From: Dave M. <dm...@ju...> - 2001-04-23 19:10:50
We use only AD here for our LDAP server and haven't had any major issues. I think I can shed some light on the issues being discussed. Also, I would be more than happy to write an Active Directory and LDAP FAQ. If anyone's interested please drop me a note with topics that you'd like to see covered... See in-line for answers to questions posed in this thread....

> -----Original Message-----
> From: ma...@mj... [mailto:ma...@mj...]
> Sent: Monday, April 23, 2001 10:50 AM
> To: per...@li...
> Subject: RE: Active directory and Perl-ldap
>
> Aha, just as I expected.
>
> One of the right things MS did with W2K is to realize that LDAP is
> not an authentication protocol, however mightily we try to make it
> one (and keep in mind that I've written *a lot* of LDAP
> authentication code in my time).
>
> No, AD uses Kerberos for its authentication protocol.

This is correct and incorrect at the same time. By default the LDP tool will use Kerberos (and fall back to NTLM if necessary) to authenticate to AD. Active Directory accepts a really wide variety of auth methods (including simple bind). To use a simple bind to AD with LDP, specify the full DN of the user and the password, uncheck the "Domain" box, then click "Advanced" and set the method to SIMPLE.

> As per the LDAP specs, out of the box, Net::LDAP authenticates
> using simple bind (dn and password). Which AD doesn't support.

See above, it does support simple bind.

> The solution is to use the SASL module (but you'll probably have to
> code in your own Kerberos module for it) if AD supports SASL.

Yup, it supports SASL as well...

> If not, then we'll have to devise some other way.
>
> Mark
>
> On 23 Apr 01, at 13:17, William Richter wrote:
>
> > I've added the line:
> > die($mesg->error) if $mesg->code;
> >
> > after the bind. A non-authenticated login works fine, except I can't
> > see anything but root, but as soon as I hit the server with an
> > authenticated user, the error: AcceptSecurityContext occurs. I then
> > went back to LDP and found that by default, it connects using
> > NTLM/Kerberos. I tried the alternate methods but they failed. My
> > question is, what method does Perl-ldap use and if this is the
> > problem, how do I change the authentication method? If on the other
> > hand, default authentication should work, any ideas why the server is
> > denying my credentials? I've tried this on two AD servers on site and
> > both fail.
> >
> > William Richter
> > Technology Specialist
> > Edinboro University of PA
> > 814-732-2931
> >
> > -----Original Message-----
> > From: Rafael Corvalan [mailto:Raf...@li...]
> > Sent: Friday, April 20, 2001 5:41 AM
> > To: 'c-h...@ti...'; ri...@ed...
> > Cc: per...@li...
> > Subject: RE: Active directory and Perl-ldap
> >
> > You should be able to get your entries without requesting ["**] for
> > the attributes.
> >
> > I'm not really a specialist, but here are my comments:
> >
> > 1) I think you have problems with the authentication. Check your
> > credentials. Are you sure you are using
> > $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com"
> > as your credentials?
> > If you have authentication failure, you will not see it (see
> > point 2).
> >
> > 2) The bind method returns a Net::LDAP::Bind object, so unless the
> > bind method returns "undefined" (I don't think it can do so),
> > avoid writing:
> > bind(...) or die(...);
> > In other words, try binding with wrong credentials, and you will
> > see, the die() will not be called. I prefer to use:
> >
> > $mesg = bind(....);
> > die($mesg->error) if $mesg->code;
> >
> > 3) I think that using normal settings, the DC=company, DC=com tree
> > and DC=Users, DC=company, DC=com tree are protected in ADS. You
> > must bind with a valid user to get something, they are not
> > accessible anonymously. I think that if you do not see anything
> > it's because you have authentication failure.
> >
> > 4) Use protocol version 3. It's better since version 2 doesn't know
> > about referrals. To do that, use "version => 3" as one of the
> > parameters in the bind() call.
> >
> > 5) I'm disappointed regarding MS LDP.... Using the Microsoft
> > "Active Directory Administration Tool", I only get the base DN when
> > connected without calling bind (and referrals too). Are you sure
> > that MS LDAP doesn't connect using "transparent" login, forwarding
> > your credentials to ADS? (Using Kerberos or NTLM).
> >
> > 6) This is an example that works for me. I hope it will do so
> > for you:
> >
> > =========================================
> > === Example starts here ===
> > =========================================
> >
> > #!/usr/bin/perl -w
> >
> > use Net::LDAP;
> > use strict;
> >
> > # Comment the following line to log on anonymously
> > my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';
> >
> > # Comment one of the following two lines (Base DN)
> > my $base = 'CN=Users, DC=linkvest, DC=com';
> > #my $base = 'DC=linkvest, DC=com';
> >
> > my $ldapserver = 'ads.linkvest.com';
> > my $password = 'XXXXXXXX';
> > my $version = 3;
> >
> > my $filter = "(objectclass=*)";
> > my $scope = '1';
> >
> > my $mesg;
> >
> > # CONNECTION
> > my $ldap = Net::LDAP->new($ldapserver) or die "$@";
> >
> > # BIND
> > if (defined $admin) {
> >     $mesg = $ldap->bind ( dn => $admin,
> >                           password => $password,
> >                           version => $version);

This should not have the "dn =>", so the correct code would be:

    $mesg = $ldap->bind ( $admin,
                          password => $password,
                          version => $version);

The first sample in the man page for Net::LDAP is incorrect:

---- begin incorrect portion ----
    $ldap->bind ( # bind to a directory with dn and password
                  dn => 'cn=root, o=University of Michigan, c=us',
                  password => 'secret'
                );
---- end incorrect portion ----

A correct sample can be found later in the man page:

---- begin correct portion ----
    $ldap->bind( $DN, password => $password);
---- end correct portion ----

And here's the code I use:

---- begin my code ----
    $ldap = Net::LDAP->new('dcjnprmrc1.jnpr.net', port => 389, debug => 0, timeout => 2 )
      or $ldap = Net::LDAP->new('dcjnprmrc2.jnpr.net', port => 389, debug => 0, timeout => 5 )
      or die $@;

    $bindargs{password} = '**************';
    $bindargs{version} = 3;
    my $result = $ldap->bind('cn=Web Guest,ou=Users,ou=Common,dc=jnpr,dc=net', %bindargs);

    if ($result->code != 0) {
        if ($result->code == 49) {
            printf "Password incorrect\n";
            die "\n";
        } else {
            printf "Error %i occurred while binding - aborting.\n", ($result->code);
            die "\n";
        }
    }
---- end of my code ----

> > } else {
> >     $mesg = $ldap->bind ( noauth => 1,
> >                           version => $version);
> > }
> >
> > die($mesg->error) if $mesg->code;
> >
> > # SEARCH
> > $mesg = $ldap->search( scope => $scope,
> >                        base => $base,
> >                        filter => $filter);
> > die($mesg->error) if $mesg->code;
> >
> > # RESULTS
> > foreach my $entry ($mesg->entries) { $entry->dump; }
> > printf("====\nFound %d entries\n", $mesg->count);
> >
> > =======================================
> > === Example ends here ===
> > =======================================

- clipped -

Dave Mills
Juniper Networks, Inc.
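As an added example (not code from this thread or from the Net::LDAP project), the script below gathers the thread's advice into one bind routine: a simple bind to AD with the DN as the first positional argument, version 3, the result code checked instead of the `bind(...) or die` idiom Rafael warns against, and result code 49 (LDAP_INVALID_CREDENTIALS, the code Dave's code tests for) reported separately. Host names, DNs, base and password are placeholders; it also refuses an empty password, because a simple bind with an empty password is an unauthenticated bind that AD treats as anonymous, which is easy to mistake for a successful login.

```perl
#!/usr/bin/perl
# Added example, not code from this thread. Host names, DNs, base and
# password are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

my @servers  = ('dc1.example.com', 'dc2.example.com');   # tried in turn
my $bind_dn  = 'CN=Web Guest,CN=Users,DC=example,DC=com';
my $password = 'PLACEHOLDER';
my $base     = 'CN=Users,DC=example,DC=com';

# Simple bind to AD; returns a bound Net::LDAP handle or dies with the
# reason. bind() always returns a Net::LDAP::Bind object, so the idiom
#     $ldap->bind(...) or die
# never fires on a bad password; the result code must be checked.
sub bind_to_ad {
    my ($dn, $pw, @hosts) = @_;
    # A simple bind with an empty password is an unauthenticated
    # (effectively anonymous) bind, which AD accepts: refuse it here so
    # a missing password is not mistaken for a successful login.
    die "Refusing simple bind with empty password for $dn\n"
        if !defined $pw || $pw eq '';

    my $ldap;
    for my $host (@hosts) {
        $ldap = Net::LDAP->new($host, port => 389, timeout => 5);
        last if $ldap;
    }
    die "No domain controller reachable: $@\n" unless $ldap;

    # DN as the first positional argument; version 3 so referrals work.
    my $mesg = $ldap->bind($dn, password => $pw, version => 3);
    # Code 49 is what AD returns for a wrong DN or password (the
    # AcceptSecurityContext error seen in LDP).
    die "Invalid credentials for $dn\n"
        if $mesg->code == LDAP_INVALID_CREDENTIALS;
    die 'Bind failed: ' . $mesg->error . "\n"
        if $mesg->code != LDAP_SUCCESS;
    return $ldap;
}

my $ldap = bind_to_ad($bind_dn, $password, @servers);
my $mesg = $ldap->search(base => $base, scope => 'one',
                         filter => '(objectclass=*)', attrs => ['cn']);
die 'Search failed: ' . $mesg->error . "\n" if $mesg->code;
printf "Found %d entries under %s\n", $mesg->count, $base;
$ldap->unbind;
```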