I'm sorry small correction... 
 
You have two different things you have to worry about special characters in, DNs and Search Filters. They have different sets of characters you need to worry about and also have two different methods of escaping the characters. 
 
In DNs you escape special characters by a preceding backslash, note from RFC 2253:
 
   If the UTF-8 string does not have any of the following characters
   which need escaping, then that string can be used as the string
   representation of the value.

    o   a space or "#" character occurring at the beginning of the
        string

    o   a space character occurring at the end of the string

    o   one of the characters ",", "+", """, "\", "<", ">" or ";"

   Implementations MAY escape other characters.

   If a character to be escaped is one of the list shown above, then it
   is prefixed by a backslash ('\' ASCII 92).

   Otherwise the character to be escaped is replaced by a backslash and
   two hex digits, which form a single byte in the code of the
   character.

As you can see, commas are clearly listed as a character that needs to be escaped and this is obvious as Paul mentioned, it is a delimiter. It is used to delimit the DN into its individual RDNs.
 
In Search Filters, you have slightly different rules as indicated in RFC 2254:
 
   If a value should contain any of the following characters

           Character       ASCII value
           ---------------------------
           *               0x2a
           (               0x28
           )               0x29
           \               0x5c
           NUL             0x00

   the character must be encoded as the backslash '\' character (ASCII
   0x5c) followed by the two hexadecimal digits representing the ASCII
   value of the encoded character. The case of the two hexadecimal
   digits is not significant.

   This simple escaping mechanism eliminates filter-parsing ambiguities
   and allows any filter that can be represented in LDAP to be
   represented as a NUL-terminated string. Other characters besides the
   ones listed above may be escaped using this mechanism, for example,
   non-printing characters.

   For example, the filter checking whether the "cn" attribute contained
   a value with the character "*" anywhere in it would be represented as
   "(cn=*\2a*)".

   Note that although both the substring and present productions in the
   grammar above can produce the "attr=*" construct, this construct is
   used only to denote a presence filter.
 
As you can see, commas are not normally a character that needs to be escaped in a filter. However, they will, because of RFC 2253, have to be escaped for any attributes with a DN-based attribute syntax (i.e. if you stuff a DN into a string value, you wouldn't need to escape it, but if you stuff it into a DN attribute you would). If you truly were going to escape a comma for a filter reason, the escape sequence would be \2c I believe.
 
To further complicate the matter, putting that slash in front of the comma when it isn't required for a DN will cause the filter to not properly match.
 
[Thu 08/17/2006 10:01:46.40]
F:\DEV\cpp\eventiddmp>adfind -default -f "displayname=user, test" -dn
 
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
 
Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc
 
dn:CN=user\, test,OU=Users,OU=TestOU,DC=test,DC=loc
 
1 Objects returned
 
[Thu 08/17/2006 10:01:48.69]
F:\DEV\cpp\eventiddmp>adfind -default -f "displayname=user\, test" -dn
 
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
 
Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc
 

0 Objects returned
 
 
So the upshot: if your query has a DN in it and it is being compared against a DN syntax attribute, say like member or memberof, then you need to escape any extraneous commas. Otherwise, leave the commas alone.
 
This is one of the reasons why DNs should be based on very simple ASCII characters. If using full blown GUI tools they will "usually" handle this stuff for you so you don't have to worry, but lower level tools and command line tools won't usually guide you as much.
 
   joe
 
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
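
The two escaping rules quoted in the message above, as an added Python example (not part of the original post or of any tool it mentions). The function names are hypothetical and the sample values are constructed from the AdFind session; dn_attr_filter applies both quoted rules literally, so the backslash from DN escaping is itself written as \5c inside the filter.

```python
# Added example: DN escaping (RFC 2253) and filter escaping (RFC 2254).
DN_SPECIALS = ',+"\\<>;'        # characters listed in the RFC 2253 quote
FILTER_SPECIALS = '*()\\\x00'   # characters in the RFC 2254 table


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 2253 list)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)       # listed special: prefix a backslash
        elif i == 0 and ch in " #":
            out.append("\\" + ch)       # leading space or '#'
        elif i == last and ch == " ":
            out.append("\\" + ch)       # trailing space
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 2254 table)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in FILTER_SPECIALS else ch for ch in value
    )


def string_attr_filter(attr: str, value: str) -> str:
    """Filter on a string-syntax attribute: filter escaping only."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


def dn_attr_filter(attr: str, dn: str) -> str:
    """Filter on a DN-syntax attribute. `dn` must already be a valid,
    DN-escaped DN; its backslashes are then filter-escaped as \\5c."""
    return "(%s=%s)" % (attr, escape_filter_value(dn))


# Constructed sample values, modelled on the AdFind session above.
display_name = "user, test"
user_dn = "CN=%s,OU=Users,OU=TestOU,DC=test,DC=loc" % escape_dn_value(display_name)

if __name__ == "__main__":
    print(user_dn)                                          # DN form
    print(string_attr_filter("displayName", display_name))  # comma untouched
    print(dn_attr_filter("member", user_dn))                # both rules applied
```

Building filters through functions like these, rather than concatenating user input, also keeps a stray "*" or ")" in a name from changing the meaning of the filter.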
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 17, 2006 4:30 AM
To: [email protected]
Subject: Re: [ActiveDir] LDAP Logon Name

You need to escape the comma, as a comma is a delimiter and in the case of displayName it shouldn't be a delimiter:
 
(&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*))
 
 
I've not read the whole thread, so can't discuss whether or not this is the best way to do what you want.  I will say I feel for you re. the HP documentation.  I had some fun getting the AD iLO integration stuff to work because the guide wasn't very helpful at explaining what format and syntax things wanted.  I found the help on the administration pages better, and simply tried a number of things that I thought should work.
 
 
--Paul
----- Original Message -----
Sent: Monday, August 14, 2006 8:22 PM
Subject: RE: [ActiveDir] LDAP Logon Name

Good catch, but the corrected query still didn’t work! :(

 

Alex


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Cace
Sent: Monday, August 14, 2006 2:50 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP Logon Name

 

In the error below, the LDAP filter is "(&(objectclass=person)displayname=phelps,k*))".  You missed the opening parenthesis before displayname.

 

-Andrew

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Monday, August 14, 2006 1:24 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP Logon Name

 

That was exactly the same as HP documentation. I’ll try your filter and will post the result.

 

Thanks

 

Alex


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 1:43 PM
To: [email protected]
Subject: Re: [ActiveDir] LDAP Logon Name

 

I assume you need a filter such as "(&(objectcategory=person)(objectclass=user)(displayname=phelps,k*))"

 

I optimised the user object search and put an opening bracket when specifying the displayname.

 

M@

 

On 8/14/06, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:

Your ldap filter doesn't look correct.

 

M@

 

On 8/14/06, Alex Alborzfard <[EMAIL PROTECTED] > wrote:

According to product documentation, I have to configure embedded ldap
authentication. Apparently this printer has an Embedded Web Server
(EWS).
However, when I follow the documentation, using ldp tool, it fails when
trying to query ldap. The message I get is this:

***Searching...
ldap_search_s(ld, "DC=pharmanet,DC=com", 2,
"(&(objectclass=person)displayname=phelps,k*))", NULL,  0, &msg)
Error: Search: Filter Error. <87>
Server error:
Error<94>: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the
same result.

Any ideas?

Alex

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: [email protected]
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:
> We have a HP printer/scanner that we want to setup for emailing scanned
> documents.
>
> Management wants to ensure only domain users with email addresses can do
> this.
>
> There is an option for setting up LDAP gateway, where you can set user
> name & password up.
>
> It's asking for LDAP logonname. I have tried my user name and account
> name, but it didn't work.
>
> I looked it up in ADSIedit, but I couldn't find it.

I think that simplest way would be to refer to product documentation but
I would try to use DN, or CN (in CN=... format) of this user.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx