ldap query for networkAddress

If it matters...
OES servers running eDirectory 8.8.7
Netware servers running eDirectory 8.8.5

I'm trying to do an ldap_search from PHP to check for the
networkAddress attribute. Using an ldap browser, I can see a user
with a networkAddress of 39 23 00 00 C0 A8 01 88.

The following line works as expected and returns all users:
ldap_search($ldap,"o=msktd", "networkAddress=*",$nds_stuff);

This one logs an invalid syntax error:
ldap_search($ldap,"o=msktd",
"networkAddress=\39\23\00\00\C0\A8\01\88",$nds_stuff);

I found a website that used the following syntax and it doesn't return
an error, but it also does not return the user:
ldap_search($ldap,"o=msktd",
"networkAddress=1#\C0\A8\01\88",$nds_stuff);

If someone could clue me in on how I need to format this, I would
greatly appreciate it.

One other question, I see that sometimes the IP address is prefixed
with "31 23" and other times it is "39 23 00 00". I'm not sure why I
see two different formats, but I need to account for both.

I just found one user that had two networkAddress entries:
31 23 C0 A8 02 82
39 23 00 00 C0 A8 02 82

The following line does return this user:
ldap_search($ldap,"o=msktd",
"networkAddress=1#\C0\A8\02\82",$nds_stuff);

But so far further testing is not getting me the expected results.
Help please.

Thanks,
Ken
--
Ken
Knowledge Partner

Create and vote for enhancements!
https://www.microfocus.com/products/enhancement-request.html

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 15:43:25 +0000, KeN Etter wrote:

> I'm trying to do an ldap_search from PHP to check for the networkAddress
> attribute.


Why?


> Using an ldap browser, I can see a user with a
> networkAddress of 39 23 00 00 C0 A8 01 88.


Network Address is a structured attribute. It contains a "type" and an
"address". The address portion is different for each type. So to make
sense of this, you need to get the type, then use that to decide how to
decode the address.

The data returned for this structure is binary. LDAP handles this by
base64 encoding it. So you also have to handle base64 encode/decode.


> The following line works as expected and returns all users:
> ldap_search($ldap,"o=msktd", "networkAddress=*",$nds_stuff);


I assume that's the PHP syntax for specifying all objects with a Network
Address value.


> This one logs an invalid syntax error: ldap_search($ldap,"o=msktd",
> "networkAddress=\39\23\00\00\C0\A8\01\88",$nds_stuff);


Because that's not a valid base64 encoded string.


> I found a website that used the following syntax and it doesn't return
> an error, but it also does not return the user:
> ldap_search($ldap,"o=msktd",
> "networkAddress=1#\C0\A8\01\88",$nds_stuff);


Because that's not the format expected for a base64 encoded string search
of a structured binary attribute.


> If someone could clue me in on how I need to format this, I would
> greatly appreciate it.


The problem is similar to this one:

http://serverfault.com/questions/140683/get-an-object-by-its-objectguid-using-ldapsearch

I suspect something along those lines is the answer.


> One other question, I see that sometimes the IP address is prefixed with
> "31 23" and other times it is "39 23 00 00". I'm not sure why I see two
> different formats, but I need to account for both.


Because they are different types. They are *not* IP addresses,
necessarily. Do not assume that everything you see in a networkAddress
value is an IP address. Some will be. Some will not. Without looking it
up, I suspect that one of those is "TCP" and the other is "UDP".


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 17:00:01 GMT, David Gersic
<dgersic@no-mx.forums.netiq.com> wrote:

>On Wed, 05 Mar 2014 15:43:25 +0000, KeN Etter wrote:
>
>> I'm trying to do an ldap_search from PHP to check for the networkAddress
>> attribute.

>
>Why?


I have a custom PHP NCP extension written for Netware. I use it to
find out who people are on my network so I can automatically log them
into a website. But I may not be able to get that ported over to run
on OES/Linux, so I was wanting to see what I could do with an ldap
search.

Guess I'll keep digging and see what I can find.

Ken
--
Ken

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 18:16:47 +0000, KeN Etter wrote:

> On Wed, 05 Mar 2014 17:00:01 GMT, David Gersic
> <dgersic@no-mx.forums.netiq.com> wrote:
>
>>On Wed, 05 Mar 2014 15:43:25 +0000, KeN Etter wrote:
>>
>>> I'm trying to do an ldap_search from PHP to check for the
>>> networkAddress attribute.

>>
>>Why?

>
> I have a custom PHP NCP extension written for Netware. I use it to find
> out who people are on my network so I can automatically log them into a
> website. But I may not be able to get that ported over to run on
> OES/Linux, so I was wanting to see what I could do with an ldap search.


Yeah, I guessed it might be something like that.

So, in addition to everything else, you also need to know that this is
going to be unreliable.


> Guess I'll keep digging and see what I can find.


Look for "stuck network address" to read more.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: ldap query for networkAddress

Looks like I need to pursue that NCP extension some more. While
testing today I just realized that the networkAddress entries for me
are gone. I have no clue why that should have happened. Seems like
it shouldn't be that hard if I am logging into eDirectory with the
Novell Client, then somehow my IP address should be consistently
listed in eDirectory. I know there are many companies out there that
use the IP address to determine who someone is (such as firewall and
filtering appliances), so it seems like it would be in Novell's
interest to make this work right. But if I can't count on this, I
better go back to my old method. Frustrating!

Ken
--
Ken

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 19:21:50 +0000, KeN Etter wrote:

> Looks like I need to pursue that NCP extension some more. While testing
> today I just realized that the networkAddress entries for me are gone.


Neat. Welcome to the wonderful world of Network Address not acting like
you think it should.


> I have no clue why that should have happened. Seems like it shouldn't
> be that hard if I am logging into eDirectory with the Novell Client,
> then somehow my IP address should be consistently listed in eDirectory.


You'd think that would be true, yes. You'll be disappointed, eventually,
if you rely on that thought.


> I know there are many companies out there that use the IP address to
> determine who someone is (such as firewall and filtering appliances), so
> it seems like it would be in Novell's interest to make this work right.


You'd think, yes. People that buy software that does this show up here
from time to time, asking why it doesn't work. Or why it works
differently this week from last week. Or why it's failing in some new and
exciting way. That's why I started off with "why?".

You'd think that somebody would want to fix this. It's not been done.


> But if I can't count on this, I better go back to my old method.
> Frustrating!


Yep. At least then you control the code and how it works.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 21:00:02 GMT, David Gersic
<dgersic@no-mx.forums.netiq.com> wrote:

>On Wed, 05 Mar 2014 19:21:50 +0000, KeN Etter wrote:
>
>> Looks like I need to pursue that NCP extension some more. While testing
>> today I just realized that the networkAddress entries for me are gone.

>
>Neat. Welcome to the wonderful world of Network Address not acting like
>you think it should.
>
>
>> I have no clue why that should have happened. Seems like it shouldn't
>> be that hard if I am logging into eDirectory with the Novell Client,
>> then somehow my IP address should be consistently listed in eDirectory.

>
>You'd think that would be true, yes. You'll be disappointed, eventually,
>if you rely on that thought.
>
>
>> I know there are many companies out there that use the IP address to
>> determine who someone is (such as firewall and filtering appliances), so
>> it seems like it would be in Novell's interest to make this work right.

>
>You'd think, yes. People that buy software that does this show up here
>from time to time, asking why it doesn't work. Or why it works
>differently this week from last week. Or why it's failing in some new and
>exciting way. That's why I started off with "why?".
>
>You'd think that somebody would want to fix this. It's not been done.


I don't remember the last time I was really ticked off at Novell, but
someone there needs to be slapped upside the head. This is just
stupid.

>> But if I can't count on this, I better go back to my old method.
>> Frustrating!

>
>Yep. At least then you control the code and how it works.


Unfortunately, I am not a programmer, I just mess around with PHP. So
I have to see if I can get the guy who originally wrote it for me to
port it over.

Thanks for the help.
Ken
--
Ken

Re: ldap query for networkAddress


KeN Etter;241641 Wrote:
> Looks like I need to pursue that NCP extension some more. While
> testing today I just realized that the networkAddress entries for me
> are gone. I have no clue why that should have happened. Seems like
> it shouldn't be that hard if I am logging into eDirectory with the
> Novell Client, then somehow my IP address should be consistently
> listed in eDirectory. I know there are many companies out there that
> use the IP address to determine who someone is (such as firewall and
> filtering appliances), so it seems like it would be in Novell's
> interest to make this work right. But if I can't count on this, I
> better go back to my old method. Frustrating!
>
> Ken

That value will deliberately be empty when you are not currently logged
in. Also if you turn off the updating of attributes while logging in,
often done to help eDir performance, it will never be filled in.
https://www.novell.com/support/kb/doc.php?id=3479868


--
ataubman
------------------------------------------------------------------------
ataubman's Profile: https://forums.netiq.com/member.php?userid=301
View this thread: https://forums.netiq.com/showthread.php?t=50184


Re: ldap query for networkAddress

On Wed, 05 Mar 2014 23:14:02 GMT, ataubman
<ataubman@no-mx.forums.netiq.com> wrote:

>
>KeN Etter;241641 Wrote:
>> Looks like I need to pursue that NCP extension some more. While
>> testing today I just realized that the networkAddress entries for me
>> are gone. I have no clue why that should have happened. Seems like
>> it shouldn't be that hard if I am logging into eDirectory with the
>> Novell Client, then somehow my IP address should be consistently
>> listed in eDirectory. I know there are many companies out there that
>> use the IP address to determine who someone is (such as firewall and
>> filtering appliances), so it seems like it would be in Novell's
>> interest to make this work right. But if I can't count on this, I
>> better go back to my old method. Frustrating!
>>
>> Ken

>That value will deliberately be empty when you are not currently logged
>in. Also if you turn off the updating of attributes while logging in,
>often done to help eDir performance, it will never be filled in.
>https://www.novell.com/support/kb/doc.php?id=3479868


I haven't turned it off and I wasn't logged out. Someone at Novell
really ought to make this work correctly and consistently. Just
ridiculous that we can't count on something this simple working right.

Ken
--
Ken

Re: ldap query for networkAddress


I was just letting you know of the by-design circumstances when you
wouldn't be able to retrieve that value, that's all.


--
ataubman

Re: ldap query for networkAddress


To save yourself the heartaches and conserve the world's supply of coffee
beans, it is "easiest" if you just grab the specific user's network
address as-is, base64 decode it, and work out the address from there,
rather than trying to search for that particular address directly.


--
--
-eDirectory Rules!-

Peter
www.DreamLAN.com
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=50184


Re: ldap query for networkAddress

On Thu, 06 Mar 2014 01:24:02 GMT, peterkuo
<peterkuo@no-mx.forums.netiq.com> wrote:

>
>To save yourself the heartaches and conserve the world's supply of coffee
>beans, it is "easiest" if you just grab the specific user's network
>address as-is, base64 decode it, and work out the address from there,
>rather than trying to search for that particular address directly.


Except I don't know the user. So I was going to grab all user's
network addresses and then do a comparison. But since the
networkAddress attribute still is not reliable, I'm going to have to
go back to my current method.

What started this is I have my own single sign on. If a user is
logged into our network (eDirectory), then they are automatically
logged into our web sites. But the module that does this is a custom
PHP NCP extension that runs on Netware. I'm trying to get these web
sites moved to SLES or OES and thought maybe I could do it with an
LDAP query now because I *thought* from something I read in the Novell
Client 2 SP3 IR5 notes that Novell had finally fixed the
networkAddress attribute. Guess not.

Ken
--
Ken

Re: ldap query for networkAddress


Personally, I have not had problems with the network address attribute
going "AWOL" as that seems to be mostly site-specific and I don't think
anyone has a real handle on why that happens!

I don't know if you wish to discuss this publicly as it may be of
interest to others that face similar needs. If yes, can you perhaps
give us a step-by-step on how your SSO process works? For instance, user
logs into your network with a NetWare Client, then you have a custom PHP
that periodically scans the server's connection table, then??? If we
know the actual steps involved, perhaps there is an easier workaround
instead.


--
--
-eDirectory Rules!-

Peter
www.DreamLAN.com

Re: ldap query for networkAddress

On Fri, 07 Mar 2014 02:24:02 GMT, peterkuo
<peterkuo@no-mx.forums.netiq.com> wrote:

>
>Personally, I have not had problems with the network address attribute
>going "AWOL" as that seems to be mostly site-specific and I don't think
>anyone has a real handle on why that happens!
>
>I don't know if you wish to discuss this publicly as it may be of
>interest to others that face similar needs. If yes, can you perhaps
>give us a step-by-step on how your SSO process works? For instance, user
>logs into your network with a NetWare Client, then you have a custom PHP
>that periodically scans the server's connection table, then??? If we
>know the actual steps involved, perhaps there is an easier workaround
>instead.


User logs into the network with the Novell Client. Some web pages on
my internal sites need to know who the user is. Rather than asking
them to login again via LDAP, those pages include a PHP script. That
script uses the custom NCP extension to query the connection table on
the server and returns either their username or "not logged in". This
query occurs every time they hit a page that includes the connection
check PHP script.

We only have around 60 employees and this works very well.

I would really like to use the LDAP/networkAddress method because it
doesn't rely on anything custom (that is - it is just my PHP and LDAP
vs a custom NCP extension that I need to have someone update). But
the LDAP method worries me because it does not look like it will be as
reliable. I see two issues with it:

1. Stuck networkAddress entry. I currently have 1 IP address that is
listed for two people. So far I haven't figured out a way to delete
the old entry. Neither iManager nor my ldap browser give me that
option.
2. Missing networkAddress entry. I currently have 9 people who are
logged into the network but do not have a networkAddress entry in
eDirectory. They are all logged in under Windows 7 with the Novell
Client. Those 9 would work fine with my NCP method.

Ken
--
Ken

Re: ldap query for networkAddress

On Fri, 07 Mar 2014 14:39:34 +0000, KeN Etter wrote:

> I would really like to use the LDAP/networkAddress method because it
> doesn't rely on anything custom (that is - it is just my PHP and LDAP vs
> a custom NCP extension that I need to have someone update). But the
> LDAP method worries me because it does not look like it will be as
> reliable.


It's not reliable. At best, it looks like it might work, leading you to
the belief that it's reliable. Until it bites you later.


> 1. Stuck networkAddress entry. I currently have 1 IP address that is
> listed for two people. So far I haven't figured out a way to delete the
> old entry.


Yup. The official answer is "dsrepair -n0" and running a local database
repair. The un-official answer is an LDIF like:

dn: cn=bob,ou=whatever
changetype: modify
delete: networkaddress


> 2. Missing networkAddress entry. I currently have 9 people who are
> logged into the network but do not have a networkAddress entry in
> eDirectory.


Interesting. I can't say that I've seen that, but it wouldn't surprise me.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
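
Added example (not part of any post in this thread, and not the posters' or Novell's code): the "fetch the values, decode them, then compare" approach suggested above, combined with a check that refuses to name a user when the address is missing or is held by more than one object, which are the two failure cases reported in the thread. It assumes each raw value is an ASCII type tag, a '#', and the binary address, as the quoted dumps suggest (0x31 0x23 is "1#", 0x39 0x23 is "9#"); the type layouts, the function names and the cn= names are assumptions made for illustration.

```php
<?php
// Added example. Assumes each raw networkAddress value is an ASCII type tag,
// a '#', then the binary address, matching the dumps quoted in the thread
// (0x31 0x23 = "1#", 0x39 0x23 = "9#").

/** Decode one raw value to a dotted IPv4 string, or null if it is not one. */
function decode_network_address(string $raw): ?string
{
    $sep = strpos($raw, '#');
    if ($sep === false || $sep === 0) {
        return null;                      // no type tag
    }
    $type = substr($raw, 0, $sep);
    $addr = substr($raw, $sep + 1);

    // Layouts inferred from the thread's two samples (assumption):
    //   type 1: 4 address bytes; type 9: 2 leading bytes, then 4 address bytes.
    if ($type === '1' && strlen($addr) === 4) {
        $ip = $addr;
    } elseif ($type === '9' && strlen($addr) === 6) {
        $ip = substr($addr, 2);
    } else {
        return null;                      // any other type is not treated as IPv4
    }
    $text = inet_ntop($ip);
    return $text === false ? null : $text;
}

/**
 * $entries maps a DN to its raw networkAddress values (for example as read
 * with ldap_get_values_len()). Returns the one DN that holds $clientIp, or
 * null when no DN or more than one DN holds it, so that a missing or stuck
 * entry sends the visitor to a normal login instead of a guessed identity.
 */
function resolve_user_by_ip(array $entries, string $clientIp): ?string
{
    $owners = [];
    foreach ($entries as $dn => $values) {
        foreach ($values as $raw) {
            if (decode_network_address($raw) === $clientIp) {
                $owners[$dn] = true;      // same IP under two types counts once
            }
        }
    }
    return count($owners) === 1 ? (string) array_key_first($owners) : null;
}

// Constructed sample data: the cn= names are hypothetical, the address bytes
// are the ones quoted in the thread.
$entries = [
    'cn=alice,o=msktd' => ["1#\xC0\xA8\x02\x82", "9#\x00\x00\xC0\xA8\x02\x82"],
    'cn=bob,o=msktd'   => ["9#\x00\x00\xC0\xA8\x01\x88"],
    'cn=carol,o=msktd' => ["9#\x00\x00\xC0\xA8\x01\x88"], // stuck duplicate
];

foreach (['192.168.2.130', '192.168.1.136', '192.168.1.50'] as $ip) {
    $dn = resolve_user_by_ip($entries, $ip);
    echo $ip, ' => ', $dn ?? 'no unique owner, require login', PHP_EOL;
}
```

Returning null for both "no owner" and "several owners" keeps the web login from trusting a stale entry; the caller should treat null as "ask for credentials".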