From: Chris R. <Chr...@me...> - 2000-05-04 10:46:19
On Thu, 04 May 2000 11:19:51 BST, tim fulcher wrote:
>
> Hi,
>
> I'm trying to write a class which registers and subsequently checks
> itself against a LDAP server.
>
> Firstly, I seem to be able to bind to the server OK when I supply a dn
> for an object that doesn't yet exist, which seems to be contradictory to
> trying, say a command line ldapsearch using the same dn as a bind
> argument. (that gives no such object).
>
> So once I've bound OK, I do a search based on the cn, and if just one
> entry comes back I do the compare on it as follows:
>
> $cr = $self->{ldap}->compare ( $self->{searchresult}->entry(0) ,
> attr => 'port', value => $self->port(),
> attr => 'ipaddress', value => $self->ipaddress(),
> attr => 'seedfile', value =>$self->seedfile()
> );
>
> print "compare returned code: ", $cr->code, " & error: ", $cr->error,
> "\n";
>
> Can you not supply multiple attributes to a compare operation ?

The protocol does not permit this. You would probably have to issue three
compare operations in your example, and AND together the results.

Alternatively, just issue a more complex search:

(&(cn=whatever)(port=blah)(ipaddress=foo)(seedfile=bletch))

> When I run this I get compare true (code 6), even though as shown below,
> my object attributes differ. When I run compare with just one attribute
> it right gives a false result. Will I have to do the compare for each
> attribute separately?

Yes. Also the way Net::LDAP parses parameters to methods (it converts them
into a hash) will mean that only one of your attr settings is being used.
Dunno which one though, but if you created the Net::LDAP object with
debug => 3 this might help you work it out.

> The output fragment below prints out its attributes, does a search and
> if 1 entry returned, calls the code above.
>
>
> ldaptest.pl
>
> service foob
> port 8190
> ip 132.146.3.99
> seedfile /tmp/cdb
> mdn is cn='foob',dc='nip',dc='services'
> bind returned code: 0 & error:
>
> query = (cn=foob)
> search returned code: 0 & error:
>
> ------------------------------------------------------------------------
>
> dn:cn=foob, dc=nip, dc=services
>
> cn: foob
> port: 8192
> description: guinea pig
> seedfile: /tmp/cdb
> ipaddress: 132.146.3.78
> userpassword: {md5}0IcaK1PGLeXgRv7eQvP3qw==
> objectclass: AppServer
>
> search returned code: 0 & error:
> I found me
> compare returned code: 6 & error:
>
>
> btw, I'm using openldap 1.2.9. My db ACL is access * by self write by
> * read

I'm not sure what that ACL means, but you *may* have to grant access to
compare certain attributes as well. The only standard access control model
around at the moment can set different permissions for compare, searching,
and reading.

The other thought that springs to mind is, does comparing a password held
by the server in MD5 require that the compare operation send the plaintext
password, or something else?

> cheers
>
>
> Tim
>
>

Cheers,

Chris
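
An added example (not part of the original message, and not Net::LDAP's own code) of the approach described in the reply: one compare per attribute, results ANDed together, and any code other than compare-true treated as a mismatch. `collapse`, `compare_all` and `MockLDAP` are hypothetical names; the mock holds the entry from the post so the script runs without a server, and `collapse` assumes the method arguments end up in a plain hash as the reply describes.

```perl
use strict;
use warnings;

# Compare result codes from the LDAP protocol; Net::LDAP::Constant exports
# constants with these names.
use constant { LDAP_COMPARE_FALSE => 5, LDAP_COMPARE_TRUE => 6 };

# Assigning a list with repeated keys to a hash keeps only the last pair,
# which is what happens to three attr/value pairs passed in a single call.
sub collapse { my %args = @_; return \%args }

# One compare per attribute, ANDed together. Any code other than
# LDAP_COMPARE_TRUE (false, no such attribute, access denied) is a mismatch.
sub compare_all {
    my ($ldap, $dn, %expected) = @_;
    for my $attr (sort keys %expected) {
        my $mesg = $ldap->compare($dn, attr => $attr, value => $expected{$attr});
        return (0, "$attr: code " . $mesg->code)
            unless $mesg->code == LDAP_COMPARE_TRUE;
    }
    return (1, 'all attributes match');
}

# Constructed stand-in for a Net::LDAP connection (hypothetical MockLDAP),
# holding the entry shown in the post so the example runs without a server.
package MockLDAP {
    my %entry = (port => '8192', ipaddress => '132.146.3.78', seedfile => '/tmp/cdb');
    sub new { return bless {}, shift }
    sub compare {
        my ($self, $dn, %arg) = @_;
        my $have = $entry{ $arg{attr} };
        # 16 = noSuchAttribute, 6 = compareTrue, 5 = compareFalse
        my $code = !defined($have) ? 16 : ($have eq $arg{value}) ? 6 : 5;
        return bless { code => $code }, 'MockLDAP::Message';
    }
}
package MockLDAP::Message { sub code { return $_[0]{code} } }

# Values the client expects, taken from the output in the post.
my %want = (port => '8190', ipaddress => '132.146.3.99', seedfile => '/tmp/cdb');
my $seen = collapse(map { (attr => $_, value => $want{$_}) } qw(port ipaddress seedfile));
print "single call keeps only: $seen->{attr} = $seen->{value}\n";

my ($ok, $why) = compare_all(MockLDAP->new, 'cn=foob, dc=nip, dc=services', %want);
my $verdict = $ok ? 'match' : "mismatch ($why)";
print "$verdict\n";
```

Against a real server, pass the bound Net::LDAP object in place of `MockLDAP->new`; `compare_all` only relies on `compare` returning a message object with a `code` method.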