RE: LDAP Query Performance question
Mike- When you do this is this a loop that runs 5500 queries or 1 query that updates 5500 records? Just curious what the impact is for each connection. John -Original Message- From: Dawson, Michael [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2008 3:45 PM To: cf-talk Subject: RE: LDAP Query Performance question Oh, by the way, regarding my earlier message. We have about 5,500 accounts that I update on a daily basis. Performance isn't really an issue, however, I have plans to cut this down from taking several minutes, to just a few dozen seconds. Mike -Original Message- From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2008 12:03 PM To: cf-talk Subject: RE: LDAP Query Performance question It's just a nightly task but it may have 300-400 results each time it runs. I don't think it'll bring down the house or anything it just brought up the question to see if there was a more elegant way of doing it. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314769 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Query Performance question
My current process is to query AD using CFLDAP. That returns about 5,500 user objects. Then, I loop over those results and perform a CFQUERY to a SQL 2005 database. Our SQL server is pretty beefy, so we haven't had any performance issues. My goal of this process is to compare names, titles, phones, addresses, etc, from AD to the daily-updated information in SQL. If any one of the data attributes is different, then I perform an LDAP update to refresh that particular user object. It does take a few minutes to run, however, I have found a faster method of connecting AD directly to SQL Server. When I get some time, I'm going to rewrite this process to actually join AD and the SQL table and compare the data in one swoop rather than thousands of swoops. Then, I will be able to schedule this as a SQL job and take the full load of of ColdFusion. Until then, it doesn't hurt a thing. Mike -Original Message- From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2008 9:19 AM To: cf-talk Subject: RE: LDAP Query Performance question Mike- When you do this is this a loop that runs 5500 queries or 1 query that updates 5500 records? Just curious what the impact is for each connection. John ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314770 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: LDAP Query Performance question
See, I'm doing the opposite. I'm getting a list of accounts from a SQL database and trying to then perform a read query to get those user accounts from AD. However, I can't find an elegant way to do that in 1 query so I'm looping over my results and doing individual queries to the AD for each account. I'm definitely looking into this AD/SQL linking which I had never heard of before. Thanks for the help! John -Original Message- From: Dawson, Michael [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2008 10:27 AM To: cf-talk Subject: RE: LDAP Query Performance question My current process is to query AD using CFLDAP. That returns about 5,500 user objects. Then, I loop over those results and perform a CFQUERY to a SQL 2005 database. Our SQL server is pretty beefy, so we haven't had any performance issues. My goal of this process is to compare names, titles, phones, addresses, etc, from AD to the daily-updated information in SQL. If any one of the data attributes is different, then I perform an LDAP update to refresh that particular user object. It does take a few minutes to run, however, I have found a faster method of connecting AD directly to SQL Server. When I get some time, I'm going to rewrite this process to actually join AD and the SQL table and compare the data in one swoop rather than thousands of swoops. Then, I will be able to schedule this as a SQL job and take the full load of of ColdFusion. Until then, it doesn't hurt a thing. Mike -Original Message- From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2008 9:19 AM To: cf-talk Subject: RE: LDAP Query Performance question Mike- When you do this is this a loop that runs 5500 queries or 1 query that updates 5500 records? Just curious what the impact is for each connection. John ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314771 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Query Performance question
Would it help if you used some sort of group membership? For example, your SQL query would add all accounts to a domain group, or remove accounts, as needed. Then, you would just pull all members of that group in one CFLDAP query. I do something similar to this every morning. My process determines who is an active employee, faculty or student. I have a SSIS job that pulls current employment information from our HR system. It then checks to see if each employee is a member of our Current Employees domain group. If it is not a member, it adds them. Conversely, it also checks to see if any group members are no longer employed. If not, they are removed from the domain group. The result is the domain group is competely updated every morning. Performance is high, because group membership does not change greatly on a daily basis. You may add/drop a member here and there, but the entire group is usually not completely changed. mike -Original Message- From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2008 9:31 AM To: cf-talk Subject: RE: LDAP Query Performance question See, I'm doing the opposite. I'm getting a list of accounts from a SQL database and trying to then perform a read query to get those user accounts from AD. However, I can't find an elegant way to do that in 1 query so I'm looping over my results and doing individual queries to the AD for each account. I'm definitely looking into this AD/SQL linking which I had never heard of before. Thanks for the help! John ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314773 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: LDAP Query Performance question
Here is a link to information about optimizing and profiling ldap queries to AD: http://robbieallen.com/downloads/RAllen_LDAP_Searching.ppt On Fri, Oct 31, 2008 at 11:25 AM, Burns, John D [EMAIL PROTECTED] wrote: I have a query of a SQL table that returns to me a bunch of usernames. From that, I need to query some information out of Active Directory for each user. Right now I have it looping over each row in the result from the SQL query and doing a separate LDAP query to the AD. This just doesn't seem like the best way to do things. Does anyone know if there's a syntax within LDAP querying of the AD to do something like an IN keyword where I could give the whole list of usernames I want to query and get a single result set back from one query instead of doing individual queries? There's no commonality amongst the user accounts in the AD except for the fact that their usernames are all in this external SQL table. Let me know if you have any ideas. Or maybe the single LDAP queries aren't as intensive as bad as what I'm thinking. I just know I always try to avoid multiple queries in SQL whenever possible. Here's the syntax I'm using now when querying the AD: cfldap action=QUERY name=GetEmployeeIDByUsername attributes=cn,displayName,givenName,extensionAttribute1 start=dc=domain,dc=com scope=subtree filter=((objectCategory=Person)(cn=#myQuery.username#)) server=domaincontroller.mydomain.com username=#ADUsername# password=#ADPassword# Thanks in advance for any help. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314681 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: LDAP Query Performance question
On Friday 31 Oct 2008, Burns, John D wrote: I have a query of a SQL table that returns to me a bunch of usernames. From that, I need to query some information out of Active Directory for each user. Right now I have it looping over each row in the result from Firstly, how many is a bunch, how up-to-date does the result for each need to be,and how often is the AD data updated (and how) ? It maybe you can just cache the result, or have the new data for a person pushed to you. -- Tom Chiverton Helping to efficiently incentivize visionary intuitive six-generation environments This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314682 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Query Performance question
It's just a nightly task but it may have 300-400 results each time it runs. I don't think it'll bring down the house or anything it just brought up the question to see if there was a more elegant way of doing it. -Original Message- From: Tom Chiverton [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2008 12:51 PM To: cf-talk Subject: Re: LDAP Query Performance question On Friday 31 Oct 2008, Burns, John D wrote: I have a query of a SQL table that returns to me a bunch of usernames. From that, I need to query some information out of Active Directory for each user. Right now I have it looping over each row in the result from Firstly, how many is a bunch, how up-to-date does the result for each need to be,and how often is the AD data updated (and how) ? It maybe you can just cache the result, or have the new data for a person pushed to you. -- Tom Chiverton Helping to efficiently incentivize visionary intuitive six-generation environments This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314684 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Query Performance question
First, do you have SQL Server 200x? If so, create a link to Active Directory and then you can join the two datasources just as you would join two tables. If not, retrieve all your AD accounts, using a single CFLDAP query and store them in a SQL database. From there, you can join the data as needed. If you have a beefy domain controller, you should not have any problems hitting the directory hundreds, or thousands, of times. I do this on an almost-daily basis. You could build your LDAP filter to retrieve multiple accounts, however, I wouldn't have it return more than a couple dozen, at a time. Try changing your filter to be something like: ((objectCategory=Person)(|(cn=user_1)(cn=user_2)(cn=user_n))) Personally, I'd just hit the domain controllers as you are doing now and be happy in the simplicity of the solution. Mike -Original Message- From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2008 11:26 AM To: cf-talk Subject: LDAP Query Performance question I have a query of a SQL table that returns to me a bunch of usernames. From that, I need to query some information out of Active Directory for each user. Right now I have it looping over each row in the result from the SQL query and doing a separate LDAP query to the AD. This just doesn't seem like the best way to do things. Does anyone know if there's a syntax within LDAP querying of the AD to do something like an IN keyword where I could give the whole list of usernames I want to query and get a single result set back from one query instead of doing individual queries? There's no commonality amongst the user accounts in the AD except for the fact that their usernames are all in this external SQL table. Let me know if you have any ideas. Or maybe the single LDAP queries aren't as intensive as bad as what I'm thinking. I just know I always try to avoid multiple queries in SQL whenever possible. Here's the syntax I'm using now when querying the AD: cfldap action=QUERY name=GetEmployeeIDByUsername attributes=cn,displayName,givenName,extensionAttribute1 start=dc=domain,dc=com scope=subtree filter=((objectCategory=Person)(cn=#myQuery.username#)) server=domaincontroller.mydomain.com username=#ADUsername# password=#ADPassword# Thanks in advance for any help. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314700 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Query Performance question
Oh, by the way, regarding my earlier message. We have about 5,500 accounts that I update on a daily basis. Performance isn't really an issue, however, I have plans to cut this down from taking several minutes, to just a few dozen seconds. Mike -Original Message- From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2008 12:03 PM To: cf-talk Subject: RE: LDAP Query Performance question It's just a nightly task but it may have 300-400 results each time it runs. I don't think it'll bring down the house or anything it just brought up the question to see if there was a more elegant way of doing it. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314701 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: LDAP Query Performance question
LDAP is optimized for reading, so I would assume that tens of thousands of requests per second shouldn't phase it. (OpenLDAP 2.4 can handle 32,000 per second, (I can't seem to find a number for Active Directory)). speeves On Fri, Oct 31, 2008 at 2:45 PM, Dawson, Michael [EMAIL PROTECTED]wrote: Oh, by the way, regarding my earlier message. We have about 5,500 accounts that I update on a daily basis. Performance isn't really an issue, however, I have plans to cut this down from taking several minutes, to just a few dozen seconds. Mike -Original Message- From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2008 12:03 PM To: cf-talk Subject: RE: LDAP Query Performance question It's just a nightly task but it may have 300-400 results each time it runs. I don't think it'll bring down the house or anything it just brought up the question to see if there was a more elegant way of doing it. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314704 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Query Performance question
AD can handle 32,001 ;^) -Original Message- From: Shannon Peevey [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2008 3:06 PM To: cf-talk Subject: Re: LDAP Query Performance question LDAP is optimized for reading, so I would assume that tens of thousands of requests per second shouldn't phase it. (OpenLDAP 2.4 can handle 32,000 per second, (I can't seem to find a number for Active Directory)). speeves ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314705 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: LDAP Query Performance question
My point exactly :) On Fri, Oct 31, 2008 at 3:17 PM, Dawson, Michael [EMAIL PROTECTED]wrote: AD can handle 32,001 ;^) -Original Message- From: Shannon Peevey [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2008 3:06 PM To: cf-talk Subject: Re: LDAP Query Performance question LDAP is optimized for reading, so I would assume that tens of thousands of requests per second shouldn't phase it. (OpenLDAP 2.4 can handle 32,000 per second, (I can't seem to find a number for Active Directory)). speeves ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314707 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Query for group members
There are a couple of solutions to this issue, however, one is the best. I'll save that for last, of course. Member is a multi-value attribute in Active Directory. By default, it is a comma-delimited value. As you have found, distinguished names are also comma-delimted by nature. You can solve this issue by using CFLDAP's SEPARATOR attribute. If you specify a tab char, chr(9), you will get back a tab-separated list of member distinguished names. You can then use CFLOOP to loop over each member. However, if you want to know the member's first name, you would have to perform another LDAP query for each member. That could, and will, be very slow, if you have a large group. You will also have a limitation of 1000 members. Active Directory returns only 1000 values in a multi-value attribute. There is a workaround for this, but it really sucks. I don't even want to talk about it. Basically, this will get you close to what you are doing now, with the only improvement of a tab-separated list of members. The best solution comes now... It is so simple, it will make you giggle. Rather than query a group's members, you are better off querying all users who are a member of a group. Basically, you will set your filter to be: ((objectCategory=Person)(memberOf=DN=GroupName, OU=Org, DC=domain, DC=com)) Also, you need to specify the DELIMITER attribute in the CFLDAP tag. Set it to a tab character chr(9). You won't be passing any tabs in your filter, however, this prevents any errors because of the commas in the group's distinguished name. Then, in your CFLDAP tag, you can specify all of the user attributes that you need: givenName, sn, title, department, telephoneNumber, etc. You will get it all back in one CF query object. The best part is that you are not limited to the 1000-value limit that you would have hit by using the first method. However, you may hit another limit in the number of records that Active Directory returns via LDAP queries. By default, I think it may be 1000, but you can modify your domain controllers to increase that limit. I increased our limit to 10,000 records. If you have this problem, Google ntdsutil and maxpagesize or just click here: http://support.microsoft.com/kb/315071 m!ke -Original Message- From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Friday, February 22, 2008 9:30 AM To: CF-Talk Subject: LDAP Query for group members I'm trying to find out if there's a simpler way to do this than what I'm doing. Currently, I'm querying a group from LDAP and retrieving the attribute called Member which gives me this ugly result set of one record with all of these domain users' distinguished names instead of just the AD username. I can parse this, but it's a mess because the names look like this: CN=User.Name, OU=Users, OU=Location, OU=Organization, DC=domain, DC=com, CN=User2.Name, OU=Users,. The ldap code looks like this currently: cfldap action=QUERY name=GetGroupMembers attributes=Member start=dc=[domain],dc=com scope=subtree filter=((objectclass=group)(samaccountname=[groupI'mTryingtoGet])) server=[myDomainController] username=[username] password=[password] I'd like to find a way to query the names and have them return as a result set with one row for each user. Obviously, the parsing of the file would be difficult because of all the commas in a single record but it's possible because of each record starting with CN. Anyone have a better way of doing this? Is there some sort of LDAP function you can pass to get it to return just the username instead of the full DN? Eventually, I'm assuming I'll hit the same roadblock on querying a user's groups to see if they're in a specific group. Any information to make my life easier would be greatly appreciated. Thanks! John Burns ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;160198600;22374440;w Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299722 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Query for group members
Also, you need to specify the DELIMITER attribute in the CFLDAP tag. Set it to a tab character chr(9). You won't be passing any tabs in your filter, however, this prevents any errors because of the commas in the group's distinguished name. Ignore this part of my message. This is only needed if you are specifying a distinguished name in the ATTRIBUTES attribute. Since you are specifying the group's DN in the FILTER attribute, you don't need the DELIMITER attribute. Sorry for the confusion. I'm doing this from memory since I'm on a very slow dial-up connection through my Treo and I don't have access to my servers from here. m!ke ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;160198600;22374440;w Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299724 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: LDAP Query for group members
Michael- AWESOME! Thank you so much for the help. Is it as simple to add users to the group using the same method? Did you come up with this on your own or find this info somewhere? Any other tips of things I can look out for as I'm working with CFLDAP? John -Original Message- From: Dawson, Michael [mailto:[EMAIL PROTECTED] Sent: Friday, February 22, 2008 12:08 PM To: CF-Talk Subject: RE: LDAP Query for group members There are a couple of solutions to this issue, however, one is the best. I'll save that for last, of course. Member is a multi-value attribute in Active Directory. By default, it is a comma-delimited value. As you have found, distinguished names are also comma-delimted by nature. You can solve this issue by using CFLDAP's SEPARATOR attribute. If you specify a tab char, chr(9), you will get back a tab-separated list of member distinguished names. You can then use CFLOOP to loop over each member. However, if you want to know the member's first name, you would have to perform another LDAP query for each member. That could, and will, be very slow, if you have a large group. You will also have a limitation of 1000 members. Active Directory returns only 1000 values in a multi-value attribute. There is a workaround for this, but it really sucks. I don't even want to talk about it. Basically, this will get you close to what you are doing now, with the only improvement of a tab-separated list of members. The best solution comes now... It is so simple, it will make you giggle. Rather than query a group's members, you are better off querying all users who are a member of a group. Basically, you will set your filter to be: ((objectCategory=Person)(memberOf=DN=GroupName, OU=Org, DC=domain, DC=com)) Also, you need to specify the DELIMITER attribute in the CFLDAP tag. Set it to a tab character chr(9). You won't be passing any tabs in your filter, however, this prevents any errors because of the commas in the group's distinguished name. Then, in your CFLDAP tag, you can specify all of the user attributes that you need: givenName, sn, title, department, telephoneNumber, etc. You will get it all back in one CF query object. The best part is that you are not limited to the 1000-value limit that you would have hit by using the first method. However, you may hit another limit in the number of records that Active Directory returns via LDAP queries. By default, I think it may be 1000, but you can modify your domain controllers to increase that limit. I increased our limit to 10,000 records. If you have this problem, Google ntdsutil and maxpagesize or just click here: http://support.microsoft.com/kb/315071 m!ke -Original Message- From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Friday, February 22, 2008 9:30 AM To: CF-Talk Subject: LDAP Query for group members I'm trying to find out if there's a simpler way to do this than what I'm doing. Currently, I'm querying a group from LDAP and retrieving the attribute called Member which gives me this ugly result set of one record with all of these domain users' distinguished names instead of just the AD username. I can parse this, but it's a mess because the names look like this: CN=User.Name, OU=Users, OU=Location, OU=Organization, DC=domain, DC=com, CN=User2.Name, OU=Users,. The ldap code looks like this currently: cfldap action=QUERY name=GetGroupMembers attributes=Member start=dc=[domain],dc=com scope=subtree filter=((objectclass=group)(samaccountname=[groupI'mTryingtoGet])) server=[myDomainController] username=[username] password=[password] I'd like to find a way to query the names and have them return as a result set with one row for each user. Obviously, the parsing of the file would be difficult because of all the commas in a single record but it's possible because of each record starting with CN. Anyone have a better way of doing this? Is there some sort of LDAP function you can pass to get it to return just the username instead of the full DN? Eventually, I'm assuming I'll hit the same roadblock on querying a user's groups to see if they're in a specific group. Any information to make my life easier would be greatly appreciated. Thanks! John Burns ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;160198600;22374440;w Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299740 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: LDAP Query for group members
AWESOME! Thank you so much for the help. Is it as simple to add users to the group using the same method? Did you come up with this on your own or find this info somewhere? Any other tips of things I can look out for as I'm working with CFLDAP? John -Original Message- From: Dawson, Michael [mailto:[EMAIL PROTECTED] Sent: Friday, February 22, 2008 12:08 PM To: CF-Talk Subject: RE: LDAP Query for group members There are a couple of solutions to this issue, however, one is the best. I'll save that for last, of course. Member is a multi-value attribute in Active Directory. By default, it is a comma-delimited value. As you have found, distinguished names are also comma-delimted by nature. You can solve this issue by using CFLDAP's SEPARATOR attribute. If you specify a tab char, chr(9), you will get back a tab-separated list of member distinguished names. You can then use CFLOOP to loop over each member. However, if you want to know the member's first name, you would have to perform another LDAP query for each member. That could, and will, be very slow, if you have a large group. You will also have a limitation of 1000 members. Active Directory returns only 1000 values in a multi-value attribute. There is a workaround for this, but it really sucks. I don't even want to talk about it. Basically, this will get you close to what you are doing now, with the only improvement of a tab-separated list of members. The best solution comes now... It is so simple, it will make you giggle. Rather than query a group's members, you are better off querying all users who are a member of a group. Basically, you will set your filter to be: ((objectCategory=Person)(memberOf=DN=GroupName, OU=Org, DC=domain, DC=com)) Also, you need to specify the DELIMITER attribute in the CFLDAP tag. Set it to a tab character chr(9). You won't be passing any tabs in your filter, however, this prevents any errors because of the commas in the group's distinguished name. Then, in your CFLDAP tag, you can specify all of the user attributes that you need: givenName, sn, title, department, telephoneNumber, etc. You will get it all back in one CF query object. The best part is that you are not limited to the 1000-value limit that you would have hit by using the first method. However, you may hit another limit in the number of records that Active Directory returns via LDAP queries. By default, I think it may be 1000, but you can modify your domain controllers to increase that limit. I increased our limit to 10,000 records. If you have this problem, Google ntdsutil and maxpagesize or just click here: http://support.microsoft.com/kb/315071 m!ke ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;160198600;22374440;w Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299741 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Query for group members
Glad to help. Regarding group membership, check back through the archives on this list. Specifically, look on Thurs, Jan 17, 2008 at 9:12 AM. I posted a reply with the subject of RE: CFLdap. This reply contains the code that uses CFLDAP to add and remove domain group members. If you can't find it, let me know and I'll repost it for you. I learned most of this by combining Active Directory Users and Computers with LDAP. I would make a change in ADUC, then output all attributes via LDAP. Then, I would see which values would change. That is how I mapped-out many of the attributes. MSDN helped quite a bit, as well. I also picked up some obscure help by Googling. Other than knowing the multi-value attributes, and an odd binary attribute here and there, LDAP with Active Directory is cake. I would suggest that you install the Active Directory Schema MMC plug in on a domain controller. You can browse the schema and see which attributes are multi-values, which are indexed and find out the datatype/length of the attributes. I you have any other LDAP questions, let me know. M!ke _ From: Burns, John D [mailto:[EMAIL PROTECTED] Sent: Fri 2/22/2008 1:09 PM To: CF-Talk Subject: RE: LDAP Query for group members Michael- AWESOME! Thank you so much for the help. Is it as simple to add users to the group using the same method? Did you come up with this on your own or find this info somewhere? Any other tips of things I can look out for as I'm working with CFLDAP? John ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;160198600;22374440;w Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299768 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: LDAP
in general, no, I would say it's not a great idea, but sometimes requirements dictate that it has to be done. I've seen directories replicated out to a DMZ server to insulate things a bit, but I honestly don't see that as really improving security much, unless you are replicating non-sensitive information. for starters you should not open port 389 and instead open port 636 (and do LDAP over SSL/TLS). In addition, you could open a different port on the firewall (say 6636) and forward that to 636 on the inside. Also, if the rule is for traffic originating from a specific IP, that is much better than allowing anything in. I think a lot of this depends on how secure your LDAP servers are... in reality you shouldn't be able to do anything destructive without the necessary credentials. Even though the transmission of credentials will be encrypted, it doesn't change the fact that your server could be compromised and passwords sniffed before they go over the wire. I think there's a lot of variables to consider - if it *must* be done it tends to make admins more comfortable if the LDAP client is in a DMZ segment, thus under a bit more control (and can have IDS, etc) rather than a random server out on the Internet. Dave Ross http://www.coldspringframework.org Have an app that is remote from a network that is your standard LDAP/AD dealthe client's folks really want the remote app to authenticate back via LDAP. Now, I don't want to open up 389 in the firewall at all; so for you great CF minds out thereis it even remotely advisable to setup a firewall rule to accept 389 LDAP requests from a single IP address.so this CF app can do its thing?? I always err on the side of no in these situationsbut limiting it to a specific IP is decent...but relies on that system being correct and free of breachhas others seen this go on? Thanks Eric Eric J. Hoffman Managing Partner 1940 Greeley Street South Suite 102 StillwaterMN55082 mail: [EMAIL PROTECTED] www: http://www.ejhassociates.com tel: 651.717.4105 fax: 651.717.4101 mob: 651.245.2717 Adobe Solutions Partner Microsoft Certified Partner This message contains confidential information and is intended only for [EMAIL PROTECTED] If you are not [EMAIL PROTECTED] com you should not disseminate, distribute or copy this e-mail. Please notify [EMAIL PROTECTED] immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Eric J. Hoffman therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. ~| Get the answers you are looking for on the ColdFusion Labs Forum direct from active programmers and developers. http://www.adobe.com/cfusion/webforums/forum/categories.cfm?forumid-72catid=648 Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285419 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: LDAP
Eric J. Hoffman wrote: Have an app that is remote from a network that is your standard LDAP/AD dealthe client's folks really want the remote app to authenticate back via LDAP. Is LDAP a means or an end here? Do they specifically want LDAP or do they want something that allows single sign on and ties into AD and is LDAP just the first thing that came to their mind? Now, I don't want to open up 389 in the firewall at all; so for you great CF minds out thereis it even remotely advisable to setup a firewall rule to accept 389 LDAP requests from a single IP address.so this CF app can do its thing?? If they really want LDAP, you are going to have to give them LDAP. You can argue a security baseline and require IPSec, TLS, server hardening etc., but in the end the client is king. I always err on the side of no in these situationsbut limiting it to a specific IP is decent...but relies on that system being correct and free of breachhas others seen this go on? If they really want LDAP the entire security of the AD can be breached. The problem with LDAP authentication is that the users enter their credentials on the remote application, and the remote application checks the credentials with the LDAP server. If the remote application is breached, the credentials are breached because they pass through the remote application. What you really want is a Trusted Third Party setup where the users enter their credentials at the AD, and then the AD guarantees the identity to the remote application without revealing the credentials. If the remote application is breached, only the remote application is breached, not the credentials. If you want to do this right you should use something like Kerberos, A-Select, Shibboleth. Jochem ~| Download the latest ColdFusion 8 utilities including Report Builder, plug-ins for Eclipse and Dreamweaver updates. http;//www.adobe.com/cfusion/entitlement/index.cfm?e=labs%5adobecf8%5Fbeta Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285421 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: LDAP Anyone?
I am now updating images within LDAP by using CFHTTP to call an ASP page... As you say, it appears something might be lost in translation between cfldap and the underlying Java code. While looking into Java for a solution, a smart co-worker (thanks Peter Jacoby!) wrote a .NET script that updates the photo directly in its binary form. COLDFUSION CODE: cfif Trim(seljpegPhoto) neq cftry !--- upload image --- cffile action=upload filefield=seljpegPhoto destination=#root#\update\upload nameconflict=overwrite !--- cfhttp call passes file name to update.aspx which updates the photo --- cfhttp url=#webroot#qry/update.aspx?CN=#qry_get_one_emp.cn#photo=#file.serverfile# method=GET/cfhttp cfcatch type = Any cfset err = #err#liThere was an LDAP error updating your image./libr /cfcatch /cftry !--- we print a 1 in update.aspx page if successful --- cfif IsDefined(cfhttp.fileContent) and Trim(cfhttp.fileContent) neq 1 cfset err = #err#liThere was an LDAP error updating your image./libr /cfif /cfif UPDATE.ASPX CODE: % @Page Language=C# Debug=true CompilerOptions='/R:c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll'% %@ Import Namespace=System.DirectoryServices % script runat=server void Page_Load(object sender, EventArgs e) { //_LDAPSERVER_ is your server and _LDAPUSERNAME_ _LDAPPASSWORD_ is a username/password that has rights to update the binary attribute System.Drawing.Image imgInFile = System.Drawing.Image.FromFile(Server.MapPath(../update/upload/ + Request.QueryString[photo])); System.IO.MemoryStream ms = new System.IO.MemoryStream(); imgInFile.Save(ms, System.Drawing.Imaging.ImageFormat.Jpeg); DirectoryEntry personInfo = new DirectoryEntry(LDAP://_LDAPSERVER_/CN= + Request.QueryString[CN] + ,OU=NA,OU=Employees,O=Teleatlas,C=Global, _LDAPUSERNAME_, _LDAPPASSWORD_, AuthenticationTypes.None); try { personInfo.Properties[jpegPhoto][0] = ms.ToArray(); personInfo.CommitChanges(); Response.Write (1); } catch { Response.Write (ERROR: Cannot find employee + Request.QueryString[CN]); ms.Close(); imgInFile = null; Response.End(); } ms.Close(); imgInFile = null; } /script Thanks everyone for your help on this. I'm disappointed that CF couldn't do it. Or maybe I should reword that as I'm disappointed I couldn't figure out a CF-only solution. CF Wish list: CFLDAP with a file option like... cfldap action=modify DN=#qry_get_one_emp.distinguishedName# attributes=jpegPhoto files=#file.serverfile# modifytype=replace server=#LDAPServer# username=#LDAPUsername# password=#LDAPPassword# At any rate, I can now move on with my development and I thank everyone for their help on this. Especially Peter Jacoby! -Vince ~| Upgrade to Adobe ColdFusion MX7 The most significant release in over 10 years. Upgrade see new features. http://www.adobe.com/products/coldfusion?sdid=RVJR Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273966 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: LDAP Anyone?
I second this. Remember, because CF is typeless, when it tries to write to output binary in the cfldap tage, it might be expecting a string, not binary. How they've chosen to output the attributes, I don't know, but that might cause it to fail. I would double (triple?) check that the data sent through LDAP is, in fact, binary or encoded (base64 or hex or uuencode, etc). I wouldn't use a tool to do that as it might be altering results. Rather, try a packet sniffer to see what the actual contents are. If it's encoded, your life will be easier. If not, then you're probably going to have to investigate some Java-based alternative. My experience: I wanted a way to compress data. Specifically, I thought there should be a way to feed data through a CF function and get a compressed result. Since there's nothing that does it natively, I turned to Java. Java has a native GZipDataStream - very slick. The trouble was getting the data from CF -- it could only come and go as a String. I ended up requiring it to be base64 encoded to and from, and decode it once it was inside Java. (now I have a tag that will compress a datastream without writing to disk. I use it for squashing wddx packets for storage in a database) I think it was the interface they've written for custom CFX that's the limiter. -Original Message- From: Dinner [mailto:[EMAIL PROTECTED] Sent: Thursday, March 22, 2007 7:42 PM To: CF-Talk Subject: Re: LDAP Anyone? On a totally different note: Why not use some java solution? I bet you could even do something along the lines of cfmail, where CF has javamail (iirc), which totally rocks, but of which CF exposes only a tiny bit. Find what CF uses for LDAP, research it, and call it yourself using createObject(), if even just for the image upload stuff. Whenever I've run into a problem like that (IMAP stuff, in my case), I've found using the underlying java will do what CF couldn't, if in fact CF can't. HIH, and if you have questions about how to leverage some java package, feel free to ask. Maybe jldap ( openldap.org)? Eh... Force be with you! This email message may contain privileged and/or confidential information. If you are not the intended recipient(s), you are hereby notified that any dissemination, distribution, or copying of this email message is strictly prohibited. If you have received this message in error, please immediately notify the sender and delete this email message from your computer. CAUTION: The Agency of Human Services cannot ensure the confidentiality or security of email transmissions. ~| Deploy Web Applications Quickly across the enterprise with ColdFusion MX7 Flex 2 Free Trial http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJU Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273496 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: LDAP Anyone?
Thanks Dinner, Looking under the hood of CF sounds a bit scary but only because I have never done it before. I very much appreciate your suggestion and may have questions along the way. Dinner wrote: On a totally different note: Why not use some java solution? I bet you could even do something along the lines of cfmail, where CF has javamail (iirc), which totally rocks, but of which CF exposes only a tiny bit. Find what CF uses for LDAP, research it, and call it yourself using createObject(), if even just for the image upload stuff. Whenever I've run into a problem like that (IMAP stuff, in my case), I've found using the underlying java will do what CF couldn't, if in fact CF can't. HIH, and if you have questions about how to leverage some java package, feel free to ask. Maybe jldap ( openldap.org)? Eh... Force be with you! On 3/22/07, Vince C wrote: Thanks again Michael, I guess that's the question. Can ColdFusion do this now? In 6.1 or 7.0? I think it probably can but I don't know if there is some switch or other that can be passed along with this update that tells LDAP so. ~| Upgrade to Adobe ColdFusion MX7 Experience Flex 2 MX7 integration create powerful cross-platform RIAs http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJQ Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273504 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: LDAP Anyone?
I was told when I began this project by the LDAP administrator that it is storing images in base64. So I just encoded the binary file as toBase64() and the database took it just fine but it actually wasn't just fine. All images uploaded my my tool where corrupt. By using a third party tool, the images showed as corrupt with errors like may be partially truncated or otherwise invalid. Using a third party tool it also qualified my newly uploaded images at Text Attributes while the other good images were qualified as Binary Attributes. As you say, it appears something might be lost in translation between cfldap and the underlying Java code. I have never worked with Java before and am a bit nervous venturing into it today but at this point, if I'm going to call myself a programmer, I suppose I better attempt to actually be one and take this challenge on. Thanks for your help, I will now look into trying to figure out what CFLDAP is calling and go from there. Best Regards, Leitch, Oblio wrote: I second this. Remember, because CF is typeless, when it tries to write to output binary in the cfldap tage, it might be expecting a string, not binary. How they've chosen to output the attributes, I don't know, but that might cause it to fail. I would double (triple?) check that the data sent through LDAP is, in fact, binary or encoded (base64 or hex or uuencode, etc). I wouldn't use a tool to do that as it might be altering results. Rather, try a packet sniffer to see what the actual contents are. If it's encoded, your life will be easier. If not, then you're probably going to have to investigate some Java-based alternative. My experience: I wanted a way to compress data. Specifically, I thought there should be a way to feed data through a CF function and get a compressed result. Since there's nothing that does it natively, I turned to Java. Java has a native GZipDataStream - very slick. The trouble was getting the data from CF -- it could only come and go as a String. I ended up requiring it to be base64 encoded to and from, and decode it once it was inside Java. (now I have a tag that will compress a datastream without writing to disk. I use it for squashing wddx packets for storage in a database) I think it was the interface they've written for custom CFX that's the limiter. -Original Message- From: Dinner [mailto:[EMAIL PROTECTED] Sent: Thursday, March 22, 2007 7:42 PM To: CF-Talk Subject: Re: LDAP Anyone? On a totally different note: Why not use some java solution? I bet you could even do something along the lines of cfmail, where CF has javamail (iirc), which totally rocks, but of which CF exposes only a tiny bit. Find what CF uses for LDAP, research it, and call it yourself using createObject(), if even just for the image upload stuff. Whenever I've run into a problem like that (IMAP stuff, in my case), I've found using the underlying java will do what CF couldn't, if in fact CF can't. HIH, and if you have questions about how to leverage some java package, feel free to ask. Maybe jldap ( openldap.org)? Eh... Force be with you! This email message may contain privileged and/or confidential information. If you are not the intended recipient(s), you are hereby notified that any dissemination, distribution, or copying of this email message is strictly prohibited. If you have received this message in error, please immediately notify the sender and delete this email message from your computer. CAUTION: The Agency of Human Services cannot ensure the confidentiality or security of email transmissions. ~| Create robust enterprise, web RIAs. Upgrade integrate Adobe Coldfusion MX7 with Flex 2 http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJP Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273505 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: LDAP Anyone?
There are methods for storing binaries/images in a database field. You could also convert the binary information to text, then store the text in a database. You could do something similar with LDAP. Just create a new attribute that can hold a large text value. Treat your LDAP server just like you would a database. M!ke -Original Message- From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] Sent: Thursday, March 22, 2007 3:53 PM To: CF-Talk Subject: LDAP Anyone? It appears from the lack of response on this mail list to my question that none of you have any idea. I'm bummed and feel now I must look elsewhere besides ColdFusion to solve this problem. I will post this one last time in the hopes that someone will respond with an idea or suggestion: - - - - - - - - I have been asked to write a web-based editor to allow users to edit individual attributes themselves directly. I have done this and it is working for text attributes however it is not working for images. I have written the code to upload and READASBINARY the file. Then when putting the new file back into ldap I use jpegPhoto=#toBase64(BinaryImageContent)# which I was told that images for LDAP were stored in base64 (Let me know if I'm wrong) but it appears to not work for me. Is there some sort of switch you pass to LDAP when your code is updating an image attribute to somehow flag it as a binary attribute? I've been looking for an answer and have posted questions on more then 20 forums and blogs over the past week. You all may have detected that I am a bit frustrated and desperate :( cffile action=READBINARY file=#root#\update\upload\#file.serverfile# variable=BinaryImageContent cfldap action=modify DN=#qry_get_one_emp.distinguishedName# attributes=jpegPhoto=#toBase64(BinaryImageContent)# modifytype=replace server=#LDAPServer# username=#LDAPUsername# password=#LDAPPassword# Changing this attributes=jpegPhoto=#toBase64(BinaryImageContent)# to this attributes=jpegPhoto=#BinaryImageContent# also errors since it appears that CFLDAP or http does not allow you to use binary directly in the call. - - - - - - - I'm at a loss and looking for any help possible. I really don't want to tell my client that ColdFusion can not do this. I'd much rather say that I didn't know how and the ColdFusion community were able to help me. ~| ColdFusion MX7 by Adobe® Dyncamically transform webcontent into Adobe PDF with new ColdFusion MX7. Free Trial. http://www.adobe.com/products/coldfusion?sdid=RVJV Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273450 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: LDAP Anyone?
Thanks Michael, I am treating it like a database and all is well except for images. Text for example updates just fine. The directory has thousands of users which means thousands of images. Each image is stored in the directory as a binary attribute. I need to adhere to that field. Other tools use the existing images as they are stored currently (as binary). I can update the images using for example http://www-unix.mcs.anl.gov/~gawor/ldap/ which is an excellent java-based editor. It allows me to browse to my image and then it uploads it and all is well. Stored as a binary. However, if I change the way I store it because ColdFusion has to store it in a different way then all other tools such as that ldap browser/editor won't work and all the locations they are displaying it elsewhere would break. I'm hoping to find a way to update this existing binary attribute using CFLDAP or other tool. Dawson, Michael wrote: There are methods for storing binaries/images in a database field. You could also convert the binary information to text, then store the text in a database. You could do something similar with LDAP. Just create a new attribute that can hold a large text value. Treat your LDAP server just like you would a database. M!ke -Original Message- From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] Sent: Thursday, March 22, 2007 3:53 PM To: CF-Talk Subject: LDAP Anyone? It appears from the lack of response on this mail list to my question that none of you have any idea. I'm bummed and feel now I must look elsewhere besides ColdFusion to solve this problem. I will post this one last time in the hopes that someone will respond with an idea or suggestion: - - - - - - - - I have been asked to write a web-based editor to allow users to edit individual attributes themselves directly. I have done this and it is working for text attributes however it is not working for images. I have written the code to upload and READASBINARY the file. Then when putting the new file back into ldap I use jpegPhoto=#toBase64(BinaryImageContent)# which I was told that images for LDAP were stored in base64 (Let me know if I'm wrong) but it appears to not work for me. Is there some sort of switch you pass to LDAP when your code is updating an image attribute to somehow flag it as a binary attribute? I've been looking for an answer and have posted questions on more then 20 forums and blogs over the past week. You all may have detected that I am a bit frustrated and desperate :( cffile action=READBINARY file=#root#\update\upload\#file.serverfile# variable=BinaryImageContent cfldap action=modify DN=#qry_get_one_emp.distinguishedName# attributes=jpegPhoto=#toBase64(BinaryImageContent)# modifytype=replace server=#LDAPServer# username=#LDAPUsername# password=#LDAPPassword# Changing this attributes=jpegPhoto=#toBase64(BinaryImageContent)# to this attributes=jpegPhoto=#BinaryImageContent# also errors since it appears that CFLDAP or http does not allow you to use binary directly in the call. - - - - - - - I'm at a loss and looking for any help possible. I really don't want to tell my client that ColdFusion can not do this. I'd much rather say that I didn't know how and the ColdFusion community were able to help me. ~| Upgrade to Adobe ColdFusion MX7 The most significant release in over 10 years. Upgrade see new features. http://www.adobe.com/products/coldfusion?sdid=RVJR Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273453 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: LDAP Anyone?
Ah. I gotcha now. You don't want to break convention just for ColdFusion. I'm not sure how else I can help other than part of the functionality is there with the RETURNASBINARY attribute. However, I know of no corresponding send-type attribute. You should be able to get the image using ColdFusion, but no way to put an image into the directory. You might want to Google Damon Cooper and send him a message asking about this. They might be able to add this as part of Scorpio. M!ke -Original Message- From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] Sent: Thursday, March 22, 2007 4:13 PM To: CF-Talk Subject: Re: LDAP Anyone? Thanks Michael, I am treating it like a database and all is well except for images. Text for example updates just fine. The directory has thousands of users which means thousands of images. Each image is stored in the directory as a binary attribute. I need to adhere to that field. Other tools use the existing images as they are stored currently (as binary). I can update the images using for example http://www-unix.mcs.anl.gov/~gawor/ldap/ which is an excellent java-based editor. It allows me to browse to my image and then it uploads it and all is well. Stored as a binary. However, if I change the way I store it because ColdFusion has to store it in a different way then all other tools such as that ldap browser/editor won't work and all the locations they are displaying it elsewhere would break. I'm hoping to find a way to update this existing binary attribute using CFLDAP or other tool. Dawson, Michael wrote: There are methods for storing binaries/images in a database field. You could also convert the binary information to text, then store the text in a database. You could do something similar with LDAP. Just create a new attribute that can hold a large text value. Treat your LDAP server just like you would a database. M!ke -Original Message- From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] Sent: Thursday, March 22, 2007 3:53 PM To: CF-Talk Subject: LDAP Anyone? It appears from the lack of response on this mail list to my question that none of you have any idea. I'm bummed and feel now I must look elsewhere besides ColdFusion to solve this problem. I will post this one last time in the hopes that someone will respond with an idea or suggestion: - - - - - - - - I have been asked to write a web-based editor to allow users to edit individual attributes themselves directly. I have done this and it is working for text attributes however it is not working for images. I have written the code to upload and READASBINARY the file. Then when putting the new file back into ldap I use jpegPhoto=#toBase64(BinaryImageContent)# which I was told that images for LDAP were stored in base64 (Let me know if I'm wrong) but it appears to not work for me. Is there some sort of switch you pass to LDAP when your code is updating an image attribute to somehow flag it as a binary attribute? I've been looking for an answer and have posted questions on more then 20 forums and blogs over the past week. You all may have detected that I am a bit frustrated and desperate :( cffile action=READBINARY file=#root#\update\upload\#file.serverfile# variable=BinaryImageContent cfldap action=modify DN=#qry_get_one_emp.distinguishedName# attributes=jpegPhoto=#toBase64(BinaryImageContent)# modifytype=replace server=#LDAPServer# username=#LDAPUsername# password=#LDAPPassword# Changing this attributes=jpegPhoto=#toBase64(BinaryImageContent)# to this attributes=jpegPhoto=#BinaryImageContent# also errors since it appears that CFLDAP or http does not allow you to use binary directly in the call. - - - - - - - I'm at a loss and looking for any help possible. I really don't want to tell my client that ColdFusion can not do this. I'd much rather say that I didn't know how and the ColdFusion community were able to help me. ~| Create Web Applications With ColdFusion MX7 Flex 2. Build powerful, scalable RIAs. Free Trial http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJS Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273458 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: LDAP Anyone?
Thanks again Michael, I guess that's the question. Can ColdFusion do this now? In 6.1 or 7.0? I think it probably can but I don't know if there is some switch or other that can be passed along with this update that tells LDAP so. That's the question, can it be done now? I guess it may be the case that I am the only person on planet ColdFusion that has tried to update an image using CFLDAP? UGH! I'll give Damon Cooper a shot. Please folks, don't give up on me. I'm hoping someone is on vacation and will read this when they get back and enlighten me :) Dawson, Michael wrote: Ah. I gotcha now. You don't want to break convention just for ColdFusion. I'm not sure how else I can help other than part of the functionality is there with the RETURNASBINARY attribute. However, I know of no corresponding send-type attribute. You should be able to get the image using ColdFusion, but no way to put an image into the directory. You might want to Google Damon Cooper and send him a message asking about this. They might be able to add this as part of Scorpio. M!ke -Original Message- From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] Sent: Thursday, March 22, 2007 4:13 PM To: CF-Talk Subject: Re: LDAP Anyone? Thanks Michael, I am treating it like a database and all is well except for images. Text for example updates just fine. The directory has thousands of users which means thousands of images. Each image is stored in the directory as a binary attribute. I need to adhere to that field. Other tools use the existing images as they are stored currently (as binary). I can update the images using for example http://www-unix.mcs.anl.gov/~gawor/ldap/ which is an excellent java-based editor. It allows me to browse to my image and then it uploads it and all is well. Stored as a binary. However, if I change the way I store it because ColdFusion has to store it in a different way then all other tools such as that ldap browser/editor won't work and all the locations they are displaying it elsewhere would break. I'm hoping to find a way to update this existing binary attribute using CFLDAP or other tool. Dawson, Michael wrote: There are methods for storing binaries/images in a database field. You could also convert the binary information to text, then store the text in a database. You could do something similar with LDAP. Just create a new attribute that can hold a large text value. Treat your LDAP server just like you would a database. M!ke -Original Message- From: Vince Collins (NHJobs.com) [mailto:[EMAIL PROTECTED] Sent: Thursday, March 22, 2007 3:53 PM To: CF-Talk Subject: LDAP Anyone? It appears from the lack of response on this mail list to my question that none of you have any idea. I'm bummed and feel now I must look elsewhere besides ColdFusion to solve this problem. I will post this one last time in the hopes that someone will respond with an idea or suggestion: - - - - - - - - I have been asked to write a web-based editor to allow users to edit individual attributes themselves directly. I have done this and it is working for text attributes however it is not working for images. I have written the code to upload and READASBINARY the file. Then when putting the new file back into ldap I use jpegPhoto=#toBase64(BinaryImageContent)# which I was told that images for LDAP were stored in base64 (Let me know if I'm wrong) but it appears to not work for me. Is there some sort of switch you pass to LDAP when your code is updating an image attribute to somehow flag it as a binary attribute? I've been looking for an answer and have posted questions on more then 20 forums and blogs over the past week. You all may have detected that I am a bit frustrated and desperate :( cffile action=READBINARY file=#root#\update\upload\#file.serverfile# variable=BinaryImageContent cfldap action=modify DN=#qry_get_one_emp.distinguishedName# attributes=jpegPhoto=#toBase64(BinaryImageContent)# modifytype=replace server=#LDAPServer# username=#LDAPUsername# password=#LDAPPassword# Changing this attributes=jpegPhoto=#toBase64(BinaryImageContent)# to this attributes=jpegPhoto=#BinaryImageContent# also errors since it appears that CFLDAP or http does not allow you to use binary directly in the call. - - - - - - - I'm at a loss and looking for any help possible. I really don't want to tell my client that ColdFusion can not do this. I'd much rather say that I didn't know how and the ColdFusion community were able to help me. ~| Upgrade to Adobe ColdFusion MX7 The most significant release in over 10 years. Upgrade see new features. http://www.adobe.com
Re: LDAP Anyone?
On a totally different note: Why not use some java solution? I bet you could even do something along the lines of cfmail, where CF has javamail (iirc), which totally rocks, but of which CF exposes only a tiny bit. Find what CF uses for LDAP, research it, and call it yourself using createObject(), if even just for the image upload stuff. Whenever I've run into a problem like that (IMAP stuff, in my case), I've found using the underlying java will do what CF couldn't, if in fact CF can't. HIH, and if you have questions about how to leverage some java package, feel free to ask. Maybe jldap ( openldap.org)? Eh... Force be with you! On 3/22/07, Vince C wrote: Thanks again Michael, I guess that's the question. Can ColdFusion do this now? In 6.1 or 7.0? I think it probably can but I don't know if there is some switch or other that can be passed along with this update that tells LDAP so. ~| ColdFusion MX7 and Flex 2 Build sales marketing dashboard RIAâs for your business. Upgrade now http://www.adobe.com/products/coldfusion/flex2?sdid=RVJT Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:273470 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: LDAP Weidness
Can you ping/resolve this address from your web server's command line/prompt? -Original Message- From: Charles E. Heizer [mailto:[EMAIL PROTECTED] Sent: Friday, October 27, 2006 12:17 PM To: CF-Talk Subject: LDAP Weidness Hello, I'm doing a ldap query and I'm running into a weird issue. If I use the FQDN ldap.llnl.gov it does not work (Connection to LDAP Server failed). But, if I use the IP it works fine. Now, I know cfldap can work with using a FQDN since I'm connecting to another directory using the name not the IP. Has anyone seen this and if so how did you fix it? Thanks, - charles ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258299 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: Ldap -- structure = Not String and Not Object
lol. So you are saying the *friend* is buggy, not CF? ;^) -Original Message- From: James Holmes [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 25, 2006 6:54 PM To: CF-Talk Subject: Re: Ldap -- structure = Not String and Not Object I also recommend that you stop asking that particular friend about CF - the only buggy thing here is that person's understanding of CF syntax. So I asked a friend of mine and he suggested adding the ## and maybe putting the column in the variable name because he found CF to be a bit buggy in situations like these. ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238753 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Ldap -- structure = Not String and Not Object
hehe. Well, CF does have some bugs, but this was not one of them. On 4/26/06, Dawson, Michael [EMAIL PROTECTED] wrote: lol. So you are saying the *friend* is buggy, not CF? ;^) -Original Message- From: James Holmes [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 25, 2006 6:54 PM To: CF-Talk Subject: Re: Ldap -- structure = Not String and Not Object I also recommend that you stop asking that particular friend about CF - the only buggy thing here is that person's understanding of CF syntax. So I asked a friend of mine and he suggested adding the ## and maybe putting the column in the variable name because he found CF to be a bit buggy in situations like these. ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238764 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Ldap -- structure = Not String and Not Object
The first thing I would do is CFDUMP the LDAP query. That will show you what you are getting back from the CFLDAP tag. It is possible to store different types of items in an LDAP directory. Our Active Directory stores binary information related to our voicemail system. However, if you are only using uid and displayName, I don't see where the problem lies. CFDUMP will help. M!ke -Original Message- From: Joelle Tegwen [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 25, 2006 10:38 AM To: CF-Talk Subject: Ldap -- structure = Not String and Not Object I posted this on the newbie list and didn't get much of a response so I'm trying here. The goal is to take the ldap response and move it from a query object into a structure. I'm searching on a primary key so I know I'll only get 0 or 1 responses. My code says this: cfldap action=QUERY attributes=uid,displayName name=ldap scope=SUBTREE start=o=University of Minnesota, c=US filter=((cn=*#x500ID#*)) server=ldap.umn.edu port=389 cfloop list=#ldap.ColumnList# index=column cfset thisColumn=#column# cfset args[#thisColumn#]=ldap[#thisColumn#] / cfoutput#args[thisColumn]#/cfoutput !--- for debugging --- /cfloop Which gives me this error: Complex object types cannot be converted to simple values. And I said huh, I didn't expect that to be an object So I asked a friend of mine and he suggested adding the ## and maybe putting the column in the variable name because he found CF to be a bit buggy in situations like these. So I tried: cfloop list=#ldap.ColumnList# index=column cfset thisColumn=#column# cfset args[#thisColumn#]=ldap[#thisColumn#] / cfoutput#args[thisColumn]#/cfoutput !--- for debugging --- /cfloop I get the same error. So I say fine be that way and I try this: cfloop list=#ldap.ColumnList# index=column cfset thisColumn=#column# cfset args[#thisColumn#]=ldap[#ldap[thisColumn.value]#] / cfoutput#args[thisColumn]#/cfoutput !--- for debugging --- /cfloop Then the error is: You have attempted to dereference a scalar variable of type class java.lang.String as a structure with members. Which (seems to me) to be a direct contradiction of the previous error. How do I make this work? Thanks in advance Joelle Tegwen ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238624 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Ldap -- structure = Not String and Not Object
The dump looks like this: query - Top 1 of 1 Rows DISPLAYNAME UID 1 Joelle Tegwen tegwe002 So to me it looks like ldap.displayName is a string. (and it really should be) Is there something I'm missing? I'm pretty new to CF so it could be something totally obvious. Thanks Joelle Tegwen Dawson, Michael wrote: The first thing I would do is CFDUMP the LDAP query. That will show you what you are getting back from the CFLDAP tag. It is possible to store different types of items in an LDAP directory. Our Active Directory stores binary information related to our voicemail system. However, if you are only using uid and displayName, I don't see where the problem lies. CFDUMP will help. M!ke ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238636 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Ldap -- structure = Not String and Not Object
cfloop list=#ldap.ColumnList# index=column cfset thisColumn=#column# cfset args[#thisColumn#]=ldap[#thisColumn#] / cfoutput#args[thisColumn]#/cfoutput !--- for debugging --- /cfloop You are missing the row value of the ldap query. Thus your are not getting to the value of the field. When accessing a query with the structure syntax it is queryname[column][row]. So try using ldap[thisColumn][1], you do not need the quotes and pound signs. Also, only use this when you know you have at least one row, and that the first row is the one you want. -- Ian Skinner Web Programmer BloodSource www.BloodSource.org Sacramento, CA - | 1 | | - Binary Soduko | | | - C code. C code run. Run code run. Please! - Cynthia Dunning Confidentiality Notice: This message including any attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and delete any copies of this message. ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238650 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Ldap -- structure = Not String and Not Object
cfloop list=#ldap.ColumnList# index=column cfset thisColumn=#column# cfset args[#thisColumn#]=ldap[#thisColumn#] / cfoutput#args[thisColumn]#/cfoutput !--- for debugging --- /cfloop Oh just to clean all this up. And I have doing this exact type of functions for over two years, and have never had any ColdFusion problems. The cfset thisColumn is completly redundant and one does not need all the quotes and pound signs. cfloop list=#ldap.ColumnList# index=column cfset args[column]=ldap[column] / /cfloop cfdump var=#args# !--- For debugging of the entire loop at one time. --- -- Ian Skinner Web Programmer BloodSource www.BloodSource.org Sacramento, CA - | 1 | | - Binary Soduko | | | - C code. C code run. Run code run. Please! - Cynthia Dunning Confidentiality Notice: This message including any attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and delete any copies of this message. ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238651 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Ldap -- structure = Not String and Not Object
cfloop list=#ldap.ColumnList# index=column cfset args[column]=ldap[column] / /cfloop cfdump var=#args# !--- For debugging of the entire loop at one time. --- Ahh crud, now I forgot the row index. Corrected code below: cfloop list=#ldap.ColumnList# index=column cfset args[column]=ldap[column][1] / /cfloop ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238660 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Ldap -- structure = Not String and Not Object
Oh thank you! It worked wonderfully. I figured it was something simple. Thanks! (and thanks for being thorough.) Joelle Ian Skinner wrote: cfloop list=#ldap.ColumnList# index=column cfset args[column]=ldap[column] / /cfloop cfdump var=#args# !--- For debugging of the entire loop at one time. --- Ahh crud, now I forgot the row index. Corrected code below: cfloop list=#ldap.ColumnList# index=column cfset args[column]=ldap[column][1] / /cfloop ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238672 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Ldap -- structure = Not String and Not Object
I also recommend that you stop asking that particular friend about CF - the only buggy thing here is that person's understanding of CF syntax. So I asked a friend of mine and he suggested adding the ## and maybe putting the column in the variable name because he found CF to be a bit buggy in situations like these. On 4/26/06, Joelle Tegwen [EMAIL PROTECTED] wrote: Oh thank you! It worked wonderfully. I figured it was something simple. Thanks! (and thanks for being thorough.) Joelle Ian Skinner wrote: cfloop list=#ldap.ColumnList# index=column cfset args[column]=ldap[column] / /cfloop cfdump var=#args# !--- For debugging of the entire loop at one time. --- Ahh crud, now I forgot the row index. Corrected code below: cfloop list=#ldap.ColumnList# index=column cfset args[column]=ldap[column][1] / /cfloop -- CFAJAX docs and other useful articles: http://jr-holmes.coldfusionjournal.com/ ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:238740 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP Help
I fixed it by adding a delimiter and doing modify/modifytype=add instead. Final code for all those interested: cfldap action=modify modifytype=add delimiter=| attributes=RevSubscriber=CN=Anderson User,CN=Users,DC=ATCAgency,DC=com dn=CN=_Help Desk,CN=Users,DC=ATCAgency,DC=com server=serverIPAddress username=David Anderson password=mypassword -Original Message- From: David Anderson [mailto:[EMAIL PROTECTED] Sent: Friday, September 09, 2005 12:50 PM To: CF-Talk Subject: LDAP Help Hi guys, I'm trying to add a user attribute (RevSubscriber) to a group in our Active Directory. I'm getting the following error when trying to execute the CF below. Basically, I'm trying to add a member to the group, but call it RevSubscriber. cfldap action=add attributes=RevSubscriber=CN=Anderson User,CN=Users,DC=ATCAgency,DC=com dn=CN=_Help Desk,CN=Users,DC=ATCAgency,DC=com server=serverIPAddress username=David Anderson password=mypassword Here's the error: An error has occured while trying to execute add :[LDAP: error code 65 - 207B: UpdErr: DSID-03050C04, problem 6002 (OBJ_CLASS_VIOLATION), data 0 ]. Any ideas would be greatly appreciated! Thanks, David Anderson David Anderson Chief Information Officer (760) 233-7630 America's Vacation Center / American Express Call us 7 days a week, 6am to 9pm Pacific United States/Canada: 1-800-788-0970 United Kingdom: 0-800-652-2559 Everywhere else: 001-760-233-7635 Click here to view our hand-picked deals: http://www.AmericasVacationCenter.com/Deals Please be advised that pricing can fluctuate within the same day and that all promotions and quotes are subject to change without notice. As a result, prices and quotes will not be guaranteed until booked with payment. This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank you. ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:217850 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP Authentication
Yes, we need to know which ldap server. If it's Windows Active Directory, you don't need to run two queries. You only need to pass the username/password to the cfldap tag. Windows, by default, allows any authenticated user to query the directory. If the query works, you have a valid user. If the query fails, you don't. For Windows AD, the username should be formatted as one of: [EMAIL PROTECTED] or domain\username Other ldap servers may work differently and that is probably why Macromedia's docs say to run two queries. M!ke -Original Message- From: Douglas Knudsen [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 10, 2005 7:34 PM To: CF-Talk Subject: Re: LDAP Authentication In my experience, typically you run two LDAP queries for authentication. In the first you use the UID filed, depends on your LDAP server, to get teh users DN. THe second query you use this DN and the users password, if this binds you authed. What LDAP server are you using? DK On 5/10/05, David Critchley [EMAIL PROTECTED] wrote: I was wondering if anyone knows anything about LDAP authentication. Examples from macromedia on this subject are very sketchy and I cant seem to get mine to work properly. I can query the LDAP server, but I am unable to authenticate. Here is my tag info: CFLDAP server=ldapserver port=389 action=QUERY name=userauth attributes=uid start=ou=employees,o=server.com http://server.com maxrows=1 ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206426 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP Authentication
It's not my server, we only have access to it. I believe it is not a windows server, more than likely it is running on a UNIX server. Could be Netscape. I work for a large organization, so we have access to it, but have no control over it. Neither are we privy to any specs. :-S Yes, we need to know which ldap server. If it's Windows Active Directory, you don't need to run two queries. You only need to pass the username/password to the cfldap tag. Windows, by default, allows any authenticated user to query the directory. If the query works, you have a valid user. If the query fails, you don't. For Windows AD, the username should be formatted as one of: [EMAIL PROTECTED] or domain\username Other ldap servers may work differently and that is probably why Macromedia's docs say to run two queries. M!ke -Original Message- From: Douglas Knudsen [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 10, 2005 7:34 PM To: CF-Talk Subject: Re: LDAP Authentication In my experience, typically you run two LDAP queries for authentication. In the first you use the UID filed, depends on your LDAP server, to get teh users DN. THe second query you use this DN and the users password, if this binds you authed. What LDAP server are you using? DK On 5/10/05, David Critchley [EMAIL PROTECTED] wrote: I was wondering if anyone knows anything about LDAP authentication. Examples from macromedia on this subject are very sketchy and I cant seem to get mine to work properly. I can query the LDAP server, but I am unable to authenticate. Here is my tag info: CFLDAP server=ldapserver port=389 action=QUERY name=userauth attributes=uid start=ou=employees,o=server.com http://server.com maxrows=1 ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206445 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP Authentication
One of the biggest issues is how the username (the unique identifier, in other words) is stored in the directory. Once you have that syntax, you are pretty much set. M!ke -Original Message- From: David Critchley [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 11, 2005 1:37 PM To: CF-Talk Subject: RE: LDAP Authentication It's not my server, we only have access to it. I believe it is not a windows server, more than likely it is running on a UNIX server. Could be Netscape. I work for a large organization, so we have access to it, but have no control over it. Neither are we privy to any specs. :-S ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206452 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP Authentication
If you look at my original post I give an example of my query, some info has been changed as I cant actually display live info. But the query works, I can query any uid and get info back through CFLDAP. One of the biggest issues is how the username (the unique identifier, in other words) is stored in the directory. Once you have that syntax, you are pretty much set. M!ke -Original Message- From: David Critchley [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 11, 2005 1:37 PM To: CF-Talk Subject: RE: LDAP Authentication It's not my server, we only have access to it. I believe it is not a windows server, more than likely it is running on a UNIX server. Could be Netscape. I work for a large organization, so we have access to it, but have no control over it. Neither are we privy to any specs. :-S ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206454 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP Authentication
It's not my server, we only have access to it. I believe it is not a windows server, more than likely it is running on a UNIX server. Could be Netscape. I work for a large organization, so we have access to it, but have no control over it. Neither are we privy to any specs. Then use the 2 query approach. For example: cfset UserSearchFailed = 0 !--- This filter will look in the objectclass for the user's ID. --- cfset filter = ((objectclass=person)(uid= attributes.Username )) !--- Query LDAP for the user's DN; used later to authenticate the user. --- cftry cfldap action=query name=userSearch attributes=dn start=o=something scope=SUBTREE server=myLDAPServer port=389 filter=#filter# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry !--- If the user search failed or returns 0 rows abort. --- cfif NOT userSearch.recordcount OR UserSearchFailed cfset UserSearchFailed = true cfset errormsg = UID for #attributes.Username# not found. /cfif cfif userSearch.recordcount and not UserSearchFailed !--- Pass user's DN password to see if the user authenticates. --- cftry cfldap action=QUERY name=auth attributes=givenname,surname,uid,userid,groupMembership,mail,dn start=o=something scope=SUBTREE server=myLDAPServer port=389 filter=#filter# username=#userSearch.dn# password=#attributes.Password# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry /cfif Another recommendation: get a copy of Softerra LDAP Browser http://www.ldapbrowser.com/ Version 2.6 is freeware. ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206460 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP Authentication
oh, and do yourself a big favour and head out to http://www.ldapadministrator.com/ and get the free LDAP browser. It will help you greatly DK On 5/11/05, Rebecca Wells [EMAIL PROTECTED] wrote: It's not my server, we only have access to it. I believe it is not a windows server, more than likely it is running on a UNIX server. Could be Netscape. I work for a large organization, so we have access to it, but have no control over it. Neither are we privy to any specs. Then use the 2 query approach. For example: cfset UserSearchFailed = 0 !--- This filter will look in the objectclass for the user's ID. --- cfset filter = ((objectclass=person)(uid= attributes.Username )) !--- Query LDAP for the user's DN; used later to authenticate the user. --- cftry cfldap action=query name=userSearch attributes=dn start=o=something scope=SUBTREE server=myLDAPServer port=389 filter=#filter# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry !--- If the user search failed or returns 0 rows abort. --- cfif NOT userSearch.recordcount OR UserSearchFailed cfset UserSearchFailed = true cfset errormsg = UID for #attributes.Username# not found. /cfif cfif userSearch.recordcount and not UserSearchFailed !--- Pass user's DN password to see if the user authenticates. --- cftry cfldap action=QUERY name=auth attributes=givenname,surname,uid,userid,groupMembership,mail,dn start=o=something scope=SUBTREE server=myLDAPServer port=389 filter=#filter# username=#userSearch.dn# password=#attributes.Password# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry /cfif Another recommendation: get a copy of Softerra LDAP Browser http://www.ldapbrowser.com/ Version 2.6 is freeware. ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206464 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP Authentication - Resolved
We resolved this issue by actually putting the right content in the username field. I was connecting to the LDAP server properly, just wasnt able to send the username and password. username=uid=#usern#,ou=active,ou=employees,ou=people,o=#server# password=#plaintextpassword# Thanks for all the help. If you look at my original post I give an example of my query, some info has been changed as I cant actually display live info. But the query works, I can query any uid and get info back through CFLDAP. One of the biggest issues is how the username (the unique identifier, in other words) is stored in the directory. Once you have that syntax, you are pretty much set. M!ke -Original Message- From: David Critchley [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 11, 2005 1:37 PM To: CF-Talk Subject: RE: LDAP Authentication It's not my server, we only have access to it. I believe it is not a windows server, more than likely it is running on a UNIX server. Could be Netscape. I work for a large organization, so we have access to it, but have no control over it. Neither are we privy to any specs. :-S ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206468 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP Authentication
In my experience, typically you run two LDAP queries for authentication. In the first you use the UID filed, depends on your LDAP server, to get teh users DN. THe second query you use this DN and the users password, if this binds you authed. What LDAP server are you using? DK On 5/10/05, David Critchley [EMAIL PROTECTED] wrote: I was wondering if anyone knows anything about LDAP authentication. Examples from macromedia on this subject are very sketchy and I cant seem to get mine to work properly. I can query the LDAP server, but I am unable to authenticate. Here is my tag info: CFLDAP server=ldapserver port=389 action=QUERY name=userauth attributes=uid start=ou=employees,o=server.com http://server.com maxrows=1 ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206300 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP passwords
Yes, the trick is working out permissions and which field stores the password. Do some research on the field and you should be fine. The password field doesn't show up I guess for security reasons. LDAP is a tricky wee beasty to work with. -- Damien McKenna - Web Developer - [EMAIL PROTECTED] The Limu Company - http://www.thelimucompany.com/ - 407-804-1014 #include stdjoke.h -Original Message- From: Paul [mailto:[EMAIL PROTECTED] Sent: Friday, March 25, 2005 1:41 PM To: CF-Talk Subject: LDAP passwords Is there any way I can allow my users to change their Active Directory passwords through CFLDAP? When I dump the entire record for a user I don't see any column hinting at password so I'm assuming the answer no, but I thought I'd throw it out to the group before dismissing it entirely. ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200031 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP passwords
You need a SSL certificate to do this securely with LDAP. I, personally, think that is overkill. However, the LDAP attribute is unicodePwd or something similar. This is how I do it on the Windows platform: I run ColdFusion as an domain account that is also an Account Operator (has permissions to change passwords, among other things.) Then, I use CFEXECUTE to call the NET USER command with the proper arguments to change the user's password. It is very easy and works quite well. When I create new accounts and need to set a password, I use a custom COM object I built that does it all. M!ke -Original Message- From: Paul [mailto:[EMAIL PROTECTED] Sent: Friday, March 25, 2005 12:41 PM To: CF-Talk Subject: LDAP passwords Is there any way I can allow my users to change their Active Directory passwords through CFLDAP? When I dump the entire record for a user I don't see any column hinting at password so I'm assuming the answer no, but I thought I'd throw it out to the group before dismissing it entirely. ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200050 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP passwords
Thanks, that's good information. I'll explore a bit. -Original Message- From: Dawson, Michael [mailto:[EMAIL PROTECTED] Sent: Friday, March 25, 2005 1:51 PM To: CF-Talk Subject: RE: LDAP passwords You need a SSL certificate to do this securely with LDAP. I, personally, think that is overkill. However, the LDAP attribute is unicodePwd or something similar. This is how I do it on the Windows platform: I run ColdFusion as an domain account that is also an Account Operator (has permissions to change passwords, among other things.) Then, I use CFEXECUTE to call the NET USER command with the proper arguments to change the user's password. It is very easy and works quite well. When I create new accounts and need to set a password, I use a custom COM object I built that does it all. M!ke -Original Message- From: Paul [mailto:[EMAIL PROTECTED] Sent: Friday, March 25, 2005 12:41 PM To: CF-Talk Subject: LDAP passwords Is there any way I can allow my users to change their Active Directory passwords through CFLDAP? When I dump the entire record for a user I don't see any column hinting at password so I'm assuming the answer no, but I thought I'd throw it out to the group before dismissing it entirely. ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200058 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP passwords
which requires windows and your server belongingt in the correct domain and all. In my company the network/sysadmins will not allow this. I though you could use the cfldap tag for this. You have to have a uid/pwd that has the permissions to do such a thing. Depending on your LDAP server, the pwd field maybe different too. Doug like this maybe http://www.houseoffusion.com/cf_lists/index.cfm/method=messagesthreadid=17267forumid=4 On Fri, 25 Mar 2005 14:50:49 -0600, Dawson, Michael [EMAIL PROTECTED] wrote: You need a SSL certificate to do this securely with LDAP. I, personally, think that is overkill. However, the LDAP attribute is unicodePwd or something similar. This is how I do it on the Windows platform: I run ColdFusion as an domain account that is also an Account Operator (has permissions to change passwords, among other things.) Then, I use CFEXECUTE to call the NET USER command with the proper arguments to change the user's password. It is very easy and works quite well. When I create new accounts and need to set a password, I use a custom COM object I built that does it all. M!ke -Original Message- From: Paul [mailto:[EMAIL PROTECTED] Sent: Friday, March 25, 2005 12:41 PM To: CF-Talk Subject: LDAP passwords Is there any way I can allow my users to change their Active Directory passwords through CFLDAP? When I dump the entire record for a user I don't see any column hinting at password so I'm assuming the answer no, but I thought I'd throw it out to the group before dismissing it entirely. ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200068 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP passwords
First of all, what is the directory server in question? Active Directory or something else. My experience is with AD only, so far. If you try to set an AD password with CFLDAP, and you have no SSL cert, you will get an error similar to unwilling to respond, from what I remember. (I get that from my wife, too.) If you are in different domains, there are ways around that, but you have to have your sys admins' cooperation to trust the domains and give the CF server domain account the correct permissions. To change passwords. If you can't get their help, then SSL is the only way to set a password in AD. Again, I only know this about AD. I don't know other directory servers. If you don't mind, please post your solution, whatever it may be. M!ke -Original Message- From: Douglas Knudsen [mailto:[EMAIL PROTECTED] Sent: Friday, March 25, 2005 4:57 PM To: CF-Talk Subject: Re: LDAP passwords which requires windows and your server belongingt in the correct domain and all. In my company the network/sysadmins will not allow this. I though you could use the cfldap tag for this. You have to have a uid/pwd that has the permissions to do such a thing. Depending on your LDAP server, the pwd field maybe different too. Doug ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200070 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP passwords
BTW, I will add that it is Windows' security that requires a certificate to change as password. ColdFusion could not care less. M!ke -Original Message- From: Douglas Knudsen [mailto:[EMAIL PROTECTED] Sent: Friday, March 25, 2005 4:57 PM To: CF-Talk Subject: Re: LDAP passwords which requires windows and your server belongingt in the correct domain and all. In my company the network/sysadmins will not allow this. I though you could use the cfldap tag for this. You have to have a uid/pwd that has the permissions to do such a thing. Depending on your LDAP server, the pwd field maybe different too. Doug like this maybe http://www.houseoffusion.com/cf_lists/index.cfm/method=messagesthreadid =17267forumid=4 On Fri, 25 Mar 2005 14:50:49 -0600, Dawson, Michael [EMAIL PROTECTED] wrote: You need a SSL certificate to do this securely with LDAP. I, personally, think that is overkill. However, the LDAP attribute is unicodePwd or something similar. This is how I do it on the Windows platform: I run ColdFusion as an domain account that is also an Account Operator (has permissions to change passwords, among other things.) Then, I use CFEXECUTE to call the NET USER command with the proper arguments to change the user's password. It is very easy and works quite well. When I create new accounts and need to set a password, I use a custom COM object I built that does it all. M!ke -Original Message- From: Paul [mailto:[EMAIL PROTECTED] Sent: Friday, March 25, 2005 12:41 PM To: CF-Talk Subject: LDAP passwords Is there any way I can allow my users to change their Active Directory passwords through CFLDAP? When I dump the entire record for a user I don't see any column hinting at password so I'm assuming the answer no, but I thought I'd throw it out to the group before dismissing it entirely. ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:200071 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP and Active Directory and getting the objectGUID
Hi Mike, Thanks for the info, I'm really hoping that Macromedia will fix this. Thanks again, - Charles On 3/18/05 5:05 AM, Dawson, Michael [EMAIL PROTECTED] wrote: That is a bug that has yet to be corrected by Macromedia. You could create a COM object that uses ADSI to pull that value into a meaningful state. M!ke -Original Message- From: Charles Heizer [mailto:[EMAIL PROTECTED] Sent: Thursday, March 17, 2005 5:42 PM To: CF-Talk Subject: LDAP and Active Directory and getting the objectGUID Hello, Does anyone have an example on how to translate the attribute objectGUID to a legible string? If I look at it in ADSI edit, it's in hex format, but if I use coldfusion is garbage. Thanks, - Charles ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:199674 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP and Active Directory and getting the objectGUID
That is a bug that has yet to be corrected by Macromedia. You could create a COM object that uses ADSI to pull that value into a meaningful state. M!ke -Original Message- From: Charles Heizer [mailto:[EMAIL PROTECTED] Sent: Thursday, March 17, 2005 5:42 PM To: CF-Talk Subject: LDAP and Active Directory and getting the objectGUID Hello, Does anyone have an example on how to translate the attribute objectGUID to a legible string? If I look at it in ADSI edit, it's in hex format, but if I use coldfusion is garbage. Thanks, - Charles ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:199311 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP
We use OpenLDAP because it meets our clients first requirement - it is free. The downside, for LDAP beginners, is that it is not particularly user friendly, meaning that, if you aren't an LDAP expert, and you don't know precisely how your organization needs to be structured, you will do it wrong. Hopefully, by the third redo, you will have it right. I used to use the Netscape (now Sun ONE) directory server, which was much easier, but is now (post Netscape) frighteningly expensive at about $1.25/user for large, no cash organizations. My client has about 100k users, and budgets about $0.005 per, which allows for a hefty linux box and a small stack of LDAP books. BTW, add me to the list of happy Softerra LDAPBrowser users. Cary Gordon The Cherry Hill Company -Original Message- From: Dawson, Michael [mailto:[EMAIL PROTECTED] Sent: Monday, March 14, 2005 1:51 PM To: CF-Talk Subject: RE: LDAP It *shouldn't* matter what brand you use, but since they may have their own implementations, it's helpful to know. --- snip --- ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198836 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP
A bit of code for you to try cfldap: http://www.sixfive.co.uk/news/?nid=136 On Tue, 15 Mar 2005 10:27:02 -0800, Cary Gordon [EMAIL PROTECTED] wrote: We use OpenLDAP because it meets our clients first requirement - it is free. The downside, for LDAP beginners, is that it is not particularly user friendly, meaning that, if you aren't an LDAP expert, and you don't know precisely how your organization needs to be structured, you will do it wrong. Hopefully, by the third redo, you will have it right. I used to use the Netscape (now Sun ONE) directory server, which was much easier, but is now (post Netscape) frighteningly expensive at about $1.25/user for large, no cash organizations. My client has about 100k users, and budgets about $0.005 per, which allows for a hefty linux box and a small stack of LDAP books. BTW, add me to the list of happy Softerra LDAPBrowser users. Cary Gordon The Cherry Hill Company -Original Message- From: Dawson, Michael [mailto:[EMAIL PROTECTED] Sent: Monday, March 14, 2005 1:51 PM To: CF-Talk Subject: RE: LDAP It *shouldn't* matter what brand you use, but since they may have their own implementations, it's helpful to know. --- snip --- ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198916 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP
KNOW YOUR LDAP CONFIGURATION. The ldap tag is pretty straight forward to use, if you know how your ldap has been configured. We currently use ours to control access based on NT security groups, stored in our ldap data. We currently do not do password verification with ldap, we do that directly against NT the NT security CFC from one can get from Macromedia's website. -- Ian Skinner Web Programmer BloodSource www.BloodSource.org Sacramento, CA C code. C code run. Run code run. Please! - Cynthia Dunning -Original Message- From: Daniel Kessler [mailto:[EMAIL PROTECTED] Sent: Monday, March 14, 2005 10:32 AM To: CF-Talk Subject: LDAP My boss asked me to hook into our ldap system for password validation and I'm looking for any heads-up or advice that I could get. Do people use cfLDAP for this? If I have an app and I just want a few people to have access to it, do I use a DB to store access groups and names of people and use LDAP to verify the passwords? How would that normally work? thanks. -- Daniel Kessler Department of Public and Community Health University of Maryland Suite 2387 Valley Drive College Park, MD 20742-2611 301-405-2545 Phone www.phi.umd.edu ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198675 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP
What brand of LDAP server are you planning on using? If it's Windows Active Directory, there are some things to know about. I use IIS/browser authentication for our intranet, but I use CFLDAP to connect to Active Directory to get group membership for each user. I also pull mailbox-related information for Exchange mailbox size reporting. I'm planning on rewriting my intranet so that I can use an html form for username/password to make it a bit more portable on PDAs and other mobile devices. If you have an LDAP server, use it rather than creating a DB to hold security information. You can add people to group, add attributes, etc. LDAP is mainly geared for user-type storage so there is little reason to rebuild if LDAP will support your requirements. If you plan on selling this system, then a DB would be a bit more portable than LDAP. M!ke -Original Message- From: Daniel Kessler [mailto:[EMAIL PROTECTED] Sent: Monday, March 14, 2005 12:32 PM To: CF-Talk Subject: LDAP My boss asked me to hook into our ldap system for password validation and I'm looking for any heads-up or advice that I could get. Do people use cfLDAP for this? If I have an app and I just want a few people to have access to it, do I use a DB to store access groups and names of people and use LDAP to verify the passwords? How would that normally work? thanks. -- Daniel Kessler Department of Public and Community Health University of Maryland Suite 2387 Valley Drive College Park, MD 20742-2611 301-405-2545 Phone www.phi.umd.edu ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198676 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP
we use LDAP for authentication on our intranet apps. We use a sun ONE IIRC. Its fairly easy to use cfldap tag for this. Googling should get you an example or three. I suggest getting the ldap browser tool from softerra, its free, and it simply rocks. D On Mon, 14 Mar 2005 12:50:42 -0600, Dawson, Michael [EMAIL PROTECTED] wrote: What brand of LDAP server are you planning on using? If it's Windows Active Directory, there are some things to know about. I use IIS/browser authentication for our intranet, but I use CFLDAP to connect to Active Directory to get group membership for each user. I also pull mailbox-related information for Exchange mailbox size reporting. I'm planning on rewriting my intranet so that I can use an html form for username/password to make it a bit more portable on PDAs and other mobile devices. If you have an LDAP server, use it rather than creating a DB to hold security information. You can add people to group, add attributes, etc. LDAP is mainly geared for user-type storage so there is little reason to rebuild if LDAP will support your requirements. If you plan on selling this system, then a DB would be a bit more portable than LDAP. M!ke -Original Message- From: Daniel Kessler [mailto:[EMAIL PROTECTED] Sent: Monday, March 14, 2005 12:32 PM To: CF-Talk Subject: LDAP My boss asked me to hook into our ldap system for password validation and I'm looking for any heads-up or advice that I could get. Do people use cfLDAP for this? If I have an app and I just want a few people to have access to it, do I use a DB to store access groups and names of people and use LDAP to verify the passwords? How would that normally work? thanks. -- Daniel Kessler Department of Public and Community Health University of Maryland Suite 2387 Valley Drive College Park, MD 20742-2611 301-405-2545 Phone www.phi.umd.edu ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198678 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP
What brand of LDAP server are you planning on using? If it's Windows Active Directory, there are some things to know about. I don't know which LDAP server it is because I didn't realize I needed to know, hmmm. Time to ask. But it's the University of Maryland so I guess it's something that scales well. If you have an LDAP server, use it rather than creating a DB to hold security information. You can add people to group, add attributes, etc. LDAP is mainly geared for user-type storage so there is little reason to rebuild if LDAP will support your requirements. I don't know much about LDAPs. Are you saying that I can introduce my own group type and add existing people too it? I only want these two people into the Admin parts of my app, so could I make a group called myApp_admin and add them to it without affecting their current setup? and I'll look into the softerra tool, thanks. ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198679 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP
I don't know much about LDAPs. Are you saying that I can introduce my own group type and add existing people too it? I only want these two people into the Admin parts of my app, so could I make a group called myApp_admin and add them to it without affecting their current setup? Exactly, that's pretty much the whole point of ldap. You can create any kind of branches you like, and add new nodes all over the place. That can be a bit of a problem, but it's in the management of the ldap data. We are finding that our manager(s) liked to create security groups in several different nodes. It has been a bit interesting. I second the softerra browswer, once I had that, it became much easier, then the old trial and error approach I was first using. -- Ian Skinner Web Programmer BloodSource www.BloodSource.org Sacramento, CA C code. C code run. Run code run. Please! - Cynthia Dunning -Original Message- From: daniel kessler [mailto:[EMAIL PROTECTED] Sent: Monday, March 14, 2005 10:30 AM To: CF-Talk Subject: Re: LDAP What brand of LDAP server are you planning on using? If it's Windows Active Directory, there are some things to know about. I don't know which LDAP server it is because I didn't realize I needed to know, hmmm. Time to ask. But it's the University of Maryland so I guess it's something that scales well. If you have an LDAP server, use it rather than creating a DB to hold security information. You can add people to group, add attributes, etc. LDAP is mainly geared for user-type storage so there is little reason to rebuild if LDAP will support your requirements. I don't know much about LDAPs. Are you saying that I can introduce my own group type and add existing people too it? I only want these two people into the Admin parts of my app, so could I make a group called myApp_admin and add them to it without affecting their current setup? and I'll look into the softerra tool, thanks. ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198686 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP
+1 on the softerra ldap browser tool. -Original Message- From: Douglas Knudsen [mailto:[EMAIL PROTECTED] Sent: Monday, March 14, 2005 1:08 PM To: CF-Talk Subject: Re: LDAP we use LDAP for authentication on our intranet apps. We use a sun ONE IIRC. Its fairly easy to use cfldap tag for this. Googling should get you an example or three. I suggest getting the ldap browser tool from softerra, its free, and it simply rocks. D ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198712 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP
It *shouldn't* matter what brand you use, but since they may have their own implementations, it's helpful to know. Directories are organized into containers named Organizational Units which are basically sub-directories similar to a file system. The admins can create an OU just for you, give you access and then you can create whatever objects they allow you to create in that OU. I have an OU just for my intranet site's security groups. I do use other domain-related groups for intranet permissions, but if there is a group that doesn't related to a network share or existing domain group, I create my own, specialized intranet security group. Yes, you can create a group and add your web site admins. Then, on each admin page, check to see if the current user is a member of that group. In fact, I store all groups, of which the user is a member, in the session scope. Then, I have a simple function that checks to see if the user is related to that group. This prevents me from needing an LDAP call on each page that is secured. Another nice feature of LDAP is you can add your own attributes to directory objects. You can actually treat the LDAP server as a database of sorts. For example, you can store the last time someone accessed your web site in their LDAP user object attributes. Basically, if it has to do with a user account or group, you can store it right in the LDAP directory and not have to create a database object to store the same information. Feel free to ask any LDAP questions you may have. I wouldn't call myself an expert, but I have a few years of CF - Active Directory experience. M!ke -Original Message- From: daniel kessler [mailto:[EMAIL PROTECTED] Sent: Monday, March 14, 2005 12:30 PM To: CF-Talk Subject: Re: LDAP What brand of LDAP server are you planning on using? If it's Windows Active Directory, there are some things to know about. I don't know which LDAP server it is because I didn't realize I needed to know, hmmm. Time to ask. But it's the University of Maryland so I guess it's something that scales well. If you have an LDAP server, use it rather than creating a DB to hold security information. You can add people to group, add attributes, etc. LDAP is mainly geared for user-type storage so there is little reason to rebuild if LDAP will support your requirements. I don't know much about LDAPs. Are you saying that I can introduce my own group type and add existing people too it? I only want these two people into the Admin parts of my app, so could I make a group called myApp_admin and add them to it without affecting their current setup? ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:198720 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP question
Glad I could help. What LDAP directory are you using? Active Directory or something else? In AD, if there is a user, you should get the CN as you requested. It should never be empty. If there is no user, you will get an empty query. Try using attributes=* and see if you get anything back. Using * for testing is fine, but I don't recommend using it for real work. First, it brings back too much data, including binary voicemail recordings, (if you have Cisco Call Manager, for example) and it only brings back one value in a multi-value field such as memberOf. Again, I'm using AD and these things work for me. Now that I look at your code a bit more, you need to specify the filter attribute such as: filter=sAMAccountName=#userName# (Again, this is AD.) That is, if the same username for the credentials is the same for the CN you wish to retrieve. By not specifying a filter, you are asking for all kinds of stuff. One of those stuff probably doesn't have a CN or, at least, doesn't support returning the CN. M!ke -Original Message- From: Victor Moore [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 23, 2005 9:56 PM To: CF-Talk Subject: Re: LDAP question Modifying the start attribute to Mike's format worked. Hurray!!! So in may case this works: cfldap action=query name=getUser start=dc=companyName, dc=com scope=SUBTREE maxrows=1 server=#serverIP# attributes=cn username=#userName# password=#userPassword# port=389 If the user exists will return a query. Unfortunately it's all the time an empty query, regarding what I put in the attributes list. For the time being I am OK but I would like very much to be able to return some info and not just verify that the user exists. Thanks Mike Victor ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196295 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP question
Hi Mike, That's the funny part. If the userID and password I provide exists on the AD, then I get back an empty query, regarding what attributes I request in the attributes field. If the user doesn't exists then I get an error: Inappropriate authentication. If I add * for attributes get an error: An error has occurred while trying to execute query :Unprocessed Continuation Reference(s). One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server The customer is using the Windows 2003 Server active directory. I think it's a setup or permission issue on the AD server. As I said, for the time being I am OK because if I get back a query (even empty) I assume the user exists if not then the user does not. I am sure that in the future they will want more things to be done so I would like to know what are my possibilities. It's obvious that people are using it and get the proper info back, so I think it's related to their setup. Unfortunately I don't know enough about AD to be able to debug and from their point everything is OK. Thanks again Victor On Thu, 24 Feb 2005 09:04:30 -0600, Dawson, Michael [EMAIL PROTECTED] wrote: Glad I could help. What LDAP directory are you using? Active Directory or something else? In AD, if there is a user, you should get the CN as you requested. It should never be empty. If there is no user, you will get an empty query. Try using attributes=* and see if you get anything back. Using * for testing is fine, but I don't recommend using it for real work. First, it brings back too much data, including binary voicemail recordings, (if you have Cisco Call Manager, for example) and it only brings back one value in a multi-value field such as memberOf. Again, I'm using AD and these things work for me. Now that I look at your code a bit more, you need to specify the filter attribute such as: filter=sAMAccountName=#userName# (Again, this is AD.) That is, if the same username for the credentials is the same for the CN you wish to retrieve. By not specifying a filter, you are asking for all kinds of stuff. One of those stuff probably doesn't have a CN or, at least, doesn't support returning the CN. M!ke -Original Message- From: Victor Moore [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 23, 2005 9:56 PM To: CF-Talk Subject: Re: LDAP question Modifying the start attribute to Mike's format worked. Hurray!!! So in may case this works: cfldap action=query name=getUser start=dc=companyName, dc=com scope=SUBTREE maxrows=1 server=#serverIP# attributes=cn username=#userName# password=#userPassword# port=389 If the user exists will return a query. Unfortunately it's all the time an empty query, regarding what I put in the attributes list. For the time being I am OK but I would like very much to be able to return some info and not just verify that the user exists. Thanks Mike Victor ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196298 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP question
You might try using the LDAP Browser utility at www.ldapbrowser.com. They have a freeware ldap browser that may help find the problem. Also, I would just use a generic account for the username and password. Preferably those of a domain admin. Then see what happens. If it works at that point, start backing off to a user account that has few permissions. If the domain admin account can't access any attributes, you have a different problem. M!ke -Original Message- From: Victor Moore [mailto:[EMAIL PROTECTED] Sent: Thursday, February 24, 2005 9:30 AM To: CF-Talk Subject: Re: LDAP question Hi Mike, That's the funny part. If the userID and password I provide exists on the AD, then I get back an empty query, regarding what attributes I request in the attributes field. If the user doesn't exists then I get an error: Inappropriate authentication. If I add * for attributes get an error: An error has occurred while trying to execute query :Unprocessed Continuation Reference(s). One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server The customer is using the Windows 2003 Server active directory. I think it's a setup or permission issue on the AD server. As I said, for the time being I am OK because if I get back a query (even empty) I assume the user exists if not then the user does not. I am sure that in the future they will want more things to be done so I would like to know what are my possibilities. It's obvious that people are using it and get the proper info back, so I think it's related to their setup. Unfortunately I don't know enough about AD to be able to debug and from their point everything is OK. Thanks again Victor On Thu, 24 Feb 2005 09:04:30 -0600, Dawson, Michael [EMAIL PROTECTED] wrote: Glad I could help. What LDAP directory are you using? Active Directory or something else? In AD, if there is a user, you should get the CN as you requested. It should never be empty. If there is no user, you will get an empty query. Try using attributes=* and see if you get anything back. Using * for testing is fine, but I don't recommend using it for real work. First, it brings back too much data, including binary voicemail recordings, (if you have Cisco Call Manager, for example) and it only brings back one value in a multi-value field such as memberOf. Again, I'm using AD and these things work for me. Now that I look at your code a bit more, you need to specify the filter attribute such as: filter=sAMAccountName=#userName# (Again, this is AD.) That is, if the same username for the credentials is the same for the CN you wish to retrieve. By not specifying a filter, you are asking for all kinds of stuff. One of those stuff probably doesn't have a CN or, at least, doesn't support returning the CN. M!ke -Original Message- From: Victor Moore [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 23, 2005 9:56 PM To: CF-Talk Subject: Re: LDAP question Modifying the start attribute to Mike's format worked. Hurray!!! So in may case this works: cfldap action=query name=getUser start=dc=companyName, dc=com scope=SUBTREE maxrows=1 server=#serverIP# attributes=cn username=#userName# password=#userPassword# port=389 If the user exists will return a query. Unfortunately it's all the time an empty query, regarding what I put in the attributes list. For the time being I am OK but I would like very much to be able to return some info and not just verify that the user exists. Thanks Mike Victor ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196300 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP question
BTW, if their domain admin won't give you an account with domain admin permissions, you can easily create a form where they can enter their credentials, to be used for the LDAP connection, and have it mail any output to you. -Original Message- From: Victor Moore [mailto:[EMAIL PROTECTED] Sent: Thursday, February 24, 2005 9:30 AM To: CF-Talk Subject: Re: LDAP question Hi Mike, That's the funny part. If the userID and password I provide exists on the AD, then I get back an empty query, regarding what attributes I request in the attributes field. If the user doesn't exists then I get an error: Inappropriate authentication. If I add * for attributes get an error: An error has occurred while trying to execute query :Unprocessed Continuation Reference(s). One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server The customer is using the Windows 2003 Server active directory. I think it's a setup or permission issue on the AD server. As I said, for the time being I am OK because if I get back a query (even empty) I assume the user exists if not then the user does not. I am sure that in the future they will want more things to be done so I would like to know what are my possibilities. It's obvious that people are using it and get the proper info back, so I think it's related to their setup. Unfortunately I don't know enough about AD to be able to debug and from their point everything is OK. Thanks again Victor On Thu, 24 Feb 2005 09:04:30 -0600, Dawson, Michael [EMAIL PROTECTED] wrote: Glad I could help. What LDAP directory are you using? Active Directory or something else? In AD, if there is a user, you should get the CN as you requested. It should never be empty. If there is no user, you will get an empty query. Try using attributes=* and see if you get anything back. Using * for testing is fine, but I don't recommend using it for real work. First, it brings back too much data, including binary voicemail recordings, (if you have Cisco Call Manager, for example) and it only brings back one value in a multi-value field such as memberOf. Again, I'm using AD and these things work for me. Now that I look at your code a bit more, you need to specify the filter attribute such as: filter=sAMAccountName=#userName# (Again, this is AD.) That is, if the same username for the credentials is the same for the CN you wish to retrieve. By not specifying a filter, you are asking for all kinds of stuff. One of those stuff probably doesn't have a CN or, at least, doesn't support returning the CN. M!ke -Original Message- From: Victor Moore [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 23, 2005 9:56 PM To: CF-Talk Subject: Re: LDAP question Modifying the start attribute to Mike's format worked. Hurray!!! So in may case this works: cfldap action=query name=getUser start=dc=companyName, dc=com scope=SUBTREE maxrows=1 server=#serverIP# attributes=cn username=#userName# password=#userPassword# port=389 If the user exists will return a query. Unfortunately it's all the time an empty query, regarding what I put in the attributes list. For the time being I am OK but I would like very much to be able to return some info and not just verify that the user exists. Thanks Mike Victor ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196301 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP question
Modifying the start attribute to Mike's format worked. Hurray!!! So in may case this works: cfldap action=query name=getUser start=dc=companyName, dc=com scope=SUBTREE maxrows=1 server=#serverIP# attributes=cn username=#userName# password=#userPassword# port=389 If the user exists will return a query. Unfortunately it's all the time an empty query, regarding what I put in the attributes list. For the time being I am OK but I would like very much to be able to return some info and not just verify that the user exists. Thanks Mike Victor On Fri, 28 Jan 2005 13:26:19 -0600, Dawson, Michael [EMAIL PROTECTED] wrote: One other thing, change your START attribute to the following format: start=dc=domain, dc=com (Replace domain with the correct domain for this company.) For example, ours would be: start=dc=evansville, dc=edu As I mentioned in another message, all users, by default, can query the Active Directory. This could change if the domain admins changed this functionality. If this still doesn't work, change the start to an existing OU: start=ou=users, dc=domain, dc=com and see if you can query from that point. It may be possible that your user account doesn't have access to the root of the directory. M!ke ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196269 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP question
what protocol version are they using on the ldap? v2, v3? On Fri, 28 Jan 2005 12:26:09 -0500, Victor Moore [EMAIL PROTECTED] wrote: Hi, I search all of the previous posts and while I got a ton of info nothing that can help me. This is the scenarios: I have to authenticate users, at a customers site, against an ldap. I was given remote access to the CFMX 6.1 server and was told that the server is on the company domain and can see the ldap server (I can ping it). Regarding how I am invoking the cfldap tag I cannot get a connection. I am not sure if I need more info and if yes what exactly or how to debug the problem. Any help, pointers are greatly appreciated. This is what I have: cfldap action=query name=getUser start=o=#companyName# scope=SUBTREE maxrows=1 server=#serverIP# attributes=cn username=cn=#userName# password=#userPassword# port=389 I get the following error: Inappropriate authentication and the attributes line highlighted. I am told that IP, user and password are correct. Thanks Victor ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192112 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP question
They are not sure. It's the default installation that comes with Windows 2003. On Fri, 28 Jan 2005 12:49:26 -0500, jonese [EMAIL PROTECTED] wrote: what protocol version are they using on the ldap? v2, v3? On Fri, 28 Jan 2005 12:26:09 -0500, Victor Moore [EMAIL PROTECTED] wrote: Hi, I search all of the previous posts and while I got a ton of info nothing that can help me. This is the scenarios: I have to authenticate users, at a customers site, against an ldap. I was given remote access to the CFMX 6.1 server and was told that the server is on the company domain and can see the ldap server (I can ping it). Regarding how I am invoking the cfldap tag I cannot get a connection. I am not sure if I need more info and if yes what exactly or how to debug the problem. Any help, pointers are greatly appreciated. This is what I have: cfldap action=query name=getUser start=o=#companyName# scope=SUBTREE maxrows=1 server=#serverIP# attributes=cn username=cn=#userName# password=#userPassword# port=389 I get the following error: Inappropriate authentication and the attributes line highlighted. I am told that IP, user and password are correct. Thanks Victor ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192115 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP question
Here is the CFC I use to authenticate users. Notice that there are 2 LDAP queries, first to see if the user exists, then using the returned username and form.password to return their info. This is from the example given on page 369 of the book Developing ColdFusion MX Applications with CFML. !--- NOTE: for this to work, this code needs to be in a MX accessible web root. USAGE: cfinvoke component=security method=authenticate returnVariable=authenticated cfcUsername=#form.username# cfcPassword=#form.password# --- cfcomponent cffunction access=public name=authenticate output=0 !--- security authentication function --- !--- username and password required --- cfargument name=cfcUsername type=string required=1/ cfargument name=cfcPassword type=string required=1/ cfset UserSearchFailed = 0 !--- This filter will look in the objectclass for the user's ID. --- cfset filter = ((objectclass=person)(uid= arguments.cfcUsername )) !--- Query LDAP for the user's DN; used later to authenticate the user. --- cftry cfldap action=query name=userSearch attributes=dn start=o=#companyName# scope=SUBTREE server=#serverIP# port=389 filter=#filter# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry !--- If the user search failed or returns 0 rows abort. --- cfif NOT userSearch.recordcount OR UserSearchFailed cfset UserSearchFailed = true cfset errormsg = UID for #arguments.cfcUsername# not found. /cfif cfif userSearch.recordcount and not UserSearchFailed !--- Pass user's DN password to see if the user authenticates. --- cftry cfldap action=QUERY name=auth attributes=givenname,surname,uid,userid,groupMembership,mail,dn start=o=#companyName# scope=SUBTREE server=#serverIP# port=389 filter=#filter# username=#userSearch.dn# password=#arguments.cfcPassword# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry /cfif cfset User = StructNew() cfif not UserSearchFailed and auth.recordCount and len(auth.userid) eq 4 cfif auth.groupMembership IS NOT !--- Parse the roles from the group memberships. --- cfset groupList = Replace(auth.groupMembership, , , :, All) cfloop list=#groupList# index=i delimiters=: cfset thisRoleStart = FindNoCase(uid=, i)+4 cfset thisRoleEnd = FindNoCase(,, i, thisRoleStart) cfset roles = roles Mid(i, thisRoleStart, thisRoleEnd-thisRoleStart) , /cfloop /cfif !--- Trim final comma from the end of the roles variable. --- cfset roles = RemoveChars(roles, len(roles), 1) cfscript StructInsert(User, givenname, auth.givenname); StructInsert(User, surname, auth.surname); StructInsert(User, uid, auth.uid); StructInsert(User, userid, auth.userid); StructInsert(User, roles, roles); StructInsert(User, mail, auth.mail); StructInsert(User, ou, auth.dn); /cfscript /cfif cfreturn User/ /cffunction /cfcomponent ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192117 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP question
Instead of username=cn=... try using the domain such as: username=domain\username, or username=[EMAIL PROTECTED] Also, try using Softerra's free LDAP browser at: http://www.ldapbrowser.com/ It may help you with the authentication credentials. Let us know if this helps or not. Thanks MAD ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192118 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP question
I would like to add that, for Windows 200x domain controllers, the two-step process is not necessary. You can pass the user's username and password to the CFLDAP query and if it works, you are set, if not, then the username/password combination was wrong to start with. Windows allows all domain users to query the Active Directory, by default. M!ke -Original Message- From: Rebecca Wells [mailto:[EMAIL PROTECTED] Sent: Friday, January 28, 2005 11:40 AM To: CF-Talk Subject: Re: LDAP question Here is the CFC I use to authenticate users. Notice that there are 2 LDAP queries, first to see if the user exists, then using the returned username and form.password to return their info. This is from the example given on page 369 of the book Developing ColdFusion MX Applications with CFML. !--- NOTE: for this to work, this code needs to be in a MX accessible web root. USAGE: cfinvoke component=security method=authenticate returnVariable=authenticated cfcUsername=#form.username# cfcPassword=#form.password# --- cfcomponent cffunction access=public name=authenticate output=0 !--- security authentication function --- !--- username and password required --- cfargument name=cfcUsername type=string required=1/ cfargument name=cfcPassword type=string required=1/ cfset UserSearchFailed = 0 !--- This filter will look in the objectclass for the user's ID. --- cfset filter = ((objectclass=person)(uid= arguments.cfcUsername )) !--- Query LDAP for the user's DN; used later to authenticate the user. --- cftry cfldap action=query name=userSearch attributes=dn start=o=#companyName# scope=SUBTREE server=#serverIP# port=389 filter=#filter# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry !--- If the user search failed or returns 0 rows abort. --- cfif NOT userSearch.recordcount OR UserSearchFailed cfset UserSearchFailed = true cfset errormsg = UID for #arguments.cfcUsername# not found. /cfif cfif userSearch.recordcount and not UserSearchFailed !--- Pass user's DN password to see if the user authenticates. --- cftry cfldap action=QUERY name=auth attributes=givenname,surname,uid,userid,groupMembership,mail,dn start=o=#companyName# scope=SUBTREE server=#serverIP# port=389 filter=#filter# username=#userSearch.dn# password=#arguments.cfcPassword# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry /cfif cfset User = StructNew() cfif not UserSearchFailed and auth.recordCount and len(auth.userid) eq 4 cfif auth.groupMembership IS NOT !--- Parse the roles from the group memberships. --- cfset groupList = Replace(auth.groupMembership, , , :, All) cfloop list=#groupList# index=i delimiters=: cfset thisRoleStart = FindNoCase(uid=, i)+4 cfset thisRoleEnd = FindNoCase(,, i, thisRoleStart) cfset roles = roles Mid(i, thisRoleStart, thisRoleEnd-thisRoleStart) , /cfloop /cfif !--- Trim final comma from the end of the roles variable. --- cfset roles = RemoveChars(roles, len(roles), 1) cfscript StructInsert(User, givenname, auth.givenname); StructInsert(User, surname, auth.surname); StructInsert(User, uid, auth.uid); StructInsert(User, userid, auth.userid); StructInsert(User, roles, roles); StructInsert(User, mail, auth.mail); StructInsert(User, ou, auth.dn); /cfscript /cfif cfreturn User/ /cffunction /cfcomponent ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client
RE: LDAP question
I don't know if this will help. But my experience when I first jumped into LDAP for authentication may be similar to yours. In order to get around a problem with the Java NT security object, if a user belongs to groups whose total characters of all names exceeds 512. I built a LDAP solution to get the groups. Being my first attempt at using LDAP, I ran into a lot of trouble like yours. It seemed to be that the user and permission I had did not have permission to return intermediary nodes from the LDAP tree. So, I couldn't just start at the top and work my way down to the user step by step, because many of those steps would return errors like you are seeing. I had to get the full tree path to the data I needed and had permission to. Clear is mud? -- Ian Skinner Web Programmer BloodSource www.BloodSource.org Sacramento, CA C code. C code run. Run code run. Please! - Cynthia Dunning Confidentiality Notice: This message including any attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and delete any copies of this message. ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192120 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP question
Thank you. I have tried that before but got a different error. I am trying to see now if all the permissions are set up properly. This is the error: An error has occurred while trying to execute query :[LDAP: error code 1 - : LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]. One or more of the required attributes may be missing/incorrect or you do not have permissions to execute this operation on the server I suspect that I don't have the permissions to execute it. Thanks Victor On Fri, 28 Jan 2005 13:40:05 -0400, Rebecca Wells [EMAIL PROTECTED] wrote: Here is the CFC I use to authenticate users. Notice that there are 2 LDAP queries, first to see if the user exists, then using the returned username and form.password to return their info. This is from the example given on page 369 of the book Developing ColdFusion MX Applications with CFML. !--- NOTE: for this to work, this code needs to be in a MX accessible web root. USAGE: cfinvoke component=security method=authenticate returnVariable=authenticated cfcUsername=#form.username# cfcPassword=#form.password# --- cfcomponent cffunction access=public name=authenticate output=0 !--- security authentication function --- !--- username and password required --- cfargument name=cfcUsername type=string required=1/ cfargument name=cfcPassword type=string required=1/ cfset UserSearchFailed = 0 !--- This filter will look in the objectclass for the user's ID. --- cfset filter = ((objectclass=person)(uid= arguments.cfcUsername )) !--- Query LDAP for the user's DN; used later to authenticate the user. --- cftry cfldap action=query name=userSearch attributes=dn start=o=#companyName# scope=SUBTREE server=#serverIP# port=389 filter=#filter# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry !--- If the user search failed or returns 0 rows abort. --- cfif NOT userSearch.recordcount OR UserSearchFailed cfset UserSearchFailed = true cfset errormsg = UID for #arguments.cfcUsername# not found. /cfif cfif userSearch.recordcount and not UserSearchFailed !--- Pass user's DN password to see if the user authenticates. --- cftry cfldap action=QUERY name=auth attributes=givenname,surname,uid,userid,groupMembership,mail,dn start=o=#companyName# scope=SUBTREE server=#serverIP# port=389 filter=#filter# username=#userSearch.dn# password=#arguments.cfcPassword# cfcatch type=Any cfset UserSearchFailed = true /cfcatch /cftry /cfif cfset User = StructNew() cfif not UserSearchFailed and auth.recordCount and len(auth.userid) eq 4 cfif auth.groupMembership IS NOT !--- Parse the roles from the group memberships. --- cfset groupList = Replace(auth.groupMembership, , , :, All) cfloop list=#groupList# index=i delimiters=: cfset thisRoleStart = FindNoCase(uid=, i)+4 cfset thisRoleEnd = FindNoCase(,, i, thisRoleStart) cfset roles = roles Mid(i, thisRoleStart, thisRoleEnd-thisRoleStart) , /cfloop /cfif !--- Trim final comma from the end of the roles variable. --- cfset roles = RemoveChars(roles, len(roles), 1) cfscript StructInsert(User, givenname, auth.givenname); StructInsert(User, surname, auth.surname); StructInsert(User, uid, auth.uid); StructInsert(User, userid, auth.userid); StructInsert(User, roles, roles); StructInsert(User, mail, auth.mail); StructInsert(User, ou, auth.dn); /cfscript /cfif cfreturn User/ /cffunction /cfcomponent ~| Logware
RE: LDAP question
One other thing, change your START attribute to the following format: start=dc=domain, dc=com (Replace domain with the correct domain for this company.) For example, ours would be: start=dc=evansville, dc=edu As I mentioned in another message, all users, by default, can query the Active Directory. This could change if the domain admins changed this functionality. If this still doesn't work, change the start to an existing OU: start=ou=users, dc=domain, dc=com and see if you can query from that point. It may be possible that your user account doesn't have access to the root of the directory. M!ke ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192123 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP question
Pretty much I have tried all kind of variances, all with no avail. I suspect that some settings are not done properly, but I don't have enough knowledge of ldap to be able to walk them through or determine if the right permissions have been given. I will install http://www.ldapbrowser.com/ and see if I can get more info. Thanks Victor. On Fri, 28 Jan 2005 13:26:19 -0600, Dawson, Michael [EMAIL PROTECTED] wrote: One other thing, change your START attribute to the following format: start=dc=domain, dc=com (Replace domain with the correct domain for this company.) For example, ours would be: start=dc=evansville, dc=edu As I mentioned in another message, all users, by default, can query the Active Directory. This could change if the domain admins changed this functionality. If this still doesn't work, change the start to an existing OU: start=ou=users, dc=domain, dc=com and see if you can query from that point. It may be possible that your user account doesn't have access to the root of the directory. M!ke ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:192125 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP and Active Directory Problem
If things are configured for any sort of security, you don't get the password back at all. You perform a login via LDAP by doing an LDAP bind (passing the user's username and password in the query). I'd use the DN to identify the user in the directory. -Original Message- From: Duncan I Loxton [mailto:[EMAIL PROTECTED] Sent: Thursday, 13 January 2005 8:04 To: CF-Talk Subject: LDAP and Active Directory Problem I am trying to use cfldap to query AD and get the username and password of the users and some other personal details out. [snip] ~| Purchase Dreamweaver with Homesite Plus from House of Fusion, a Macromedia Authorized Affiliate and support the CF community. http://www.houseoffusion.com/banners/view.cfm?bannerid=54 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:190178 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: LDAP and Active Directory Problem
I managed to work out a solution, and I posted it here: http://www.sixfive.co.uk/news/?nid=136 On Thu, 13 Jan 2005 09:51:02 +0800, James Holmes [EMAIL PROTECTED] wrote: If things are configured for any sort of security, you don't get the password back at all. You perform a login via LDAP by doing an LDAP bind (passing the user's username and password in the query). I'd use the DN to identify the user in the directory. -Original Message- From: Duncan I Loxton [mailto:[EMAIL PROTECTED] Sent: Thursday, 13 January 2005 8:04 To: CF-Talk Subject: LDAP and Active Directory Problem I am trying to use cfldap to query AD and get the username and password of the users and some other personal details out. [snip] ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:190181 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP and Active Directory Problem
Yes, the cftry block is exactly the right way to do it. -Original Message- From: Duncan I Loxton [mailto:[EMAIL PROTECTED] Sent: Thursday, 13 January 2005 10:14 To: CF-Talk Subject: Re: LDAP and Active Directory Problem I managed to work out a solution, and I posted it here: http://www.sixfive.co.uk/news/?nid=136 ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:190182 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: LDAP inconstancies
You might try using Softterra's LDAP Browser product.It's free and very nice.It could help narrow down where the problem actually lies. M!ke From: Ian Skinner [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 05, 2004 10:41 AM To: CF-Talk Subject: RE: LDAP inconstancies What seems to be the problem?I don't know the guts of it, but I have a bit of experience with LDAP and Active Directory. Well, it is not really a Problem since all the groups we need for the web are consistently returned.But for some reason we get a different lists of groups for specific users when the login code, using cfldap to get their groups from active directory, is installed on different servers.The servers are set up on the same network, and use the exact same ldap code connecting to the same active directory repository with the same user and password. As I said the groups we need are consistently returned by both servers, but our QA department needs to know why there is a difference and I don't know enough about active directory to explain the differences. -- Ian Skinner Web Programmer BloodSource file:///C:\Documents%20and%20Settings\iskinner\Application%20Data\Micro soft\Signatures\www.BloodSource.org www.BloodSource.org http://www.BloodSource.orgSacramento Sacramento, CA C code. C code run. Run code run. Please! - Cynthia Dunning Confidentiality Notice:This message including any attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and delete any copies of this message. [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: LDAP inconstancies
What seems to be the problem?I don't know the guts of it, but I have a bit of experience with LDAP and Active Directory. Well, it is not really a Problem since all the groups we need for the web are consistently returned.But for some reason we get a different lists of groups for specific users when the login code, using cfldap to get their groups from active directory, is installed on different servers.The servers are set up on the same network, and use the exact same ldap code connecting to the same active directory repository with the same user and password. As I said the groups we need are consistently returned by both servers, but our QA department needs to know why there is a difference and I don't know enough about active directory to explain the differences. -- Ian Skinner Web Programmer BloodSource file:///C:\Documents%20and%20Settings\iskinner\Application%20Data\Microsoft\Signatures\www.BloodSource.org www.BloodSource.org http://www.BloodSource.orgSacramento Sacramento, CA C code. C code run. Run code run. Please! - Cynthia Dunning Confidentiality Notice:This message including any attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and delete any copies of this message. [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: LDAP inconstancies
What seems to be the problem?I don't know the guts of it, but I have a bit of experience with LDAP and Active Directory. From: Ian Skinner [mailto:[EMAIL PROTECTED] Sent: Monday, October 04, 2004 6:15 PM To: CF-Talk Subject: LDAP inconstancies Is anybody out there very knowledge of the underpinnings of CFLDAP?We have modified the ntsecurity.cfc to use LDAP to get the user groups since we have seemed to run into a limitation of the group's method that comes with ntsecurity. But we are experiencing an interesting discrepancy.When the code is run on different machines but for the same users, us, we get slightly different results.Neither of us is experienced enough with the ins and outs of window's networking to reliably explain this.Can anybody help? TIA -- Ian Skinner Web Programmer BloodSource file:///C:\Documents%20and%20Settings\iskinner\Application%20Data\Micro soft\Signatures\www.BloodSource.org www.BloodSource.org http://www.BloodSource.orgSacramento Sacramento, CA C code. C code run. Run code run. Please! - Cynthia Dunning Confidentiality Notice:This message including any attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and delete any copies of this message. [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: LDAP server is unwilling to perform
message of LDAP server is unwilling to perform How busy is the traffic to the LDAP?Ours refuses connections after a certain limit over a defined period of time, presumably to stop hack attempts. Might be a similar issue. -- dc [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: LDAP, CF5.0 vs CFMX6.1
I have some code that does some M$ Exchange LDAP lookups that works beautifully on a CFMX6.1 box, but bombs out on a CF5.0 box.I'm not using anything that is CFMX specific, AFAIK. But here is the code...anyone have any ideas? I'm no LDAP expert, but I don't see anything wrong with your code. Are you able to run any LDAP client on that machine and query the LDAP server successfully? Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: LDAP, CF5.0 vs CFMX6.1
ah, good point, gonna try to do this.I know this CF5.0 box can connect to an LDAP store, a netscrape one I think.I just can't get it to connect to a M$ Exchange LDAP store.Also, Ihave tried this code on other CF5 boxes in my comapny and it bombs there too.I'm thinking something changed in the cfldap tag code in CFMX.I'm digging in the docs now. The error is not very informative CFLDAP Local error The error occurred while processing an element with a general identifier of (CFLDAP), occupying document position (54:3) to (90:5) in the template file c:\inetpub\wwwroot\corpdir_old2.cfm. Doug -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Friday, December 12, 2003 1:02 PM To: CF-Talk Subject: RE: LDAP, CF5.0 vs CFMX6.1 I have some code that does some M$ Exchange LDAP lookups that works beautifully on a CFMX6.1 box, but bombs out on a CF5.0 box.I'm not using anything that is CFMX specific, AFAIK. But here is the code...anyone have any ideas? I'm no LDAP expert, but I don't see anything wrong with your code. Are you able to run any LDAP client on that machine and query the LDAP server successfully? Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 _ [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Re: LDAP Monitoring Utility/Tool/CF Script
Surely this feature-rich monitoring tool lets you monitor ports 389 and 636 on your LDAP server? -- jon mailto:[EMAIL PROTECTED] Tuesday, July 15, 2003, 8:49:59 AM, you wrote: AC Hi, AC I'm searching for a free LDAP monitoring utility/tool AC or atleast a script. Basically I want to have an AC update of the LDAP Server at all times. The AC utility/script should alert me when something goes AC wrong (service stops/fails). I am using Nagios. Nagios AC is a feature-rich network monitoring package. It can AC also be configured to send alerts and perform other AC actions when problems are detected. AC Is there anyone who can help me? AC Thanks AC Allan ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: LDAP Monitoring Utility/Tool/CF Script
Well, aside from just checking the port, I'm sure it would be ideal to see if searches are actually working. I see a couple of different ways to do this (and this is assuming ColdFusion MX): The ideal way to do it would be to simply use CFLDAP, and query an object periodically that you know will be there. Otherwise, find some sort of JDBC driver that can handle LDAP. The openldap project has a bridge available that will do this, I believe. At that point, you just have it run a search periodically. If you can't do that, I'm sure you can use SNMP - somehow. If you can't do that, then grab one of the LDAP command tools, like ldapsearch, and call that via a CFEXECUTE periodically, and parse the output for what you are expecting. Pretty? Not really... But it is functional. I'd be surprised if Nagios didn't have some sort of LDAP monitoring built in. Michael Jackson Systems Engineer [EMAIL PROTECTED] http://www.cfxhosting.com/ -Original Message- From: jon hall [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 15, 2003 09:50 AM To: CF-Talk Subject: Re: LDAP Monitoring Utility/Tool/CF Script Surely this feature-rich monitoring tool lets you monitor ports 389 and 636 on your LDAP server? Tuesday, July 15, 2003, 8:49:59 AM, you wrote: AC Hi, AC I'm searching for a free LDAP monitoring utility/tool AC or atleast a script. Basically I want to have an AC update of the LDAP Server at all times. The AC utility/script should alert me when something goes AC wrong (service stops/fails). I am using Nagios. Nagios AC is a feature-rich network monitoring package. It can AC also be configured to send alerts and perform other AC actions when problems are detected. ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: LDAP binary
using ssl on linux? -Original Message- From: Dimo Michailov [mailto:[EMAIL PROTECTED] Sent: 02 April 2003 17:16 To: CF-Talk Subject: LDAP binary Hello all: I am trying to extract a JPG binary image from our LDAP server but I get back only the first 4 bytes, the rest seems truncated. Any help? The code I use is: cfldap server=our server here action=query name=getUserPhoto attributes=jpegPhoto start=our start dn filter=((uid=userID)) The code above works on CF5 and crashes on MX. In CF5, the length of the returned getUserPhoto.jpegPhoto is 4 bytes only, not the whole 2KB image. Any help? Thanks in advance - Dimo Michailov ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
Re: LDAP binary
ColdFusion running under NT, LDAP under Solaris. No SSL being used. Again, anyone can help? Dimo webguy wrote: using ssl on linux? -Original Message- From: Dimo Michailov [mailto:[EMAIL PROTECTED] Sent: 02 April 2003 17:16 To: CF-Talk Subject: LDAP binary Hello all: I am trying to extract a JPG binary image from our LDAP server but I get back only the first 4 bytes, the rest seems truncated. Any help? The code I use is: cfldap server=our server here action=query name=getUserPhoto attributes=jpegPhoto start=our start dn filter=((uid=userID)) The code above works on CF5 and crashes on MX. In CF5, the length of the returned getUserPhoto.jpegPhoto is 4 bytes only, not the whole 2KB image. Any help? Thanks in advance - Dimo Michailov ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
Re: LDAP Question
Try this cfldap action=query name=auth start=cn=Scott Dowling, ou=users, ou=Taxes,ou=Accounting, dc=oag, dc=com attributes=dn, cn server=MyServer.Mine.gov scope=subtree this is what I use to return all the users in our sub directory (we then have other containers to drill through, I am just starting higher up in the tree) CFLDAP NAME=GetSubEntries ACTION=Query SERVER=xxx.xxx.xxx.xxx ATTRIBUTES=ou, givenname, sn, loginDisabled, telephoneNUMBER SCOPE=SUBTREE SORT = #VARIABLES.SORTT# SORTCONTROL=ASC START=ou=surg,ou=com,ou=campus,o=osu_mc [EMAIL PROTECTED] 02/12/03 03:13PM Hi guys. Having a minor problem accessing the active directory using LDAP. I can connect ok and I can even get the info I need. Problem is because our directory is broken up and divided into many containers such as for each division and each section within a division. For instance, Im in accounting and within accounting im in taxes. And I have a container for accounting and within that container I have 4 more containers for each section one of which is taxes. Well right now I need my LDAP query to go all the way into both accounting and taxes to find me. Whereas I need it to be able to look in all the containers in accounting so anyone in accounting can log in. cftry cfldap action=query name=auth start=cn=Scott Dowling, ou=users, ou=Taxes, ou=Accounting, dc=oag, dc=com attributes=userPrincipalName server=MyServer.Mine.gov username=Scott Dowling password=MyPass scope=subtree cfoutput #Auth.Recordcount# /cfoutput See in the above query I need to drill down right to my name in the containers to get a recordcount of 1(meaning a match) If I try to go and look into just the accounting container it wont find me. How do I get it to search all the containers in our dc and look for a match? Thanks! ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: LDAP Passwords
Hm...I think we use netscape directory services, and I pulled that code directly from a production app that never gives us problems. I would guess there are some other attributes set in there (though I'm not positive). I guess the only thing I could suggest is to set up a dummy ldap account and do some testing. -d Deanna Schneider Interactive Media Developer [EMAIL PROTECTED] ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Re: LDAP Passwords
You mean like so: !--- Change password --- cfldap server=#request.ldapserver# port=389 action=modify username=uid=#request.ldapusername#, ou=CES, ou=uwex, o=Extension password=#request.ldappassword# attributes=userpassword=#form.password# dn=uid=#newid#, ou=CES, ou=uwex, o=Extension Deanna Schneider Interactive Media Developer [EMAIL PROTECTED] ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm
Re: LDAP Passwords
Deanna, Yes! but the CF 4.5 documentation warns that when you modify you must specify all values for all existing attributes along with the new ones because any existing attributes you don't specify will be overwritten with empty values. We use an LDAP bridge into Novell NDS and there are way too many attributes to reiterate when we just want to set the password. I thought there might be a more straightforward way to do this. Am I wrong on this detail? Thanks again, Darren [EMAIL PROTECTED] 10/03/02 04:13PM You mean like so: !--- Change password --- cfldap server=#request.ldapserver# port=389 action=modify username=uid=#request.ldapusername#, ou=CES, ou=uwex, o=Extension password=#request.ldappassword# attributes=userpassword=#form.password# dn=uid=#newid#, ou=CES, ou=uwex, o=Extension Deanna Schneider Interactive Media Developer [EMAIL PROTECTED] ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com
Re: LDAP Passwords
We use the ldap- Novell here as well. If I remember nds won't let you change the password..but I could be wrong...anyways we have stayed away from allowing that. Have you successfully done it? [EMAIL PROTECTED] 10/03/02 04:33PM Deanna, Yes! but the CF 4.5 documentation warns that when you modify you must specify all values for all existing attributes along with the new ones because any existing attributes you don't specify will be overwritten with empty values. We use an LDAP bridge into Novell NDS and there are way too many attributes to reiterate when we just want to set the password. I thought there might be a more straightforward way to do this. Am I wrong on this detail? Thanks again, Darren [EMAIL PROTECTED] 10/03/02 04:13PM You mean like so: !--- Change password --- cfldap server=#request.ldapserver# port=389 action=modify username=uid=#request.ldapusername#, ou=CES, ou=uwex, o=Extension password=#request.ldappassword# attributes=userpassword=#form.password# dn=uid=#newid#, ou=CES, ou=uwex, o=Extension Deanna Schneider Interactive Media Developer [EMAIL PROTECTED] ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
Re: LDAP Passwords
I know that the NDK has Java api's that allow you to accomplish this but I was hoping i wouldn't have to install jar files etc. We authenticate to web apps using LDAP but haven't done the password reset thing yet, but we will. It's just a matter of which method we wind up using. Darren [EMAIL PROTECTED] 10/03/02 04:48PM We use the ldap- Novell here as well. If I remember nds won't let you change the password..but I could be wrong...anyways we have stayed away from allowing that. Have you successfully done it? [EMAIL PROTECTED] 10/03/02 04:33PM Deanna, Yes! but the CF 4.5 documentation warns that when you modify you must specify all values for all existing attributes along with the new ones because any existing attributes you don't specify will be overwritten with empty values. We use an LDAP bridge into Novell NDS and there are way too many attributes to reiterate when we just want to set the password. I thought there might be a more straightforward way to do this. Am I wrong on this detail? Thanks again, Darren [EMAIL PROTECTED] 10/03/02 04:13PM You mean like so: !--- Change password --- cfldap server=#request.ldapserver# port=389 action=modify username=uid=#request.ldapusername#, ou=CES, ou=uwex, o=Extension password=#request.ldappassword# attributes=userpassword=#form.password# dn=uid=#newid#, ou=CES, ou=uwex, o=Extension Deanna Schneider Interactive Media Developer [EMAIL PROTECTED] ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/index.cfm?sidebar=listsbody=lists/cf_talk FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
RE: LDAP/Active Directory
I have a guy here at work working on an LDAP server (brand New) I will get some info from him and pass it along to you. Steven Lancaster Barrios Technology NASA/JSC 281-244-2444 (voice) [EMAIL PROTECTED] -Original Message- From: Timothy Heald [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 04, 2002 4:15 PM To: CF-Talk Subject: LDAP/Active Directory Does anyone have links to good resources for using Active Directory through LDAP? I am doing some work on this now, I have the tutorial out on the MM site, but I am also looking for anything I should look out for? Pitfalls people? TIA :) Tim Heald ACP/CCFD :) Application Development www.schoollink.net __ Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: LDAP/Active Directory
That would be great. The error messages are horrible. You get LDAP Error and that's about it. At least with the SQL messages you get a clue :) Tim Heald ACP/CCFD :) Application Development www.schoollink.net -Original Message- From: LANCASTER, STEVEN M. (JSC-OL) (BAR) [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 04, 2002 5:37 PM To: CF-Talk Subject: RE: LDAP/Active Directory I have a guy here at work working on an LDAP server (brand New) I will get some info from him and pass it along to you. Steven Lancaster Barrios Technology NASA/JSC 281-244-2444 (voice) [EMAIL PROTECTED] -Original Message- From: Timothy Heald [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 04, 2002 4:15 PM To: CF-Talk Subject: LDAP/Active Directory Does anyone have links to good resources for using Active Directory through LDAP? I am doing some work on this now, I have the tutorial out on the MM site, but I am also looking for anything I should look out for? Pitfalls people? TIA :) Tim Heald ACP/CCFD :) Application Development www.schoollink.net __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: LDAP and CF Resources
the query time is slower than hitting a regular db, how large are your queries? how powerful is your ldap server?, whats the network connection to it like? this things can cause a ldap query to be significantly slowedand may cause cf to lock up on rare occasions. [EMAIL PROTECTED] 05/20/02 10:10AM We recently launched an app that uses LDAP. It's a phone directory. Since its release we have had problems with CF locking up. Anyone know if LDAP is a CF resource hog? James __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists