWhenLDAPisenabled,LISTSERVgoesthroughthefollowingstepstologinauser:1.
TheserverslistedinLDAP_PW_SERVERSareexaminedinturn,intheorderinwhichtheywerelisted.
Foreachserver,LISTSERVexecutesthesearchconfiguredwiththeLDAP_PW_BASE_nicknameandLDAP_PW_FILTER_nicknamevariables.
LISTSERVstopsatthefirstsuccessfulsearch,orwhentherearenomoreLDAPserverstoquery.
2.
Ifnoneofthesearchesweresuccessful(noLDAPaccountexistsforthisuser),LISTSERV:a.
RejectstheloginifLDAP_PW_ONLY=1.
b.
Switchestointernal(non‐LDAP)loginifLDAP_PW_ONLY=0.
Theloginwillbevalidatedagainsttheuser'sinternalLISTSERVpassword,ifany,ortheuserwillbepromptedtocreateaLISTSERVpassword.
3.
IfanLDAPaccountwasfoundforthisuser,LISTSERV:a.
RejectstheloginifLDAP_PW_REQUIRE_SSL=1andtheloginrequestdidnotcomeoveranSSLsession.
Inthiscase,LISTSERVdoesnoteventrytoverifythepassword.
b.
VerifiesthepasswordagainsttheLDAPserverwheretheaccountwasfound,andacceptsorrejectstheloginasappropriate.
Anoteonthe"requireSSL"optionThepurposeofthe"requireSSL"optionistopreventordinary,non‐malicioususersfromjeopardizingtheirlogincredentialsfortheirpersonalconvenience,forinstancebytypingclear‐textpasswordsine‐mailrequestsbecauseitisfasterthanwaitingforaconfirmation'cookie'attheparticularInternetcaféwheretheyarereadingtheirmail.
The"requireSSL"optioneffectivelydisablestheseloginattemptsandforcesuserstologinusingthewebinterfaceandSSL.
AsLISTSERVdoesnotdirectlyprocessSSLsessions,ithasnofirst‐handknowledgeastowhetherSSLwasusedtoencrypttheloginsessionornot.
ItisthewebserverthathandlestheSSLsessionwiththeuser'sbrowser,notifiestheLISTSERVwebinterfacethatSSLwasused,andthewebinterfacescriptinturnnotifiesLISTSERVthatthepasswordwasnotsentincleartext.
LISTSERVhasnowaytoverifythisrepresentationorguaranteethatSSLwasinfactusedtotransmitthepassword.
Thisbeingsaid,thereisnoadvantageforamalicioususerinloggingintoLISTSERVwithhisowncredentialsoveranunencryptedconnection.
Themalicioususer'sinterestisforother,non‐malicioususerstoexposetheirpasswordsbysendingthemincleartext,sothatthemalicioususermaygatherthem.
5DynamicQueryfeatureAlthoughDynamicQueriesareprimarilybasedontheLDAPinterface,theyaredescribedinaseparatedocumentastheysupportbothLDAPandDBMSdatastores.
KnownissuesandrestrictionsThefollowingknownissuesandrestrictionsexist:Someunixsystemsnotsupported.
Atthispoint,LDAPfunctionalityisnotavailableforTru64orHP‐UX.
OpenLDAPlibraryrequiredtore‐linkonunix.
Customerswishingtore‐link'lsv'onunixwillhavetoinstalltheOPENLDAPlibrary(exceptonTru64andHP‐UX),eveniftheydonotwanttouseLDAP.
Staticlibrarysupportnottestedonallunixbrands.
OurgoalisforunixbuildswithLDAPfunctionalitytoworkontargetsystemsthatdonothavethedynamicLDAPlibrary,butwehavenottestedthisoneverysystem.
6
5caninterfacetoLDAPserverstoauthenticateuserlogins,toinsertLDAPattributesinmail‐mergedistributionsaswellastoimplementDynamicQueries,anewfeaturedescribedinaseparatedocument.
ThefollowingdiagramshowstheLISTSERV15.
5LDAParchitecture,inrelationtoothercomponents:Forclarity,DynamicQueryfunctionshavebeenomittedfromthediagram,buttheyalsointerfacewiththenewLDAPfunctionality.
TheLDAPinterfaceisatthesamelevelastheDBMSinterface–notatthelevelofthevendor‐specificSQLdrivers.
Quitesimply,LDAPserversdonot"speak"SQL.
TosupportLDAP,wehadtoteachthemail‐mergeandauthenticationmodulesto"speak"LDAP.
ThisiswhythereisanewsyntaxforeveryLDAP‐relatedfunction.
Atthispoint,LISTSERVonlyqueriesLDAPdirectories.
Itwillnevertrytomakeanychanges,soitshouldnotbegivenwriteaccesstothedirectory.
LDAPDBMS(SQL)FlatFileListStorageLayerMail‐Merge(DISTRIBUTE)ListManagementAuthenticationInternalPasswords.
.
.
ODBCOCICLI1ConfiguringLDAPinLISTSERVThefirststepinusingLDAPwithLISTSERVistoaddoneormoreLDAPserversintheLISTSERVsiteconfiguration.
ThiscanbedoneviatheLISTSERVwebadministrationinterface(thepreferredmethod),oralternatelybyaddingtheentriesmanuallytoSITE.
CFGor'go'.
EachLDAPserverisgivenanicknameintheLISTSERVconfiguration,similarlytoDBMSdatasources.
YoucanalsoconfigureoneunnamedLDAPserver,againlikewithDBMSdatasources,butitisprobablylessconfusingtoassignanicknametoeveryLDAPserver.
ThreeconfigurationvariablesmustbedefinedforeveryLDAPserver:LDAP_SERVER_nickname=hostname[:port]ThehostnameandoptionalportoftheLDAPserver.
TheexactformatdependsonyouroperatingsystemandLDAPlibrary;LISTSERVpassesthisstringtotheLDAPlibraryasitis.
Onunix,SSLencryptionisrequestedbyprepending'ldaps://'tothehostname.
OnWindows,the'ldaps://'prefixisnotavailable,butsettingtheportto636automaticallyrequestsSSL.
LDAP_UID_nickname=useridLDAP_AUTH_nickname=passwordTheuseridandpasswordthatLISTSERVshoulduseinordertologintotheLDAPserver.
TheexactformatoftheuseriddependsonyourLDAPserver.
LISTSERVdoesnotattempttoparseorreformatthesevariables.
Ifthepasswordistheemptystring,mostLDAPserverswillperformananonymouslogin.
Ifbothuseridandpasswordaretheemptystring,LISTSERVwillattemptadefaultlogin,asdefinedbytheLDAPlibraryforyouroperatingsystem.
UnderWindows,LISTSERVwillbeloggedinwithitscurrentdomaincredentials(assumingitisconnectingtoanActiveDirectoryserver),andthisusuallyprovidessufficientaccess–tryitbeforeconfiguringauseridandpassword.
IftheLDAPserveristobeusedtoauthenticateLISTSERVusers,thefollowingvariablesmustalsobedefined:LDAP_PW_BASE_nickname=DNThe'distinguishedname'thatshouldbethe'base'forsearcheswhenLISTSERVlooksforauseraccount(seebelowforanexplanationoftheauthenticationprocess).
ThiscanbeusedtorestrictLISTSERVaccesstoaparticularorganizationalunitwithintheenterprise.
Ifomitted,LISTSERVtriestoguesstheDNthatwilladmitanyActiveDirectoryWindowsaccount,butthisisadifficultguesstomake,andofcourseyoumaynotevenbeconnectingtoActiveDirectory.
LDAP_PW_FILTER_nickname=filterTheLDAP'filter'thatshouldbeusedwhenlookingupuseraccounts(ifthisfilterreturnsatleastoneentry,LISTSERVallowstheusertotryandlogin;otherwise,theloginisrejected,eveniftheuserwouldotherwisebeabletologintotheLDAPserverwiththesuppliedcredentials).
Anyoccurrencesof'%s'arereplacedwiththeuser'sfulle‐mailaddress,while'%u'expandstojusttheuseridand'%h'expandstothehostname.
Ifomitted,LISTSERVusesafilterthatissuitableformostActiveDirectoryinstallations.
2Inaddition,thefollowingoptionalvariablescanbedefined:LDAP_DEFAULT_EMAIL_nickname=attributeThenameoftheattributethatordinarilyspecifiesauser'se‐mailaddressinthisdirectory.
Thisisusedasadefaultvalueinsearchesandcanbeoverridden.
Ifomitted,itdefaultsto'mail'(suitableforActiveDirectory).
LDAP_DEFAULT_NAME_nickname=attributeThenameoftheattributethatordinarilycontainstheuser'sfullname.
Defaultsto'name'.
UsingLDAPformailmergeBecauseofitscomplex,machine‐friendlysyntax,LDAPisprimarilysuitedforscripting.
Whileitisrelativelyeasyforaprogrammertowriteascriptthatsendsaweeklynoticetoeverymemberofaparticulardepartment,itisnotrealistictoexpectordinarylistownersorend‐userstounderstandtheintricaciesofLDAPanddeviseworkingsearchfilters.
Forinstance,toselectallusersinanExchangedatabase,onewouldhavetousethefollowingfilter:(&(!
(Alias=$null))(|(&(ObjectCategory=person)(ObjectClass=user)(Database=$null)(ServerLegacyDN=$null))(&(ObjectCategory=person)(ObjectClass=user)(!
(Database=$null))(!
(ServerLegacyDN=$null)))))))L‐SoftexpectsthatLDAP‐baseddistributionswillbecreatedbycustomer‐developedscripts–eitherintranetwebscriptsortraditional'cron'jobsorscheduledtasks.
Atthispoint,therearenoplanstoprovideawebinterfacepageintowhichrawLDAPsearchfilterscouldbeentered.
TocreateanLDAP‐baseddistribution,ascriptusestheDISTRIBUTEcommandandspecifiesanLDAPkeywordasfollows:DISTRIBUTE…LDAP=YES(SERVER=nickname,E‐MAIL=attribute,PARTS=attribute)ThesyntaxofthiskeywordisessentiallythesameasforSQL‐baseddistributions("DBMS="):SERVER=nicknameidentifiestheLDAPservertobequeried.
Ifomitted,thedefault(unnamed)LDAPserverisused.
E‐MAIL=attributeidentifiesthenameofthedirectoryattributecontainingtherecipient'se‐mailaddress.
Ifomitted,thevalueofLDAP_DEFAULT_EMAIL_nicknameisused.
PARTS=attributeisthenameofanoptionaldirectoryattributecontainingalistofmessagepartsthattherecipientsubscribesto.
Althoughthismail‐mergefeatureisunlikelytobeusedwithLDAP,itisavailableifdesired.
SimilarlytoSQL‐baseddistributions,the'TO'DDcontainsalistofLDAPsearchstatements,ratherthanalistofactualrecipients.
Eachlineinthe'TO'DDcanbeoneofthefollowingstatements:BASEDNThe'distinguishedname'ofthe'base'oftheLDAPsearch.
Mandatory.
3FILTERsearch_filterTheLDAPsearchfilterforthesearch.
Mandatory.
ATTRSattr1[attr2[…]]Alistofdirectoryattributesofinterest(usedinthemail‐merge).
Ifomitted,alldirectoryattributesaremadeavailable.
Attributenamesarenotcase‐sensitive.
Themainpurposeofthisstatementistoimprovesearchperformanceiftherearemanyirrelevantattributesinthedirectory.
NotethattheE‐MAILand(ifenabled)PARTSattributesmustbespecifiedorthedistributionwillfail.
SCOPEBASE|ONELEVEL|SUBTREEOptionallychangesthescopeofthesearchfromthedefault(SUBTREE).
SEARCHStartsthesearch.
ThiscommandallowsmultipleLDAPsearchestobeperformedinthesamedistribution.
Ifthereisonlyonesearch,thiscommandisoptional–LISTSERVautomaticallystartsthesearchwhenitreachestheendofthe'TO'DD.
Forinstance,thissearchwillselectallWindowsusersintheEXAMPLE.
COMdomainwithavalide‐mailaddress:BASECN=Users,DC=EXAMPLE,DC=COMFILTER(&(objectcategory=person)(objectclass=user))ATTRSNameMailPhoneSEARCHUsingLDAPforauthenticationLISTSERVcanbeconfiguredtouseoneorseveralLDAPserversforauthentication(userlogin).
YoucanchoosetoallowuserswithoutanLDAPaccounttologinwithaninternalLISTSERVpassword,ortorestrictaccesstouserswithanLDAPaccount.
LDAPauthenticationisenabledbydefiningthefollowingconfigurationvariables:LDAP_PW_SERVERS=nickname1[nickname2[…]]ThelistofLDAPserverstobequeried(inthespecifiedorder)foruseraccounts.
Besuretoenterservernicknames,nothostnames.
LDAP_PW_ONLY=0or1(default:0)Ifsetto1,onlyuserswithanLDAPaccountareallowedtologintoLISTSERV;otheruserswillonlybeabletoaccessLISTSERVanonymously.
MakesuretotestyourLDAPsettingsbeforeenablingthisoption,oryouwillnotbeabletoundoitfromthewebinterface!
Enablingthisoptiononaserverthatpreviouslyhadexternalusersislikelytoresultinsignificantconfusionfortheexternalusers,whosepasswordswillnolongerwork.
LDAP_PW_REQUIRE_SSL=0or1(default:1)WhetherornotLISTSERVshouldacceptLDAPpasswordstransmittedtothewebinterfaceinplaintext.
Bydefault,LISTSERVwillonlyattempttoverifypasswordstransmittedoverSSL.
Note4thatthisoptiondoesnotcontrolLISTSERV'sownuseofSSLwhencommunicatingwiththeLDAPserver.
SeetheLDAP_SERVER_nicknamevariable.
SIGNUP_REQUIRE_SSL=0or1(default:0)Similartotheabove,butaffectsallLISTSERVpasswords,whetherLDAPorinternal.
CanbeusedwithoutenablingLDAPauthentication.
TheLDAPauthenticationprocessWhenLDAPisenabled,LISTSERVgoesthroughthefollowingstepstologinauser:1.
TheserverslistedinLDAP_PW_SERVERSareexaminedinturn,intheorderinwhichtheywerelisted.
Foreachserver,LISTSERVexecutesthesearchconfiguredwiththeLDAP_PW_BASE_nicknameandLDAP_PW_FILTER_nicknamevariables.
LISTSERVstopsatthefirstsuccessfulsearch,orwhentherearenomoreLDAPserverstoquery.
2.
Ifnoneofthesearchesweresuccessful(noLDAPaccountexistsforthisuser),LISTSERV:a.
RejectstheloginifLDAP_PW_ONLY=1.
b.
Switchestointernal(non‐LDAP)loginifLDAP_PW_ONLY=0.
Theloginwillbevalidatedagainsttheuser'sinternalLISTSERVpassword,ifany,ortheuserwillbepromptedtocreateaLISTSERVpassword.
3.
IfanLDAPaccountwasfoundforthisuser,LISTSERV:a.
RejectstheloginifLDAP_PW_REQUIRE_SSL=1andtheloginrequestdidnotcomeoveranSSLsession.
Inthiscase,LISTSERVdoesnoteventrytoverifythepassword.
b.
VerifiesthepasswordagainsttheLDAPserverwheretheaccountwasfound,andacceptsorrejectstheloginasappropriate.
Anoteonthe"requireSSL"optionThepurposeofthe"requireSSL"optionistopreventordinary,non‐malicioususersfromjeopardizingtheirlogincredentialsfortheirpersonalconvenience,forinstancebytypingclear‐textpasswordsine‐mailrequestsbecauseitisfasterthanwaitingforaconfirmation'cookie'attheparticularInternetcaféwheretheyarereadingtheirmail.
The"requireSSL"optioneffectivelydisablestheseloginattemptsandforcesuserstologinusingthewebinterfaceandSSL.
AsLISTSERVdoesnotdirectlyprocessSSLsessions,ithasnofirst‐handknowledgeastowhetherSSLwasusedtoencrypttheloginsessionornot.
ItisthewebserverthathandlestheSSLsessionwiththeuser'sbrowser,notifiestheLISTSERVwebinterfacethatSSLwasused,andthewebinterfacescriptinturnnotifiesLISTSERVthatthepasswordwasnotsentincleartext.
LISTSERVhasnowaytoverifythisrepresentationorguaranteethatSSLwasinfactusedtotransmitthepassword.
Thisbeingsaid,thereisnoadvantageforamalicioususerinloggingintoLISTSERVwithhisowncredentialsoveranunencryptedconnection.
Themalicioususer'sinterestisforother,non‐malicioususerstoexposetheirpasswordsbysendingthemincleartext,sothatthemalicioususermaygatherthem.
5DynamicQueryfeatureAlthoughDynamicQueriesareprimarilybasedontheLDAPinterface,theyaredescribedinaseparatedocumentastheysupportbothLDAPandDBMSdatastores.
KnownissuesandrestrictionsThefollowingknownissuesandrestrictionsexist:Someunixsystemsnotsupported.
Atthispoint,LDAPfunctionalityisnotavailableforTru64orHP‐UX.
OpenLDAPlibraryrequiredtore‐linkonunix.
Customerswishingtore‐link'lsv'onunixwillhavetoinstalltheOPENLDAPlibrary(exceptonTru64andHP‐UX),eveniftheydonotwanttouseLDAP.
Staticlibrarysupportnottestedonallunixbrands.
OurgoalisforunixbuildswithLDAPfunctionalitytoworkontargetsystemsthatdonothavethedynamicLDAPlibrary,butwehavenottestedthisoneverysystem.
6
- LISTSERVLDAPDocumentation相关文档
- localhostldapserver
- Simplifiedldapserver
- instructorsldapserver
- contentsldapserver
- 思科ldapserver
- 单点ldapserver
10gbiz($2.36/月),香港/洛杉矶CN2 GIA线路VPS,香港/日本独立服务器
10gbiz发布了9月优惠方案,针对VPS、独立服务器、站群服务器、高防服务器等均提供了一系列优惠方面,其中香港/洛杉矶CN2 GIA线路VPS主机4折优惠继续,优惠后最低每月仅2.36美元起;日本/香港独立服务器提供特价款首月1.5折27.43美元起;站群/G口服务器首月半价,高防服务器永久8.5折等。这是一家成立于2020年的主机商,提供包括独立服务器租用和VPS主机等产品,数据中心包括美国洛...
美得云(20元)香港特价将军澳CTG+CN2云服务器
美得云成立于2021年,是一家云产品管理服务商(cloud)专业提供云计算服务、DDOS防护、网络安全服务、国内海外数据中心托管租用等业务、20000+用户的选择,43800+小时稳定运行香港特价将军澳CTG+CN2云服务器、采用高端CPU 优质CN2路线 SDD硬盘。香港CTG+CN22核2G3M20G数据盘25元点击购买香港CTG+CN22核2G5M30G数据盘39元点击购买香港CTG+CN...
GeorgeDatacenter:洛杉矶/达拉斯/芝加哥/纽约vps云服务器;2核/8GB/250GB/2TB流量/1Gbps端口,$84/年
georgedatacenter怎么样?GeorgeDatacenter是一家2017年成立的美国商家,正规注册公司(REG: 10327625611),其实是oneman。现在有优惠,有几款特价VPS,基于Vmware。支持Paypal付款。GeorgeDatacenter目前推出的一款美国vps,2核/8GB内存/250GB NVMe空间/2TB流量/1Gbps端口/Vmware/洛杉矶/达拉...
ldapserver为你推荐
-
采用360操作httpcisco2960cisco2960接入层交换机360免费建站我用的360免费建站,但自己买的一级域名要先备案,360不提供备案,我要怎么做才能把我的域名绑定网站啊?flashfxp注册码谁有~FLASHfxp V3.0.2的注册码~~谢谢哦!!要现在能用的!!!!大飞资讯单仁资讯的黄功夫是何许人?颁发的拼音大致的致的拼音闪拍网关于闪拍网骗人的情况?温州都市报招聘劳务市场找工作可靠吗qq头像上传失败我怎么总是QQ上传头像失败,