
LDAP and interface file

3 posts in Administration, Product Futures Discussion. Last posting was on 2002-03-05 03:02:14.0Z
Alain RICHARD Posted on 2002-01-17 09:37:31.0Z
Date: Thu, 17 Jan 2002 10:37:31 +0100
From: alain.richard@equation.fr (Alain RICHARD)
Subject: LDAP and interface file
Message-ID: <alain.richard-1701021037310001@macagr.equation.fr>
Organization: EQUATION
User-Agent: NewsWatcher-X 2.2.3b2
X-NNTP-Posting-Host: macagr.equation.fr
Newsgroups: sybase.public.ase.administration,sybase.public.ase.product_futures_discussion
Lines: 62
NNTP-Posting-Host: ns1.equation.fr 213.56.79.161
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com!macagr.equation.fr!user
Xref: forums-1-dub sybase.public.ase.administration:3273 sybase.public.ase.product_futures_discussion:190
Article PK: 27943

I am currently playing with LDAP/SSL integration in ASE 12.5. All my tests
so far are pretty promising: it is a big plus to be able to centralize
the server declarations when you have a lot of clients and/or when the
number and declarations of servers evolve a lot over time (we are
supporting a lot of customers, so each time we add a customer or customers
change their installation, we have to change our interfaces files on each
PC).

During this investigation, I have encountered some drawbacks:

1) Once you add the LDAP directory to your libtcl.cfg file, your interface
file is ignored and no longer used. This is a very bad behaviour because it
means that once you use LDAP directories, all your clients must ask the
LDAP manager to add any single server you want to test. This is not a good
solution for companies like ours that have a lot of developers that may
have to make tests. Is there any means to have the interface file checked
before or after the LDAP directory in case the server is not found in
LDAP?

2) Although it is simple to add a non-SSL-enabled server to the LDAP
directory, there is no published means to do it for an SSL-enabled one (I
mean, in an interface file you just have to add ",ssl" to the master/query
line, but in the directory what are the corresponding attributes/values?).

3) The only protocol supported seems to be ldap and not ldaps. This is a
pretty insecure feature, as it means that it is very easy to recover the
password used during the bind between the Sybase client and the LDAP
server.

4) During SSL connection negotiation, it seems there is no means for the
client to present a certificate to the server (only the server provides a
certificate to the client). This is very annoying if you want to restrict
the access to a server based on client certificate (client certificates are
very secure because they have to be installed on the client, certified by
a known CA, and may also be revoked using CRLs on the server side, so if a
mobile computer is stolen, an administrator may keep its server access
secured).

5) There is no means to keep Sybase logins in the LDAP directory. This is
a very missing feature if you want to centralize account information
(most of the time this is the primary goal of an LDAP infrastructure).


I know 12.5 is the first version implementing LDAP and SSL, and it seems
both need a lot of improvements in ASE. Any solutions?

Regards,
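The two configuration files the post discusses, libtcl.cfg's [DIRECTORY] section and the interfaces file, are easy to audit from the administrator's side. The following is an added example, not code from the thread or from Sybase: it parses a constructed libtcl.cfg and interfaces file (the line shapes follow Sybase's documented formats, `ldap=<driver> <url>` and the Unix interfaces layout with a trailing `ssl` filter; the host names are made up), flags directory URLs whose `ldap://` scheme carries the bind password in cleartext (point 3 above), and models the interfaces-file-first lookup order that point 1 asks for. Note that this fallback order is the behaviour the poster wants, not what ASE 12.5 does as described here, and the directory branch only reports the URL it would query rather than performing an LDAP search.

```python
from urllib.parse import urlsplit

# --- constructed sample input; not taken from any real installation ---
LIBTCL_CFG = """\
[DIRECTORY]
ldap=libsybdldap.so ldap://ldap.example.test:389/dc=example,dc=test
"""

INTERFACES = """\
DEV_ASE
\tmaster tcp ether devbox.example.test 5000
\tquery tcp ether devbox.example.test 5000

PROD_ASE
\tmaster tcp ether prod.example.test 5000 ssl
\tquery tcp ether prod.example.test 5000 ssl
"""


def parse_directory(cfg_text):
    """Return (driver, url) pairs from the [DIRECTORY] section of libtcl.cfg."""
    entries = []
    section = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section == "DIRECTORY" and "=" in line:
            _key, value = line.split("=", 1)
            parts = value.split(None, 1)  # "<driver> <url>"
            if len(parts) == 2:
                entries.append((parts[0], parts[1].strip()))
    return entries


def directory_findings(cfg_text):
    """Flag directory URLs whose scheme sends the bind in cleartext.

    A plain ldap:// bind exposes the directory password and every server
    lookup to anyone on the path; only ldaps:// is accepted as protected."""
    findings = []
    for _driver, url in parse_directory(cfg_text):
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldap":
            findings.append(f"{url}: cleartext LDAP; bind credentials and "
                            "server lookups are readable on the wire")
        elif scheme != "ldaps":
            findings.append(f"{url}: unrecognised scheme {scheme!r}")
    return findings


def parse_interfaces(text):
    """Parse a Unix-style interfaces file into {server: [entry, ...]}.

    An unindented line names a server; indented lines under it are
    "<service> <protocol> <netdriver> <host> <port> [filters...]"."""
    servers = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            servers[current] = []
            continue
        if current is None:
            raise ValueError("entry line before any server name")
        fields = raw.split()
        if len(fields) < 5:
            raise ValueError(f"malformed entry: {raw!r}")
        service, protocol, netdriver, host, port = fields[:5]
        filters = [f.lower() for f in fields[5:]]
        servers[current].append({
            "service": service, "protocol": protocol, "netdriver": netdriver,
            "host": host, "port": int(port), "ssl": "ssl" in filters,
        })
    return servers


def resolve(server, interfaces_text, cfg_text):
    """Interfaces-file-first lookup with the directory as fallback.

    Returns ("interfaces", entries), ("directory", url) or None. The
    directory branch reports where the lookup would go; it does not bind."""
    local = parse_interfaces(interfaces_text).get(server)
    if local:
        return ("interfaces", local)
    for _driver, url in parse_directory(cfg_text):
        return ("directory", url)
    return None


if __name__ == "__main__":
    for finding in directory_findings(LIBTCL_CFG):
        print("WARNING:", finding)
    print(resolve("DEV_ASE", INTERFACES, LIBTCL_CFG))
    print(resolve("OTHER_ASE", INTERFACES, LIBTCL_CFG))
```

Run against a real libtcl.cfg and interfaces file, the scheme check is the quick way to confirm whether a site's directory bind is exposed as point 3 describes, and the per-entry `ssl` flag shows which servers the interfaces file already marks for SSL.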


Jeremy Chubb Posted on 2002-01-21 15:07:52.0Z
From: "Jeremy Chubb" <jchubb@totalise.co.uk>
References: <alain.richard-1701021037310001@macagr.equation.fr>
Subject: Re: LDAP and interface file
Date: Mon, 21 Jan 2002 15:07:52 -0000
Lines: 49
X-Newsreader: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Message-ID: <nIkrm4ooBHA.123@forums.sybase.com>
Newsgroups: sybase.public.ase.administration,sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: mailhost.rabo-bank.com 195.50.100.21
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.administration:3272 sybase.public.ase.product_futures_discussion:189
Article PK: 27941


>1) Once you add the LDAP directory to your libtcl.cfg file, your interface
>file is ignored and no longer used. This is a very bad behaviour because it
>means that once you use LDAP directories, all your clients must ask the
>LDAP manager to add any single server you want to test. This is not a good
>solution for companies like ours that have a lot of developers that may
>have to make tests. Is there any means to have the interface file checked
>before or after the LDAP directory in case the server is not found in
>LDAP?
>

I think it is possible to use an interfaces file by using the "-I
<interface_file>" option of isql.

HTH

Jeremy


>2) Although it is simple to add a non-SSL-enabled server to the LDAP
>directory, there is no published means to do it for an SSL-enabled one (I
>mean, in an interface file you just have to add ",ssl" to the master/query
>line, but in the directory what are the corresponding attributes/values?).
>
>3) The only protocol supported seems to be ldap and not ldaps. This is a
>pretty insecure feature, as it means that it is very easy to recover the
>password used during the bind between the Sybase client and the LDAP
>server.
>
>4) During SSL connection negotiation, it seems there is no means for the
>client to present a certificate to the server (only the server provides a
>certificate to the client). This is very annoying if you want to restrict
>the access to a server based on client certificate (client certificates are
>very secure because they have to be installed on the client, certified by
>a known CA, and may also be revoked using CRLs on the server side, so if a
>mobile computer is stolen, an administrator may keep its server access
>secured).
>
>5) There is no means to keep Sybase logins in the LDAP directory. This is
>a very missing feature if you want to centralize account information
>(most of the time this is the primary goal of an LDAP infrastructure).
>
>
>I know 12.5 is the first version implementing LDAP and SSL, and it seems
>both need a lot of improvements in ASE. Any solutions?
>
>Regards,


Sethu Posted on 2002-03-05 03:02:14.0Z
Message-ID: <3C843536.8D7DA001@sybase.com>
Date: Mon, 04 Mar 2002 22:02:14 -0500
From: Sethu <sethu@sybase.com>
Organization: Sybase, Inc.
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Alain RICHARD <alain.richard@equation.fr>
Subject: Re: LDAP and interface file
References: <alain.richard-1701021037310001@macagr.equation.fr>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: sybase.public.ase.administration,sybase.public.ase.product_futures_discussion
Lines: 56
NNTP-Posting-Host: 10.22.91.118
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.administration:3271 sybase.public.ase.product_futures_discussion:188
Article PK: 27942

One more reply from me.

> 1) Once you add the LDAP directory to your libtcl.cfg file, your interface
> file is ignored and no longer used. This is a very bad behaviour because it
> means that once you use LDAP directories, all your clients must ask the
> LDAP manager to add any single server you want to test. This is not a good
> solution for companies like ours that have a lot of developers that may
> have to make tests. Is there any means to have the interface file checked
> before or after the LDAP directory in case the server is not found in
> LDAP?
>

You can force any client tools to use the -I option. You can also
set this in your application to look at the interfaces file.

> 2) Although it is simple to add a non-SSL-enabled server to the LDAP
> directory, there is no published means to do it for an SSL-enabled one (I
> mean, in an interface file you just have to add ",ssl" to the master/query
> line, but in the directory what are the corresponding attributes/values?).
>
> 3) The only protocol supported seems to be ldap and not ldaps. This is a
> pretty insecure feature, as it means that it is very easy to recover the
> password used during the bind between the Sybase client and the LDAP
> server.

Request well taken.

>
> 4) During SSL connection negotiation, it seems there is no means for the
> client to present a certificate to the server (only the server provides a
> certificate to the client). This is very annoying if you want to restrict
> the access to a server based on client certificate (client certificates are
> very secure because they have to be installed on the client, certified by
> a known CA, and may also be revoked using CRLs on the server side, so if a
> mobile computer is stolen, an administrator may keep its server access
> secured).
>
This is on the drawing board.

> 5) There is no means to keep Sybase logins in the LDAP directory. This is
> a very missing feature if you want to centralize account information
> (most of the time this is the primary goal of an LDAP infrastructure).

This is also on the drawing board. So far this is a very popular request
among the customers that I have visited/spoken to.

Thanks,
Sethu