Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: LDAP Query - host allowed option
Top Forums UNIX for Advanced & Expert Users LDAP Query - host allowed option Post 303019451 by dagamier on Friday 29th of June 2018 11:27:16 AM
Old 06-29-2018
Network LDAP Query - host allowed option
I have an in interesting dilemna that I am trying to address. I have some ldap queries that I use to retrieve user information to perform access validations on a quarterly/annual basis. I can successfully pull the local users, and I can use ldapsearch to pull back all the users from the DN as well. However, my problem is, I need to narrow down this search so that I can report on LDAP users who have access to the local server and not just return every user in the DN on every server so that I can then truly validate whether people need to retain access to the specific hosts they have access to. I have so far been unable to come up with (or find an example of) a proper command that returns a "host allowed" value, or just returns a list of users with access to the host that I am running the ldap search on. Has anyone run across this before and have a viable option of how to report only LDAP users with access to the server on which the query is running? I have to run this on hundreds of servers, so getting this right is pretty critical to me.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Ldap dn chars allowed

Hi Is it possible to add the following to an ldif entry: dn=estmmartín i.e Note the charchter 'í' Thanks in advance (3 Replies)
Discussion started by: tom123
3 Replies

2. Shell Programming and Scripting

Perl and Net::LDAP, objects and arrays query

Hi I'm not a programmer but am muddling through as best I can. I am trying to set up a PostSearchHook for Radiator (RADIUS server), that carries out an LDAP lookup, and, based on the string returned ("staff" or "student") in the "businessCategory" attribute, will set the $role to be either 40... (3 Replies)
Discussion started by: mikie
3 Replies

3. UNIX for Dummies Questions & Answers

LDAP search query help

I would like to do an ldap search which looks for entries which do not actually have a certain attribute. Not that the attribute is Null, but where the attribute does not exist. Is this possible using ldapsearch? (3 Replies)
Discussion started by: dopple
3 Replies

4. UNIX for Dummies Questions & Answers

CRON JOB SCHEDULER throwing "option not allowed error"

Hi All, Pardon me if this turns out to be a dumb question. But I am trying to schedule a cron job for a my script which takes input options. So an entry in crontab would be something like: 1 * * * * run_report.sh -o out.csv -m monthly -e somename@email.com > cron_output.log 2> cron_error.log... (3 Replies)
Discussion started by: trueharsh
3 Replies

5. Solaris

Mail issue solution query- host map: lookup (domain): deferred

Hi all I had a mail issue earlier today where I was not receiving any emails from the servers of one of our clients. The mail queue just showed this: -----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient----------- o8S7eSpp020274* 5858 Tue Sep 28 10:42... (0 Replies)
Discussion started by: notreallyhere
0 Replies

6. Red Hat

SMB can't locate LDAP on another host

Hi, We have a mail server which has Zimbra installed on it and a file server. Folks use the same login information they use to access their email to access the file server. So the file server is using the same LDAP server as the mail server. Couple days ago, at around 12 PM all of the sudden,... (3 Replies)
Discussion started by: tezarin
3 Replies

7. Shell Programming and Scripting

Ldap search query

Hi All, I have a existing Ldap query which take a HOME as variable and gives the result where i grep for a particular line. ldapsearch -h server_domain_name -p 389 -D "uid=user,ou=appadm,o=ent" -w PaB -b "ou=roles,o=ent" "cidx=$HOME" | grep -w "ent: xyz" Now i have 330K Homes in a... (1 Reply)
Discussion started by: posner
1 Replies

8. Emergency UNIX and Linux Support

LDAP and AD Authentication Query

Hi Friends, I have below scenarios . dom1.test.com - LDAP dom2.test.com - AD Requirement is establish a trust relation between LDAP and AD server in such a way that if any user login on LDAP managed authentication server with dom1\username -> get authenticated by LDAP host ... (2 Replies)
Discussion started by: Shirishlnx
2 Replies

9. Shell Programming and Scripting

Db2 query on other host

Hello, i need some help with a script. I made a script, which connect to different hosts to get some informations. But i got now some problems with getting informations of a database (db2) which is on a other host. I tried something like var=$(rsh HOST su - db2adm -c "db2 connect to database;... (2 Replies)
Discussion started by: Cyver
2 Replies

10. UNIX and Linux Applications

LDAP Group query

I need to write LDAP group query where I need to find if a particular user is a member of a 2 specific Groups. This is LDAP Novell edirectory implementation. Below are the details - ================ LDIF entry for OndotAPI group dn: cn=OndotAPI,ou=Groups,o=CNS changetype: add ... (0 Replies)
Discussion started by: jhamaks
0 Replies

LEARN ABOUT REDHAT

squid_ldap_auth

squid_ldap_auth(8)					      System Manager's Manual						squid_ldap_auth(8)

NAME

       squid_ldap_auth - Squid LDAP authentication helper

SYNOPSIS

       squid_ldap_auth -b "base DN" [-u attribute] [options] [ldap_server_name[:port]]...]

       squid_ldap_auth -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...]

DESCRIPTION

       This helper allows Squid to connect to a LDAP directory to validate the user name and password of Basic HTTP authentication.

       The  program  has  two  major  modes  of operation. In the default mode of operation the users DN is constructed using the base DN and user
       attribute. In the other mode of operation a search filter is used to locate valid user DN's below the base DN.

       -b basedn (REQUIRED)
	      Specifies the base DN under which the users are located.

       -f filter
	      LDAP search filter to locate the user DN. Required if the users are in a hierarchy below the base DN, or if the login  name  is  not
	      what builds the user specific part of the users DN.

	      The search filter can contain up to 15 occurrences of %s which will be replaced by the username, as in "uid=%s" for RFC2037 directo-
	      ries. For a detailed description of LDAP search filter syntax see RFC2254.

       -u userattr
	      Specifies the name of the DN attribute that contains the username/login.	Combined with the base DN to construct the users  DN  when
	      no search filter is specified (-f option). Defaults to 'uid'

	      Note:  This  can	only be done if all your users are located directly under the same position in the LDAP tree and the login name is
	      used for naming each user object. If your LDAP tree does not match these criterias or if you want to filter who are valid users then
	      you need to use a search filter to search for your users DN (-f option).

       -s base|one|sub
	      search scope when performing user DN searches specified by the -f option. Defaults to 'sub'.

	      base object only, one level below the base object or subtree below the base object

       -D binddn -w password
	      The  DN  and  password  to  bind	as  while  performing  searches. Required by the -f flag if the directory does not allow anonymous
	      searches.

	      As the password needs to be printed in plain text in your Squid configuration it is strongly recommended to use a account with mini-
	      mal associated privileges.  This to limit the damage in case someone could get hold of a copy of your Squid configuration file.

       -P     Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to preserve resources at the
	      LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user  validations.  Recom-
	      mended for larger installations.

       -R     do not follow referrals

       -a never|always|search|find
	      when to dereference aliases. Defaults to 'never'

	      never dereference aliases (default), always dereference aliases, only while searching or only to find the base object

       -h ldapserver
	      Specify the LDAP server to connect to

       -p ldapport
	      Specify an alternate TCP port where the ldap server is listening if other than the default LDAP port 389.

EXAMPLES

       For  directories  using	the RFC2307 layout with a single domain, all you need to specify is usually the base DN under where your users are
       located and the server name:

	      squid_ldap_auth -b ou=people,dc=your,dc=domain ldapserver

       If you have sub-domains then you need to use a search filter approach to locate your user DNs as these can no longer be constructed direcly
       from the base DN and login name alone:

	      squid_ldap_auth -b dc=your,dc=domain -f uid=%s ldapserver

       And similarily if you only want to allow access to users having a specific attribute

	      squid_ldap_auth -b dc=your,dc=domain -f (&(uid=%s)(specialattribute=value)) ldapserver

       Or  if  the  user  attribute of the user DN is "cn" instead of "uid" and you do not want to have to search for the users then you could use
       something like the following example for Active Directory:

	      squid_ldap_auth -u cn -b cn=Users,dc=your,dc=domain ldapserver

       If you want to search for the user DN and your directory does not allow anonymous searches then you must also use the -D and  -w  flags	to
       specify a user DN and password to log in as to perform the searches, as in the following complex Active Directory example

	      squid_ldap_auth  -p  -R  -b  dc=your,dc=domain  -D  cn=squid,cn=users,dc=your,dc=domain  -w secretsquidpassword -f (&(userPrincipal-
	      Name=%s)(objectClass=Person)) activedirectoryserver

NOTES

       When constructing search filters it is strongly recommended to test the filter using ldapsearch before you attempt to use  squid_ldap_auth.
       This to verify that the filter matches what you expect.

AUTHOR

       This manual page was written by Henrik Nordstrom <hno@squid-cache.org>

       squid_ldap_auth is written by Glenn Newton <gnewton@wapiti.cisti.nrc.ca> and Henrik Nordstrom <hno@squid-cache.org>

KNOWN ISSUES

       Will crash if other % values than %s is used in -f, or if more than 15 %s is used.

QUESTIONS

       Any  questions  on  usage can be sent to Squid Users <squid-users@squid-cache.org>, or to your favorite LDAP list/friend if the question is
       more related to LDAP than Squid.

REPORTING BUGS

       Report bugs or bug-fixes to Squid Bugs <squid-bugs@squid-cache.org> or ideas for new improvements  to  Squid  Developers  <squid-dev@squid-
       cache.org>

SEE ALSO

       ldapsearch(1),
       Your favorite LDAP documentation
       RFC2254 - The String Representation of LDAP Search Filters,

Squid LDAP Auth 						 25 September 2001						squid_ldap_auth(8)
All times are GMT -4. The time now is 03:47 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy