This document discusses how LDAP servers can help guide LDAP clients and users through the use of server-side information without enforcing strict rules. It provides examples of how the web2ldap application utilizes rootDSE, subschema, and other server data to populate user interfaces and handle requests. The document also covers issues around interoperability, access control, and recommendations for client developers, server developers, and IT administrators.
2. Who?
Michael Ströder <michael@stroeder.com>
Freelancer: LDAP and PKI consulting
Active open source projects:
– http://web2ldap.de
– http://python-ldap.org
Not a UI expert
Old-fashioned
Concerned about insecurity by complexity
stroeder.com
3. Why?
Kurt Zeilenga wrote:
> It might be interesting to discuss how/where web2ldap is
> able to support its users using vendor-inspecific codes,
> where you need to use vendor-specific codes, where LDAP's
> discovery mechanisms help, where they don't, what you do
> when they don't, etc.
How to guide human users using as much server-side information as possible?
How much client-side knowledge is needed?
4. What?
Guiding vs. enforcing, notes about users
Introduction to available server information
Example use-cases with web2ldap using server information
Recommendations
Open issues to be solved
5. Guiding... (1)
Mantra:
Guiding is not enforcing!
Avoid user frustration by reducing failed attempts to reach the use-case goal in normal situations
Try to use server-side extensions to improve client behaviour without bothering the user
Don't stop a skilled user from doing something unusual
6. Guiding... (2)
Meaningful input forms:
– searchable naming contexts (rootDSE)
– available attributes and editable input values (subschema, access control, constraints)
– information about affected LDAP entries (count)
Gracefully handle the user's input values (normalize)
Optional use of DIT content/structure rules, name forms, LDAPv3 extended controls and extended operations
7. Enforcing... (1)
Recommendation: let only the server enforce...
– schema
– access control
– constraints (values, uniqueness, references)
Avoid client-side enforcement of schema and constraints, because users could circumvent the rules
=> data integrity risks
Avoid client-side access control, because users could circumvent the rules
=> security risks
8. Enforcing... (2)
Client-side access control requires powerful proxy user accounts which in real life get (ab)used later for other purposes (yuck!)
More meaningful logging is possible by using the end user's identity for LDAP operations
The server can check constraints within one transaction
9. Enforcing... (3)
Things to enforce on the client side based on client configuration or the user's input:
– StartTLS
– bind method
The local security configuration in web2ldap is the gateway security policy
10. Users...
Some personal observations:
– Users are not dumb
– Users are pretty good at ignoring unneeded things
– Users appreciate additional information if something went wrong and will report it to you
– A secretary with usual office skills provides better data than an IT guy with technical LDAP skills
– Speaking with end users helps
These personal observations are the opposite of the mainstream UI opinions of IT guys...
11. Server-side information (1)
LDAP result information (often overlooked)
– result code
– diagnostic message
rootDSE (obvious)
– naming contexts, default search root
– features (extended controls/operations)
– vendor-specific information (server roles etc.)
subschema subentry (most promising)
12. Server-side information (2)
extended controls
extended operations
number of entries/values (entry count)
operational attributes (modifyTimestamp, numSubordinates etc.)
special count extensions
audit / change log databases (for restoring?)
server-side access control and constraints
13. Rather not generic
/web2ldap/passwd
Set password with various methods (RFC 3062 ext. op., client-side hashed, MS AD, Samba3 hashes)
/web2ldap/groupadm
Add/remove entry to/from groups
/web2ldap/dds
Refresh operation for dynamic entries (implemented for Dieter)
Still, subschema is used almost everywhere.
15. Subschema subentry (2)
Query attribute subschemaSubentry in the current entry
Read and parse the referenced subschema subentry
Fall-back needed due to access restrictions
Each part of the DIT could have a separate subschema (rare in practice)
Not unusual to have a big subschema subentry, ~200..400 kB => caching needed!
17. Diffing with matching rules
Goal:
Fine-grained delete-by-value to provoke collisions in case of concurrent write access (e.g. two admins working on the same ticket)
web2ldap uses the EQUALITY matching rule information to determine whether it's possible to delete a certain attribute value
Matching rules are inherited!
It's not sufficient to only look at the AttributeTypeDescription...
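The matching-rule inheritance described on this slide, together with the per-subentry caching from slide 15, as an added example. This is not web2ldap's or python-ldap's code (python-ldap's ldap.schema module does this for real); the AttributeTypeDescription strings are a constructed subset of standard RFC 4519 definitions, the MOD_* constants mirror python-ldap's numeric values, and the modify_modlist and cached_subschema helpers are hypothetical names:

```python
"""Walk the SUP chain of an attribute type to find its EQUALITY matching rule.

Added example; not web2ldap's or python-ldap's code.  The descriptions below
are a constructed subset of RFC 4519 definitions as a server publishes them
in the attributeTypes attribute of its subschema subentry.
"""
import re

SAMPLE_ATTRIBUTE_TYPES = [
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )",
    "( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )",
    "( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
]

_TOKEN_RE = re.compile(r"\(|\)|\$|'[^']*'|[^\s()']+")
_FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}


def parse_attribute_type(desc):
    """Minimal RFC 4512 AttributeTypeDescription parser: OID, then keyword/value
    pairs where a value is either a single token or a parenthesised list."""
    tokens = _TOKEN_RE.findall(desc)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not a schema description: %r" % desc)
    at = {"oid": tokens[1]}
    i = 2
    while i < len(tokens) - 1:
        key = tokens[i]
        i += 1
        if key in _FLAGS:          # keywords without a value
            at[key] = True
            continue
        values = []
        if tokens[i] == "(":       # e.g. NAME ( 'cn' 'commonName' )
            i += 1
            while tokens[i] != ")":
                if tokens[i] != "$":
                    values.append(tokens[i].strip("'"))
                i += 1
            i += 1
        else:
            values.append(tokens[i].strip("'"))
            i += 1
        at[key] = values
    return at


class SubSchema:
    """Attribute types of one subschema subentry, indexed by OID and by name."""

    def __init__(self, attribute_type_descriptions):
        self._index = {}
        for desc in attribute_type_descriptions:
            at = parse_attribute_type(desc)
            self._index[at["oid"].lower()] = at
            for name in at.get("NAME", []):
                self._index[name.lower()] = at

    def get(self, name_or_oid):
        return self._index[name_or_oid.lower()]

    def equality_matching_rule(self, name_or_oid):
        """EQUALITY rule of the type itself or, if absent, inherited via SUP."""
        at = self.get(name_or_oid)
        visited = set()
        while at["oid"] not in visited:
            visited.add(at["oid"])
            if "EQUALITY" in at:
                return at["EQUALITY"][0]
            if "SUP" not in at:
                return None
            at = self.get(at["SUP"][0])
        return None  # cyclic SUP chain: treat as no usable rule

    def can_delete_by_value(self, name_or_oid):
        return self.equality_matching_rule(name_or_oid) is not None


# Slide 15: parse each subschema subentry once and reuse it (keyed by its DN)
_SUBSCHEMA_CACHE = {}


def cached_subschema(subentry_dn, loader):
    """loader(subentry_dn) must return the attributeTypes values of that subentry."""
    key = subentry_dn.lower()
    if key not in _SUBSCHEMA_CACHE:
        _SUBSCHEMA_CACHE[key] = SubSchema(loader(subentry_dn))
    return _SUBSCHEMA_CACHE[key]


MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # same numeric values as python-ldap's ldap.MOD_*


def modify_modlist(schema, attr, old_values, new_values):
    """Delete and add individual values when the server can match them, so a
    value already removed by a concurrent writer makes the modify fail instead
    of being silently overwritten; otherwise replace the whole attribute."""
    old, new = set(old_values), set(new_values)
    if old == new:
        return []
    if not schema.can_delete_by_value(attr):
        return [(MOD_REPLACE, attr, sorted(new))]
    mods = []
    if old - new:
        mods.append((MOD_DELETE, attr, sorted(old - new)))
    if new - old:
        mods.append((MOD_ADD, attr, sorted(new - old)))
    return mods
```

`cn` carries no EQUALITY of its own, so reading only its AttributeTypeDescription would wrongly force a whole-attribute replace; walking SUP to `name` yields `caseIgnoreMatch` and allows the fine-grained delete.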
18. DIT structure rules & name forms
Enforce tree structure: web2ldap guides
Ideal if the server sets governingStructureRule
If not, you have to find the nearest “subschema administrative point”
Real X.500 servers might provide the attribute administrativeRole with a value of subschemaAdminSpecificArea
=> rather exotic in the pure LDAP field
=> fall back to the best matching naming context
Thanks to S. Legg for this private lesson :-)
19. Interop issues (1)
Domino/LDAP tested up to 7.x (not sure whether fixed in 8.x):
– single null-byte in attribute namingContexts
– returns diagnosticMessage in ISO-8859-1
– many attributes not found in subschema
web2ldap has work-arounds, otherwise users would blame web2ldap for not working with Domino/LDAP
BTW: it was funny to see Domino/LDAP 5.x crash because of a tab character sent in a password ;-) (fixed)
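The rootDSE handling from slides 11 and 18 (naming contexts, feature detection by advertised OID, fall-back to the best matching naming context) and the Domino work-arounds from this slide, as an added Python example that is not web2ldap's code. The rootDSE dictionary and the diagnostic messages are constructed, and all helper names are hypothetical:

```python
"""Defensive use of rootDSE information and LDAP result diagnostics.

Added example, not web2ldap's own code.  CONSTRUCTED_ROOTDSE mimics the
quirks from the talk: a stray null-byte value in namingContexts, no
vendorVersion, and diagnosticMessage values that may not be UTF-8.
"""
import re

# attribute name -> list of bytes, the shape python-ldap returns
CONSTRUCTED_ROOTDSE = {
    "namingContexts": [b"dc=example,dc=com", b"\x00", b"o=example"],
    "supportedControl": [
        b"1.3.6.1.1.13.2",          # post-read control (RFC 4527)
        b"1.2.840.113556.1.4.319",  # simple paged results (RFC 2696)
    ],
    "supportedExtension": [
        b"1.3.6.1.4.1.1466.20037",   # StartTLS (RFC 4511)
        b"1.3.6.1.4.1.4203.1.11.1",  # password modify (RFC 3062)
    ],
    "vendorName": [b"Example Directory"],
    # vendorVersion deliberately absent: many servers do not publish it
}

# constructed diagnostic messages: the same German text in UTF-8 and in ISO-8859-1
DIAG_UTF8 = "Ung\u00fcltiger Wert".encode("utf-8")
DIAG_LATIN1 = "Ung\u00fcltiger Wert".encode("iso-8859-1")


def decode_ldap_text(raw):
    """Decode a value that should be UTF-8 but is ISO-8859-1 on some servers."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("iso-8859-1")


def naming_contexts(rootdse):
    """Usable naming contexts: decoded, null bytes stripped, empty values dropped."""
    result = []
    for raw in rootdse.get("namingContexts", []):
        dn = decode_ldap_text(raw).replace("\x00", "").strip()
        if dn:
            result.append(dn)
    return result


def supports(rootdse, oid):
    """Feature detection by the OIDs the server actually advertises, never by
    vendorName/vendorVersion, which may be missing or misleading."""
    advertised = set(rootdse.get("supportedControl", []))
    advertised |= set(rootdse.get("supportedExtension", []))
    return oid.encode("ascii") in advertised


def _dn_components(dn):
    # split on unescaped commas and normalise case; this simplified splitter
    # ignores multi-valued RDNs and hex-escaped characters
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn)]


def best_naming_context(contexts, dn):
    """Naming context with the longest RDN suffix match against dn, the fall-back
    search root when no subschema administrative point can be determined."""
    parts = _dn_components(dn)
    best, best_len = None, 0
    for ctx in contexts:
        ctx_parts = _dn_components(ctx)
        n = len(ctx_parts)
        if n > best_len and parts[-n:] == ctx_parts:
            best, best_len = ctx, n
    return best


if __name__ == "__main__":
    ctxs = naming_contexts(CONSTRUCTED_ROOTDSE)
    print("naming contexts:", ctxs)
    print("search root:", best_naming_context(ctxs, "uid=x,ou=people,dc=example,dc=com"))
    print("assertion control (1.3.6.1.1.12):", supports(CONSTRUCTED_ROOTDSE, "1.3.6.1.1.12"))
    print(decode_ldap_text(DIAG_UTF8), "|", decode_ldap_text(DIAG_LATIN1))
```

Because `supports()` keys off advertised OIDs, a server that fixes an issue later is picked up automatically, which is exactly what a vendor-version check (slide 20) cannot offer when the version is not in the rootDSE.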
20. Interop issues (2)
Assertion control sent with modify request to detect concurrent write access
Leads to interop issues with slapo-constraint
Had to disable this completely, forever, even if it gets fixed, because the vendor version is not available in rootDSE
Users would blame web2ldap for not working with OpenLDAP
21. Interop issues (3)
Basically it's good when the LDAP server enforces access control, also on the use of extended controls
But overzealous checks are not good!
OpenDJ disallowed the post-read entry control even in case the user was allowed to read the entry
At least non-critical controls should not result in an error code being returned
Users would blame web2ldap for not working with OpenDJ
22. Interop issues (4)
ApacheDS returned invalid ASN.1 encoding for the password policy response control
=> raising an ASN.1 exception was disabled in python-ldap in case of invalid but non-critical response controls
Otherwise users would blame web2ldap for not working with ApacheDS
23. Interop issues (5)
OpenLDAP returned invalid ASN.1 encoding for the read entry response control
Immediately fixed by Pierangelo within hours
But a decoding work-around was added to web2ldap
Otherwise users would blame web2ldap for not working with OpenLDAP, or I'd have to disable the feature forever.
24. Interop issues (6)
Non-ASCII chars in MS AD are a bad idea
SASL/DIGEST-MD5 does not work even though you can see UTF-8 mentioned in SASL messages
Impossible to work around this
I don't expect this to be ever fixed because of AD's own backward compatibility commitment
25. Recommendation to client developers
Don't implement an advanced LDAP client, it's a waste of your spare time
Prefer RAD to meet the customer's requirements
Still crazy enough?
Still interested in implementing advanced LDAP features?
Mantra: testing, testing, testing, testing, ....
Otherwise people will complain about your client and will prefer dumb LDAP clients
26. Interop testing with servers
OpenLDAP 2.x
OpenDJ 2.4.x
MS Active Directory W2K3..W2K12
CA eTrust Directory 8.1 and 12.0
Novell eDirectory 8.7.x and 8.8.x
Lotus Domino LDAP R5.x, R6.x and R7.0.x
389/Fedora Directory Server (fairly recent)
iPlanet/SunONE Directory Server 5.x and 6.x
Siemens DirX 6.x
Innosoft Distributed Directory Server (IDDS)
IBM Directory Server 5.1
Apache DS 1.5 and 2.0M7
OpenDS 1.0 and 2.0RC
Isode's M-Vault LDAP/X.500 Directory Server R14
eB2Bcom's ViewDS (formerly View500) 6.0e11
Critical Path InJoin and Directory Server 4.2
Syntegra (historic)
Netscape Directory Server 4.x (historic)
27. Recommendation to server developers
A meaningful diagnosticMessage helps! Don't write it just to the server's log.
Invite client developers to do interop testing of more advanced features (test drive licenses)
Fix bugs reported to you ;-)
Add vendorName/vendorVersion to rootDSE
Document proprietary schema and extensions; don't hide experimental schema (.666)
28. Recommendation to IT admins
Don't set over-restrictive access control on
– rootDSE
– subschema subentry
– operational attributes
Try to find interop issues and report them to client and server developers if appropriate
Mantra: logging helps...
29. Access control
Goal: disable input fields if there is no write access
Parsing proprietary ACLs / ACIs is not an option
Get Effective Rights control: different variants with the same control OID!
web2ldap uses allowedAttributesEffective (available in MS AD and slapo-allowed)
Value-based access control is an issue
A rather permissive write access interpretation is recommended
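The permissive write-access interpretation from this slide, as an added example that is not web2ldap's code. The entries and the form field list are constructed; allowedAttributesEffective is the real attribute name mentioned on the slide, while writable_fields, disabled_fields and render_form are hypothetical helper names:

```python
"""Disable form fields based on the effective-rights data a server returns.

Added example, not web2ldap's own code.  The entries below are constructed
search results (attribute -> list of bytes, as python-ldap returns them).
"""
import html

FORM_FIELDS = ["cn", "sn", "mail", "telephoneNumber", "userPassword"]

ENTRY_FULL_RIGHTS = {
    "cn": [b"Alice Example"],
    "allowedAttributesEffective": [b"cn", b"sn", b"mail", b"telephoneNumber", b"userPassword"],
}
ENTRY_SELF_SERVICE = {
    "cn": [b"Bob Example"],
    "allowedAttributesEffective": [b"Mail", b"telephoneNumber"],  # mixed case on purpose
}
ENTRY_NO_RIGHTS_INFO = {
    "cn": [b"Carol Example"],  # no effective-rights support, or the attribute is ACL-hidden
}


def writable_fields(entry, form_fields=FORM_FIELDS):
    """Form fields the bound user may write according to allowedAttributesEffective."""
    raw = entry.get("allowedAttributesEffective")
    if raw is None:
        # permissive interpretation: without information, let the user try and
        # leave the decision to the server's own access control
        return list(form_fields)
    allowed = {v.decode("utf-8").lower() for v in raw}  # attribute names are case-insensitive
    return [f for f in form_fields if f.lower() in allowed]


def disabled_fields(entry, form_fields=FORM_FIELDS):
    writable = set(writable_fields(entry, form_fields))
    return [f for f in form_fields if f not in writable]


def render_form(entry, form_fields=FORM_FIELDS):
    """Minimal HTML rendering: inputs the user cannot write are disabled."""
    disabled = set(disabled_fields(entry, form_fields))
    lines = []
    for f in form_fields:
        value = html.escape(entry.get(f, [b""])[0].decode("utf-8"), quote=True)
        flag = " disabled" if f in disabled else ""
        lines.append('<input name="%s" value="%s"%s>' % (f, value, flag))
    return "\n".join(lines)


if __name__ == "__main__":
    for entry in (ENTRY_FULL_RIGHTS, ENTRY_SELF_SERVICE, ENTRY_NO_RIGHTS_INFO):
        print(entry["cn"][0].decode(), "-> disabled:", disabled_fields(entry))
```

Disabling a field here is guidance for the user, not enforcement: the server still evaluates its ACLs on the modify request, which is also what covers value-based access control that an attribute-level list cannot express.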
30. Failed attributes control
The diagnosticMessage is useful but not machine-readable: the user has to read and correctly interpret it.
How about a response control listing what went wrong for which attribute?
It would be useful to point the user directly to the input fields with false data.
31. Attribute constraints (1)
New schema definition attributeConstraints (suggested on ietf-ldapext back in 2008)
– REGEX
– VALUES
– LDAPURI
– OPTIONS
– NUMBER <min>..<max>
– MAXBYTELEN / MAXCHARLEN
Would partially fit HTML5 browser-side checking directly
32. Attribute constraints (2)
Attribute type 'jpegPhoto' with restricted size and limited to a single value:
attributeConstraints ( 0.9.2342.19200300.100.1.60 MAXNUMBER 1 MAXBYTELEN 4000 )
Attribute 'gender' restricted to values in ISO-5801:
attributeConstraints ( 1.3.6.1.4.1.5427.1.389.4.7 VALUES ( '0' $ '1' $ '2' $ '9' ) )
33. Attribute constraints (3)
Search URIs:
( <attribute type OID> LDAPURI <search URI> )
Value of attribute o in any org. entry:
ldap:///dc=example,dc=com?o??(objectClass=organization)
DN of manager's person entry:
ldap:///dc=example,dc=com???(&(objectClass=inetOrgPerson)(title=Manager))
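The attributeConstraints definitions from slides 31 to 33, parsed and applied as the guiding (not enforcing) client-side check the slides describe, as an added example. This is not web2ldap's code and attributeConstraints was only a proposal, so the syntax follows the slides. The jpegPhoto and gender definitions are taken from slide 32; the roomNumber and manager definitions are constructed (their attribute OIDs are the standard RFC 4524 ones, the constraints are invented), and the HTML5 mapping is the one slide 31 hints at:

```python
"""Parse attributeConstraints definitions and check input values against them.

Added example; not web2ldap's code.  attributeConstraints was a proposal
(ietf-ldapext, 2008), so the keywords handled here are the ones listed on the
slides: REGEX, VALUES, LDAPURI, OPTIONS, NUMBER, MAXNUMBER, MAXBYTELEN,
MAXCHARLEN.  LDAPURI constraints need a server search and are only parsed.
"""
import re

JPEGPHOTO_CONSTRAINTS = "( 0.9.2342.19200300.100.1.60 MAXNUMBER 1 MAXBYTELEN 4000 )"
GENDER_CONSTRAINTS = "( 1.3.6.1.4.1.5427.1.389.4.7 VALUES ( '0' $ '1' $ '2' $ '9' ) )"
# constructed: roomNumber limited to 1..999 and at most 4 characters
ROOMNUMBER_CONSTRAINTS = "( 0.9.2342.19200300.100.1.6 NUMBER 1..999 MAXCHARLEN 4 )"
# constructed: manager must point at a person entry with title Manager
MANAGER_CONSTRAINTS = ("( 0.9.2342.19200300.100.1.10 LDAPURI "
                       "ldap:///dc=example,dc=com???(&(objectClass=inetOrgPerson)(title=Manager)) )")

_KEYWORDS = "REGEX|VALUES|LDAPURI|OPTIONS|NUMBER|MAXNUMBER|MAXBYTELEN|MAXCHARLEN"
# a value is a parenthesised list, a quoted string, or one bare token (URIs have no spaces)
_PAIR_RE = re.compile(r"\b(%s)\s+(\([^)]*\)|'[^']*'|\S+)" % _KEYWORDS)


def parse_attribute_constraints(desc):
    body = " ".join(desc.split())  # tolerate the multi-line layout of the slides
    m = re.match(r"\(\s*([0-9.]+)\s+(.*)\)$", body)
    if not m:
        raise ValueError("malformed attributeConstraints: %r" % desc)
    cons = {"oid": m.group(1)}
    for key, val in _PAIR_RE.findall(m.group(2)):
        if val.startswith("("):
            cons[key] = [v.strip().strip("'") for v in val[1:-1].split("$")]
        else:
            cons[key] = val.strip("'")
    return cons


def check_values(cons, values):
    """Human-readable problems for the given values; empty list means every
    locally checkable constraint is satisfied.  Values may be str or bytes."""
    problems = []
    if "MAXNUMBER" in cons and len(values) > int(cons["MAXNUMBER"]):
        problems.append("at most %s value(s) allowed" % cons["MAXNUMBER"])
    for v in values:
        raw = v if isinstance(v, bytes) else v.encode("utf-8")
        text = raw.decode("utf-8", "replace")
        if "VALUES" in cons and text not in cons["VALUES"]:
            problems.append("%r not one of %s" % (text, cons["VALUES"]))
        if "REGEX" in cons and not re.fullmatch(cons["REGEX"], text):
            problems.append("%r does not match %s" % (text, cons["REGEX"]))
        if "MAXBYTELEN" in cons and len(raw) > int(cons["MAXBYTELEN"]):
            problems.append("value longer than %s bytes" % cons["MAXBYTELEN"])
        if "MAXCHARLEN" in cons and len(text) > int(cons["MAXCHARLEN"]):
            problems.append("value longer than %s characters" % cons["MAXCHARLEN"])
        if "NUMBER" in cons:
            lo, hi = (int(x) for x in cons["NUMBER"].split(".."))
            try:
                n = int(text)
            except ValueError:
                n = None
            if n is None or not lo <= n <= hi:
                problems.append("%r is not an integer in %s" % (text, cons["NUMBER"]))
    return problems


def html_input_attrs(cons):
    """Map constraints onto HTML5 input attributes for browser-side guidance."""
    attrs = {}
    if "REGEX" in cons:
        attrs["pattern"] = cons["REGEX"]
    if "MAXCHARLEN" in cons:
        attrs["maxlength"] = cons["MAXCHARLEN"]
    if "NUMBER" in cons:
        attrs["type"] = "number"
        attrs["min"], attrs["max"] = cons["NUMBER"].split("..")
    if "VALUES" in cons:
        attrs["options"] = list(cons["VALUES"])  # render as a <select>, not free text
    return attrs


if __name__ == "__main__":
    for desc in (JPEGPHOTO_CONSTRAINTS, GENDER_CONSTRAINTS, ROOMNUMBER_CONSTRAINTS, MANAGER_CONSTRAINTS):
        cons = parse_attribute_constraints(desc)
        print(cons["oid"], html_input_attrs(cons))
    print(check_values(parse_attribute_constraints(GENDER_CONSTRAINTS), ["3"]))
```

The browser-side attributes only spare the user a round trip; the same values are still sent to the server, which remains the place where the constraints are enforced.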
34. Thanks !
Any questions?
Any suggestions?
Still so crazy to develop advanced clients?
Improve «dead» LDAP together?
Have fun!