ldap query for networkAddress

If it matters...
OES servers running eDirectory 8.8.7
Netware servers running eDirectory 8.8.5

I'm trying to do an ldap_search from PHP to check for the
networkAddress attribute. Using an ldap browser, I can see a user
with a networkAddress of 39 23 00 00 C0 A8 01 88.

The following line works as expected and returns all users:
ldap_search($ldap,"o=msktd", "networkAddress=*",$nds_stuff);

This one logs an invalid syntax error:
ldap_search($ldap,"o=msktd",
"networkAddress=\39\23\00\00\C0\A8\01\88",$nds_stuff);

I found a website that used the following syntax and it doesn't return
an error, but it also does not return the user:
ldap_search($ldap,"o=msktd",
"networkAddress=1#\C0\A8\01\88",$nds_stuff);

If someone could clue me in on how I need to format this, I would
greatly appreciate it.

One other question, I see that sometimes the IP address is prefixed
with "31 23" and other times it is "39 23 00 00". I'm not sure why I
see two different formats, but I need to account for both.

I just found one user that had two networkAddress entries:
31 23 C0 A8 02 82
39 23 00 00 C0 A8 02 82

The following line does return this user:
ldap_search($ldap,"o=msktd",
"networkAddress=1#\C0\A8\02\82",$nds_stuff);

But so far further testing is not getting me the expected results.
Help please.

Thanks,
Ken
--
Ken
Knowledge Partner

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 15:43:25 +0000, KeN Etter wrote:

> I'm trying to do an ldap_search from PHP to check for the networkAddress
> attribute.


Why?


> Using an ldap browser, I can see a user with a
> networkAddress of 39 23 00 00 C0 A8 01 88.


Network Address is a structured attribute. It contains a "type" and an
"address". The address portion is different for each type. So to make
sense of this, you need to get the type, then use that to decide how to
decode the address.

The data returned for this structure is binary. LDAP handles this by
base64 encoding it. So you also have to handle base64 encode/decode.


> The following line works as expected and returns all users:
> ldap_search($ldap,"o=msktd", "networkAddress=*",$nds_stuff);


I assume that's the PHP syntax for specifying all objects with a Network
Address value.


> This one logs an invalid syntax error: ldap_search($ldap,"o=msktd",
> "networkAddress=\39\23\00\00\C0\A8\01\88",$nds_stuff);


Because that's not a valid base64 encoded string.


> I found a website that used the following syntax and it doesn't return
> an error, but it also does not return the user:
> ldap_search($ldap,"o=msktd",
> "networkAddress=1#\C0\A8\01\88",$nds_stuff);


Because that's not the format expected for a base64 encoded string search
of a structured binary attribute.


> If someone could clue me in on how I need to format this, I would
> greatly appreciate it.


The problem is similar to this one:

http://serverfault.com/questions/140683/get-an-object-by-its-objectguid-using-ldapsearch

I suspect something along those lines is the answer.


> One other question, I see that sometimes the IP address is prefixed with
> "31 23" and other times it is "39 23 00 00". I'm not sure why I see two
> different formats, but I need to account for both.


Because they are different types. They are *not* IP addresses,
necessarily. Do not assume that everything you see in a networkAddress
value is an IP address. Some will be. Some will not. Without looking it
up, I suspect that one of those is "TCP" and the other is "UDP".


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 17:00:01 GMT, David Gersic
<dgersic@no-mx.forums.netiq.com> wrote:

>On Wed, 05 Mar 2014 15:43:25 +0000, KeN Etter wrote:
>
>> I'm trying to do an ldap_search from PHP to check for the networkAddress
>> attribute.

>
>Why?


I have a custom PHP NCP extension written for Netware. I use it to
find out who people are on my network so I can automatically log them
into a website. But I may not be able to get that ported over to run
on OES/Linux, so I was wanting to see what I could do with an ldap
search.

Guess I'll keep digging and see what I can find.

Ken
--
Ken
Knowledge Partner

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 18:16:47 +0000, KeN Etter wrote:

> On Wed, 05 Mar 2014 17:00:01 GMT, David Gersic
> <dgersic@no-mx.forums.netiq.com> wrote:
>
>>On Wed, 05 Mar 2014 15:43:25 +0000, KeN Etter wrote:
>>
>>> I'm trying to do an ldap_search from PHP to check for the
>>> networkAddress attribute.

>>
>>Why?

>
> I have a custom PHP NCP extension written for Netware. I use it to find
> out who people are on my network so I can automatically log them into a
> website. But I may not be able to get that ported over to run on
> OES/Linux, so I was wanting to see what I could do with an ldap search.


Yeah, I guessed it might be something like that.

So, in addition to everything else, you also need to know that this is
going to be unreliable.


> Guess I'll keep digging and see what I can find.


Look for "stuck network address" to read more.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: ldap query for networkAddress

Looks like I need to pursue that NCP extension some more. While
testing today I just realized that the networkAddress entries for me
are gone. I have no clue why that should have happened. Seems like
it shouldn't be that hard if I am logging into eDirectory with the
Novell Client, then somehow my IP address should be consistently
listed in eDirectory. I know there are many companies out there that
use the IP address to determine who someone is (such as firewall and
filtering appliances), so it seems like it would be in Novell's
interest to make this work right. But if I can't count on this, I
better go back to my old method. Frustrating!

Ken
--
Ken
Knowledge Partner

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 19:21:50 +0000, KeN Etter wrote:

> Looks like I need to pursue that NCP extension some more. While testing
> today I just realized that the networkAddress entries for me are gone.


Neat. Welcome to the wonderful world of Network Address not acting like
you think it should.


> I have no clue why that should have happened. Seems like it shouldn't
> be that hard if I am logging into eDirectory with the Novell Client,
> then somehow my IP address should be consistently listed in eDirectory.


You'd think that would be true, yes. You'll be disappointed, eventually,
if you rely on that thought.


> I know there are many companies out there that use the IP address to
> determine who someone is (such as firewall and filtering appliances), so
> it seems like it would be in Novell's interest to make this work right.


You'd think, yes. People that buy software that does this show up here
from time to time, asking why it doesn't work. Or why it works
differently this week from last week. Or why it's failing in some new and
exciting way. That's why I started off with "why?".

You'd think that somebody would want to fix this. It's not been done.


> But if I can't count on this, I better go back to my old method.
> Frustrating!


Yep. At least then you control the code and how it works.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 21:00:02 GMT, David Gersic
<dgersic@no-mx.forums.netiq.com> wrote:

>On Wed, 05 Mar 2014 19:21:50 +0000, KeN Etter wrote:
>
>> Looks like I need to pursue that NCP extension some more. While testing
>> today I just realized that the networkAddress entries for me are gone.

>
>Neat. Welcome to the wonderful world of Network Address not acting like
>you think it should.
>
>
>> I have no clue why that should have happened. Seems like it shouldn't
>> be that hard if I am logging into eDirectory with the Novell Client,
>> then somehow my IP address should be consistently listed in eDirectory.

>
>You'd think that would be true, yes. You'll be disappointed, eventually,
>if you rely on that thought.
>
>
>> I know there are many companies out there that use the IP address to
>> determine who someone is (such as firewall and filtering appliances), so
>> it seems like it would be in Novell's interest to make this work right.

>
>You'd think, yes. People that buy software that does this show up here
>from time to time, asking why it doesn't work. Or why it works
>differently this week from last week. Or why it's failing in some new and
>exciting way. That's why I started off with "why?".
>
>You'd think that somebody would want to fix this. It's not been done.


I don't remember the last time I was really ticked off at Novell, but
someone there needs to be slapped upside the head. This is just
stupid.

>> But if I can't count on this, I better go back to my old method.
>> Frustrating!

>
>Yep. At least then you control the code and how it works.


Unfortunately, I am not a programmer, I just mess around with PHP. So
I have to see if I can get the guy who originally wrote it for me to
port it over.

Thanks for the help.
Ken
--
Ken
Knowledge Partner

Re: ldap query for networkAddress


KeN Etter;241641 Wrote:
> Looks like I need to pursue that NCP extension some more. While
> testing today I just realized that the networkAddress entries for me
> are gone. I have no clue why that should have happened. Seems like
> it shouldn't be that hard if I am logging into eDirectory with the
> Novell Client, then somehow my IP address should be consistently
> listed in eDirectory. I know there are many companies out there that
> use the IP address to determine who someone is (such as firewall and
> filtering appliances), so it seems like it would be in Novell's
> interest to make this work right. But if I can't count on this, I
> better go back to my old method. Frustrating!
>
> Ken

That value will deliberately be empty when you are not currently logged
in. Also if you turn off the updating of attributes while logging in,
often done to help eDir performance, it will never be filled in.
https://www.novell.com/support/kb/doc.php?id=3479868


--
ataubman
------------------------------------------------------------------------
ataubman's Profile: https://forums.netiq.com/member.php?userid=301
View this thread: https://forums.netiq.com/showthread.php?t=50184

Re: ldap query for networkAddress

On Wed, 05 Mar 2014 23:14:02 GMT, ataubman
<ataubman@no-mx.forums.netiq.com> wrote:

>
>KeN Etter;241641 Wrote:
>> Looks like I need to pursue that NCP extension some more. While
>> testing today I just realized that the networkAddress entries for me
>> are gone. I have no clue why that should have happened. Seems like
>> it shouldn't be that hard if I am logging into eDirectory with the
>> Novell Client, then somehow my IP address should be consistently
>> listed in eDirectory. I know there are many companies out there that
>> use the IP address to determine who someone is (such as firewall and
>> filtering appliances), so it seems like it would be in Novell's
>> interest to make this work right. But if I can't count on this, I
>> better go back to my old method. Frustrating!
>>
>> Ken

>That value will deliberately be empty when you are not currently logged
>in. Also if you turn off the updating of attributes while logging in,
>often done to help eDir performance, it will never be filled in.
>https://www.novell.com/support/kb/doc.php?id=3479868


I haven't turned it off and I wasn't logged out. Someone at Novell
really ought to make this work correctly and consistently. Just
ridiculous that we can't count on something this simple working right.

Ken
--
Ken
Knowledge Partner

Re: ldap query for networkAddress


I was just letting you know of the by-design circumstances when you
wouldn't be able to retrieve that value, that's all.


--
ataubman
------------------------------------------------------------------------
ataubman's Profile: https://forums.netiq.com/member.php?userid=301
View this thread: https://forums.netiq.com/showthread.php?t=50184

Re: ldap query for networkAddress


To save yourself the heartaches and conserve the world's supply of coffee
beans, it is "easiest" if you just grab the specific user's network
address as-is, base64 decode it, and work out the address from there,
rather than trying to search for that particular address directly.


--
--
-eDirectory Rules!-

Peter
www.DreamLAN.com
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=50184

Re: ldap query for networkAddress

On Thu, 06 Mar 2014 01:24:02 GMT, peterkuo
<peterkuo@no-mx.forums.netiq.com> wrote:

>
>To save yourself the heartaches and conserve the world's supply of coffee
>beans, it is "easiest" if you just grab the specific user's network
>address as-is, base64 decode it, and work out the address from there,
>rather than trying to search for that particular address directly.


Except I don't know the user. So I was going to grab all users'
network addresses and then do a comparison. But since the
networkAddress attribute still is not reliable, I'm going to have to
go back to my current method.

What started this is I have my own single sign on. If a user is
logged into our network (eDirectory), then they are automatically
logged into our web sites. But the module that does this is a custom
PHP NCP extension that runs on Netware. I'm trying to get these web
sites moved to SLES or OES and thought maybe I could do it with an
LDAP query now because I *thought* from something I read in the Novell
Client 2 SP3 IR5 notes that Novell had finally fixed the
networkAddress attribute. Guess not.

Ken
--
Ken
Knowledge Partner
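
Added example, not code from any poster in this thread: decoding the raw networkAddress values quoted above so they can be compared with a client address, and generating a byte-escaped search filter in PHP. It assumes the value is the text form `<decimal type>#<address bytes>` (0x39 0x23 is ASCII `9#`, 0x31 0x23 is `1#`), that types 1, 8 and 9 are IP, UDP and TCP as in the NDS Net Address numbering, and that a six-byte address is a two-byte port followed by the IPv4 address. `decodeNetworkAddress` and `networkAddressFilter` are hypothetical helper names, and whether eDirectory matches the generated filter for every type is not established by the thread.

```php
<?php
// Added example, not code from the thread.
// Assumption: type numbers follow the NDS Net Address numbering.
const NET_TYPES = [1 => 'IP', 8 => 'UDP', 9 => 'TCP'];

// Decode one raw value ("<decimal type>#<address bytes>") as returned by
// ldap_get_values_len(). Returns null for anything that is not IPv4.
function decodeNetworkAddress(string $raw): ?array
{
    if (!preg_match('/^(\d+)#(.*)/s', $raw, $m)) {
        return null;                          // not in tagged form
    }
    $type = (int) $m[1];
    $addr = $m[2];
    if (!array_key_exists($type, NET_TYPES)) {
        return null;                          // some other address family
    }
    $port = null;
    if (strlen($addr) === 6) {                // assumed: 2-byte port, 4-byte IPv4
        $port = unpack('n', $addr)[1];
        $addr = substr($addr, 2);
    }
    if (strlen($addr) !== 4) {
        return null;
    }
    return ['type' => NET_TYPES[$type], 'ip' => inet_ntop($addr), 'port' => $port];
}

// Build an equality filter with every address byte hex-escaped (RFC 4515).
// The escapes are generated, not typed: inside a double-quoted PHP string
// "\39", "\23", "\00" and "\01" are octal escapes and are rewritten by PHP
// before the LDAP library sees the filter.
function networkAddressFilter(int $type, string $addrBytes): string
{
    $escaped = preg_replace('/[0-9a-f]{2}/', '\\\\$0', bin2hex($addrBytes));
    return '(networkAddress=' . $type . '#' . $escaped . ')';
}

// Constructed input: the three hex dumps quoted in the thread.
foreach (['39230000C0A80188', '3123C0A80282', '39230000C0A80282'] as $hex) {
    $d = decodeNetworkAddress(hex2bin($hex));
    printf("%s -> %s %s port %s\n", $hex, $d['type'], $d['ip'], $d['port'] ?? '-');
}
echo networkAddressFilter(9, hex2bin('0000C0A80188')), "\n";
```

If the value was copied from LDIF or another tool that shows it base64-encoded, pass it through `base64_decode()` first. Since the thread reports that the attribute can be missing or stale, a match against the client's address is a hint about who is there, not proof.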
