<CFLDAP> Tag - ColdFusion

  <CFLDAP> Comments from Macromedia LiveDocs

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
I was also having the same problems with cfldap not returning the "limit exceeded" errors. The ldap server had a limit set at 25 results...so if cfldap would return 26 or more, it would just return with no results instead of throwing the correct "administrative limit exceeded" error.

This seemed to only happen for me when I search for specific attributes. For example if your cfldap "attribute" value is set to anything but "*" it will NOT return the "administrative limit exceeded" error. Howeverm if you do the same search again, but this time with "attribute=*" then, you will recieve the correct error. Hope that helps!

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
The documentation provided at the top of the page has some error that I don't see corrected in any comments (although another technote on this issue has the correct information). Specifically, the default password is changeit (all one word). Secondly, you need to use the -storepass flag and not the -keypass flag.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
CFLDAP Sorting Problem

Solution found at http://www.dantor.com/support/cfdocs/Migrating_ColdFusion_5_Applications/cf_migration_guide6.html

You can no longer sort CFLDAP query results on the client side using the sort attribute. The sort attribute triggers a server-side sort. If the LDAP server does not support server-side sorting, CFLDAP throws an error.

The sort order depends on the LDAP server; for example, iPlanet Directory Server 5.0, Novell 6.0 server, Oracle Internet Directory 9i, Microsoft Active Directory, and others might each sort differently.

To do client-side sorting on the CFLDAP query results, use the ColdFusion Query of Queries feature.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
LDAP: error code 34 - Invalid DN Syntax

Solution found at http://groups.google.com/group/macromedia.coldfusion.security/browse_thread/thread/46aef1c75e4e781b/36aac02d2ae3ebe4%2336aac02d2ae3ebe4?sa=X&oi=groupsr&start=0&num=2

The invalid DN syntax is probably for the username parameter. You need to bind as a fully qualified DN. So change your username parameter to something like cn=username,ou=my group,dc=mycomany,dc=com.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
You know, I see more than enough info on how to query LDAP servers until the cows come home. Updating attributes is no problem. I'd really like to ADD a new user to AD or move a user from one container to another or maybe add a brand new group to AD. Anyone ever done that?? There's absolutely nothing about it out there. Try adding anything and it complains about required attributes. Go to Microsoft, and you can find required attributes. Go back to CFLDAP, add the required attributes...notta. Is this even possible??

Thanks!

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
Are others having this same problem with cfldap not picking up time limit exceeded errors?

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
Is anyone aware that when you quey an ldap for multiple records in an OU, the first row in the result set is typically a row of empty values? At least this is my experience with Novell eDirectory.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
The <cfldap> doesn't seem to handle SSL gracefully. We have a self-signed certificate which doesn't seem to get accepted. Either that, or it doesn't handle TLS, which is the default encryption method for our server.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
Be careful that this max record limit isn't set on your server. If your server has a max record limit of 100, setting the max to 150 on your request won't change the server's setting.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
Performing an LDAP query on a LDAP server to bring back all users belonging to a subtree is limited to 100 returned results e.g. 150 users may actually exist but ColdFusion will only return the first 100.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
For some odd reason, when I submit the following query, coldfusion also asks for additional attributes. See below:

<cfldap action="query"
name="qCheckUsername"
server="#server#"
port="389"
attributes="uid"
maxrows="100"
start="cn=People,ou=school,dc=edu"
scope="subtree"
filter="(uid=23423423)"
username="uid=serviceaccount,cn=people,ou=school,dc=edu"
password="password">

When I look at the logs on the iPlanet LDAP server, the query is requesting a bunch of attributes in addition to uid: attrs="uid objectClass javaSerializedData javaClassName javaFactory javaCodebase javaReferenceAddress javaClassNames javaremotelocation"

I don't want coldfusion to ask for all these extra attributes. I only want it to ask "uid" and that's it. This will definately cause people problems if their admins are very tight on their LDAP security (like mine).

I also have not found any documentation regarding this behavior.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
I am unable to figure out how to retrieve all values of a multi-valued binary attribute, based on this documentation.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
If you want to sort: The recordset from LDAP is returned as a query object. You can perform a query of queries on it.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
The documentation does not specify how to set LDAP service controls such as telling the server not to search aliases. Where can I find this information?

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
Setting any value for timeout seems to cause the timeout value to be set to 1, rather than the value you set. If timeout is not specified, the value is set to 61, not 60.

I am using an LDAP v2 server and there is a v3 bind that fails before a successful v2 bind (why this inefficiency? I want to be able to specify v2!).

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
It appears that a time limit exceeded error is no longer being picked up and thrown as an exception. I have the following:

<cftry>
<cfldap separator="|" name="#ldap_name#" action="#ldap_action#" scope="#ldap_scope#" start="#ldap_start#" filter="#ldap_filter#"
server="#ldap_server#" username="#ldap_user#" password="#ldap_pword#" maxrows="#ldap_maxrows#" attributes="#ldap_attributes#" referral="2"
rebind="yes" timeout="#ldap_timeout#">

<cfcatch type="any">
<CFDUMP var="#cfcatch#"><cfabort>
</cfcatch>
</cftry>

and according to the protocol log from the LDAP server, it is sending

messageID 3,
protocolOp {
result Code {
resultCode timeLimitExceeded,
matchedDN "",
errorMessage "",
}
}

This may be because the LDAP server is v2 and the error structure is subtly different than what cold fusion is expecting as it assumes version 3 servers.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
We've entered a bug/enhancement report 55206 for GAlanShepherd's requests for changes to LDAP.
They are listed as:
1) Provide ColdFusion-side sorting of results (as was done in CF5)
2) Provide a flag indicating that an alias was dereferenced.
3) Provide a way to specify/use LDAP version 2.

Re documentation, we have a full chapter on using LDAP in the Developing ColdFusion MX Applications document, at http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/ldap.htm.
However, this may not provide all the information that you'd like to see.
If there are any specifics that aren't covered either here or in the Developing Applications chapter, please post additional Livedocs comments specifying what more you want covered.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
why cant I specify the LDAP version? What if I want to use version 2?

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
Why is the documentation for this tag so limited? Why is it not possible to obtain information on such things as size limit exceeded, partial result qualifiers etc?

And most irritatingly of all, cfldap appears to prepend ldap://server:389/ to the DNs of all entries returned that are a result of an alias dereferenced. If I try to use this in a subsequent operation as the DN, I get server unavailable. IT IS NOT USEFUL to do this! There should be an other flag indicating alias dereferenced.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
The unavailable critical extension error appears because you have asked the server to sort the entries (cold fusion MX dropped client side sorting - why?) and marked it as a mandatory critical extension in the protocol. The server has responded saying that it does not support that extension (sorting presumably) and so the operation fails. It is possible that there is another critical extension it is not doing, but the sort is the most likely cause.

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
Why do I get this error when I try to use the "sort" attribute?

An error has occured while trying to execute sort :[LDAP: error code 12 - Unavailable Critical Extension].

LiveDocs Comments - coldfusion - 6.1 - htmldocs - tags-p69.htm
the attribute action is not optional in MX 6.1. If ommited you get a nullpointer exception

Recommended Books COLDFUSION MX Web Application Construction Kit (5th Edition) Authors:   Ben Forta and Nate Weiss 1500 pages [Top] Web Sites Macromedia The makers of ColdFusion/ColdFusion MX. ColdFusion Developer's Journal Forta.com (ColdFusion Section) Ben Forta is Macromedia's Senior Technical Evangelist. Here on his site find useful ColdFusion information. Flash CFM Flash and ColdFusion Development. Handling file uploads without CFFILE BLOG post by "Sam" on REWINDLIFE.COM gives insight into how to upload a file on your site if you are not allowed to use the CFFILE tag. [Top]