Chat now with support
Chat with Support

Privilege Manager for Unix 7.1.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

ldap_open

Syntax
ldapid ldap_open( string host [, int port [, boolean trace]] )
Description

ldap_open opens a connection to the LDAP server on the specified host (identified by hostname or IP address) and port number. The default port number is 389. Use the returned LDAP connection ID as the first parameter to the other LDAP functions.

If the optional trace parameter is set to true, any errors or warnings from the LDAP function are written to stdout.

If successful, it returns a valid LDAP connection ID; otherwise it returns an undefined variable.

The ldap_open library function has been deprecated in the open LDAP libraries. If supported by the installed LDAP library, the ldap_open policy function calls ldap_initialize in preference to ldap_open. However, ldap_initialize does not open the connection - the connection is opened by the first operation attempted, so ldap_initialize will succeed even if given an invalid host name. The ldap_open policy function displays the loaded LDAP library path if a value of 1 is passed as the trace parameter to ldap_open. This makes it easier to determine which LDAP library is used.

Example
ldap = ldap_open( 'ldap.host' ); 
if( !defined ldap ){ 
   reject "Connection to LDAP server failed" ; 
} 

ldap_search

Syntax
ldapresult ldap_search(int ldapid, string basedn, string scope, string filter [, list attrList [, int attrOnly[, boolean trace]]] )
Description

ldap_search performs a search in the LDAP directory starting at the location identified by basedn. The ldapid is a valid connection ID returned by ldap_open.

The optional attrList parameter is the list of attributes to return in the results. This defaults to an empty list. The filter contains the LDAP search string, in the format described in RFC 4526.

The optional attrOnly parameter is a true or false value. When true, the results contain only the attribute; when false the results return attributes and values. Default setting is true.

Possible search scope:

  • "base" - returns only the entry specified at the DN specified by basedn.
  • "onelevel" - returns all matching entries from the next level down the directory.
  • "subtree" - returns all matching entries below the basedn in the tree.

If the optional trace parameter is set to true, any errors or warnings from the LDAP function are written to stdout.

Returns a special type ldapresult containing the results of the search in a format that you can pass to the ldap_first_entry and ldap_next_entry functions.

Example
#search for all Users at base level 
searchresults= ldap_search( ldapid, "ou=Users,dn=ldap,dn=domain,dn=com", 
   'onelevel', '(objectClass=*)' ); 
if (ldap_count_results(ldapid, searchresults) == 0) 
{ 
   reject "Found no users"; 
}

ldap_unbind

Syntax
ldap_unbind (int ldapid[, boolean trace] )
Description

ldap_unbind closes the LDAP connection and frees all associated resources. The ldapid must be a valid LDAP connection returned by ldap_open.

If the optional trace parameter is set to true, any errors or warnings from the LDAP function are written to stdout.

Example
ldapid = ldap_open( 'ldap.host' ); 
if( defined ldapid ){ 
   rc=ldap_bind(ldapid, "cn=admin", "Secretpassword"); 
   if ((defined rc) && (rc == 0)){ 
      rc=func_search_for_user(ldapid); 
      ldap_unbind(ldapid); 
   }
}

LDAP API example

The pmpolicy language supports the use of LDAP calls to obtain data on the following platforms:

  • all versions of Linux on x86 supported by Privilege Manager for Unix
  • all versions of Linux on x86-64 supported by Privilege Manager for Unix
  • Solaris SPARC® 6 and above
  • AIX 5.2 and above
  • HP-UX PA-RISC 11 and above

The pmpolicy LDAP functions follow, as closely as possible, the API outlined in RFC 1823 to ensure compatibility and ease of understanding.

The feature_enabled() function indicates whether the LDAP functions are available on a particular policy server.

The following example illustrates the use of the LDAP functions.

if (!feature_enabled(FEATURE_LDAP) { 
   print("LDAP support is not available on this policy server"); 
} else { 
   ld_user = "cn=Directory Manager"; 
   ld_passwd = "password"; 
   ld_host = "ldapserver"; 
   BASEDN="ou=People,dc=skynet,dc=local"; 
   SCOPE="onelevel"; 
   FILTER="(objectClass=*)"; 
   ATTRLIST={}; 
   ATTRONLY=false; 

   print( "LDAP Server: " + ld_host ); 
   print( "    User DN: " + ld_user ); 
   print( "   Password: " + ld_passwd ); 
   print( "" ); 
   print( "    Base DN: " + BASEDN ); 
   print( "      Scope: " + SCOPE ); 
   print( "     Filter: " + FILTER ); 
   print( "" ); 

   # Open a connection to the directory server 
   ldapid = ldap_open( ld_host ); 
   if( ldapid < 0 ) { 
      print( "ldap_open failed" ); 
      reject; 
   } 
   # bind to the directory 
   rc = ldap_bind( ldapid, ld_user, ld_passwd ); 
   if( rc==0 ) { 
      # perform the search 
      ld_results = ldap_search( ldapid, BASEDN, SCOPE, FILTER, ATTRLIST, ATTRONLY ); 
      if( ld_results >= 0 ) { 
         # how many results have been returned? 
         num = ldap_count_entries( ldapid, ld_results ); 
         str = sprintf( "Num results = %d", num ); 
         print(str); 
         print(""); 
         print("RESULTS"); 
         print(""); 
         if( num>0 ) { 
            # Grab the first entry from the results 
            lentry = ldap_first_entry( ldapid, ld_results ); 
            while( lentry ) { 
               # print the DN 
               dn = ldap_get_dn( ldapid, ld_results ); 
               print("---- START OF ENTRY (" + dn + ") ----"); 
               e = ldap_explode_dn( dn ); 
               print( "              Exploded DN: " + join( e, ', ' ) ); 
               e = ldap_explode_dn( dn, 1 ); 
               print( "Exploded DN, no type names: " + join( e, ', ' ) ); 
               print( "              User Friendly form: " + ldap_dn2ufn( dn ) ); 
               print(""); 
               oc = ldap_get_values( ldapid, lentry, "objectClass" ); 
               if( "inetorgperson" in oc ) { 
                  gn = ldap_get_values( ldapid, lentry, "givenname" ); 
                  sn = ldap_get_values( ldapid, lentry, "sn" ); 
                  print( "  Found a person, Name = " + gn[0] + " " + sn[0] ); 
               } 

               attrs = ldap_get_attributes( ldapid, lentry ); 
               print( "Attributes: " + join(attrs, ", ") ); 
               # Move through each attibute for the entry 
               attr = ldap_first_attribute( ldapid, lentry ); 
               while( attr != '' ) { 
                  print(" ATTR: " + attr ); 
                     # Print the values for the given attribute 
                     values = ldap_get_values( ldapid, lentry, attr ); 
                     print( "  VALUES = { " + join(values, ", ") + " }" );

                     # move to the next attibute 
                        attr = ldap_next_attribute( ldapid, lentry ); 
               }
               # move to the next entry 
               lentry = ldap_next_entry( ldapid, ld_results ); 
               print("---- END OF ENTRY (" + dn + ") ---- "); 
               print(""); 
            } 
            print(""); 
         } 
         print("-- END OF RESULTS --"); 
      }
   } else { 
      print( "ldap_bind failed" ); 
      reject; 
   }

   rc = ldap_unbind( ldapid ); 
   str = sprintf( "rc = %d", rc ); 
   print(str); 
}
Related Topics

feature_enabled

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating