From: William R. <ri...@ed...> - 2001-04-23 17:10:07
I've added the line:

    die($mesg->error) if $mesg->code;

after the bind. A non-authenticated login works fine, except I can't see anything but root, but as soon as I hit the server with an authenticated user, the error AcceptSecurityContext occurs. I then went back to LDP and found that by default, it connects using NTLM/Kerberos. I tried the alternate methods but they failed. My question is, what method does Perl-ldap use and, if this is the problem, how do I change the authentication method? If, on the other hand, default authentication should work, any ideas why the server is denying my credentials? I've tried this on two AD servers on site and both fail.

William Richter
Technology Specialist
Edinboro University of PA
814-732-2931

-----Original Message-----
From: Rafael Corvalan [mailto:Raf...@li...]
Sent: Friday, April 20, 2001 5:41 AM
To: 'c-h...@ti...'; ri...@ed...
Cc: per...@li...
Subject: RE: Active directory and Perl-ldap

You should be able to get your entries without requesting ["*"] for the attributes. I'm not really a specialist, but here are my comments:

1) I think you have problems with the authentication. Check your credentials. Are you sure you are using $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com" as your credentials? If you have an authentication failure, you will not see it (see point 2).

2) The bind method returns a Net::LDAP::Bind object, so unless the bind method returns "undefined" (I don't think it can do so), avoid writing:

    bind(...) or die(...);

In other words, try binding with wrong credentials, and you will see, the die() will not be called. I prefer to use:

    $mesg = bind(....);
    die($mesg->error) if $mesg->code;

3) I think that using normal settings, the DC=company, DC=com tree and DC=Users, DC=company, DC=com tree are protected in ADS. You must bind with a valid user to get something; they are not accessible anonymously. I think that if you do not see anything it's because you have an authentication failure.

4) Use protocol version 3. It's better since version 2 doesn't know about referrals. To do that, use "version => 3" as one of the parameters in the bind() call.

5) I'm disappointed regarding MS LDP.... Using the Microsoft "Active Directory Administration Tool", I only get the base DN when connected without calling bind (and referrals too). Are you sure that MS LDP doesn't connect using "transparent" login, forwarding your credentials to ADS? (Using Kerberos or NTLM.)

6) This is an example that works for me. I hope it will do so for you:

=========================================
=== Example starts here ===
=========================================
#!/usr/bin/perl -w
use Net::LDAP;
use strict;

# Comment the following line to log on anonymously
my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';

# Comment one of the following two lines (Base DN)
my $base = 'CN=Users, DC=linkvest, DC=com';
#my $base = 'DC=linkvest, DC=com';

my $ldapserver = 'ads.linkvest.com';
my $password   = 'XXXXXXXX';
my $version    = 3;
my $filter     = "(objectclass=*)";
my $scope      = '1';
my $mesg;

# CONNECTION
my $ldap = Net::LDAP->new($ldapserver) or die "$@";

# BIND
if (defined $admin) {
    $mesg = $ldap->bind( dn       => $admin,
                         password => $password,
                         version  => $version );
} else {
    $mesg = $ldap->bind( noauth  => 1,
                         version => $version );
}
die($mesg->error) if $mesg->code;

# SEARCH
$mesg = $ldap->search( scope  => $scope,
                       base   => $base,
                       filter => $filter );
die($mesg->error) if $mesg->code;

# RESULTS
foreach my $entry ($mesg->entries) {
    $entry->dump;
}
printf("====\nFound %d entries\n", $mesg->count);
=======================================
=== Example ends here ===
=======================================

Hope it helps.

Rafael

________________________________________________________
Rafael Corvalan
Systems & Networks Competence Center Manager
Linkvest SA
Av des Baumettes 19, 1020 Renens
Switzerland
Tel: +41 21 632 90 00
Fax: +41 21 632 90 90
http://www.linkvest.com
Raf...@li...
________________________________________________________

-----Original Message-----
From: Clif Harden [mailto:cl...@di...]
Sent: Thursday, 19 April 2001 23:24
To: ri...@ed...
Cc: per...@li...
Subject: Re: Active directory and Perl-ldap

>
> I am trying to access Active directory using Perl-ldap and I'm having a
> problem. Here is sample code:
>
> my $base = 'DC=edinboro,DC=edu';
> my $filter = "(objectclass=*)";
> my $attrs = (); # request all available attributes
> my $scope = '0';
>
> my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";
>
> # bind to a directory with dn and password - makes no difference whether
> # authenticated or not
> $ldap->bind (dn => $admin,password => $password) or die "$@";
>
> $mesg = $ldap->search(
>                scope => $scope,
>                base => $base,
>                filter => $filter,
>                attrs => $attrs,
>              );
>
> If I do a search, all I can manage to find is the base DN. If I change the
> scope to 1, I retrieve nothing. If I change the scope to 'subtree', all I
> retrieve are root entries. I see no cn or ou entries. Nor do I retrieve
> anything if I set my base to cn=users,dn=edinboro,dn=edu. I've run the same
> search against ldap.itd.umich.edu and I can retrieve anything I request.
> Also if I use MS LDP (even if not authenticated), the search pulls the
> entries, as it is supposed to. I've checked permissions on the server but I
> am at a loss. Is there anything special I need to make Active Directory work
> correctly with LDAP?
>
> Thanks in advance,
>
> William Richter
> Technology Specialist, Edinboro University of PA 814-732-2931
>

Try requesting a return attribute(s) in your request.

    attrs => ["*"],

If I do what you have done all I get is a DN but no data.

Regards,

Clif Harden
INTERNET: c-h...@ti...
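An added example, not code from anyone in this thread, tying together Rafael's point 2 (check the Net::LDAP::Message the bind returns, never "bind(...) or die") and William's AcceptSecurityContext error: Net::LDAP's dn/password bind is a plain LDAP simple bind, not NTLM or Kerberos, and when Active Directory rejects it the reason is carried as a hex sub-code in the server's diagnostic message. The server name, bind DN and LDAP_PASSWORD variable are placeholders; the sub-code table comes from the Windows documentation, not from this thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Placeholders: replace with your own server and bind DN; the password is
# read from the environment so it never sits in the script.
my $ldapserver = 'ads.example.com';
my $admin      = 'CN=XXXX,CN=Users,DC=example,DC=com';
my $password   = $ENV{LDAP_PASSWORD} or die "set LDAP_PASSWORD first\n";

# Windows sub-codes that AD appends after "AcceptSecurityContext error,
# data" in the diagnostic message of a failed simple bind (assumption:
# taken from Windows documentation, not from the mailing-list thread).
my %ad_reason = (
    '525' => 'user not found',
    '52e' => 'invalid credentials (wrong password or wrong DN)',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
);

# Turn the Net::LDAP::Message returned by bind() into a readable reason.
# Returns undef when the bind succeeded, so the caller can "die if".
sub explain_bind {
    my ($mesg) = @_;
    return undef if $mesg->code == LDAP_SUCCESS;
    my $text = sprintf 'bind failed: %s (%d)', $mesg->error_name, $mesg->code;
    if ($mesg->code == LDAP_INVALID_CREDENTIALS
        && $mesg->error =~ /AcceptSecurityContext error, data ([0-9a-f]+)/i) {
        my $sub = lc $1;    # e.g. "52e"
        $text .= ': ' . ($ad_reason{$sub} || "unknown AD sub-code $sub");
    }
    return $text;
}

# Protocol version 3 belongs on new(); bind(dn, password => ...) is a simple
# bind. The returned message object is always true, so test ->code, not
# the return value.
my $ldap = Net::LDAP->new($ldapserver, version => 3) or die "$@";
my $mesg = $ldap->bind($admin, password => $password);
if (my $why = explain_bind($mesg)) { die "$why\n" }

print "bound as $admin\n";
$ldap->unbind;
```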