Anonymous_User Absent Member.

ECMAScript LDAPSearch Issue


Hi all,

In order to verify if a generated email address has already been used
for an existing account of a remote directory, I have to use the Novell
ECMAScript function "ldapSearch", included in the NOVLLIBLDAP-JS
Library.

The parameters of this function are:

/**
 * ldapSearch
 *
 * @param {String} host      LDAP Server, either DNS or IP-Address
 * @param {Number} port      LDAP listening port
 * @param {String} user      user account, full distinguished name, LDAP syntax
 * @param {String} password  the cleartext LDAP userpassword
 * @param {String} base      search base
 * @param {String} scope     (base | one | sub)
 * @param {String} filter    LDAP search filter according to RFC2254 (see {@link #ldapCount(DirContext, String, String)})
 * @param {String} attrList  comma separated list of attributes to return
 * @type Nodeset
 * @return NodeSet containing instances from search result, or status element with error message
 */
function ldapSearch(host, port, user, password, base, scope, filter, attrList) {}


In my Policy, I call it this way:

ldapSearch("1.2.3.4","389","cn=IamAccount,o=IAM","MyPassword","","sub","(mail=$lvGeneratedEmailAddress)","uid");

Of course, it doesn't work 😄

The driver log can show me a DN Syntax Error:

--> Token Value: "Error : JavaException: com.novell.ldap.LDAPException:
Invalid DN Syntax".


* cn=IamAccount,o=IAM is the Service account of IDM. If I change it, I
have another error (bad credentials), so it seems to be good.
* "": I kept the "base" attribute empty because I want to do my search
from the Root of the directory. Is it a problem?

To debug it, I launched the same command in the Designer ECMA console.
The command returns no result (but no Error!). Maybe it's because the
console isn't able to show a nodeset as a String.

Has somebody already used this function and seen something I could have
done wrong?

Thank you in advance 🙂


--
sniceper
------------------------------------------------------------------------
sniceper's Profile: https://forums.netiq.com/member.php?userid=5188
View this thread: https://forums.netiq.com/showthread.php?t=48546

0 Likes
5 Replies
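Added example (not part of the original thread, and not NetIQ's or the library author's code): a pre-flight check for the ldapSearch arguments from the post above. It reports which DN argument is empty or malformed and where a value deviates from the documented type, and it escapes the e-mail value so that filter metacharacters such as * cannot widen the uniqueness match. The helper names, the password placeholder and the sample e-mail value are assumptions.

```javascript
// Added example; helper names are hypothetical and not part of NOVLLIBLDAP-JS.

// Escape a value for an LDAP filter (RFC 4515, which replaced RFC 2254).
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    return "\\" + ("0" + ch.charCodeAt(0).toString(16)).slice(-2);
  });
}

// Split a DN into RDNs on commas that are not backslash-escaped.
function splitRdns(dn) {
  var parts = [], cur = "";
  for (var i = 0; i < dn.length; i++) {
    if (dn[i] === "\\" && i + 1 < dn.length) cur += dn[i] + dn[++i];
    else if (dn[i] === ",") { parts.push(cur); cur = ""; }
    else cur += dn[i];
  }
  parts.push(cur);
  return parts;
}

// Simplified syntax check (not a full RFC 4514 parser): every RDN must
// start with an attribute name or numeric OID followed by "=".
function checkDn(dn) {
  if (dn === "") return "empty";
  var rdn = /^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=/;
  return splitRdns(dn).every(function (r) { return rdn.test(r); }) ? "ok" : "malformed";
}

// Return the argument list in ldapSearch() order plus notes on anything
// that deviates from the documented parameter types.
function buildSearchArgs(p) {
  var notes = [];
  if (typeof p.port !== "number") notes.push("port: documented as Number, got " + typeof p.port);
  ["user", "base"].forEach(function (k) {
    var state = checkDn(p[k]);
    if (state !== "ok") notes.push(k + ": DN is " + state);
  });
  if (["base", "one", "sub"].indexOf(p.scope) < 0) notes.push("scope: expected base, one or sub");
  var filter = "(mail=" + escapeFilterValue(p.email) + ")";
  return { notes: notes, args: [p.host, p.port, p.user, p.password, p.base, p.scope, filter, p.attrs] };
}

// Constructed input mirroring the call in the post; the e-mail value is made up.
var demo = buildSearchArgs({ host: "1.2.3.4", port: "389", user: "cn=IamAccount,o=IAM",
  password: "<password>", base: "", scope: "sub", email: "j.doe*(x)@example.com", attrs: "uid" });
console.log(demo.notes.join("\n"));
console.log(demo.args[6]);
```

The notes only describe the arguments; whether the directory accepts an empty base is still best confirmed with the server-side LDAP trace.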
Anonymous_User Absent Member.

Re: ECMAScript LDAPSearch Issue

You're using eDirectory so get an LDAP trace from the eDirectory side to
see exactly what is happening. Here are the joys of using good
troubleshooting tools. First, go to your LDAP Server object in eDirectory
(with iManager or ConsoleOne or whatever) and go to the 'Trace' or 'Screen
Options' section and check all checkboxes. Go back to the 'General'
section and 'Refresh NLDAP Server Now' (should happen automatically, but
we'll be sure). Now tracing is enabled for LDAP nicely, so let's go watch
it. At the command line on the eDirectory server:

Code:
--------------------
ndstrace
set dstrace=nodebug
dstrace +time +tags +ldap
dstrace file on
set dstrace=*r
#do whatever you do in Designer or the engine to test
dstrace file off
quit
--------------------

Post the contents of the ndstrace.log file which is, by default, going to
be somewhere like /var/opt/novell/eDirectory/log/ndstrace.log

Good luck.
0 Likes
jtl1 Absent Member.

Re: ECMAScript LDAPSearch Issue

Hello,

Set a valid base dn. I think you should be able to use "t=<tree name>" to search the entire tree from root.

Invalid DN Syntax, it is the empty search base that has an invalid DN syntax.

Best regards,
Tobias

0 Likes
Anonymous_User Absent Member.

Re: ECMAScript LDAPSearch Issue

On 09/05/2013 10:00 AM, Tobias Ljunggren wrote:
> Hello,
>
> Set a valid base dn. I think you should be able to use "t=<tree name>" to
> search the entire tree from root.
>
> Invalid DN Syntax, it is the empty search base that has an invalid DN syntax.


I'd be surprised if a zero-length string caused this problem. I do this
all the time both in IDM as well as other LDAP tools and it is fine.
Zero-length strings just mean to search everything by default.

Good luck.
0 Likes
Knowledge Partner

Re: ECMAScript LDAPSearch Issue

If you look at the ECMA function, the way that Lothar wrote it (and it
is pretty clear NetIQ cribbed it from his (older) version) you will see
that it makes the LDAP request, and then pastes the results into an XDS
document.

You can see if you can change the ECMA simply to instead of cloning it
into an XDS <instance> event, and perhaps simply treat the entire result
as a string, and see if you get anything better back.


0 Likes
Knowledge Partner

Re: ECMAScript LDAPSearch Issue

sniceper wrote:

> i have to use the Novell ECMAScript function "ldapSearch",
> included in the NOVLLIBLDAP-JS Library.


Try the version from the BitsNdPieces v1.0.4 package available at my public
Designer repo at http://www.brummelhook.com/download/idm/packages/site.xml and
see if it runs into the same error (has an additional parameter to support
SSL/TLS, so make sure to adapt the calling xpath). Try trace level 5 to narrow
down to where it fails inside the ECMA function (and send me the fix if it does
🙂)
0 Likes