20090416 authenticated access to a dsml server - plembo/onemoretech GitHub Wiki

title: Authenticated access to a DSML server
link: https://onemoretech.wordpress.com/2009/04/16/authenticated-access-to-a-dsml-server/
author: lembobro
post_id: 336
created: 2009/04/16 20:27:38
created_gmt: 2009/04/16 20:27:38
comment_status: open
post_name: authenticated-access-to-a-dsml-server
status: publish
post_type: post

Authenticated access to a DSML server

So let’s begin with the understanding that every vendor who supports DSML in their directory server product will probably do this differently. The following example is what works with Sun Java System Directory 5.2, which is what I’m currently testing with.

To authenticate to Sun’s DSML server you need to either present a certificate or a user ID and credentials (i.e. password) over the HTTP interface.

Documentation for this can be found here.

If you’re authenticating with a user ID and password (HTTP Basic Authentication), by default the DSML configuration assumes that the user ID you submit is a uid value and that the matching entry lives under “ou=People,dc=example,dc=com”, where “dc=example,dc=com” is the base dn of your directory. To change this you need to add one or more identity mapping objects under “cn=HTTP-BASIC,cn=identity mapping,cn=config” for that server instance. These can be added using ldapmodify and a simple LDIF. By way of example, here is an LDIF that adds two new identity mappings to my test directory:

```ldif
dn: cn=special users,cn=HTTP-BASIC,cn=identity mapping, cn=config
objectclass: top
objectclass: nsContainer
objectclass: dsIdentityMapping
cn: special users
dssearchbasedn: ou=special users,dc=example,dc=com
dssearchfilter: (cn=${Authorization})

dn: cn=corporate,cn=HTTP-BASIC,cn=identity mapping, cn=config
objectclass: top
objectclass: nsContainer
objectclass: dsIdentityMapping
cn: corporate
dssearchbasedn: ou=People,o=Corporate,dc=example,dc=com
dssearchfilter: (uid=${Authorization})
```

Notice that in the first of these, “special users”, the ID attribute is “cn” and the basedn is an ou named “special users”. In the second, users are located in a container named for a business organization called “Corporate”, and the ID attribute is once again “uid”.

Putting this all together, you would get something like this:

```perl
#!/usr/bin/perl
# Search for an entry in the directory server over DSML, authenticating
# with HTTP Basic Authentication.
#
use Net::DSML;
use Net::DSML::Filter;

my $HOME = $ENV{'HOME'};
our($myUsr, $myPass, $myHost);

# Site config file that sets $myUsr (a user dn), $myPass and $myHost.
require "$HOME/etc/ldapscript.conf";

$dirHost = $myHost;
$usrPass = $myPass;
$usrID = $myUsr;

# $myUsr is a full dn; keep only its first RDN and strip the attribute
# name so the remaining value can be sent as the HTTP Basic user ID.
# (The right-hand side of the split still reads the global $usrID set above.)
my ($usrID, $superior) = split(',', $usrID);
for($usrID) { s/uid=//gi; s/cn=//gi; }

$dsmlPort = "11000";
$filter = Net::DSML::Filter->new();

$attribute = "sn";
$value = "lembo";

$basedn = "dc=example,dc=com";
@attributes = qw(*);

# Build the substring filter (sn=lembo*).
if ( !($filter->subString( { type => "initial",
                             attribute => $attribute,
                             value => $value } ) ) ) {
    print $filter->error(), "\n";
    exit;
}

$dsml = Net::DSML->new({ debug => 0,
                         url => "http://$dirHost:$dsmlPort/dsml",
                         dn => $usrID,
                         password => $usrPass,
                       });

$dsml->setScope({ scope => "wholeSubtree" });

if ( !( $dsml->search( { sfilter => $filter->getFilter(),
                         base => $basedn,
                         attributes => @attributes,
                       } ) ) ) {
    print $dsml->error, "\n";
    exit;
}

if ( !$dsml->send() ) {
    print $dsml->error, "\n";
    exit;
}

$content = $dsml->content();
print $content, "\n";
__END__
```

Note what I do here in order to leverage my existing script config file, which defines variables for various often-used values like hostnames, user passwords and user entry distinguished names (dn):

```perl
$usrID = $myUsr;
my ($usrID, $superior) = split(',', $usrID);
for($usrID) { s/uid=//gi; s/cn=//gi; }
```

These lines take a user dn ($myUsr), assign it to a new variable ($usrID) and then strip the dn elements from it so that you’re left with a userID-like value suitable for submitting to the DSML server.
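As an added illustration (not code from the original post), the following Python mirrors both halves of the setup above: the client-side step of deriving a Basic-auth user ID from a dn, and the server-side identity-mapping lookup defined by the two LDIF entries, with the value substituted for `${Authorization}` escaped the way RFC 4515 requires so it cannot change the shape of the filter. The RDN parser generalizes the uid/cn stripping to any attribute type; `IDENTITY_MAPPINGS`, `rdn_value`, `escape_filter_value`, `resolve_mapping` and `basic_auth_header` are names of my own.

```python
import base64
import re

# Constructed copies of the two identity mappings from the LDIF above.
IDENTITY_MAPPINGS = {
    "special users": {"base": "ou=special users,dc=example,dc=com",
                      "filter": "(cn=${Authorization})"},
    "corporate": {"base": "ou=People,o=Corporate,dc=example,dc=com",
                  "filter": "(uid=${Authorization})"},
}

# First RDN of a DN: attribute type, '=', then a value running up to the
# first comma that is not backslash-escaped.
_FIRST_RDN = re.compile(r"([^=,]+)=((?:\\.|[^,])*)")


def rdn_value(dn):
    """Return the value of the first RDN, e.g. 'plembo' from 'uid=plembo,ou=...'."""
    m = _FIRST_RDN.match(dn)
    if not m:
        raise ValueError("not a DN: %r" % dn)
    return m.group(2).strip()


def escape_filter_value(value):
    """Escape assertion-value metacharacters (RFC 4515) as \\XX hex pairs."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def resolve_mapping(name, user_id):
    """Render the search base and filter a mapping yields for a Basic-auth user ID."""
    mapping = IDENTITY_MAPPINGS[name]
    rendered = mapping["filter"].replace("${Authorization}",
                                         escape_filter_value(user_id))
    return mapping["base"], rendered


def basic_auth_header(user_id, password):
    """Value of the Authorization header the DSML client sends."""
    token = ("%s:%s" % (user_id, password)).encode("utf-8")
    return "Basic " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    uid = rdn_value("uid=plembo,ou=People,o=Corporate,dc=example,dc=com")
    print(resolve_mapping("corporate", uid))
    print(basic_auth_header(uid, "secret"))
```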

Copyright 2004-2019 Phil Lembo