RE: LDAP Query Performance question

[Burns, John D]

Mike-

When you do this is this a loop that runs 5500 queries or 1 query that
updates 5500 records? Just curious what the impact is for each
connection.

John

-Original Message-
From: Dawson, Michael [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2008 3:45 PM
To: cf-talk
Subject: RE: LDAP Query Performance question

Oh, by the way, regarding my earlier message.  We have about 5,500
accounts that I update on a daily basis.  Performance isn't really an
issue, however, I have plans to cut this down from taking several
minutes, to just a few dozen seconds.

Mike 

-Original Message-
From: Burns, John D [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2008 12:03 PM
To: cf-talk
Subject: RE: LDAP Query Performance question

It's just a nightly task but it may have 300-400 results each time it
runs. I don't think it'll bring down the house or anything it just
brought up the question to see if there was a more elegant way of doing
it.



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314769
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Query Performance question

[Dawson, Michael]

My current process is to query AD using CFLDAP.  That returns about
5,500 user objects.

Then, I loop over those results and perform a CFQUERY to a SQL 2005
database.  Our SQL server is pretty beefy, so we haven't had any
performance issues.

My goal of this process is to compare names, titles, phones, addresses,
etc, from AD to the daily-updated information in SQL.  If any one of the
data attributes is different, then I perform an LDAP update to refresh
that particular user object.

It does take a few minutes to run, however, I have found a faster method
of connecting AD directly to SQL Server.

When I get some time, I'm going to rewrite this process to actually join
AD and the SQL table and compare the data in one swoop rather than
thousands of swoops.

Then, I will be able to schedule this as a SQL job and take the full
load of of ColdFusion.  Until then, it doesn't hurt a thing.

Mike

-Original Message-
From: Burns, John D [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2008 9:19 AM
To: cf-talk
Subject: RE: LDAP Query Performance question

Mike-

When you do this is this a loop that runs 5500 queries or 1 query that
updates 5500 records? Just curious what the impact is for each
connection.

John

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314770
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: LDAP Query Performance question

[Burns, John D]

See, I'm doing the opposite. I'm getting a list of accounts from a SQL
database and trying to then perform a read query to get those user
accounts from AD. However, I can't find an elegant way to do that in 1
query so I'm looping over my results and doing individual queries to the
AD for each account. I'm definitely looking into this AD/SQL linking
which I had never heard of before. Thanks for the help!

John

-Original Message-
From: Dawson, Michael [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2008 10:27 AM
To: cf-talk
Subject: RE: LDAP Query Performance question

My current process is to query AD using CFLDAP.  That returns about
5,500 user objects.

Then, I loop over those results and perform a CFQUERY to a SQL 2005
database.  Our SQL server is pretty beefy, so we haven't had any
performance issues.

My goal of this process is to compare names, titles, phones, addresses,
etc, from AD to the daily-updated information in SQL.  If any one of the
data attributes is different, then I perform an LDAP update to refresh
that particular user object.

It does take a few minutes to run, however, I have found a faster method
of connecting AD directly to SQL Server.

When I get some time, I'm going to rewrite this process to actually join
AD and the SQL table and compare the data in one swoop rather than
thousands of swoops.

Then, I will be able to schedule this as a SQL job and take the full
load of of ColdFusion.  Until then, it doesn't hurt a thing.

Mike

-Original Message-
From: Burns, John D [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2008 9:19 AM
To: cf-talk
Subject: RE: LDAP Query Performance question

Mike-

When you do this is this a loop that runs 5500 queries or 1 query that
updates 5500 records? Just curious what the impact is for each
connection.

John



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314771
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Query Performance question

[Dawson, Michael]

Would it help if you used some sort of group membership?

For example, your SQL query would add all accounts to a domain group, or
remove accounts, as needed.  Then, you would just pull all members of
that group in one CFLDAP query.

I do something similar to this every morning.  My process determines who
is an active employee, faculty or student.

I have a SSIS job that pulls current employment information from our HR
system.  It then checks to see if each employee is a member of our
Current Employees domain group.  If it is not a member, it adds them.

Conversely, it also checks to see if any group members are no longer
employed.  If not, they are removed from the domain group.

The result is the domain group is competely updated every morning.
Performance is high, because group membership does not change greatly on
a daily basis.  You may add/drop a member here and there, but the entire
group is usually not completely changed.

mike 

-Original Message-
From: Burns, John D [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2008 9:31 AM
To: cf-talk
Subject: RE: LDAP Query Performance question

See, I'm doing the opposite. I'm getting a list of accounts from a SQL
database and trying to then perform a read query to get those user
accounts from AD. However, I can't find an elegant way to do that in 1
query so I'm looping over my results and doing individual queries to the
AD for each account. I'm definitely looking into this AD/SQL linking
which I had never heard of before. Thanks for the help!

John

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314773
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: LDAP Query Performance question

[Shannon Peevey]

Here is a link to information about optimizing and profiling ldap queries to
AD:
http://robbieallen.com/downloads/RAllen_LDAP_Searching.ppt

On Fri, Oct 31, 2008 at 11:25 AM, Burns, John D [EMAIL PROTECTED] wrote:

 I have a query of a SQL table that returns to me a bunch of usernames.
 From that, I need to query some information out of Active Directory for
 each user. Right now I have it looping over each row in the result from
 the SQL query and doing a separate LDAP query to the AD. This just
 doesn't seem like the best way to do things. Does anyone know if there's
 a syntax within LDAP querying of the AD to do something like an IN
 keyword where I could give the whole list of usernames I want to query
 and get a single result set back from one query instead of doing
 individual queries? There's no commonality amongst the user accounts in
 the AD except for the fact that their usernames are all in this external
 SQL table. Let me know if you have any ideas. Or maybe the single LDAP
 queries aren't as intensive as bad as what I'm thinking. I just know I
 always try to avoid multiple queries in SQL whenever possible. Here's
 the syntax I'm using now when querying the AD:

cfldap action=QUERY
   name=GetEmployeeIDByUsername
   attributes=cn,displayName,givenName,extensionAttribute1
   start=dc=domain,dc=com
   scope=subtree
   filter=((objectCategory=Person)(cn=#myQuery.username#))
   server=domaincontroller.mydomain.com
   username=#ADUsername#
   password=#ADPassword#

 Thanks in advance for any help.


 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314681
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: LDAP Query Performance question

[Tom Chiverton]

On Friday 31 Oct 2008, Burns, John D wrote:
 I have a query of a SQL table that returns to me a bunch of usernames.
 From that, I need to query some information out of Active Directory for
 each user. Right now I have it looping over each row in the result from

Firstly, how many is a bunch, how up-to-date does the result for each need to 
be,and how often is the AD data updated (and how) ?

It maybe you can just cache the result, or have the new data for a person 
pushed to you.
-- 
Tom Chiverton
Helping to efficiently incentivize visionary intuitive six-generation 
environments





This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and 
Wales under registered number OC307980 whose registered office address is at 
Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB.  A list 
of members is available for inspection at the registered office. Any reference 
to a partner in relation to Halliwells LLP means a member of Halliwells LLP.  
Regulated by The Solicitors Regulation Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be 
confidential or legally privileged.  If you are not the addressee you must not 
read it and must not use any information contained in nor copy it nor inform 
any person other than Halliwells LLP or the addressee of its existence or 
contents.  If you have received this email in error please delete it and notify 
Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.halliwells.com.

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314682
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Query Performance question

[Burns, John D]

It's just a nightly task but it may have 300-400 results each time it
runs. I don't think it'll bring down the house or anything it just
brought up the question to see if there was a more elegant way of doing
it.

-Original Message-
From: Tom Chiverton [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2008 12:51 PM
To: cf-talk
Subject: Re: LDAP Query Performance question

On Friday 31 Oct 2008, Burns, John D wrote:
 I have a query of a SQL table that returns to me a bunch of usernames.
 From that, I need to query some information out of Active Directory
for
 each user. Right now I have it looping over each row in the result
from

Firstly, how many is a bunch, how up-to-date does the result for each
need to 
be,and how often is the AD data updated (and how) ?

It maybe you can just cache the result, or have the new data for a
person 
pushed to you.
-- 
Tom Chiverton
Helping to efficiently incentivize visionary intuitive six-generation 
environments





This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England
and Wales under registered number OC307980 whose registered office
address is at Halliwells LLP, 3 Hardman Square, Spinningfields,
Manchester, M3 3EB.  A list of members is available for inspection at
the registered office. Any reference to a partner in relation to
Halliwells LLP means a member of Halliwells LLP.  Regulated by The
Solicitors Regulation Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and
may be confidential or legally privileged.  If you are not the addressee
you must not read it and must not use any information contained in nor
copy it nor inform any person other than Halliwells LLP or the addressee
of its existence or contents.  If you have received this email in error
please delete it and notify Halliwells LLP IT Department on 0870 365
2500.

For more information about Halliwells LLP visit www.halliwells.com.



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314684
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Query Performance question

[Dawson, Michael]

First, do you have SQL Server 200x?  If so, create a link to Active
Directory and then you can join the two datasources just as you would
join two tables.

If not, retrieve all your AD accounts, using a single CFLDAP query and
store them in a SQL database.  From there, you can join the data as
needed.

If you have a beefy domain controller, you should not have any problems
hitting the directory hundreds, or thousands, of times.  I do this on an
almost-daily basis.

You could build your LDAP filter to retrieve multiple accounts, however,
I wouldn't have it return more than a couple dozen, at a time.

Try changing your filter to be something like:

((objectCategory=Person)(|(cn=user_1)(cn=user_2)(cn=user_n)))

Personally, I'd just hit the domain controllers as you are doing now and
be happy in the simplicity of the solution.

Mike

-Original Message-
From: Burns, John D [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2008 11:26 AM
To: cf-talk
Subject: LDAP Query Performance question

I have a query of a SQL table that returns to me a bunch of usernames.
From that, I need to query some information out of Active Directory for
each user. Right now I have it looping over each row in the result from
the SQL query and doing a separate LDAP query to the AD. This just
doesn't seem like the best way to do things. Does anyone know if there's
a syntax within LDAP querying of the AD to do something like an IN
keyword where I could give the whole list of usernames I want to query
and get a single result set back from one query instead of doing
individual queries? There's no commonality amongst the user accounts in
the AD except for the fact that their usernames are all in this external
SQL table. Let me know if you have any ideas. Or maybe the single LDAP
queries aren't as intensive as bad as what I'm thinking. I just know I
always try to avoid multiple queries in SQL whenever possible. Here's
the syntax I'm using now when querying the AD:

cfldap action=QUERY
   name=GetEmployeeIDByUsername
   attributes=cn,displayName,givenName,extensionAttribute1
   start=dc=domain,dc=com
   scope=subtree
   filter=((objectCategory=Person)(cn=#myQuery.username#))
   server=domaincontroller.mydomain.com
   username=#ADUsername#
   password=#ADPassword#

Thanks in advance for any help.

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314700
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Query Performance question

[Dawson, Michael]

Oh, by the way, regarding my earlier message.  We have about 5,500
accounts that I update on a daily basis.  Performance isn't really an
issue, however, I have plans to cut this down from taking several
minutes, to just a few dozen seconds.

Mike 

-Original Message-
From: Burns, John D [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2008 12:03 PM
To: cf-talk
Subject: RE: LDAP Query Performance question

It's just a nightly task but it may have 300-400 results each time it
runs. I don't think it'll bring down the house or anything it just
brought up the question to see if there was a more elegant way of doing
it.

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314701
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: LDAP Query Performance question

[Shannon Peevey]

LDAP is optimized for reading, so I would assume that tens of thousands of
requests per second shouldn't phase it.  (OpenLDAP 2.4 can handle 32,000 per
second, (I can't seem to find a number for Active Directory)).

speeves

On Fri, Oct 31, 2008 at 2:45 PM, Dawson, Michael [EMAIL PROTECTED]wrote:

 Oh, by the way, regarding my earlier message.  We have about 5,500
 accounts that I update on a daily basis.  Performance isn't really an
 issue, however, I have plans to cut this down from taking several
 minutes, to just a few dozen seconds.

 Mike

 -Original Message-
 From: Burns, John D [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 31, 2008 12:03 PM
 To: cf-talk
 Subject: RE: LDAP Query Performance question

 It's just a nightly task but it may have 300-400 results each time it
 runs. I don't think it'll bring down the house or anything it just
 brought up the question to see if there was a more elegant way of doing
 it.

 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314704
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Query Performance question

[Dawson, Michael]

AD can handle 32,001

;^)

-Original Message-
From: Shannon Peevey [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2008 3:06 PM
To: cf-talk
Subject: Re: LDAP Query Performance question

LDAP is optimized for reading, so I would assume that tens of thousands
of requests per second shouldn't phase it.  (OpenLDAP 2.4 can handle
32,000 per second, (I can't seem to find a number for Active
Directory)).

speeves

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314705
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: LDAP Query Performance question

[Shannon Peevey]

My point exactly :)

On Fri, Oct 31, 2008 at 3:17 PM, Dawson, Michael [EMAIL PROTECTED]wrote:

 AD can handle 32,001

 ;^)

 -Original Message-
 From: Shannon Peevey [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 31, 2008 3:06 PM
 To: cf-talk
 Subject: Re: LDAP Query Performance question

 LDAP is optimized for reading, so I would assume that tens of thousands
 of requests per second shouldn't phase it.  (OpenLDAP 2.4 can handle
 32,000 per second, (I can't seem to find a number for Active
 Directory)).

 speeves

 

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314707
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Query for group members

[Dawson, Michael]

There are a couple of solutions to this issue, however, one is the best.
I'll save that for last, of course.

Member is a multi-value attribute in Active Directory.  By default, it
is a comma-delimited value.  As you have found, distinguished names are
also comma-delimted by nature.

You can solve this issue by using CFLDAP's SEPARATOR attribute.  If you
specify a tab char, chr(9), you will get back a tab-separated list of
member distinguished names.  You can then use CFLOOP to loop over each
member.  However, if you want to know the member's first name, you would
have to perform another LDAP query for each member.  That could, and
will, be very slow, if you have a large group.

You will also have a limitation of 1000 members.  Active Directory
returns only 1000 values in a multi-value attribute.  There is a
workaround for this, but it really sucks.  I don't even want to talk
about it.

Basically, this will get you close to what you are doing now, with the
only improvement of a tab-separated list of members.

The best solution comes now...  It is so simple, it will make you
giggle.

Rather than query a group's members, you are better off querying all
users who are a member of a group.

Basically, you will set your filter to be:
((objectCategory=Person)(memberOf=DN=GroupName, OU=Org, DC=domain,
DC=com))

Also, you need to specify the DELIMITER attribute in the CFLDAP tag.
Set it to a tab character chr(9).  You won't be passing any tabs in your
filter, however, this prevents any errors because of the commas in the
group's distinguished name.

Then, in your CFLDAP tag, you can specify all of the user attributes
that you need: givenName, sn, title, department, telephoneNumber, etc.
You will get it all back in one CF query object.

The best part is that you are not limited to the 1000-value limit that
you would have hit by using the first method.

However, you may hit another limit in the number of records that Active
Directory returns via LDAP queries.  By default, I think it may be 1000,
but you can modify your domain controllers to increase that limit.  I
increased our limit to 10,000 records.

If you have this problem, Google ntdsutil and maxpagesize or just
click here: http://support.microsoft.com/kb/315071

m!ke

-Original Message-
From: Burns, John D [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 22, 2008 9:30 AM
To: CF-Talk
Subject: LDAP Query for group members

I'm trying to find out if there's a simpler way to do this than what I'm
doing. Currently, I'm querying a group from LDAP and retrieving the
attribute called Member which gives me this ugly result set of one
record with all of these domain users' distinguished names instead of
just the AD username. I can parse this, but it's a mess because the
names look like this: CN=User.Name, OU=Users, OU=Location,
OU=Organization, DC=domain, DC=com, CN=User2.Name, OU=Users,.

The ldap code looks like this currently:

cfldap action=QUERY
   name=GetGroupMembers
   attributes=Member
   start=dc=[domain],dc=com
   scope=subtree
   filter=((objectclass=group)(samaccountname=[groupI'mTryingtoGet]))
   server=[myDomainController]
   username=[username]
   password=[password]

I'd like to find a way to query the names and have them return as a
result set with one row for each user. Obviously, the parsing of the
file would be difficult because of all the commas in a single record but
it's possible because of each record starting with CN. Anyone have a
better way of doing this? Is there some sort of LDAP function you can
pass to get it to return just the username instead of the full DN?
Eventually, I'm assuming I'll hit the same roadblock on querying a
user's groups to see if they're in a specific group. Any information to
make my life easier would be greatly appreciated. Thanks!

John Burns

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299722
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Query for group members

[Dawson, Michael]

Also, you need to specify the DELIMITER attribute in the CFLDAP tag.
Set it to a tab character chr(9).  You won't be passing any tabs in your
filter, however, this prevents any errors because of the commas in the
group's distinguished name.

Ignore this part of my message.  This is only needed if you are
specifying a distinguished name in the ATTRIBUTES attribute.  Since you
are specifying the group's DN in the FILTER attribute, you don't need
the DELIMITER attribute.

Sorry for the confusion.  I'm doing this from memory since I'm on a very
slow dial-up connection through my Treo and I don't have access to my
servers from here.

m!ke

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299724
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: LDAP Query for group members

[Burns, John D]

Michael-

AWESOME! Thank you so much for the help. Is it as simple to add users to
the group using the same method? Did you come up with this on your own
or find this info somewhere? Any other tips of things I can look out for
as I'm working with CFLDAP?

John

-Original Message-
From: Dawson, Michael [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 22, 2008 12:08 PM
To: CF-Talk
Subject: RE: LDAP Query for group members

There are a couple of solutions to this issue, however, one is the best.
I'll save that for last, of course.

Member is a multi-value attribute in Active Directory.  By default, it
is a comma-delimited value.  As you have found, distinguished names are
also comma-delimted by nature.

You can solve this issue by using CFLDAP's SEPARATOR attribute.  If you
specify a tab char, chr(9), you will get back a tab-separated list of
member distinguished names.  You can then use CFLOOP to loop over each
member.  However, if you want to know the member's first name, you would
have to perform another LDAP query for each member.  That could, and
will, be very slow, if you have a large group.

You will also have a limitation of 1000 members.  Active Directory
returns only 1000 values in a multi-value attribute.  There is a
workaround for this, but it really sucks.  I don't even want to talk
about it.

Basically, this will get you close to what you are doing now, with the
only improvement of a tab-separated list of members.

The best solution comes now...  It is so simple, it will make you
giggle.

Rather than query a group's members, you are better off querying all
users who are a member of a group.

Basically, you will set your filter to be:
((objectCategory=Person)(memberOf=DN=GroupName, OU=Org, DC=domain,
DC=com))

Also, you need to specify the DELIMITER attribute in the CFLDAP tag.
Set it to a tab character chr(9).  You won't be passing any tabs in your
filter, however, this prevents any errors because of the commas in the
group's distinguished name.

Then, in your CFLDAP tag, you can specify all of the user attributes
that you need: givenName, sn, title, department, telephoneNumber, etc.
You will get it all back in one CF query object.

The best part is that you are not limited to the 1000-value limit that
you would have hit by using the first method.

However, you may hit another limit in the number of records that Active
Directory returns via LDAP queries.  By default, I think it may be 1000,
but you can modify your domain controllers to increase that limit.  I
increased our limit to 10,000 records.

If you have this problem, Google ntdsutil and maxpagesize or just
click here: http://support.microsoft.com/kb/315071

m!ke

-Original Message-
From: Burns, John D [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 22, 2008 9:30 AM
To: CF-Talk
Subject: LDAP Query for group members

I'm trying to find out if there's a simpler way to do this than what I'm
doing. Currently, I'm querying a group from LDAP and retrieving the
attribute called Member which gives me this ugly result set of one
record with all of these domain users' distinguished names instead of
just the AD username. I can parse this, but it's a mess because the
names look like this: CN=User.Name, OU=Users, OU=Location,
OU=Organization, DC=domain, DC=com, CN=User2.Name, OU=Users,.

The ldap code looks like this currently:

cfldap action=QUERY
   name=GetGroupMembers
   attributes=Member
   start=dc=[domain],dc=com
   scope=subtree
   filter=((objectclass=group)(samaccountname=[groupI'mTryingtoGet]))
   server=[myDomainController]
   username=[username]
   password=[password]

I'd like to find a way to query the names and have them return as a
result set with one row for each user. Obviously, the parsing of the
file would be difficult because of all the commas in a single record but
it's possible because of each record starting with CN. Anyone have a
better way of doing this? Is there some sort of LDAP function you can
pass to get it to return just the username instead of the full DN?
Eventually, I'm assuming I'll hit the same roadblock on querying a
user's groups to see if they're in a specific group. Any information to
make my life easier would be greatly appreciated. Thanks!

John Burns



~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299740
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: LDAP Query for group members

[Burns, John D]

AWESOME! Thank you so much for the help. Is it as simple to add users to
the group using the same method? Did you come up with this on your own
or find this info somewhere? Any other tips of things I can look out for
as I'm working with CFLDAP?

John

-Original Message-
From: Dawson, Michael [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 22, 2008 12:08 PM
To: CF-Talk
Subject: RE: LDAP Query for group members

There are a couple of solutions to this issue, however, one is the best.
I'll save that for last, of course.

Member is a multi-value attribute in Active Directory.  By default, it
is a comma-delimited value.  As you have found, distinguished names are
also comma-delimted by nature.

You can solve this issue by using CFLDAP's SEPARATOR attribute.  If you
specify a tab char, chr(9), you will get back a tab-separated list of
member distinguished names.  You can then use CFLOOP to loop over each
member.  However, if you want to know the member's first name, you would
have to perform another LDAP query for each member.  That could, and
will, be very slow, if you have a large group.

You will also have a limitation of 1000 members.  Active Directory
returns only 1000 values in a multi-value attribute.  There is a
workaround for this, but it really sucks.  I don't even want to talk
about it.

Basically, this will get you close to what you are doing now, with the
only improvement of a tab-separated list of members.

The best solution comes now...  It is so simple, it will make you
giggle.

Rather than query a group's members, you are better off querying all
users who are a member of a group.

Basically, you will set your filter to be:
((objectCategory=Person)(memberOf=DN=GroupName, OU=Org, DC=domain,
DC=com))

Also, you need to specify the DELIMITER attribute in the CFLDAP tag.
Set it to a tab character chr(9).  You won't be passing any tabs in your
filter, however, this prevents any errors because of the commas in the
group's distinguished name.

Then, in your CFLDAP tag, you can specify all of the user attributes
that you need: givenName, sn, title, department, telephoneNumber, etc.
You will get it all back in one CF query object.

The best part is that you are not limited to the 1000-value limit that
you would have hit by using the first method.

However, you may hit another limit in the number of records that Active
Directory returns via LDAP queries.  By default, I think it may be 1000,
but you can modify your domain controllers to increase that limit.  I
increased our limit to 10,000 records.

If you have this problem, Google ntdsutil and maxpagesize or just
click here: http://support.microsoft.com/kb/315071

m!ke

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299741
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Query for group members

[Dawson, Michael]

Glad to help.
 
Regarding group membership, check back through the archives on this list. 
Specifically, look on Thurs, Jan 17, 2008 at 9:12 AM.
 
I posted a reply with the subject of RE: CFLdap.  This reply contains the 
code that uses CFLDAP to add and remove domain group members.
 
If you can't find it, let me know and I'll repost it for you.
 
I learned most of this by combining Active Directory Users and Computers with 
LDAP.  I would make a change in ADUC, then output all attributes via LDAP.  
Then, I would see which values would change.  That is how I mapped-out many of 
the attributes.
 
MSDN helped quite a bit, as well.  I also picked up some obscure help by 
Googling.
 
Other than knowing the multi-value attributes, and an odd binary attribute here 
and there, LDAP with Active Directory is cake.
 
I would suggest that you install the Active Directory Schema MMC plug in on a 
domain controller.  You can browse the schema and see which attributes are 
multi-values, which are indexed and find out the datatype/length of the 
attributes.
 
I you have any other LDAP questions, let me know.
 
M!ke

  _  

From: Burns, John D [mailto:[EMAIL PROTECTED]
Sent: Fri 2/22/2008 1:09 PM
To: CF-Talk
Subject: RE: LDAP Query for group members



Michael-

AWESOME! Thank you so much for the help. Is it as simple to add users to
the group using the same method? Did you come up with this on your own
or find this info somewhere? Any other tips of things I can look out for
as I'm working with CFLDAP?

John




~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299768
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: LDAP

[Dave Ross]

in general, no, I would say it's not a great idea, but sometimes requirements 
dictate that it has to be done. I've seen directories replicated out to a DMZ 
server to insulate things a bit, but I honestly don't see that as really 
improving security much, unless you are replicating non-sensitive information.

for starters you should not open port 389 and instead open port 636 (and do 
LDAP over SSL/TLS).

In addition, you could open a different port on the firewall (say 6636) and 
forward that to 636 on the inside.

Also, if the rule is for traffic originating from a specific IP, that is much 
better than allowing anything in.

I think a lot of this depends on how secure your LDAP servers are... in reality 
you shouldn't be able to do anything destructive without the necessary 
credentials. Even though the transmission of credentials will be encrypted, it 
doesn't change the fact that your server could be compromised and passwords 
sniffed before they go over the wire.

I think there's a lot of variables to consider - if it *must* be done it tends 
to make admins more comfortable if the LDAP client is in a DMZ segment, thus 
under a bit more control (and can have IDS, etc) rather than a random server 
out on the Internet.

Dave Ross
http://www.coldspringframework.org



 Have an app that is remote from a network that is your standard 
 LDAP/AD
 dealthe client's folks really want the remote app to authenticate
 back via LDAP.
 
 
 
 
 Now, I don't want to open up 389 in the firewall at all; so for you
 great CF minds out thereis it even remotely advisable to setup a
 firewall rule to accept 389 LDAP requests from a single IP
 address.so this CF app can do its thing??
 
 
 
 
 I always err on the side of no in these situationsbut limiting it 
 to
 a specific IP is decent...but relies on that system being correct and
 free of breachhas others seen this go on?
 
 
 
 
 Thanks
 
 
 
 
 Eric
 
 
 
 
 Eric J. Hoffman
 Managing Partner
 1940 Greeley Street South
 Suite 102
 StillwaterMN55082
 mail: [EMAIL PROTECTED]
 www: http://www.ejhassociates.com
 tel: 651.717.4105
 fax: 651.717.4101
 mob: 651.245.2717
 Adobe Solutions Partner
 Microsoft Certified Partner
 
 
 
 This message contains confidential information and is intended only 
 for [EMAIL PROTECTED] If you are not [EMAIL PROTECTED]
 com you should not disseminate, distribute or copy this e-mail. Please 
 notify [EMAIL PROTECTED] immediately by e-mail if you have 
 received this e-mail by mistake and delete this e-mail from your 
 system. E-mail transmission cannot be guaranteed to be secure or 
 error-free as information could be intercepted, corrupted, lost, 
 destroyed, arrive late or incomplete, or contain viruses. Eric J. 
 Hoffman therefore does not accept liability for any errors or 
 omissions in the contents of this message, which arise as a result of 
 e-mail transmission. If verification is required please request a 
 hard-copy version.
 


~|
Get the answers you are looking for on the ColdFusion Labs
Forum direct from active programmers and developers.
http://www.adobe.com/cfusion/webforums/forum/categories.cfm?forumid-72catid=648

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285419
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: LDAP

[Jochem van Dieten]

Eric J. Hoffman wrote:
 Have an app that is remote from a network that is your standard LDAP/AD
 dealthe client's folks really want the remote app to authenticate
 back via LDAP.

Is LDAP a means or an end here? Do they specifically want LDAP or do they want 
something that allows single sign on and ties into AD and is LDAP just the 
first thing that came to their mind?


 Now, I don't want to open up 389 in the firewall at all; so for you
 great CF minds out thereis it even remotely advisable to setup a
 firewall rule to accept 389 LDAP requests from a single IP
 address.so this CF app can do its thing??

If they really want LDAP, you are going to have to give them LDAP. You can 
argue a security baseline and require IPSec, TLS, server hardening etc., but in 
the end the client is king.


 I always err on the side of no in these situationsbut limiting it to
 a specific IP is decent...but relies on that system being correct and
 free of breachhas others seen this go on?

If they really want LDAP the entire security of the AD can be breached. The 
problem with LDAP authentication is that the users enter their credentials on 
the remote application, and the remote application checks the credentials with 
the LDAP server. If the remote application is breached, the credentials are 
breached because they pass through the remote application.
What you really want is a Trusted Third Party setup where the users enter their 
credentials at the AD, and then the AD guarantees the identity to the remote 
application without revealing the credentials. If the remote application is 
breached, only the remote application is breached, not the credentials. If you 
want to do this right you should use something like Kerberos, A-Select, 
Shibboleth.

Jochem


~|
Download the latest ColdFusion 8 utilities including Report Builder,
plug-ins for Eclipse and Dreamweaver updates.
http;//www.adobe.com/cfusion/entitlement/index.cfm?e=labs%5adobecf8%5Fbeta

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285421
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: LDAP Anyone?

[Vince Collins (NHJobs.com)]

I am now updating images within LDAP by using CFHTTP to call an ASP page...
 As you say, it appears something might be lost in translation between cfldap 
 and the underlying Java code.
   
While looking into Java for a solution, a smart co-worker (thanks Peter 
Jacoby!) wrote a .NET script that updates the photo directly in its 
binary form.

COLDFUSION CODE:

cfif Trim(seljpegPhoto) neq 
cftry
!--- upload image ---
cffile action=upload filefield=seljpegPhoto 
destination=#root#\update\upload nameconflict=overwrite
!--- cfhttp call passes file name to update.aspx which updates the 
photo ---
cfhttp 
url=#webroot#qry/update.aspx?CN=#qry_get_one_emp.cn#photo=#file.serverfile# 
method=GET/cfhttp

cfcatch type = Any
  cfset err = #err#liThere was an LDAP error updating your 
image./libr
/cfcatch
/cftry
!--- we print a 1 in update.aspx page if successful ---
cfif IsDefined(cfhttp.fileContent) and Trim(cfhttp.fileContent) neq 1
  cfset err = #err#liThere was an LDAP error updating your 
image./libr
/cfif
/cfif

UPDATE.ASPX CODE:
% @Page Language=C# Debug=true 
CompilerOptions='/R:c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll'%

%@ Import Namespace=System.DirectoryServices %
script runat=server
void Page_Load(object sender, EventArgs e)
{
//_LDAPSERVER_ is your server and _LDAPUSERNAME_  
_LDAPPASSWORD_ is a username/password that has rights to update the 
binary attribute
System.Drawing.Image imgInFile = 
System.Drawing.Image.FromFile(Server.MapPath(../update/upload/ + 
Request.QueryString[photo]));
System.IO.MemoryStream ms = new System.IO.MemoryStream();
imgInFile.Save(ms, System.Drawing.Imaging.ImageFormat.Jpeg);
DirectoryEntry personInfo = new 
DirectoryEntry(LDAP://_LDAPSERVER_/CN= + Request.QueryString[CN] + 
,OU=NA,OU=Employees,O=Teleatlas,C=Global, _LDAPUSERNAME_, 
_LDAPPASSWORD_, AuthenticationTypes.None);
try
{
personInfo.Properties[jpegPhoto][0] = ms.ToArray();
personInfo.CommitChanges();
Response.Write (1);
}
catch
{
Response.Write (ERROR: Cannot find employee  + 
Request.QueryString[CN]);
ms.Close();
imgInFile = null;
Response.End();
}
ms.Close();
imgInFile = null;
}
/script

Thanks everyone for your help on this.  I'm disappointed that CF 
couldn't do it.  Or maybe I should reword that as I'm disappointed I 
couldn't figure out a CF-only solution. 

CF Wish list:  CFLDAP with a file option like...

  cfldap action=modify
   DN=#qry_get_one_emp.distinguishedName#
   attributes=jpegPhoto
   files=#file.serverfile#
   modifytype=replace
   server=#LDAPServer#
   username=#LDAPUsername#
   password=#LDAPPassword#

At any rate, I can now move on with my development and I thank everyone 
for their help on this.  Especially Peter Jacoby!

-Vince



~|
Upgrade to Adobe ColdFusion MX7
The most significant release in over 10 years. Upgrade  see new features.
http://www.adobe.com/products/coldfusion?sdid=RVJR

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273966
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

RE: LDAP Anyone?

[Leitch, Oblio]

I second this.  Remember, because CF is typeless, when it tries to
write to output binary in the cfldap tage, it might be expecting a
string, not binary.  How they've chosen to output the attributes, I
don't know, but that might cause it to fail.

I would double (triple?) check that the data sent through LDAP is, in
fact, binary or encoded (base64 or hex or uuencode, etc).  I wouldn't
use a tool to do that as it might be altering results.  Rather, try a
packet sniffer to see what the actual contents are.  If it's encoded,
your life will be easier.  If not, then you're probably going to have to
investigate some Java-based alternative.

My experience: I wanted a way to compress data. Specifically, I thought
there should be a way to feed data through a CF function and get a
compressed result.  Since there's nothing that does it natively, I
turned to Java.  Java has a native GZipDataStream - very slick.  The
trouble was getting the data from CF -- it could only come and go as a
String.  I ended up requiring it to be base64 encoded to and from, and
decode it once it was inside Java.  (now I have a tag that will compress
a datastream without writing to disk.  I use it for squashing wddx
packets for storage in a database)

I think it was the interface they've written for custom CFX that's the
limiter.

-Original Message-
From: Dinner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 22, 2007 7:42 PM
To: CF-Talk
Subject: Re: LDAP Anyone?

On a totally different note:

Why not use some java solution?  I bet you could even do something
along the lines of cfmail, where CF has javamail (iirc), which totally
rocks, but of which CF exposes only a tiny bit.

Find what CF uses for LDAP, research it, and call it yourself using
createObject(), if even just for the image upload stuff.

Whenever I've run into a problem like that (IMAP stuff, in my case),
I've found using the underlying java will do what CF couldn't, if in
fact CF can't.

HIH, and if you have questions about how to leverage some java
package, feel free to ask.  Maybe jldap ( openldap.org)?  Eh...

Force be with you!

This email message may contain privileged and/or confidential information. If 
you are not the intended recipient(s), you are hereby notified that any 
dissemination, distribution, or copying of this email message is strictly 
prohibited. If you have received this message in error, please immediately 
notify the sender and delete this email message from your computer.

CAUTION: The Agency of Human Services cannot ensure the confidentiality or 
security of email transmissions.

~|
Deploy Web Applications Quickly across the enterprise with ColdFusion MX7  
Flex 2
Free Trial 
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJU

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273496
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: LDAP Anyone?

[Vince Collins (NHJobs.com)]

Thanks Dinner,

Looking under the hood of CF sounds a bit scary but only because I have 
never done it before. I very much appreciate your suggestion and may 
have questions along the way.




Dinner wrote:
 On a totally different note:

 Why not use some java solution?  I bet you could even do something
 along the lines of cfmail, where CF has javamail (iirc), which totally
 rocks, but of which CF exposes only a tiny bit.

 Find what CF uses for LDAP, research it, and call it yourself using
 createObject(), if even just for the image upload stuff.

 Whenever I've run into a problem like that (IMAP stuff, in my case),
 I've found using the underlying java will do what CF couldn't, if in
 fact CF can't.

 HIH, and if you have questions about how to leverage some java
 package, feel free to ask.  Maybe jldap ( openldap.org)?  Eh...

 Force be with you!

 On 3/22/07, Vince C wrote:
   
 Thanks again Michael,

 I guess that's the question.  Can ColdFusion do this now?  In 6.1 or
 7.0?  I think it probably can but I don't know if there is some switch
 or other that can be passed along with this update that tells LDAP so.

 
 


 

~|
Upgrade to Adobe ColdFusion MX7
Experience Flex 2  MX7 integration  create powerful cross-platform RIAs
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJQ 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273504
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: LDAP Anyone?

[Vince Collins (NHJobs.com)]

I was told when I began this project by the LDAP administrator that it 
is storing images in base64.  So I just encoded the binary file as 
toBase64() and the database took it just fine but it actually wasn't 
just fine.  All images uploaded my my tool where corrupt.  By using a 
third party tool, the images showed as corrupt with errors like may be 
partially truncated or otherwise invalid.  Using a third party tool it 
also qualified my newly uploaded images at Text Attributes while the 
other good images were qualified as Binary Attributes. 

As you say, it appears something might be lost in translation between 
cfldap and the underlying Java code.

I have never worked with Java before and am a bit nervous venturing into 
it today but at this point, if I'm going to call myself a programmer, I 
suppose I better attempt to actually be one and take this challenge on.

Thanks for your help, I will now look into trying to figure out what 
CFLDAP is calling and go from there.

Best Regards,



Leitch, Oblio wrote:
 I second this.  Remember, because CF is typeless, when it tries to
 write to output binary in the cfldap tage, it might be expecting a
 string, not binary.  How they've chosen to output the attributes, I
 don't know, but that might cause it to fail.

 I would double (triple?) check that the data sent through LDAP is, in
 fact, binary or encoded (base64 or hex or uuencode, etc).  I wouldn't
 use a tool to do that as it might be altering results.  Rather, try a
 packet sniffer to see what the actual contents are.  If it's encoded,
 your life will be easier.  If not, then you're probably going to have to
 investigate some Java-based alternative.

 My experience: I wanted a way to compress data. Specifically, I thought
 there should be a way to feed data through a CF function and get a
 compressed result.  Since there's nothing that does it natively, I
 turned to Java.  Java has a native GZipDataStream - very slick.  The
 trouble was getting the data from CF -- it could only come and go as a
 String.  I ended up requiring it to be base64 encoded to and from, and
 decode it once it was inside Java.  (now I have a tag that will compress
 a datastream without writing to disk.  I use it for squashing wddx
 packets for storage in a database)

 I think it was the interface they've written for custom CFX that's the
 limiter.

 -Original Message-
 From: Dinner [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, March 22, 2007 7:42 PM
 To: CF-Talk
 Subject: Re: LDAP Anyone?

 On a totally different note:

 Why not use some java solution?  I bet you could even do something
 along the lines of cfmail, where CF has javamail (iirc), which totally
 rocks, but of which CF exposes only a tiny bit.

 Find what CF uses for LDAP, research it, and call it yourself using
 createObject(), if even just for the image upload stuff.

 Whenever I've run into a problem like that (IMAP stuff, in my case),
 I've found using the underlying java will do what CF couldn't, if in
 fact CF can't.

 HIH, and if you have questions about how to leverage some java
 package, feel free to ask.  Maybe jldap ( openldap.org)?  Eh...

 Force be with you!

 This email message may contain privileged and/or confidential information. If 
 you are not the intended recipient(s), you are hereby notified that any 
 dissemination, distribution, or copying of this email message is strictly 
 prohibited. If you have received this message in error, please immediately 
 notify the sender and delete this email message from your computer.

 CAUTION: The Agency of Human Services cannot ensure the confidentiality or 
 security of email transmissions.

 

~|
Create robust enterprise, web RIAs.
Upgrade  integrate Adobe Coldfusion MX7 with Flex 2
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJP

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273505
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: LDAP Anyone?

[Dawson, Michael]

There are methods for storing binaries/images in a database field.  You
could also convert the binary information to text, then store the text
in a database.

You could do something similar with LDAP.  Just create a new attribute
that can hold a large text value.  Treat your LDAP server just like you
would a database.

M!ke 

-Original Message-
From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 22, 2007 3:53 PM
To: CF-Talk
Subject: LDAP Anyone?

It appears from the lack of response on this mail list to my question
that none of you have any idea.  I'm bummed and feel now I must look
elsewhere besides ColdFusion to solve this problem.

I will post this one last time in the hopes that someone will respond
with an idea or suggestion:

- - - - - - - -
I have been asked to write a web-based editor to allow users to edit
individual attributes themselves directly.  I have done this and it is
working for text attributes however it is not working for images.

I have written the code to upload and READASBINARY the file.  Then when
putting the new file back into ldap I use
jpegPhoto=#toBase64(BinaryImageContent)# which I was told that images
for LDAP were stored in base64 (Let me know if I'm wrong) but it appears
to not work for me.  Is there some sort of switch you pass to LDAP when
your code is updating an image attribute to somehow flag it as a binary
attribute?

I've been looking for an answer and have posted questions on more then
20 forums and blogs over the past week.  You all may have detected that
I am a bit frustrated and desperate  :(

 cffile action=READBINARY 
file=#root#\update\upload\#file.serverfile# 
variable=BinaryImageContent
 cfldap action=modify
  DN=#qry_get_one_emp.distinguishedName#
  attributes=jpegPhoto=#toBase64(BinaryImageContent)#
  modifytype=replace
  server=#LDAPServer#
  username=#LDAPUsername#
  password=#LDAPPassword#

Changing this
attributes=jpegPhoto=#toBase64(BinaryImageContent)#
to this
attributes=jpegPhoto=#BinaryImageContent#
also errors since it appears that CFLDAP or http does not allow you to
use binary directly in the call.
- - - - - - -

I'm at a loss and looking for any help possible.  I really don't want to
tell my client that ColdFusion can not do this.  I'd much rather say
that I didn't know how and the ColdFusion community were able to help
me.

~|
ColdFusion MX7 by Adobe®
Dyncamically transform webcontent into Adobe PDF with new ColdFusion MX7. 
Free Trial. http://www.adobe.com/products/coldfusion?sdid=RVJV

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273450
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: LDAP Anyone?

[Vince Collins (NHJobs.com)]

Thanks Michael,

I am treating it like a database and all is well except for images.  
Text for example updates just fine.  The directory has thousands of 
users which means thousands of images.  Each image is stored in the 
directory as a binary attribute.  I need to adhere to that field.

Other tools use the existing images as they are stored currently (as 
binary).  I can update the images using for example 
http://www-unix.mcs.anl.gov/~gawor/ldap/ which is an excellent 
java-based editor.  It allows me to browse to my image and then it 
uploads it and all is well.  Stored as a binary.  However, if I change 
the way I store it because ColdFusion has to store it in a different way 
then all other tools such as that ldap browser/editor won't work and all 
the locations they are displaying it elsewhere would break.

I'm hoping to find a way to update this existing binary attribute using 
CFLDAP or other tool.




Dawson, Michael wrote:
 There are methods for storing binaries/images in a database field.  You
 could also convert the binary information to text, then store the text
 in a database.

 You could do something similar with LDAP.  Just create a new attribute
 that can hold a large text value.  Treat your LDAP server just like you
 would a database.

 M!ke 

 -Original Message-
 From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, March 22, 2007 3:53 PM
 To: CF-Talk
 Subject: LDAP Anyone?

 It appears from the lack of response on this mail list to my question
 that none of you have any idea.  I'm bummed and feel now I must look
 elsewhere besides ColdFusion to solve this problem.

 I will post this one last time in the hopes that someone will respond
 with an idea or suggestion:

 - - - - - - - -
 I have been asked to write a web-based editor to allow users to edit
 individual attributes themselves directly.  I have done this and it is
 working for text attributes however it is not working for images.

 I have written the code to upload and READASBINARY the file.  Then when
 putting the new file back into ldap I use
 jpegPhoto=#toBase64(BinaryImageContent)# which I was told that images
 for LDAP were stored in base64 (Let me know if I'm wrong) but it appears
 to not work for me.  Is there some sort of switch you pass to LDAP when
 your code is updating an image attribute to somehow flag it as a binary
 attribute?

 I've been looking for an answer and have posted questions on more then
 20 forums and blogs over the past week.  You all may have detected that
 I am a bit frustrated and desperate  :(

  cffile action=READBINARY 
 file=#root#\update\upload\#file.serverfile# 
 variable=BinaryImageContent
  cfldap action=modify
   DN=#qry_get_one_emp.distinguishedName#
   attributes=jpegPhoto=#toBase64(BinaryImageContent)#
   modifytype=replace
   server=#LDAPServer#
   username=#LDAPUsername#
   password=#LDAPPassword#

 Changing this
 attributes=jpegPhoto=#toBase64(BinaryImageContent)#
 to this
 attributes=jpegPhoto=#BinaryImageContent#
 also errors since it appears that CFLDAP or http does not allow you to
 use binary directly in the call.
 - - - - - - -

 I'm at a loss and looking for any help possible.  I really don't want to
 tell my client that ColdFusion can not do this.  I'd much rather say
 that I didn't know how and the ColdFusion community were able to help
 me.

 

~|
Upgrade to Adobe ColdFusion MX7
The most significant release in over 10 years. Upgrade  see new features.
http://www.adobe.com/products/coldfusion?sdid=RVJR

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273453
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: LDAP Anyone?

[Dawson, Michael]

Ah. I gotcha now.  You don't want to break convention just for
ColdFusion.

I'm not sure how else I can help other than part of the functionality
is there with the RETURNASBINARY attribute.  However, I know of no
corresponding send-type attribute.  You should be able to get the image
using ColdFusion, but no way to put an image into the directory.

You might want to Google Damon Cooper and send him a message asking
about this.  They might be able to add this as part of Scorpio.

M!ke 

-Original Message-
From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 22, 2007 4:13 PM
To: CF-Talk
Subject: Re: LDAP Anyone?

Thanks Michael,

I am treating it like a database and all is well except for images.  
Text for example updates just fine.  The directory has thousands of
users which means thousands of images.  Each image is stored in the
directory as a binary attribute.  I need to adhere to that field.

Other tools use the existing images as they are stored currently (as
binary).  I can update the images using for example
http://www-unix.mcs.anl.gov/~gawor/ldap/ which is an excellent
java-based editor.  It allows me to browse to my image and then it
uploads it and all is well.  Stored as a binary.  However, if I change
the way I store it because ColdFusion has to store it in a different way
then all other tools such as that ldap browser/editor won't work and all
the locations they are displaying it elsewhere would break.

I'm hoping to find a way to update this existing binary attribute using
CFLDAP or other tool.




Dawson, Michael wrote:
 There are methods for storing binaries/images in a database field.
You
 could also convert the binary information to text, then store the text
 in a database.

 You could do something similar with LDAP.  Just create a new attribute
 that can hold a large text value.  Treat your LDAP server just like
you
 would a database.

 M!ke 

 -Original Message-
 From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, March 22, 2007 3:53 PM
 To: CF-Talk
 Subject: LDAP Anyone?

 It appears from the lack of response on this mail list to my question
 that none of you have any idea.  I'm bummed and feel now I must look
 elsewhere besides ColdFusion to solve this problem.

 I will post this one last time in the hopes that someone will respond
 with an idea or suggestion:

 - - - - - - - -
 I have been asked to write a web-based editor to allow users to edit
 individual attributes themselves directly.  I have done this and it is
 working for text attributes however it is not working for images.

 I have written the code to upload and READASBINARY the file.  Then
when
 putting the new file back into ldap I use
 jpegPhoto=#toBase64(BinaryImageContent)# which I was told that images
 for LDAP were stored in base64 (Let me know if I'm wrong) but it
appears
 to not work for me.  Is there some sort of switch you pass to LDAP
when
 your code is updating an image attribute to somehow flag it as a
binary
 attribute?

 I've been looking for an answer and have posted questions on more then
 20 forums and blogs over the past week.  You all may have detected
that
 I am a bit frustrated and desperate  :(

  cffile action=READBINARY 
 file=#root#\update\upload\#file.serverfile# 
 variable=BinaryImageContent
  cfldap action=modify
   DN=#qry_get_one_emp.distinguishedName#
   attributes=jpegPhoto=#toBase64(BinaryImageContent)#
   modifytype=replace
   server=#LDAPServer#
   username=#LDAPUsername#
   password=#LDAPPassword#

 Changing this
 attributes=jpegPhoto=#toBase64(BinaryImageContent)#
 to this
 attributes=jpegPhoto=#BinaryImageContent#
 also errors since it appears that CFLDAP or http does not allow you to
 use binary directly in the call.
 - - - - - - -

 I'm at a loss and looking for any help possible.  I really don't want
to
 tell my client that ColdFusion can not do this.  I'd much rather say
 that I didn't know how and the ColdFusion community were able to help
 me.

 

~|
Create Web Applications With ColdFusion MX7  Flex 2. 
Build powerful, scalable RIAs. Free Trial
http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJS 

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273458
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Re: LDAP Anyone?

[Vince Collins (NHJobs.com)]

Thanks again Michael,

I guess that's the question.  Can ColdFusion do this now?  In 6.1 or 
7.0?  I think it probably can but I don't know if there is some switch 
or other that can be passed along with this update that tells LDAP so.

That's the question, can it be done now?  I guess it may be the case 
that I am the only person on planet ColdFusion that has tried to update 
an image using CFLDAP?

UGH!

I'll give Damon Cooper a shot.  Please folks, don't give up on me.  I'm 
hoping someone is on vacation and will read this when they get back and 
enlighten me :)





Dawson, Michael wrote:
 Ah. I gotcha now.  You don't want to break convention just for
 ColdFusion.

 I'm not sure how else I can help other than part of the functionality
 is there with the RETURNASBINARY attribute.  However, I know of no
 corresponding send-type attribute.  You should be able to get the image
 using ColdFusion, but no way to put an image into the directory.

 You might want to Google Damon Cooper and send him a message asking
 about this.  They might be able to add this as part of Scorpio.

 M!ke 

 -Original Message-
 From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, March 22, 2007 4:13 PM
 To: CF-Talk
 Subject: Re: LDAP Anyone?

 Thanks Michael,

 I am treating it like a database and all is well except for images.  
 Text for example updates just fine.  The directory has thousands of
 users which means thousands of images.  Each image is stored in the
 directory as a binary attribute.  I need to adhere to that field.

 Other tools use the existing images as they are stored currently (as
 binary).  I can update the images using for example
 http://www-unix.mcs.anl.gov/~gawor/ldap/ which is an excellent
 java-based editor.  It allows me to browse to my image and then it
 uploads it and all is well.  Stored as a binary.  However, if I change
 the way I store it because ColdFusion has to store it in a different way
 then all other tools such as that ldap browser/editor won't work and all
 the locations they are displaying it elsewhere would break.

 I'm hoping to find a way to update this existing binary attribute using
 CFLDAP or other tool.




 Dawson, Michael wrote:
   
 There are methods for storing binaries/images in a database field.
 
 You
   
 could also convert the binary information to text, then store the text
 in a database.

 You could do something similar with LDAP.  Just create a new attribute
 that can hold a large text value.  Treat your LDAP server just like
 
 you
   
 would a database.

 M!ke 

 -Original Message-
 From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, March 22, 2007 3:53 PM
 To: CF-Talk
 Subject: LDAP Anyone?

 It appears from the lack of response on this mail list to my question
 that none of you have any idea.  I'm bummed and feel now I must look
 elsewhere besides ColdFusion to solve this problem.

 I will post this one last time in the hopes that someone will respond
 with an idea or suggestion:

 - - - - - - - -
 I have been asked to write a web-based editor to allow users to edit
 individual attributes themselves directly.  I have done this and it is
 working for text attributes however it is not working for images.

 I have written the code to upload and READASBINARY the file.  Then
 
 when
   
 putting the new file back into ldap I use
 jpegPhoto=#toBase64(BinaryImageContent)# which I was told that images
 for LDAP were stored in base64 (Let me know if I'm wrong) but it
 
 appears
   
 to not work for me.  Is there some sort of switch you pass to LDAP
 
 when
   
 your code is updating an image attribute to somehow flag it as a
 
 binary
   
 attribute?

 I've been looking for an answer and have posted questions on more then
 20 forums and blogs over the past week.  You all may have detected
 
 that
   
 I am a bit frustrated and desperate  :(

  cffile action=READBINARY 
 file=#root#\update\upload\#file.serverfile# 
 variable=BinaryImageContent
  cfldap action=modify
   DN=#qry_get_one_emp.distinguishedName#
   attributes=jpegPhoto=#toBase64(BinaryImageContent)#
   modifytype=replace
   server=#LDAPServer#
   username=#LDAPUsername#
   password=#LDAPPassword#

 Changing this
 attributes=jpegPhoto=#toBase64(BinaryImageContent)#
 to this
 attributes=jpegPhoto=#BinaryImageContent#
 also errors since it appears that CFLDAP or http does not allow you to
 use binary directly in the call.
 - - - - - - -

 I'm at a loss and looking for any help possible.  I really don't want
 
 to
   
 tell my client that ColdFusion can not do this.  I'd much rather say
 that I didn't know how and the ColdFusion community were able to help
 me.


 

 

~|
Upgrade to Adobe ColdFusion MX7
The most significant release in over 10 years. Upgrade  see new features.
http://www.adobe.com

Re: LDAP Anyone?

[Dinner]

On a totally different note:

Why not use some java solution?  I bet you could even do something
along the lines of cfmail, where CF has javamail (iirc), which totally
rocks, but of which CF exposes only a tiny bit.

Find what CF uses for LDAP, research it, and call it yourself using
createObject(), if even just for the image upload stuff.

Whenever I've run into a problem like that (IMAP stuff, in my case),
I've found using the underlying java will do what CF couldn't, if in
fact CF can't.

HIH, and if you have questions about how to leverage some java
package, feel free to ask.  Maybe jldap ( openldap.org)?  Eh...

Force be with you!

On 3/22/07, Vince C wrote:

 Thanks again Michael,

 I guess that's the question.  Can ColdFusion do this now?  In 6.1 or
 7.0?  I think it probably can but I don't know if there is some switch
 or other that can be passed along with this update that tells LDAP so.




~|
ColdFusion MX7 and Flex 2 
Build sales  marketing dashboard RIA’s for your business. Upgrade now
http://www.adobe.com/products/coldfusion/flex2?sdid=RVJT

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273470
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: LDAP Weidness

[Dawson, Michael]

Can you ping/resolve this address from your web server's command
line/prompt? 

-Original Message-
From: Charles E. Heizer [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 27, 2006 12:17 PM
To: CF-Talk
Subject: LDAP Weidness

Hello,
I'm doing a ldap query and I'm running into a weird issue. If I use the
FQDN ldap.llnl.gov it does not work (Connection to LDAP Server
failed). But, if I use the IP it works fine. Now, I know cfldap can
work with using a FQDN since I'm connecting to another directory using
the name not the IP.

Has anyone seen this and if so how did you fix it?

Thanks,
- charles

~|
Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting,
up-to-date ColdFusion information by your peers, delivered to your door four 
times a year.
http://www.fusionauthority.com/quarterly

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258299
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: Ldap -- structure = Not String and Not Object

[Dawson, Michael]

lol.  So you are saying the *friend* is buggy, not CF?  ;^) 

-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 25, 2006 6:54 PM
To: CF-Talk
Subject: Re: Ldap -- structure = Not String and Not Object

I also recommend that you stop asking that particular friend about CF
- the only buggy thing here is that person's understanding of CF syntax.

So I asked a friend of mine and he suggested adding the ## and maybe
putting the column in the variable name because he found CF to be a bit
buggy in situations like these.

~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238753
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: Ldap -- structure = Not String and Not Object

[James Holmes]

hehe. Well, CF does have some bugs, but this was not one of them.

On 4/26/06, Dawson, Michael [EMAIL PROTECTED] wrote:
 lol.  So you are saying the *friend* is buggy, not CF?  ;^)

 -Original Message-
 From: James Holmes [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 25, 2006 6:54 PM
 To: CF-Talk
 Subject: Re: Ldap -- structure = Not String and Not Object

 I also recommend that you stop asking that particular friend about CF
 - the only buggy thing here is that person's understanding of CF syntax.

 So I asked a friend of mine and he suggested adding the ## and maybe
 putting the column in the variable name because he found CF to be a bit
 buggy in situations like these.

~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238764
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: Ldap -- structure = Not String and Not Object

[Dawson, Michael]

The first thing I would do is CFDUMP the LDAP query.  That will show you
what you are getting back from the CFLDAP tag.

It is possible to store different types of items in an LDAP directory.
Our Active Directory stores binary information related to our voicemail
system.

However, if you are only using uid and displayName, I don't see where
the problem lies.  CFDUMP will help.

M!ke 

-Original Message-
From: Joelle Tegwen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 25, 2006 10:38 AM
To: CF-Talk
Subject: Ldap -- structure = Not String and Not Object

I posted this on the newbie list and didn't get much of a response so
I'm trying here. 

The goal is to take the ldap response and move it from a query object
into a structure. I'm searching on a primary key so I know I'll only get
0 or 1 responses.

My code says this:
cfldap action=QUERY attributes=uid,displayName name=ldap
scope=SUBTREE start=o=University of Minnesota, c=US
filter=((cn=*#x500ID#*)) server=ldap.umn.edu port=389 

cfloop list=#ldap.ColumnList# index=column
cfset thisColumn=#column#
cfset args[#thisColumn#]=ldap[#thisColumn#] /
cfoutput#args[thisColumn]#/cfoutput !--- for debugging ---
/cfloop

Which gives me this error: Complex object types cannot be converted to
simple values.

And I said huh, I didn't expect that to be an object So I asked a
friend of mine and he suggested adding the ## and maybe putting the
column in the variable name because he found CF to be a bit buggy in
situations like these. So I tried:

cfloop list=#ldap.ColumnList# index=column
cfset thisColumn=#column#
cfset args[#thisColumn#]=ldap[#thisColumn#] /
cfoutput#args[thisColumn]#/cfoutput !--- for debugging ---
/cfloop

I get the same error. So I say fine be that way and I try this:

cfloop list=#ldap.ColumnList# index=column
cfset thisColumn=#column#
cfset args[#thisColumn#]=ldap[#ldap[thisColumn.value]#] /
cfoutput#args[thisColumn]#/cfoutput !--- for debugging ---
/cfloop


Then the error is: You have attempted to dereference a scalar variable
of type class java.lang.String as a structure with members.

Which (seems to me) to be a direct contradiction of the previous error. 
How do I make this work?

Thanks in advance
Joelle Tegwen

~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238624
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: Ldap -- structure = Not String and Not Object

[Joelle Tegwen]

The dump looks like this:
query - Top 1 of 1 Rows
DISPLAYNAME UID
1   Joelle Tegwen   tegwe002


So to me it looks like ldap.displayName is a string. (and it really 
should be)
Is there something I'm missing? I'm pretty new to CF so it could be 
something totally obvious.

Thanks
Joelle Tegwen


Dawson, Michael wrote:
 The first thing I would do is CFDUMP the LDAP query.  That will show you
 what you are getting back from the CFLDAP tag.

 It is possible to store different types of items in an LDAP directory.
 Our Active Directory stores binary information related to our voicemail
 system.

 However, if you are only using uid and displayName, I don't see where
 the problem lies.  CFDUMP will help.

 M!ke 

   

~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238636
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: Ldap -- structure = Not String and Not Object

[Ian Skinner]

cfloop list=#ldap.ColumnList# index=column
cfset thisColumn=#column#
cfset args[#thisColumn#]=ldap[#thisColumn#] /
cfoutput#args[thisColumn]#/cfoutput !--- for debugging --- 
/cfloop

You are missing the row value of the ldap query.  Thus your are not getting to 
the value of the field.

When accessing a query with the structure syntax it is queryname[column][row].

So try using ldap[thisColumn][1], you do not need the quotes and pound signs.  
Also, only use this when you know you have at least one row, and that the first 
row is the one you want.


--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA

-
| 1 |   |
-  Binary Soduko
|   |   |
-
 
C code. C code run. Run code run. Please!
- Cynthia Dunning

Confidentiality Notice:  This message including any
attachments is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the
intended recipient, please contact the sender and
delete any copies of this message. 




~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238650
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: Ldap -- structure = Not String and Not Object

[Ian Skinner]

cfloop list=#ldap.ColumnList# index=column
cfset thisColumn=#column#
cfset args[#thisColumn#]=ldap[#thisColumn#] /
cfoutput#args[thisColumn]#/cfoutput !--- for debugging --- 
/cfloop


Oh just to clean all this up.  And I have doing this exact type of functions 
for over two years, and have never had any ColdFusion problems.  The cfset 
thisColumn is completly redundant and one does not need all the quotes and 
pound signs.

cfloop list=#ldap.ColumnList# index=column
cfset args[column]=ldap[column] /
/cfloop

cfdump var=#args# !--- For debugging of the entire loop at one time. ---


--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA

-
| 1 |   |
-  Binary Soduko
|   |   |
-
 
C code. C code run. Run code run. Please!
- Cynthia Dunning

Confidentiality Notice:  This message including any
attachments is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the
intended recipient, please contact the sender and
delete any copies of this message. 




~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238651
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: Ldap -- structure = Not String and Not Object

[Ian Skinner]

cfloop list=#ldap.ColumnList# index=column
  cfset args[column]=ldap[column] /
/cfloop
cfdump var=#args# !--- For debugging of the entire loop at one time. ---

Ahh crud, now I forgot the row index.  Corrected code below:

cfloop list=#ldap.ColumnList# index=column
  cfset args[column]=ldap[column][1] /
/cfloop


~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238660
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: Ldap -- structure = Not String and Not Object

[Joelle Tegwen]

Oh thank you! It worked wonderfully. I figured it was something simple.
Thanks! (and thanks for being thorough.)
Joelle

Ian Skinner wrote:
 cfloop list=#ldap.ColumnList# index=column
   cfset args[column]=ldap[column] /
 /cfloop
 cfdump var=#args# !--- For debugging of the entire loop at one time. ---

 Ahh crud, now I forgot the row index.  Corrected code below:

 cfloop list=#ldap.ColumnList# index=column
   cfset args[column]=ldap[column][1] /
 /cfloop


 

~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238672
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: Ldap -- structure = Not String and Not Object

[James Holmes]

I also recommend that you stop asking that particular friend about CF
- the only buggy thing here is that person's understanding of CF
syntax.

So I asked a friend of mine and he suggested adding the ## and
maybe putting the column in the variable name because he found CF to
be a bit buggy in situations like these.

On 4/26/06, Joelle Tegwen [EMAIL PROTECTED] wrote:
 Oh thank you! It worked wonderfully. I figured it was something simple.
 Thanks! (and thanks for being thorough.)
 Joelle

 Ian Skinner wrote:
  cfloop list=#ldap.ColumnList# index=column
cfset args[column]=ldap[column] /
  /cfloop
  cfdump var=#args# !--- For debugging of the entire loop at one time. 
  ---
 
  Ahh crud, now I forgot the row index.  Corrected code below:
 
  cfloop list=#ldap.ColumnList# index=column
cfset args[column]=ldap[column][1] /
  /cfloop

--
CFAJAX docs and other useful articles:
http://jr-holmes.coldfusionjournal.com/

~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238740
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP Help

[David Anderson]

I fixed it by adding a delimiter and doing modify/modifytype=add
instead.  

Final code for all those interested:

 cfldap action=modify
  modifytype=add
  delimiter=|
attributes=RevSubscriber=CN=Anderson
User,CN=Users,DC=ATCAgency,DC=com
dn=CN=_Help Desk,CN=Users,DC=ATCAgency,DC=com
server=serverIPAddress
username=David Anderson
password=mypassword
 

-Original Message-
From: David Anderson [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 09, 2005 12:50 PM
To: CF-Talk
Subject: LDAP Help

Hi guys, I'm trying to add a user attribute (RevSubscriber) to a group
in our Active Directory. I'm getting the following error when trying to
execute the CF below.  Basically, I'm trying to add a member to the
group, but call it RevSubscriber.

  cfldap action=add
attributes=RevSubscriber=CN=Anderson
User,CN=Users,DC=ATCAgency,DC=com
dn=CN=_Help Desk,CN=Users,DC=ATCAgency,DC=com
server=serverIPAddress
username=David Anderson
password=mypassword

Here's the error:

An error has occured while trying to execute add :[LDAP: error code 65 -
207B: UpdErr: DSID-03050C04, problem 6002 (OBJ_CLASS_VIOLATION),
data 0 ]. 

Any ideas would be greatly appreciated!

Thanks,
 David Anderson 
  

David Anderson
Chief Information Officer
(760) 233-7630
America's Vacation Center / American Express


Call us 7 days a week, 6am to 9pm Pacific United States/Canada:
1-800-788-0970 United Kingdom: 0-800-652-2559 Everywhere else:
001-760-233-7635

 
 
Click here to view our hand-picked deals:
http://www.AmericasVacationCenter.com/Deals
Please be advised that pricing can fluctuate within the same day and
that all promotions and quotes are subject to change without notice. As
a result, prices and quotes will not be guaranteed until booked with
payment. 
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information. If you are not
the intended recipient, any disclosure, copying, use, or distribution of
the information included in this message and any attachments is
prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments. Thank you.  
 
 



~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:217850
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP Authentication

[Dawson, Michael]

Yes, we need to know which ldap server.  If it's Windows Active
Directory, you don't need to run two queries.  You only need to pass the
username/password to the cfldap tag.  Windows, by default, allows any
authenticated user to query the directory.  If the query works, you have
a valid user.  If the query fails, you don't.

For Windows AD, the username should be formatted as one of:
[EMAIL PROTECTED] or domain\username

Other ldap servers may work differently and that is probably why
Macromedia's docs say to run two queries.

M!ke 

-Original Message-
From: Douglas Knudsen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 10, 2005 7:34 PM
To: CF-Talk
Subject: Re: LDAP Authentication

In my experience, typically you run two LDAP queries for authentication.
In the first you use the UID filed, depends on your LDAP server, to get
teh users DN. THe second query you use this DN and the users password,
if this binds you authed. What LDAP server are you using?
 DK

 On 5/10/05, David Critchley [EMAIL PROTECTED] wrote: 
 
 I was wondering if anyone knows anything about LDAP authentication. 
 Examples from macromedia on this subject are very sketchy and I cant 
 seem to get mine to work properly. I can query the LDAP server, but I 
 am unable to authenticate. Here is my tag info:
 CFLDAP server=ldapserver port=389 action=QUERY name=userauth 
 attributes=uid start=ou=employees,o=server.com http://server.com

 maxrows=1
 
 

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206426
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP Authentication

[David Critchley]

It's not my server, we only have access to it.  I believe it is not a windows 
server, more than likely it is running on a UNIX server.  Could be Netscape.  I 
work for a large organization, so we have access to it, but have no control 
over it.  Neither are we privy to any specs.  :-S

Yes, we need to know which ldap server.  If it's Windows Active
Directory, you don't need to run two queries.  You only need to pass the
username/password to the cfldap tag.  Windows, by default, allows any
authenticated user to query the directory.  If the query works, you have
a valid user.  If the query fails, you don't.

For Windows AD, the username should be formatted as one of:
[EMAIL PROTECTED] or domain\username

Other ldap servers may work differently and that is probably why
Macromedia's docs say to run two queries.

M!ke 

-Original Message-
From: Douglas Knudsen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 10, 2005 7:34 PM
To: CF-Talk
Subject: Re: LDAP Authentication

In my experience, typically you run two LDAP queries for authentication.
In the first you use the UID filed, depends on your LDAP server, to get
teh users DN. THe second query you use this DN and the users password,
if this binds you authed. What LDAP server are you using?
 DK

 On 5/10/05, David Critchley [EMAIL PROTECTED] wrote: 
 
 I was wondering if anyone knows anything about LDAP authentication. 
 Examples from macromedia on this subject are very sketchy and I cant 
 seem to get mine to work properly. I can query the LDAP server, but I 
 am unable to authenticate. Here is my tag info:
 CFLDAP server=ldapserver port=389 action=QUERY name=userauth 
 attributes=uid start=ou=employees,o=server.com http://server.com

 maxrows=1
 


~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206445
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP Authentication

[Dawson, Michael]

One of the biggest issues is how the username (the unique identifier, in
other words) is stored in the directory.  Once you have that syntax, you
are pretty much set.

M!ke

-Original Message-
From: David Critchley [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 11, 2005 1:37 PM
To: CF-Talk
Subject: RE: LDAP Authentication

It's not my server, we only have access to it.  I believe it is not a
windows server, more than likely it is running on a UNIX server.  Could
be Netscape.  I work for a large organization, so we have access to it,
but have no control over it.  Neither are we privy to any specs.  :-S

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206452
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP Authentication

[David Critchley]

If you look at my original post I give an example of my query, some info has 
been changed as I cant actually display live info.  But the query works, I can 
query any uid and get info back through CFLDAP.

One of the biggest issues is how the username (the unique identifier, in
other words) is stored in the directory.  Once you have that syntax, you
are pretty much set.

M!ke

-Original Message-
From: David Critchley [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 11, 2005 1:37 PM
To: CF-Talk
Subject: RE: LDAP Authentication

It's not my server, we only have access to it.  I believe it is not a
windows server, more than likely it is running on a UNIX server.  Could
be Netscape.  I work for a large organization, so we have access to it,
but have no control over it.  Neither are we privy to any specs.  :-S

~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206454
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP Authentication

[Rebecca Wells]

 It's not my server, we only have access to it.  I believe it is not a 
 windows server, more than likely it is running on a UNIX server.  
 Could be Netscape.  I work for a large organization, so we have access 
 to it, but have no control over it.  Neither are we privy to any specs.  

Then use the 2 query approach. For example:

cfset UserSearchFailed = 0
!--- This filter will look in the objectclass for the user's ID. ---
cfset filter = ((objectclass=person)(uid=  attributes.Username  ))

!--- Query LDAP for the user's DN; used later to authenticate the user. ---
cftry
cfldap action=query
name=userSearch
attributes=dn
start=o=something
scope=SUBTREE
server=myLDAPServer
port=389
filter=#filter#
cfcatch type=Any
cfset UserSearchFailed = true
/cfcatch
/cftry

!--- If the user search failed or returns 0 rows abort. ---
cfif NOT userSearch.recordcount OR UserSearchFailed
cfset UserSearchFailed = true
cfset errormsg = UID for   #attributes.Username#   not found.
/cfif

cfif userSearch.recordcount and not UserSearchFailed
!--- Pass user's DN  password to see if the user authenticates. ---
cftry
cfldap action=QUERY
name=auth

attributes=givenname,surname,uid,userid,groupMembership,mail,dn
start=o=something
scope=SUBTREE
server=myLDAPServer
port=389
filter=#filter#
username=#userSearch.dn#
password=#attributes.Password#
cfcatch type=Any
cfset UserSearchFailed = true
/cfcatch
/cftry
/cfif

Another recommendation: get a copy of Softerra LDAP Browser 
http://www.ldapbrowser.com/ Version 2.6 is freeware.

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206460
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP Authentication

[Douglas Knudsen]

oh, and do yourself a big favour and head out to 
http://www.ldapadministrator.com/ and get the free LDAP browser. It will 
help you greatly
 DK

 On 5/11/05, Rebecca Wells [EMAIL PROTECTED] wrote: 
 
  It's not my server, we only have access to it. I believe it is not a
  windows server, more than likely it is running on a UNIX server.
  Could be Netscape. I work for a large organization, so we have access
  to it, but have no control over it. Neither are we privy to any specs.
 
 Then use the 2 query approach. For example:
 
 cfset UserSearchFailed = 0
 !--- This filter will look in the objectclass for the user's ID. ---
 cfset filter = ((objectclass=person)(uid=  attributes.Username  
 ))
 
 !--- Query LDAP for the user's DN; used later to authenticate the user. 
 ---
 cftry
 cfldap action=query
 name=userSearch
 attributes=dn
 start=o=something
 scope=SUBTREE
 server=myLDAPServer
 port=389
 filter=#filter#
 cfcatch type=Any
 cfset UserSearchFailed = true
 /cfcatch
 /cftry
 
 !--- If the user search failed or returns 0 rows abort. ---
 cfif NOT userSearch.recordcount OR UserSearchFailed
 cfset UserSearchFailed = true
 cfset errormsg = UID for   #attributes.Username#   not found.
 /cfif
 
 cfif userSearch.recordcount and not UserSearchFailed
 !--- Pass user's DN  password to see if the user authenticates. ---
 cftry
 cfldap action=QUERY
 name=auth
 attributes=givenname,surname,uid,userid,groupMembership,mail,dn
 start=o=something
 scope=SUBTREE
 server=myLDAPServer
 port=389
 filter=#filter#
 username=#userSearch.dn#
 password=#attributes.Password#
 cfcatch type=Any
 cfset UserSearchFailed = true
 /cfcatch
 /cftry
 /cfif
 
 Another recommendation: get a copy of Softerra LDAP Browser 
 http://www.ldapbrowser.com/ Version 2.6 is freeware.
 
 

~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206464
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP Authentication - Resolved

[David Critchley]

We resolved this issue by actually putting the right content in the username 
field. I was connecting to the LDAP server properly, just wasnt able to send 
the username and password.

username=uid=#usern#,ou=active,ou=employees,ou=people,o=#server#
password=#plaintextpassword#

Thanks for all the help.

 If you look at my original post I give an example of my query, some 
 info has been changed as I cant actually display live info.  But the 
 query works, I can query any uid and get info back through CFLDAP.
 
 One of the biggest issues is how the username (the unique identifier, 
 in
 other words) is stored in the directory.  Once you have that syntax, 
 you
 are pretty much set.
 
 M!ke
 
 -Original Message-
 From: David Critchley [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, May 11, 2005 1:37 PM
 To: CF-Talk
 Subject: RE: LDAP Authentication
 
 It's not my server, we only have access to it.  I believe it is not 
 a
 windows server, more than likely it is running on a UNIX server.  
 Could
 be Netscape.  I work for a large organization, so we have access to 
 it,
 but have no control over it.  Neither are we privy to any specs.  
:-S

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206468
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP Authentication

[Douglas Knudsen]

In my experience, typically you run two LDAP queries for authentication. In 
the first you use the UID filed, depends on your LDAP server, to get teh 
users DN. THe second query you use this DN and the users password, if this 
binds you authed. What LDAP server are you using?
 DK

 On 5/10/05, David Critchley [EMAIL PROTECTED] wrote: 
 
 I was wondering if anyone knows anything about LDAP authentication. 
 Examples from macromedia on this subject are very sketchy and I cant seem to 
 get mine to work properly. I can query the LDAP server, but I am unable to 
 authenticate. Here is my tag info:
 CFLDAP server=ldapserver port=389 action=QUERY name=userauth 
 attributes=uid start=ou=employees,o=server.com http://server.com 
 maxrows=1
 
 

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206300
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP passwords

[Damien McKenna]

Yes, the trick is working out permissions and which field stores the
password.  Do some research on the field and you should be fine.  The
password field doesn't show up I guess for security reasons.  LDAP is a
tricky wee beasty to work with.

-- 
Damien McKenna - Web Developer - [EMAIL PROTECTED]
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include stdjoke.h

-Original Message-
From: Paul [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 25, 2005 1:41 PM
To: CF-Talk
Subject: LDAP passwords

Is there any way I can allow my users to change their Active Directory
passwords through CFLDAP?

When I dump the entire record for a user I don't see any column hinting
at
password so I'm assuming the answer no, but I thought I'd throw it out
to
the group before dismissing it entirely.


~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200031
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP passwords

[Dawson, Michael]

You need a SSL certificate to do this securely with LDAP.  I,
personally, think that is overkill.

However, the LDAP attribute is unicodePwd or something similar.

This is how I do it on the Windows platform:
I run ColdFusion as an domain account that is also an Account Operator
(has permissions to change passwords, among other things.)

Then, I use CFEXECUTE to call the NET USER command with the proper
arguments to change the user's password.

It is very easy and works quite well.

When I create new accounts and need to set a password, I use a custom
COM object I built that does it all.

M!ke

-Original Message-
From: Paul [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 25, 2005 12:41 PM
To: CF-Talk
Subject: LDAP passwords

Is there any way I can allow my users to change their Active Directory
passwords through CFLDAP?

 

When I dump the entire record for a user I don't see any column hinting
at password so I'm assuming the answer no, but I thought I'd throw it
out to the group before dismissing it entirely.

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200050
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP passwords

[Paul]

Thanks, that's good information.  I'll explore a bit.

-Original Message-
From: Dawson, Michael [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 25, 2005 1:51 PM
To: CF-Talk
Subject: RE: LDAP passwords

You need a SSL certificate to do this securely with LDAP.  I,
personally, think that is overkill.

However, the LDAP attribute is unicodePwd or something similar.

This is how I do it on the Windows platform:
I run ColdFusion as an domain account that is also an Account Operator
(has permissions to change passwords, among other things.)

Then, I use CFEXECUTE to call the NET USER command with the proper
arguments to change the user's password.

It is very easy and works quite well.

When I create new accounts and need to set a password, I use a custom
COM object I built that does it all.

M!ke

-Original Message-
From: Paul [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 25, 2005 12:41 PM
To: CF-Talk
Subject: LDAP passwords

Is there any way I can allow my users to change their Active Directory
passwords through CFLDAP?

 

When I dump the entire record for a user I don't see any column hinting
at password so I'm assuming the answer no, but I thought I'd throw it
out to the group before dismissing it entirely.



~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200058
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP passwords

[Douglas Knudsen]

which requires windows and your server belongingt in the correct
domain and all.  In my company the network/sysadmins will not allow
this.  I though you could use the cfldap tag for this.  You have to
have a uid/pwd that has the permissions to do such a thing.  Depending
on your LDAP server, the pwd field maybe different too.

Doug

like this maybe
http://www.houseoffusion.com/cf_lists/index.cfm/method=messagesthreadid=17267forumid=4


On Fri, 25 Mar 2005 14:50:49 -0600, Dawson, Michael [EMAIL PROTECTED] wrote:
 You need a SSL certificate to do this securely with LDAP.  I,
 personally, think that is overkill.
 
 However, the LDAP attribute is unicodePwd or something similar.
 
 This is how I do it on the Windows platform:
 I run ColdFusion as an domain account that is also an Account Operator
 (has permissions to change passwords, among other things.)
 
 Then, I use CFEXECUTE to call the NET USER command with the proper
 arguments to change the user's password.
 
 It is very easy and works quite well.
 
 When I create new accounts and need to set a password, I use a custom
 COM object I built that does it all.
 
 M!ke
 
 -Original Message-
 From: Paul [mailto:[EMAIL PROTECTED]
 Sent: Friday, March 25, 2005 12:41 PM
 To: CF-Talk
 Subject: LDAP passwords
 
 Is there any way I can allow my users to change their Active Directory
 passwords through CFLDAP?
 
 When I dump the entire record for a user I don't see any column hinting
 at password so I'm assuming the answer no, but I thought I'd throw it
 out to the group before dismissing it entirely.
 
 

~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200068
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP passwords

[Dawson, Michael]

First of all, what is the directory server in question?  Active
Directory or something else.  My experience is with AD only, so far.

If you try to set an AD password with CFLDAP, and you have no SSL cert,
you will get an error similar to unwilling to respond, from what I
remember.  (I get that from my wife, too.)

If you are in different domains, there are ways around that, but you
have to have your sys admins' cooperation to trust the domains and give
the CF server domain account the correct permissions. To change
passwords.

If you can't get their help, then SSL is the only way to set a password
in AD.  Again, I only know this about AD.  I don't know other directory
servers.

If you don't mind, please post your solution, whatever it may be.

M!ke

-Original Message-
From: Douglas Knudsen [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 25, 2005 4:57 PM
To: CF-Talk
Subject: Re: LDAP passwords

which requires windows and your server belongingt in the correct domain
and all.  In my company the network/sysadmins will not allow this.  I
though you could use the cfldap tag for this.  You have to have a
uid/pwd that has the permissions to do such a thing.  Depending on your
LDAP server, the pwd field maybe different too.

Doug

~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200070
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP passwords

[Dawson, Michael]

 BTW, I will add that it is Windows' security that requires a
certificate to change as password.  ColdFusion could not care less.

M!ke 

-Original Message-
From: Douglas Knudsen [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 25, 2005 4:57 PM
To: CF-Talk
Subject: Re: LDAP passwords

which requires windows and your server belongingt in the correct domain
and all.  In my company the network/sysadmins will not allow this.  I
though you could use the cfldap tag for this.  You have to have a
uid/pwd that has the permissions to do such a thing.  Depending on your
LDAP server, the pwd field maybe different too.

Doug

like this maybe
http://www.houseoffusion.com/cf_lists/index.cfm/method=messagesthreadid
=17267forumid=4


On Fri, 25 Mar 2005 14:50:49 -0600, Dawson, Michael
[EMAIL PROTECTED] wrote:
 You need a SSL certificate to do this securely with LDAP.  I, 
 personally, think that is overkill.
 
 However, the LDAP attribute is unicodePwd or something similar.
 
 This is how I do it on the Windows platform:
 I run ColdFusion as an domain account that is also an Account Operator

 (has permissions to change passwords, among other things.)
 
 Then, I use CFEXECUTE to call the NET USER command with the proper 
 arguments to change the user's password.
 
 It is very easy and works quite well.
 
 When I create new accounts and need to set a password, I use a custom 
 COM object I built that does it all.
 
 M!ke
 
 -Original Message-
 From: Paul [mailto:[EMAIL PROTECTED]
 Sent: Friday, March 25, 2005 12:41 PM
 To: CF-Talk
 Subject: LDAP passwords
 
 Is there any way I can allow my users to change their Active Directory

 passwords through CFLDAP?
 
 When I dump the entire record for a user I don't see any column 
 hinting at password so I'm assuming the answer no, but I thought I'd 
 throw it out to the group before dismissing it entirely.
 
 



~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200071
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP and Active Directory and getting the objectGUID

[Charles Heizer]

Hi Mike,
Thanks for the info, I'm really hoping that Macromedia will fix this.

Thanks again,
- Charles


On 3/18/05 5:05 AM, Dawson, Michael [EMAIL PROTECTED] wrote:

 That is a bug that has yet to be corrected by Macromedia.
 
 You could create a COM object that uses ADSI to pull that value into a
 meaningful state.
 
 M!ke
 
 -Original Message-
 From: Charles Heizer [mailto:[EMAIL PROTECTED]
 Sent: Thursday, March 17, 2005 5:42 PM
 To: CF-Talk
 Subject: LDAP and Active Directory and getting the objectGUID
 
 Hello,
 Does anyone have an example on how to translate the attribute objectGUID
 to a legible string? If I look at it in ADSI edit, it's in hex format,
 but if I use coldfusion is garbage.
 
 Thanks,
 - Charles
 
 

~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:199674
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP and Active Directory and getting the objectGUID

[Dawson, Michael]

That is a bug that has yet to be corrected by Macromedia. 

You could create a COM object that uses ADSI to pull that value into a
meaningful state.

M!ke

-Original Message-
From: Charles Heizer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 17, 2005 5:42 PM
To: CF-Talk
Subject: LDAP and Active Directory and getting the objectGUID

Hello,
Does anyone have an example on how to translate the attribute objectGUID
to a legible string? If I look at it in ADSI edit, it's in hex format,
but if I use coldfusion is garbage.

Thanks,
- Charles

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:199311
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP

[Cary Gordon]

We use OpenLDAP because it meets our clients first requirement - it is free.
The downside, for LDAP beginners, is that it is not particularly user
friendly, meaning that, if you aren't an LDAP expert, and you don't know
precisely how your organization needs to be structured, you will do it
wrong.  Hopefully, by the third redo, you will have it right.

I used to use the Netscape (now Sun ONE) directory server, which was much
easier, but is now (post Netscape) frighteningly expensive at about
$1.25/user for large, no cash organizations. My client has about 100k users,
and budgets about $0.005 per, which allows for a hefty linux box and a small
stack of LDAP books. 

BTW, add me to the list of happy Softerra LDAPBrowser users.

Cary Gordon
The Cherry Hill Company



-Original Message-
From: Dawson, Michael [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 14, 2005 1:51 PM
To: CF-Talk
Subject: RE: LDAP

It *shouldn't* matter what brand you use, but since they may have their own
implementations, it's helpful to know.

--- snip ---


~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198836
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP

[Duncan]

A bit of code for you to try cfldap:

http://www.sixfive.co.uk/news/?nid=136 


On Tue, 15 Mar 2005 10:27:02 -0800, Cary Gordon [EMAIL PROTECTED] wrote:
 We use OpenLDAP because it meets our clients first requirement - it is free.
 The downside, for LDAP beginners, is that it is not particularly user
 friendly, meaning that, if you aren't an LDAP expert, and you don't know
 precisely how your organization needs to be structured, you will do it
 wrong.  Hopefully, by the third redo, you will have it right.
 
 I used to use the Netscape (now Sun ONE) directory server, which was much
 easier, but is now (post Netscape) frighteningly expensive at about
 $1.25/user for large, no cash organizations. My client has about 100k users,
 and budgets about $0.005 per, which allows for a hefty linux box and a small
 stack of LDAP books.
 
 BTW, add me to the list of happy Softerra LDAPBrowser users.
 
 Cary Gordon
 The Cherry Hill Company
 
 
 -Original Message-
 From: Dawson, Michael [mailto:[EMAIL PROTECTED]
 Sent: Monday, March 14, 2005 1:51 PM
 To: CF-Talk
 Subject: RE: LDAP
 
 It *shouldn't* matter what brand you use, but since they may have their own
 implementations, it's helpful to know.
 
 --- snip ---
 
 

~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198916
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP

[Ian Skinner]

KNOW YOUR LDAP CONFIGURATION.

The ldap tag is pretty straight forward to use, if you know how your ldap has 
been configured.

We currently use ours to control access based on NT security groups, stored in 
our ldap data.  We currently do not do password verification with ldap, we do 
that directly against NT the NT security CFC from one can get from Macromedia's 
website.


--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA
 
C code. C code run. Run code run. Please!
- Cynthia Dunning

-Original Message-
From: Daniel Kessler [mailto:[EMAIL PROTECTED]
Sent: Monday, March 14, 2005 10:32 AM
To: CF-Talk
Subject: LDAP

My boss asked me to hook into our ldap system for password validation
and I'm looking for any heads-up or advice that I could get.  Do
people use cfLDAP for this?  If I have an app and I just want a few
people to have access to it, do I use a DB to store access groups and
names of people and use LDAP to verify the passwords?
How would that normally work?

thanks.

--
Daniel Kessler

Department of Public and Community Health
University of Maryland
Suite 2387 Valley Drive
College Park, MD  20742-2611
301-405-2545 Phone
www.phi.umd.edu



~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198675
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP

[Dawson, Michael]

What brand of LDAP server are you planning on using?  If it's Windows
Active Directory, there are some things to know about.

I use IIS/browser authentication for our intranet, but I use CFLDAP to
connect to Active Directory to get group membership for each user.  I
also pull mailbox-related information for Exchange mailbox size
reporting.

I'm planning on rewriting my intranet so that I can use an html form for
username/password to make it a bit more portable on PDAs and other
mobile devices.

If you have an LDAP server, use it rather than creating a DB to hold
security information.  You can add people to group, add attributes, etc.
LDAP is mainly geared for user-type storage so there is little reason to
rebuild if LDAP will support your requirements.

If you plan on selling this system, then a DB would be a bit more
portable than LDAP.

M!ke 

-Original Message-
From: Daniel Kessler [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 14, 2005 12:32 PM
To: CF-Talk
Subject: LDAP

My boss asked me to hook into our ldap system for password validation
and I'm looking for any heads-up or advice that I could get.  Do people
use cfLDAP for this?  If I have an app and I just want a few people to
have access to it, do I use a DB to store access groups and names of
people and use LDAP to verify the passwords?
How would that normally work?

thanks.

--
Daniel Kessler

Department of Public and Community Health University of Maryland Suite
2387 Valley Drive College Park, MD  20742-2611
301-405-2545 Phone
www.phi.umd.edu



~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198676
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP

[Douglas Knudsen]

we use LDAP for authentication on our intranet apps.  We use a sun ONE
IIRC.  Its fairly easy to use cfldap tag for this.  Googling should
get you an example or three.  I suggest getting the ldap browser tool
from softerra, its free, and it simply rocks.

D


On Mon, 14 Mar 2005 12:50:42 -0600, Dawson, Michael [EMAIL PROTECTED] wrote:
 What brand of LDAP server are you planning on using?  If it's Windows
 Active Directory, there are some things to know about.
 
 I use IIS/browser authentication for our intranet, but I use CFLDAP to
 connect to Active Directory to get group membership for each user.  I
 also pull mailbox-related information for Exchange mailbox size
 reporting.
 
 I'm planning on rewriting my intranet so that I can use an html form for
 username/password to make it a bit more portable on PDAs and other
 mobile devices.
 
 If you have an LDAP server, use it rather than creating a DB to hold
 security information.  You can add people to group, add attributes, etc.
 LDAP is mainly geared for user-type storage so there is little reason to
 rebuild if LDAP will support your requirements.
 
 If you plan on selling this system, then a DB would be a bit more
 portable than LDAP.
 
 M!ke
 
 -Original Message-
 From: Daniel Kessler [mailto:[EMAIL PROTECTED]
 Sent: Monday, March 14, 2005 12:32 PM
 To: CF-Talk
 Subject: LDAP
 
 My boss asked me to hook into our ldap system for password validation
 and I'm looking for any heads-up or advice that I could get.  Do people
 use cfLDAP for this?  If I have an app and I just want a few people to
 have access to it, do I use a DB to store access groups and names of
 people and use LDAP to verify the passwords?
 How would that normally work?
 
 thanks.
 
 --
 Daniel Kessler
 
 Department of Public and Community Health University of Maryland Suite
 2387 Valley Drive College Park, MD  20742-2611
 301-405-2545 Phone
 www.phi.umd.edu
 
 

~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198678
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP

[daniel kessler]

What brand of LDAP server are you planning on using?  If it's Windows
Active Directory, there are some things to know about.

I don't know which LDAP server it is because I didn't realize I needed to know, 
hmmm.  Time to ask.  But it's the University of Maryland so I guess it's 
something that scales well.

If you have an LDAP server, use it rather than creating a DB to hold
security information.  You can add people to group, add attributes, etc.
LDAP is mainly geared for user-type storage so there is little reason to
rebuild if LDAP will support your requirements.

I don't know much about LDAPs.  Are you saying that I can introduce my own 
group type and add existing people too it?  I only want these two people into 
the Admin parts of my app, so could I make a group called myApp_admin and add 
them to it without affecting their current setup?

and I'll look into the softerra tool, thanks.

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198679
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP

[Ian Skinner]

I don't know much about LDAPs.  Are you saying that I can introduce my
own group type and add existing people too it?  I only want these two
people into the Admin parts of my app, so could I make a group called
myApp_admin and add them to it without affecting their current setup?

Exactly, that's pretty much the whole point of ldap.  You can create any kind 
of branches you like, and add new nodes all over the place.  That can be a bit 
of a problem, but it's in the management of the ldap data. 

We are finding that our manager(s) liked to create security groups in several 
different nodes.  It has been a bit interesting.

I second the softerra browswer, once I had that, it became much easier, then 
the old trial and error approach I was first using.

--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA
 
C code. C code run. Run code run. Please!
- Cynthia Dunning

-Original Message-
From: daniel kessler [mailto:[EMAIL PROTECTED]
Sent: Monday, March 14, 2005 10:30 AM
To: CF-Talk
Subject: Re: LDAP

What brand of LDAP server are you planning on using?  If it's Windows
Active Directory, there are some things to know about.

I don't know which LDAP server it is because I didn't realize I needed to
know, hmmm.  Time to ask.  But it's the University of Maryland so I guess
it's something that scales well.

If you have an LDAP server, use it rather than creating a DB to hold
security information.  You can add people to group, add attributes, etc.
LDAP is mainly geared for user-type storage so there is little reason to
rebuild if LDAP will support your requirements.

I don't know much about LDAPs.  Are you saying that I can introduce my
own group type and add existing people too it?  I only want these two
people into the Admin parts of my app, so could I make a group called
myApp_admin and add them to it without affecting their current setup?

and I'll look into the softerra tool, thanks.



~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198686
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP

[Dawson, Michael]

+1 on the softerra ldap browser tool. 

-Original Message-
From: Douglas Knudsen [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 14, 2005 1:08 PM
To: CF-Talk
Subject: Re: LDAP

we use LDAP for authentication on our intranet apps.  We use a sun ONE
IIRC.  Its fairly easy to use cfldap tag for this.  Googling should get
you an example or three.  I suggest getting the ldap browser tool from
softerra, its free, and it simply rocks.

D

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198712
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP

[Dawson, Michael]

It *shouldn't* matter what brand you use, but since they may have their
own implementations, it's helpful to know.

Directories are organized into containers named Organizational Units
which are basically sub-directories similar to a file system.  The
admins can create an OU just for you, give you access and then you can
create whatever objects they allow you to create in that OU.

I have an OU just for my intranet site's security groups.  I do use
other domain-related groups for intranet permissions, but if there is a
group that doesn't related to a network share or existing domain group,
I create my own, specialized intranet security group.

Yes, you can create a group and add your web site admins.  Then, on each
admin page, check to see if the current user is a member of that group.
In fact, I store all groups, of which the user is a member, in the
session scope.  Then, I have a simple function that checks to see if the
user is related to that group.  This prevents me from needing an LDAP
call on each page that is secured.

Another nice feature of LDAP is you can add your own attributes to
directory objects.  You can actually treat the LDAP server as a database
of sorts.  For example, you can store the last time someone accessed
your web site in their LDAP user object attributes.  Basically, if it
has to do with a user account or group, you can store it right in the
LDAP directory and not have to create a database object to store the
same information.

Feel free to ask any LDAP questions you may have.  I wouldn't call
myself an expert, but I have a few years of CF - Active Directory
experience.

M!ke 

-Original Message-
From: daniel kessler [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 14, 2005 12:30 PM
To: CF-Talk
Subject: Re: LDAP

What brand of LDAP server are you planning on using?  If it's Windows 
Active Directory, there are some things to know about.

I don't know which LDAP server it is because I didn't realize I needed
to know, hmmm.  Time to ask.  But it's the University of Maryland so I
guess it's something that scales well.

If you have an LDAP server, use it rather than creating a DB to hold 
security information.  You can add people to group, add attributes,
etc.
LDAP is mainly geared for user-type storage so there is little reason 
to rebuild if LDAP will support your requirements.

I don't know much about LDAPs.  Are you saying that I can introduce my
own group type and add existing people too it?  I only want these two
people into the Admin parts of my app, so could I make a group called
myApp_admin and add them to it without affecting their current setup?

~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198720
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP question

[Dawson, Michael]

Glad I could help.

What LDAP directory are you using?  Active Directory or something else?

In AD, if there is a user, you should get the CN as you requested.  It
should never be empty.  If there is no user, you will get an empty
query.

Try using attributes=* and see if you get anything back.  Using *
for testing is fine, but I don't recommend using it for real work.
First, it brings back too much data, including binary voicemail
recordings, (if you have Cisco Call Manager, for example) and it only
brings back one value in a multi-value field such as memberOf.

Again, I'm using AD and these things work for me.

Now that I look at your code a bit more, you need to specify the filter
attribute such as:

filter=sAMAccountName=#userName#  (Again, this is AD.)

That is, if the same username for the credentials is the same for the CN
you wish to retrieve.  By not specifying a filter, you are asking for
all kinds of stuff.  One of those stuff probably doesn't have a CN or,
at least, doesn't support returning the CN.

M!ke

-Original Message-
From: Victor Moore [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 23, 2005 9:56 PM
To: CF-Talk
Subject: Re: LDAP question

Modifying the start attribute to Mike's format worked. Hurray!!!
So in may case this works:
cfldap action=query
name=getUser
start=dc=companyName, dc=com
scope=SUBTREE
maxrows=1
server=#serverIP#
   attributes=cn
   username=#userName#
   password=#userPassword#
   port=389

If the user exists will return a query. Unfortunately it's all the time
an empty query, regarding what I put in the attributes list.
For the time being I am OK but I would like very much to be able to
return some info and not just verify that the user exists.

Thanks Mike

Victor

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196295
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP question

[Victor Moore]

Hi Mike,

That's the funny part. If the userID and password I provide exists on
the AD, then I get back an empty query, regarding what attributes I
request in the attributes field. If the user doesn't exists then I get
an error: Inappropriate authentication.
If I  add  * for attributes get an error:
An error has occurred while trying to execute query :Unprocessed
Continuation Reference(s). One or more of the required attributes may
be missing/incorrect or you do not have permissions to execute this
operation on the server

The customer is using the Windows 2003 Server active directory.

I think it's a setup or permission issue on the AD server.

As I said, for the time being I am OK because if I get back a query
(even empty) I assume the user exists if not then the user does not. I
am sure that in the future they will want more things to be done so I
would like to know what are my possibilities. It's obvious that people
are using it and get the proper info back, so I think it's related to
their setup. Unfortunately I don't know enough about AD to be able to
debug and from their point everything is OK.

Thanks again

Victor 


On Thu, 24 Feb 2005 09:04:30 -0600, Dawson, Michael [EMAIL PROTECTED] wrote:
 Glad I could help.
 
 What LDAP directory are you using?  Active Directory or something else?
 
 In AD, if there is a user, you should get the CN as you requested.  It
 should never be empty.  If there is no user, you will get an empty
 query.
 
 Try using attributes=* and see if you get anything back.  Using *
 for testing is fine, but I don't recommend using it for real work.
 First, it brings back too much data, including binary voicemail
 recordings, (if you have Cisco Call Manager, for example) and it only
 brings back one value in a multi-value field such as memberOf.
 
 Again, I'm using AD and these things work for me.
 
 Now that I look at your code a bit more, you need to specify the filter
 attribute such as:
 
 filter=sAMAccountName=#userName#  (Again, this is AD.)
 
 That is, if the same username for the credentials is the same for the CN
 you wish to retrieve.  By not specifying a filter, you are asking for
 all kinds of stuff.  One of those stuff probably doesn't have a CN or,
 at least, doesn't support returning the CN.
 
 M!ke
 
 -Original Message-
 From: Victor Moore [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 23, 2005 9:56 PM
 To: CF-Talk
 Subject: Re: LDAP question
 
 Modifying the start attribute to Mike's format worked. Hurray!!!
 So in may case this works:
 cfldap action=query
name=getUser
start=dc=companyName, dc=com
scope=SUBTREE
maxrows=1
server=#serverIP#
   attributes=cn
   username=#userName#
   password=#userPassword#
   port=389
 
 If the user exists will return a query. Unfortunately it's all the time
 an empty query, regarding what I put in the attributes list.
 For the time being I am OK but I would like very much to be able to
 return some info and not just verify that the user exists.
 
 Thanks Mike
 
 Victor
 
 

~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196298
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP question

[Dawson, Michael]

You might try using the LDAP Browser utility at www.ldapbrowser.com.
They have a freeware ldap browser that may help find the problem.

Also, I would just use a generic account for the username and password.
Preferably those of a domain admin.  Then see what happens.  If it works
at that point, start backing off to a user account that has few
permissions.

If the domain admin account can't access any attributes, you have a
different problem.

M!ke 

-Original Message-
From: Victor Moore [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 24, 2005 9:30 AM
To: CF-Talk
Subject: Re: LDAP question

Hi Mike,

That's the funny part. If the userID and password I provide exists on
the AD, then I get back an empty query, regarding what attributes I
request in the attributes field. If the user doesn't exists then I get
an error: Inappropriate authentication.
If I  add  * for attributes get an error:
An error has occurred while trying to execute query :Unprocessed
Continuation Reference(s). One or more of the required attributes may be
missing/incorrect or you do not have permissions to execute this
operation on the server

The customer is using the Windows 2003 Server active directory.

I think it's a setup or permission issue on the AD server.

As I said, for the time being I am OK because if I get back a query
(even empty) I assume the user exists if not then the user does not. I
am sure that in the future they will want more things to be done so I
would like to know what are my possibilities. It's obvious that people
are using it and get the proper info back, so I think it's related to
their setup. Unfortunately I don't know enough about AD to be able to
debug and from their point everything is OK.

Thanks again

Victor 


On Thu, 24 Feb 2005 09:04:30 -0600, Dawson, Michael
[EMAIL PROTECTED] wrote:
 Glad I could help.
 
 What LDAP directory are you using?  Active Directory or something
else?
 
 In AD, if there is a user, you should get the CN as you requested.  
 It should never be empty.  If there is no user, you will get an empty 
 query.
 
 Try using attributes=* and see if you get anything back.  Using *
 for testing is fine, but I don't recommend using it for real work.
 First, it brings back too much data, including binary voicemail 
 recordings, (if you have Cisco Call Manager, for example) and it only 
 brings back one value in a multi-value field such as memberOf.
 
 Again, I'm using AD and these things work for me.
 
 Now that I look at your code a bit more, you need to specify the 
 filter attribute such as:
 
 filter=sAMAccountName=#userName#  (Again, this is AD.)
 
 That is, if the same username for the credentials is the same for the 
 CN you wish to retrieve.  By not specifying a filter, you are asking 
 for all kinds of stuff.  One of those stuff probably doesn't have a CN

 or, at least, doesn't support returning the CN.
 
 M!ke
 
 -Original Message-
 From: Victor Moore [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 23, 2005 9:56 PM
 To: CF-Talk
 Subject: Re: LDAP question
 
 Modifying the start attribute to Mike's format worked. Hurray!!!
 So in may case this works:
 cfldap action=query
name=getUser
start=dc=companyName, dc=com
scope=SUBTREE
maxrows=1
server=#serverIP#
   attributes=cn
   username=#userName#
   password=#userPassword#
   port=389
 
 If the user exists will return a query. Unfortunately it's all the 
 time an empty query, regarding what I put in the attributes list.
 For the time being I am OK but I would like very much to be able to 
 return some info and not just verify that the user exists.
 
 Thanks Mike
 
 Victor
 
 



~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196300
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP question

[Dawson, Michael]

BTW, if their domain admin won't give you an account with domain admin
permissions, you can easily create a form where they can enter their
credentials, to be used for the LDAP connection, and have it mail any
output to you.

-Original Message-
From: Victor Moore [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 24, 2005 9:30 AM
To: CF-Talk
Subject: Re: LDAP question

Hi Mike,

That's the funny part. If the userID and password I provide exists on
the AD, then I get back an empty query, regarding what attributes I
request in the attributes field. If the user doesn't exists then I get
an error: Inappropriate authentication.
If I  add  * for attributes get an error:
An error has occurred while trying to execute query :Unprocessed
Continuation Reference(s). One or more of the required attributes may be
missing/incorrect or you do not have permissions to execute this
operation on the server

The customer is using the Windows 2003 Server active directory.

I think it's a setup or permission issue on the AD server.

As I said, for the time being I am OK because if I get back a query
(even empty) I assume the user exists if not then the user does not. I
am sure that in the future they will want more things to be done so I
would like to know what are my possibilities. It's obvious that people
are using it and get the proper info back, so I think it's related to
their setup. Unfortunately I don't know enough about AD to be able to
debug and from their point everything is OK.

Thanks again

Victor 


On Thu, 24 Feb 2005 09:04:30 -0600, Dawson, Michael
[EMAIL PROTECTED] wrote:
 Glad I could help.
 
 What LDAP directory are you using?  Active Directory or something
else?
 
 In AD, if there is a user, you should get the CN as you requested.  
 It should never be empty.  If there is no user, you will get an empty 
 query.
 
 Try using attributes=* and see if you get anything back.  Using *
 for testing is fine, but I don't recommend using it for real work.
 First, it brings back too much data, including binary voicemail 
 recordings, (if you have Cisco Call Manager, for example) and it only 
 brings back one value in a multi-value field such as memberOf.
 
 Again, I'm using AD and these things work for me.
 
 Now that I look at your code a bit more, you need to specify the 
 filter attribute such as:
 
 filter=sAMAccountName=#userName#  (Again, this is AD.)
 
 That is, if the same username for the credentials is the same for the 
 CN you wish to retrieve.  By not specifying a filter, you are asking 
 for all kinds of stuff.  One of those stuff probably doesn't have a CN

 or, at least, doesn't support returning the CN.
 
 M!ke
 
 -Original Message-
 From: Victor Moore [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 23, 2005 9:56 PM
 To: CF-Talk
 Subject: Re: LDAP question
 
 Modifying the start attribute to Mike's format worked. Hurray!!!
 So in may case this works:
 cfldap action=query
name=getUser
start=dc=companyName, dc=com
scope=SUBTREE
maxrows=1
server=#serverIP#
   attributes=cn
   username=#userName#
   password=#userPassword#
   port=389
 
 If the user exists will return a query. Unfortunately it's all the 
 time an empty query, regarding what I put in the attributes list.
 For the time being I am OK but I would like very much to be able to 
 return some info and not just verify that the user exists.
 
 Thanks Mike
 
 Victor
 
 



~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196301
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP question

[Victor Moore]

Modifying the start attribute to Mike's format worked. Hurray!!!
So in may case this works:
cfldap action=query
name=getUser
start=dc=companyName, dc=com
scope=SUBTREE
maxrows=1
server=#serverIP#
   attributes=cn
   username=#userName#
   password=#userPassword#
   port=389

If the user exists will return a query. Unfortunately it's all the
time an empty query, regarding what I put in the attributes list.
For the time being I am OK but I would like very much to be able to
return some info and not just verify that the user exists.

Thanks Mike

Victor



On Fri, 28 Jan 2005 13:26:19 -0600, Dawson, Michael [EMAIL PROTECTED] wrote:
 One other thing, change your START attribute to the following format:
 
 start=dc=domain, dc=com
 
 (Replace domain with the correct domain for this company.)
 
 For example, ours would be:
 start=dc=evansville, dc=edu
 
 As I mentioned in another message, all users, by default, can query the
 Active Directory.  This could change if the domain admins changed this
 functionality.
 
 If this still doesn't work, change the start to an existing OU:
 start=ou=users, dc=domain, dc=com and see if you can query from that
 point.
 
 It may be possible that your user account doesn't have access to the
 root of the directory.
 
 M!ke
 
 

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196269
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP question

[jonese]

what protocol version are they using on the ldap? v2, v3?


On Fri, 28 Jan 2005 12:26:09 -0500, Victor Moore [EMAIL PROTECTED] wrote:
 Hi,
 
 I search all of the previous posts and while I got a ton of info
 nothing that can help me.
 
 This is the scenarios:
 I have to authenticate users, at a customers site, against an ldap. I
 was given remote access to the CFMX 6.1 server and was told that the
 server is on the company domain and can see the ldap server (I can
 ping it). Regarding how I am invoking the cfldap tag I cannot get a
 connection. I am not sure if I need more info and if yes what exactly
 or how to debug the problem. Any help, pointers are greatly
 appreciated.
 
 This is what I have:
 cfldap action=query
  name=getUser
  start=o=#companyName#
  scope=SUBTREE
  maxrows=1
  server=#serverIP#
 attributes=cn
 username=cn=#userName#
 password=#userPassword#
 port=389
 
 I get the following error:
 Inappropriate authentication and the attributes line highlighted.
 I am told that IP, user and password are correct.
 
 Thanks
 Victor
 
 

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192112
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP question

[Victor Moore]

They are not sure. It's the default installation that comes with Windows 2003.


On Fri, 28 Jan 2005 12:49:26 -0500, jonese [EMAIL PROTECTED] wrote:
 what protocol version are they using on the ldap? v2, v3?
 
 
 On Fri, 28 Jan 2005 12:26:09 -0500, Victor Moore [EMAIL PROTECTED] wrote:
  Hi,
 
  I search all of the previous posts and while I got a ton of info
  nothing that can help me.
 
  This is the scenarios:
  I have to authenticate users, at a customers site, against an ldap. I
  was given remote access to the CFMX 6.1 server and was told that the
  server is on the company domain and can see the ldap server (I can
  ping it). Regarding how I am invoking the cfldap tag I cannot get a
  connection. I am not sure if I need more info and if yes what exactly
  or how to debug the problem. Any help, pointers are greatly
  appreciated.
 
  This is what I have:
  cfldap action=query
   name=getUser
   start=o=#companyName#
   scope=SUBTREE
   maxrows=1
   server=#serverIP#
  attributes=cn
  username=cn=#userName#
  password=#userPassword#
  port=389
 
  I get the following error:
  Inappropriate authentication and the attributes line highlighted.
  I am told that IP, user and password are correct.
 
  Thanks
  Victor
 
 
 
 

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192115
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP question

[Rebecca Wells]

Here is the CFC I use to authenticate users. Notice that there are 2 LDAP 
queries, first to see if the user exists, then using the returned username and 
form.password to return their info. This is from the example given on page 369 
of the book Developing ColdFusion MX Applications with CFML.

!---
NOTE: for this to work, this code needs to be in a MX accessible web root.

USAGE: cfinvoke 
component=security 
method=authenticate 
returnVariable=authenticated 
cfcUsername=#form.username# 
cfcPassword=#form.password#
   
---

cfcomponent
cffunction access=public name=authenticate output=0
!--- security authentication function ---

!--- username and password required ---
cfargument name=cfcUsername type=string required=1/
cfargument name=cfcPassword type=string required=1/

cfset UserSearchFailed = 0
!--- This filter will look in the objectclass for the user's ID. ---
cfset filter = ((objectclass=person)(uid=  arguments.cfcUsername  
))

!--- Query LDAP for the user's DN; used later to authenticate the 
user. ---
cftry
cfldap action=query
name=userSearch
attributes=dn
start=o=#companyName#
scope=SUBTREE
server=#serverIP#
port=389
filter=#filter#
cfcatch type=Any
cfset UserSearchFailed = true
/cfcatch
/cftry

!--- If the user search failed or returns 0 rows abort. ---
cfif NOT userSearch.recordcount OR UserSearchFailed
cfset UserSearchFailed = true
cfset errormsg = UID for   #arguments.cfcUsername#   not 
found.
/cfif

cfif userSearch.recordcount and not UserSearchFailed
!--- Pass user's DN  password to see if the user authenticates. ---
cftry
cfldap action=QUERY
name=auth

attributes=givenname,surname,uid,userid,groupMembership,mail,dn
start=o=#companyName#
scope=SUBTREE
server=#serverIP#
port=389
filter=#filter#
username=#userSearch.dn#
password=#arguments.cfcPassword#
cfcatch type=Any
cfset UserSearchFailed = true
/cfcatch
/cftry
/cfif

cfset User = StructNew()
cfif not UserSearchFailed and auth.recordCount and len(auth.userid) eq 
4
cfif auth.groupMembership IS NOT 
!--- Parse the roles from the group memberships. ---
cfset groupList = Replace(auth.groupMembership, , , 
:, All)
cfloop list=#groupList# index=i delimiters=:
cfset thisRoleStart = FindNoCase(uid=, i)+4
cfset thisRoleEnd = FindNoCase(,, i, 
thisRoleStart)
cfset roles = roles  Mid(i, thisRoleStart, 
thisRoleEnd-thisRoleStart)  ,
/cfloop
/cfif
!--- Trim final comma from the end of the roles variable. ---
cfset roles = RemoveChars(roles, len(roles), 1)

cfscript
StructInsert(User, givenname, auth.givenname);
StructInsert(User, surname, auth.surname);
StructInsert(User, uid, auth.uid);
StructInsert(User, userid, auth.userid);
StructInsert(User, roles, roles);
StructInsert(User, mail, auth.mail);
StructInsert(User, ou, auth.dn);
/cfscript
/cfif
cfreturn User/
/cffunction

/cfcomponent


~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192117
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP question

[Dawson, Michael]

Instead of username=cn=... try using the domain such as:
 username=domain\username, or username=[EMAIL PROTECTED]

Also, try using Softerra's free LDAP browser at:
http://www.ldapbrowser.com/

It may help you with the authentication credentials.

Let us know if this helps or not.

Thanks
MAD

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192118
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP question

[Dawson, Michael]

I would like to add that, for Windows 200x domain controllers, the
two-step process is not necessary.  You can pass the user's username and
password to the CFLDAP query and if it works, you are set, if not, then
the username/password combination was wrong to start with.

Windows allows all domain users to query the Active Directory, by
default.

M!ke 

-Original Message-
From: Rebecca Wells [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 28, 2005 11:40 AM
To: CF-Talk
Subject: Re: LDAP question

Here is the CFC I use to authenticate users. Notice that there are 2
LDAP queries, first to see if the user exists, then using the returned
username and form.password to return their info. This is from the
example given on page 369 of the book Developing ColdFusion MX
Applications with CFML.

!---
NOTE: for this to work, this code needs to be in a MX accessible web
root.

USAGE: cfinvoke 
component=security 
method=authenticate 
returnVariable=authenticated 
cfcUsername=#form.username# 
cfcPassword=#form.password#
   
---

cfcomponent
cffunction access=public name=authenticate output=0
!--- security authentication function ---

!--- username and password required ---
cfargument name=cfcUsername type=string required=1/
cfargument name=cfcPassword type=string required=1/

cfset UserSearchFailed = 0
!--- This filter will look in the objectclass for the user's
ID. ---
cfset filter = ((objectclass=person)(uid= 
arguments.cfcUsername  ))

!--- Query LDAP for the user's DN; used later to authenticate
the user. ---
cftry
cfldap action=query
name=userSearch
attributes=dn
start=o=#companyName#
scope=SUBTREE
server=#serverIP#
port=389
filter=#filter#
cfcatch type=Any
cfset UserSearchFailed = true
/cfcatch
/cftry

!--- If the user search failed or returns 0 rows abort. ---
cfif NOT userSearch.recordcount OR UserSearchFailed
cfset UserSearchFailed = true
cfset errormsg = UID for   #arguments.cfcUsername# 
 not found.
/cfif

cfif userSearch.recordcount and not UserSearchFailed
!--- Pass user's DN  password to see if the user
authenticates. ---
cftry
cfldap action=QUERY
name=auth

attributes=givenname,surname,uid,userid,groupMembership,mail,dn
start=o=#companyName#
scope=SUBTREE
server=#serverIP#
port=389
filter=#filter#
username=#userSearch.dn#
password=#arguments.cfcPassword#
cfcatch type=Any
cfset UserSearchFailed = true
/cfcatch
/cftry
/cfif

cfset User = StructNew()
cfif not UserSearchFailed and auth.recordCount and
len(auth.userid) eq 4
cfif auth.groupMembership IS NOT 
!--- Parse the roles from the group
memberships. ---
cfset groupList = Replace(auth.groupMembership,
, , :, All)
cfloop list=#groupList# index=i
delimiters=:
cfset thisRoleStart =
FindNoCase(uid=, i)+4
cfset thisRoleEnd = FindNoCase(,, i,
thisRoleStart)
cfset roles = roles  Mid(i,
thisRoleStart, thisRoleEnd-thisRoleStart)  ,
/cfloop
/cfif
!--- Trim final comma from the end of the roles
variable. ---
cfset roles = RemoveChars(roles, len(roles), 1)

cfscript
StructInsert(User, givenname, auth.givenname);
StructInsert(User, surname, auth.surname);
StructInsert(User, uid, auth.uid);
StructInsert(User, userid, auth.userid);
StructInsert(User, roles, roles);
StructInsert(User, mail, auth.mail);
StructInsert(User, ou, auth.dn);
/cfscript
/cfif
cfreturn User/
/cffunction

/cfcomponent




~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client

RE: LDAP question

[Ian Skinner]

I don't know if this will help.  But my experience when I first jumped into 
LDAP for authentication may be similar to yours.

In order to get around a problem with the Java NT security object, if a user 
belongs to groups whose total characters of all names exceeds 512.  I built a 
LDAP solution to get the groups.  Being my first attempt at using LDAP, I ran 
into a lot of trouble like yours.  It seemed to be that the user and permission 
I had did not have permission to return intermediary nodes from the LDAP tree.  
So, I couldn't just start at the top and work my way down to the user step by 
step, because many of those steps would return errors like you are seeing.  I 
had to get the full tree path to the data I needed and had permission to.  

Clear is mud?


--
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA
 
C code. C code run. Run code run. Please!
- Cynthia Dunning

Confidentiality Notice:  This message including any
attachments is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the
intended recipient, please contact the sender and
delete any copies of this message. 



~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192120
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP question

[Victor Moore]

Thank you. 
I have tried that before but got a different error. I am trying to see
now if all the permissions are set up properly.

This is the error:

An error has occurred while trying to execute query :[LDAP: error code
1 - : LdapErr: DSID-0C0905FF, comment: In order to perform
this operation a successful bind must be completed on the connection.,
data 0, vece].

One or more of the required attributes may be missing/incorrect or you
do not have permissions to execute this operation on the server

I suspect that I don't have the permissions to execute it. 

Thanks
Victor

On Fri, 28 Jan 2005 13:40:05 -0400, Rebecca Wells
[EMAIL PROTECTED] wrote:
 Here is the CFC I use to authenticate users. Notice that there are 2 LDAP 
 queries, first to see if the user exists, then using the returned username 
 and form.password to return their info. This is from the example given on 
 page 369 of the book Developing ColdFusion MX Applications with CFML.
 
 !---
 NOTE: for this to work, this code needs to be in a MX accessible web root.
 
 USAGE: cfinvoke
component=security
method=authenticate
returnVariable=authenticated
cfcUsername=#form.username#
cfcPassword=#form.password#
   
 ---
 
 cfcomponent
cffunction access=public name=authenticate output=0
!--- security authentication function ---
 
!--- username and password required ---
cfargument name=cfcUsername type=string required=1/
cfargument name=cfcPassword type=string required=1/
 
cfset UserSearchFailed = 0
!--- This filter will look in the objectclass for the user's ID. ---
cfset filter = ((objectclass=person)(uid=  arguments.cfcUsername 
  ))
 
!--- Query LDAP for the user's DN; used later to authenticate the 
 user. ---
cftry
cfldap action=query
name=userSearch
attributes=dn
start=o=#companyName#
scope=SUBTREE
server=#serverIP#
port=389
filter=#filter#
cfcatch type=Any
cfset UserSearchFailed = true
/cfcatch
/cftry
 
!--- If the user search failed or returns 0 rows abort. ---
cfif NOT userSearch.recordcount OR UserSearchFailed
cfset UserSearchFailed = true
cfset errormsg = UID for   #arguments.cfcUsername#   not 
 found.
/cfif
 
cfif userSearch.recordcount and not UserSearchFailed
!--- Pass user's DN  password to see if the user authenticates. ---
cftry
cfldap action=QUERY
name=auth

 attributes=givenname,surname,uid,userid,groupMembership,mail,dn
start=o=#companyName#
scope=SUBTREE
server=#serverIP#
port=389
filter=#filter#
username=#userSearch.dn#
password=#arguments.cfcPassword#
cfcatch type=Any
cfset UserSearchFailed = true
/cfcatch
/cftry
/cfif
 
cfset User = StructNew()
cfif not UserSearchFailed and auth.recordCount and len(auth.userid) 
 eq 4
cfif auth.groupMembership IS NOT 
!--- Parse the roles from the group memberships. ---
cfset groupList = Replace(auth.groupMembership, , , 
 :, All)
cfloop list=#groupList# index=i delimiters=:
cfset thisRoleStart = FindNoCase(uid=, i)+4
cfset thisRoleEnd = FindNoCase(,, i, 
 thisRoleStart)
cfset roles = roles  Mid(i, thisRoleStart, 
 thisRoleEnd-thisRoleStart)  ,
/cfloop
/cfif
!--- Trim final comma from the end of the roles variable. ---
cfset roles = RemoveChars(roles, len(roles), 1)
 
cfscript
StructInsert(User, givenname, auth.givenname);
StructInsert(User, surname, auth.surname);
StructInsert(User, uid, auth.uid);
StructInsert(User, userid, auth.userid);
StructInsert(User, roles, roles);
StructInsert(User, mail, auth.mail);
StructInsert(User, ou, auth.dn);
/cfscript
/cfif
cfreturn User/
/cffunction
 
 /cfcomponent
 
 

~|
Logware 

RE: LDAP question

[Dawson, Michael]

One other thing, change your START attribute to the following format:

start=dc=domain, dc=com

(Replace domain with the correct domain for this company.)

For example, ours would be:
start=dc=evansville, dc=edu

As I mentioned in another message, all users, by default, can query the
Active Directory.  This could change if the domain admins changed this
functionality.

If this still doesn't work, change the start to an existing OU:
start=ou=users, dc=domain, dc=com and see if you can query from that
point.

It may be possible that your user account doesn't have access to the
root of the directory.
 
M!ke

~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192123
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP question

[Victor Moore]

Pretty much I have tried all kind of variances, all with no avail. I
suspect that some settings are not done properly, but I don't have
enough knowledge of ldap to be able to walk them through or determine
if the right permissions have been given. I will install
http://www.ldapbrowser.com/ and see if I can get more info.

Thanks
Victor.

On Fri, 28 Jan 2005 13:26:19 -0600, Dawson, Michael [EMAIL PROTECTED] wrote:
 One other thing, change your START attribute to the following format:
 
 start=dc=domain, dc=com
 
 (Replace domain with the correct domain for this company.)
 
 For example, ours would be:
 start=dc=evansville, dc=edu
 
 As I mentioned in another message, all users, by default, can query the
 Active Directory.  This could change if the domain admins changed this
 functionality.
 
 If this still doesn't work, change the start to an existing OU:
 start=ou=users, dc=domain, dc=com and see if you can query from that
 point.
 
 It may be possible that your user account doesn't have access to the
 root of the directory.
 
 M!ke
 


~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192125
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP and Active Directory Problem

[James Holmes]

If things are configured for any sort of security, you don't get the
password back at all. You perform a login via LDAP by doing an LDAP bind
(passing the user's username and password in the query). I'd use the DN to
identify the user in the directory.

-Original Message-
From: Duncan I Loxton [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 13 January 2005 8:04 
To: CF-Talk
Subject: LDAP and Active Directory Problem

I am trying to use cfldap to query AD and get the username and password of
the users and some other personal details out.

[snip]

~|
Purchase Dreamweaver with Homesite Plus from House of Fusion, a Macromedia 
Authorized Affiliate and support the CF community.
http://www.houseoffusion.com/banners/view.cfm?bannerid=54

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:190178
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

Re: LDAP and Active Directory Problem

[Duncan I Loxton]

I managed to work out a solution, and I posted it here:

http://www.sixfive.co.uk/news/?nid=136




On Thu, 13 Jan 2005 09:51:02 +0800, James Holmes
[EMAIL PROTECTED] wrote:
 If things are configured for any sort of security, you don't get the
 password back at all. You perform a login via LDAP by doing an LDAP bind
 (passing the user's username and password in the query). I'd use the DN to
 identify the user in the directory.
 
 -Original Message-
 From: Duncan I Loxton [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 13 January 2005 8:04
 To: CF-Talk
 Subject: LDAP and Active Directory Problem
 
 I am trying to use cfldap to query AD and get the username and password of
 the users and some other personal details out.
 
 [snip]
 
 

~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:190181
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP and Active Directory Problem

[James Holmes]

Yes, the cftry block is exactly the right way to do it. 

-Original Message-
From: Duncan I Loxton [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 13 January 2005 10:14 
To: CF-Talk
Subject: Re: LDAP and Active Directory Problem

I managed to work out a solution, and I posted it here:

http://www.sixfive.co.uk/news/?nid=136

~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble 
Ticket application

http://www.houseoffusion.com/banners/view.cfm?bannerid=48

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:190182
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54

RE: LDAP inconstancies

[Dawson, Michael]

You might try using Softterra's LDAP Browser product.It's free and
very nice.It could help narrow down where the problem actually lies.

 
M!ke



From: Ian Skinner [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 05, 2004 10:41 AM
To: CF-Talk
Subject: RE: LDAP inconstancies

What seems to be the problem?I don't know the guts of it, but I have a
bit of experience with LDAP and Active Directory.

Well, it is not really a Problem since all the groups we need for the
web are consistently returned.But for some reason we get a different
lists of groups for specific users when the login code, using cfldap
to get their groups from active directory, is installed on different
servers.The servers are set up on the same network, and use the exact
same ldap code connecting to the same active directory repository with
the same user and password.

As I said the groups we need are consistently returned by both servers,
but our QA department needs to know why there is a difference and I
don't know enough about active directory to explain the differences.
--
Ian Skinner
Web Programmer
BloodSource
file:///C:\Documents%20and%20Settings\iskinner\Application%20Data\Micro
soft\Signatures\www.BloodSource.org www.BloodSource.org
http://www.BloodSource.orgSacramento 
Sacramento, CA

C code. C code run. Run code run. Please!
- Cynthia Dunning

Confidentiality Notice:This message including any
attachments is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the
intended recipient, please contact the sender and
delete any copies of this message. 

 [Todays Threads] 
 [This Message] 
 [Subscription] 
 [Fast Unsubscribe] 
 [User Settings]
 [Donations and Support]

RE: LDAP inconstancies

[Ian Skinner]

What seems to be the problem?I don't know the guts of it, but I have a
bit of experience with LDAP and Active Directory.

Well, it is not really a Problem since all the groups we need for the web are consistently returned.But for some reason we get a different lists of groups for specific users when the login code, using cfldap to get their groups from active directory, is installed on different servers.The servers are set up on the same network, and use the exact same ldap code connecting to the same active directory repository with the same user and password.

 
As I said the groups we need are consistently returned by both servers, but our QA department needs to know why there is a difference and I don't know enough about active directory to explain the differences.
--
Ian Skinner
Web Programmer
BloodSource
file:///C:\Documents%20and%20Settings\iskinner\Application%20Data\Microsoft\Signatures\www.BloodSource.org www.BloodSource.org http://www.BloodSource.orgSacramento 
Sacramento, CA

C code. C code run. Run code run. Please!
- Cynthia Dunning

Confidentiality Notice:This message including any
attachments is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the
intended recipient, please contact the sender and
delete any copies of this message.
 [Todays Threads] 
 [This Message] 
 [Subscription] 
 [Fast Unsubscribe] 
 [User Settings]
 [Donations and Support]

RE: LDAP inconstancies

[Dawson, Michael]

What seems to be the problem?I don't know the guts of it, but I have a
bit of experience with LDAP and Active Directory.



From: Ian Skinner [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 04, 2004 6:15 PM
To: CF-Talk
Subject: LDAP inconstancies

Is anybody out there very knowledge of the underpinnings of CFLDAP?We
have modified the ntsecurity.cfc to use LDAP to get the user groups
since we have seemed to run into a limitation of the group's method that
comes with ntsecurity.

But we are experiencing an interesting discrepancy.When the code is
run on different machines but for the same users, us, we get slightly
different results.Neither of us is experienced enough with the ins and
outs of window's networking to reliably explain this.Can anybody help?
TIA
--
Ian Skinner
Web Programmer
BloodSource
file:///C:\Documents%20and%20Settings\iskinner\Application%20Data\Micro
soft\Signatures\www.BloodSource.org www.BloodSource.org
http://www.BloodSource.orgSacramento 
Sacramento, CA

C code. C code run. Run code run. Please!
- Cynthia Dunning

Confidentiality Notice:This message including any
attachments is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the
intended recipient, please contact the sender and
delete any copies of this message. 

 [Todays Threads] 
 [This Message] 
 [Subscription] 
 [Fast Unsubscribe] 
 [User Settings]
 [Donations and Support]

RE: LDAP server is unwilling to perform

[d.a.collie]

 message of LDAP server is unwilling to perform

How busy is the traffic to the LDAP?Ours refuses connections after a
certain limit over a defined period of time, presumably to stop hack
attempts.

Might be a similar issue.

-- 
dc
 [Todays Threads] 
 [This Message] 
 [Subscription] 
 [Fast Unsubscribe] 
 [User Settings]

RE: LDAP, CF5.0 vs CFMX6.1

[Dave Watts]

 I have some code that does some M$ Exchange LDAP lookups that 
 works beautifully on a CFMX6.1 box, but bombs out on a CF5.0 
 box.I'm not using anything that is CFMX specific, AFAIK.
 But here is the code...anyone have any ideas?

I'm no LDAP expert, but I don't see anything wrong with your code. Are you
able to run any LDAP client on that machine and query the LDAP server
successfully?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
 [Todays Threads] 
 [This Message] 
 [Subscription] 
 [Fast Unsubscribe] 
 [User Settings]

RE: LDAP, CF5.0 vs CFMX6.1

[Douglas.Knudsen]

ah, good point, gonna try to do this.I know this CF5.0 box can connect to an LDAP store, a netscrape one I think.I just can't get it to connect to a M$ Exchange LDAP store.Also, Ihave tried this code on other CF5 boxes in my comapny and it bombs there too.I'm thinking something changed in the cfldap tag code in CFMX.I'm digging in the docs now.

 
The error is not very informative

 
CFLDAP 

Local error 

The error occurred while processing an element with a general identifier of (CFLDAP), occupying document position (54:3) to (90:5) in the template file c:\inetpub\wwwroot\corpdir_old2.cfm.

Doug

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Friday, December 12, 2003 1:02 PM
To: CF-Talk
Subject: RE: LDAP, CF5.0 vs CFMX6.1

 I have some code that does some M$ Exchange LDAP lookups that 
 works beautifully on a CFMX6.1 box, but bombs out on a CF5.0 
 box.I'm not using anything that is CFMX specific, AFAIK.
 But here is the code...anyone have any ideas?

I'm no LDAP expert, but I don't see anything wrong with your code. Are you
able to run any LDAP client on that machine and query the LDAP server
successfully?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444 
_
 [Todays Threads] 
 [This Message] 
 [Subscription] 
 [Fast Unsubscribe] 
 [User Settings]

Re: LDAP Monitoring Utility/Tool/CF Script

[jon hall]

Surely this feature-rich monitoring tool lets you monitor ports 389
and 636 on your LDAP server?

-- 
 jon
 mailto:[EMAIL PROTECTED]

Tuesday, July 15, 2003, 8:49:59 AM, you wrote:
AC Hi,
AC I'm searching for a free LDAP monitoring utility/tool
AC or atleast a script. Basically I want to have an
AC update of the LDAP Server at all times. The
AC utility/script should alert me when something goes
AC wrong (service stops/fails). I am using Nagios. Nagios
AC is a feature-rich network monitoring package. It can
AC also be configured to send alerts and perform other
AC actions when problems are detected.

AC Is there anyone who can help me?
AC Thanks

AC Allan

~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq

Your ad could be here. Monies from ads go to support these lists and provide more 
resources for the community. 
http://www.fusionauthority.com/ads.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: LDAP Monitoring Utility/Tool/CF Script

[Michael C. Jackson]

Well, aside from just checking the port, I'm sure it would be ideal to
see if searches are actually working.  I see a couple of different ways
to do this (and this is assuming ColdFusion MX):

The ideal way to do it would be to simply use CFLDAP, and query an
object periodically that you know will be there.

Otherwise, find some sort of JDBC driver that can handle LDAP.  The
openldap project has a bridge available that will do this, I believe.
At that point, you just have it run a search periodically.

If you can't do that, I'm sure you can use SNMP - somehow.

If you can't do that, then grab one of the LDAP command tools, like
ldapsearch, and call that via a CFEXECUTE periodically, and parse the
output for what you are expecting.

Pretty? Not really... But it is functional.

I'd be surprised if Nagios didn't have some sort of LDAP monitoring
built in.

Michael Jackson
Systems Engineer
[EMAIL PROTECTED]
http://www.cfxhosting.com/

-Original Message-
From: jon hall [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 15, 2003 09:50 AM
To: CF-Talk
Subject: Re: LDAP Monitoring Utility/Tool/CF Script


Surely this feature-rich monitoring tool lets you monitor ports 389
and 636 on your LDAP server?

Tuesday, July 15, 2003, 8:49:59 AM, you wrote:
AC Hi,
AC I'm searching for a free LDAP monitoring utility/tool
AC or atleast a script. Basically I want to have an
AC update of the LDAP Server at all times. The
AC utility/script should alert me when something goes
AC wrong (service stops/fails). I am using Nagios. Nagios
AC is a feature-rich network monitoring package. It can
AC also be configured to send alerts and perform other
AC actions when problems are detected.

~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq

Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. 
http://www.fusionauthority.com/signup.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

RE: LDAP binary

[webguy]

using ssl on linux?

-Original Message-
From: Dimo Michailov [mailto:[EMAIL PROTECTED]
Sent: 02 April 2003 17:16
To: CF-Talk
Subject: LDAP  binary


Hello all:

I am trying to extract a JPG binary image from our LDAP server but I get
back only the first 4 bytes, the rest seems truncated. Any help? The
code I use is:

cfldap server=our server here
action=query
name=getUserPhoto
attributes=jpegPhoto
start=our start dn
filter=((uid=userID))

The code above works on CF5 and crashes on MX. In CF5, the length of the
returned getUserPhoto.jpegPhoto is 4 bytes only, not the whole 2KB image.

Any help?

Thanks in advance -

Dimo Michailov


~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Your ad could be here. Monies from ads go to support these lists and provide more 
resources for the community. http://www.fusionauthority.com/ads.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89
70.4

Re: LDAP binary

[Dimo Michailov]

ColdFusion running under NT, LDAP under Solaris. No SSL being used.

Again, anyone can help?

Dimo

webguy wrote:
 using ssl on linux?
 
 -Original Message-
 From: Dimo Michailov [mailto:[EMAIL PROTECTED]
 Sent: 02 April 2003 17:16
 To: CF-Talk
 Subject: LDAP  binary
 
 
 Hello all:
 
 I am trying to extract a JPG binary image from our LDAP server but I get
 back only the first 4 bytes, the rest seems truncated. Any help? The
 code I use is:
 
 cfldap server=our server here
 action=query
 name=getUserPhoto
 attributes=jpegPhoto
 start=our start dn
 filter=((uid=userID))
 
 The code above works on CF5 and crashes on MX. In CF5, the length of the
 returned getUserPhoto.jpegPhoto is 4 bytes only, not the whole 2KB image.
 
 Any help?
 
 Thanks in advance -
 
 Dimo Michailov
 
 
 
~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89
70.4

Re: LDAP Question

[Michael Ross]

Try this
cfldap action=query 
name=auth 
start=cn=Scott Dowling, ou=users, ou=Taxes,ou=Accounting, dc=oag, dc=com 
attributes=dn, cn 
server=MyServer.Mine.gov 
scope=subtree

this is what I use to return all the users in our sub directory (we then have other 
containers to drill through, I am just starting higher up in the tree)

CFLDAP NAME=GetSubEntries
ACTION=Query
SERVER=xxx.xxx.xxx.xxx
ATTRIBUTES=ou, givenname, sn, loginDisabled, telephoneNUMBER
SCOPE=SUBTREE
SORT = #VARIABLES.SORTT#
SORTCONTROL=ASC
START=ou=surg,ou=com,ou=campus,o=osu_mc



 [EMAIL PROTECTED] 02/12/03 03:13PM 
Hi guys. Having a minor problem accessing the active directory using
LDAP. I can connect ok and I can even get the info I need. Problem is
because our directory is broken up and divided into many containers such
as for each division and each section within a division. 

For instance, Im in accounting and within accounting im in taxes. And I
have a container for accounting and within that container I have 4 more
containers for each section one of which is taxes. Well right now I need
my LDAP query to go all the way into both accounting and taxes to find
me. Whereas I need it to be able to look in all the containers in
accounting so anyone in accounting can log in.

cftry
cfldap action=query 
name=auth 
start=cn=Scott Dowling, ou=users, ou=Taxes,
ou=Accounting, dc=oag, dc=com 
attributes=userPrincipalName 
server=MyServer.Mine.gov 
username=Scott Dowling 
password=MyPass 
scope=subtree

cfoutput #Auth.Recordcount# /cfoutput

See in the above query I need to drill down right to my name in the
containers to get a recordcount of 1(meaning a match) If I try to go and
look into just the accounting container it wont find me. How do I get it
to search all the containers in our dc and look for a match? Thanks!

~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Re: LDAP Passwords

[Deanna Schneider]

Hm...I think we use netscape directory services, and I pulled that code
directly from a production app that never gives us problems. I would guess
there are some other attributes set in there (though I'm not positive). I
guess the only thing I could suggest is to set up a dummy ldap account and
do some testing.

-d


Deanna Schneider
Interactive Media Developer
[EMAIL PROTECTED]



~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Re: LDAP Passwords

[Deanna Schneider]

You mean like so:
!--- Change password ---
 cfldap server=#request.ldapserver# port=389 action=modify
  username=uid=#request.ldapusername#, ou=CES, ou=uwex, o=Extension
 password=#request.ldappassword# attributes=userpassword=#form.password#
dn=uid=#newid#, ou=CES, ou=uwex, o=Extension


Deanna Schneider
Interactive Media Developer
[EMAIL PROTECTED]



~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Your ad could be here. Monies from ads go to support these lists and provide more 
resources for the community. http://www.fusionauthority.com/ads.cfm

Re: LDAP Passwords

[Darren Houle]

Deanna,

Yes!   but the CF 4.5 documentation warns that when you modify you
must specify all values for all existing attributes along with the new
ones because any existing attributes you don't specify will be
overwritten with empty values.

We use an LDAP bridge into Novell NDS and there are way too many
attributes to reiterate when we just want to set the password.  I
thought there might be a more straightforward way to do this.

Am I wrong on this detail?

Thanks again,
Darren




 [EMAIL PROTECTED] 10/03/02 04:13PM 
You mean like so:
!--- Change password ---
 cfldap server=#request.ldapserver# port=389 action=modify
  username=uid=#request.ldapusername#, ou=CES, ou=uwex, o=Extension
 password=#request.ldappassword#
attributes=userpassword=#form.password#
dn=uid=#newid#, ou=CES, ou=uwex, o=Extension


Deanna Schneider
Interactive Media Developer
[EMAIL PROTECTED] 




~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Get the mailserver that powers this list at http://www.coolfusion.com

Re: LDAP Passwords

[Michael Ross]

We use the ldap- Novell here as well.  If I remember nds won't let you change the 
password..but I could be wrong...anyways we have stayed away from allowing 
that.  Have you successfully done it?

 [EMAIL PROTECTED] 10/03/02 04:33PM 
Deanna,

Yes!   but the CF 4.5 documentation warns that when you modify you
must specify all values for all existing attributes along with the new
ones because any existing attributes you don't specify will be
overwritten with empty values.

We use an LDAP bridge into Novell NDS and there are way too many
attributes to reiterate when we just want to set the password.  I
thought there might be a more straightforward way to do this.

Am I wrong on this detail?

Thanks again,
Darren




 [EMAIL PROTECTED] 10/03/02 04:13PM 
You mean like so:
!--- Change password ---
cfldap server=#request.ldapserver# port=389 action=modify
  username=uid=#request.ldapusername#, ou=CES, ou=uwex, o=Extension
password=#request.ldappassword#
attributes=userpassword=#form.password#
dn=uid=#newid#, ou=CES, ou=uwex, o=Extension


Deanna Schneider
Interactive Media Developer
[EMAIL PROTECTED] 





~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm

Re: LDAP Passwords

[Darren Houle]

I know that the NDK has Java api's that allow you to accomplish this but
I was hoping i wouldn't have to install jar files etc.

We authenticate to web apps using LDAP but haven't done the password
reset thing yet, but we will.  It's just a matter of which method we
wind up using.

Darren


 [EMAIL PROTECTED] 10/03/02 04:48PM 
We use the ldap- Novell here as well.  If I remember nds won't let you
change the password..but I could be wrong...anyways we have
stayed away from allowing that.  Have you successfully done it?

 [EMAIL PROTECTED] 10/03/02 04:33PM 
Deanna,

Yes!   but the CF 4.5 documentation warns that when you modify you
must specify all values for all existing attributes along with the new
ones because any existing attributes you don't specify will be
overwritten with empty values.

We use an LDAP bridge into Novell NDS and there are way too many
attributes to reiterate when we just want to set the password.  I
thought there might be a more straightforward way to do this.

Am I wrong on this detail?

Thanks again,
Darren




 [EMAIL PROTECTED] 10/03/02 04:13PM 
You mean like so:
!--- Change password ---
cfldap server=#request.ldapserver# port=389 action=modify
  username=uid=#request.ldapusername#, ou=CES, ou=uwex, o=Extension
password=#request.ldappassword#
attributes=userpassword=#form.password#
dn=uid=#newid#, ou=CES, ou=uwex, o=Extension


Deanna Schneider
Interactive Media Developer
[EMAIL PROTECTED] 






~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.

RE: LDAP/Active Directory

[LANCASTER, STEVEN M. (JSC-OL) (BAR)]

I have a guy here at work working on an LDAP server (brand New) I will get
some info from him and pass it along to you.

Steven Lancaster
Barrios Technology
NASA/JSC
281-244-2444 (voice)
[EMAIL PROTECTED] 

 

-Original Message-
From: Timothy Heald [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 4:15 PM
To: CF-Talk
Subject: LDAP/Active Directory


Does anyone have links to good resources for using Active Directory through
LDAP?  I am doing some work on this now, I have the tutorial out on the MM
site, but I am also looking for anything I should look out for? Pitfalls
people?

TIA :)

Tim Heald
ACP/CCFD :)
Application Development
www.schoollink.net


__
Your ad could be here. Monies from ads go to support these lists and provide more 
resources for the community. http://www.fusionauthority.com/ads.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

RE: LDAP/Active Directory

[Timothy Heald]

That would be great.  The error messages are horrible.  You get LDAP Error
and that's about it.  At least with the SQL messages you get a clue :)

Tim Heald
ACP/CCFD :)
Application Development
www.schoollink.net

 -Original Message-
 From: LANCASTER, STEVEN M. (JSC-OL) (BAR)
 [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 04, 2002 5:37 PM
 To: CF-Talk
 Subject: RE: LDAP/Active Directory


 I have a guy here at work working on an LDAP server (brand New) I will get
 some info from him and pass it along to you.

 Steven Lancaster
 Barrios Technology
 NASA/JSC
 281-244-2444 (voice)
 [EMAIL PROTECTED]



 -Original Message-
 From: Timothy Heald [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 04, 2002 4:15 PM
 To: CF-Talk
 Subject: LDAP/Active Directory


 Does anyone have links to good resources for using Active
 Directory through
 LDAP?  I am doing some work on this now, I have the tutorial out on the MM
 site, but I am also looking for anything I should look out for? Pitfalls
 people?

 TIA :)

 Tim Heald
 ACP/CCFD :)
 Application Development
 www.schoollink.net


 
__
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

Re: LDAP and CF Resources

[Michael Ross]

the query time is slower than hitting a regular db, how large are your queries?  how 
powerful is your ldap server?, whats the network connection to it like?  this things 
can cause a ldap query to be significantly slowedand may cause cf to lock up on 
rare occasions.

 [EMAIL PROTECTED] 05/20/02 10:10AM 
We recently launched an app that uses LDAP. It's a phone directory. Since
its release we have had problems with CF locking up. Anyone know if LDAP is
a CF resource hog?

James


__
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists