From: Rafael C. <Raf...@li...> - 2001-04-24 08:44:26

Sorry, I can connect to my ADS in clear text.... So Kerberos is not the only authentication protocol supported by ADS...

rafael

-----Original Message-----
From: ma...@mj... [mailto:ma...@mj...]
Sent: Monday, 23 April 2001 19:50
To: per...@li...
Subject: RE: Active directory and Perl-ldap

Aha, just as I expected. One of the right things MS did with W2K is to realize that LDAP is not an authentication protocol, however mightily we try to make it one (and keep in mind that I've written *a lot* of LDAP authentication code in my time). No, AD uses Kerberos for its authentication protocol.

As per the LDAP specs, out of the box, Net::LDAP authenticates using simple bind (dn and password), which AD doesn't support. The solution is to use the SASL module (but you'll probably have to code in your own Kerberos module for it) if AD supports SASL. If not, then we'll have to devise some other way.

Mark

On 23 Apr 01, at 13:17, William Richter wrote:

> I've added the line:
>
>     die($mesg->error) if $mesg->code;
>
> after the bind. A non-authenticated login works fine, except I can't
> see anything but root, but as soon as I hit the server with an
> authenticated user, the error AcceptSecurityContext occurs. I then
> went back to LDP and found that by default, it connects using
> NTLM/Kerberos. I tried the alternate methods but they failed. My
> question is, what method does Perl-ldap use and if this is the
> problem, how do I change the authentication method? If on the other
> hand, default authentication should work, any ideas why the server is
> denying my credentials? I've tried this on two AD servers on site and
> both fail.
>
> William Richter
> Technology Specialist
> Edinboro University of PA
> 814-732-2931
>
> -----Original Message-----
> From: Rafael Corvalan [mailto:Raf...@li...]
> Sent: Friday, April 20, 2001 5:41 AM
> To: 'c-h...@ti...'; ri...@ed...
> Cc: per...@li...
> Subject: RE: Active directory and Perl-ldap
>
> You should be able to get your entries without requesting ["*"] for
> the attributes.
>
> I'm not really a specialist, but here are my comments:
>
> 1) I think you have problems with the authentication. Check your
>    credentials. Are you sure you are using
>        $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com"
>    as your credentials? If you have authentication failure, you will
>    not see it (see point 2).
>
> 2) The bind method returns a Net::LDAP::Bind object, so unless the
>    bind method returns "undefined" (I don't think it can do so),
>    avoid writing:
>        bind(...) or die(...);
>    In other words, try binding with wrong credentials, and you will
>    see, the die() will not be called. I prefer to use:
>
>        $mesg = bind(....);
>        die($mesg->error) if $mesg->code;
>
> 3) I think that using normal settings, the DC=company, DC=com tree
>    and DC=Users, DC=company, DC=com tree are protected in ADS. You
>    must bind with a valid user to get something; they are not
>    accessible anonymously. I think that if you do not see anything
>    it's because you have authentication failure.
>
> 4) Use protocol version 3. It's better since version 2 doesn't know
>    about referrals. To do that, use "version => 3" as one of the
>    parameters in the bind() call.
>
> 5) I'm disappointed regarding MS LDP.... Using the Microsoft
>    "Active Directory Administration Tool", I only get the base DN when
>    connected without calling bind (and referrals too). Are you sure
>    that MS LDP doesn't connect using "transparent" login, forwarding
>    your credentials to ADS? (Using Kerberos or NTLM.)
>
> 6) This is an example that works for me. I hope it will do so for you:
>
> =========================================
> === Example starts here ===
> =========================================
>
> #!/usr/bin/perl -w
>
> use Net::LDAP;
> use strict;
>
> # Comment the following line to log on anonymously
> my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';
>
> # Comment one of the following two lines (Base DN)
> my $base = 'CN=Users, DC=linkvest, DC=com';
> #my $base = 'DC=linkvest, DC=com';
>
> my $ldapserver = 'ads.linkvest.com';
> my $password   = 'XXXXXXXX';
> my $version    = 3;
>
> my $filter = "(objectclass=*)";
> my $scope  = '1';
>
> my $mesg;
>
> # CONNECTION
> my $ldap = Net::LDAP->new($ldapserver) or die "$@";
>
> # BIND
> if (defined $admin) {
>     $mesg = $ldap->bind( dn       => $admin,
>                          password => $password,
>                          version  => $version );
> } else {
>     $mesg = $ldap->bind( noauth  => 1,
>                          version => $version );
> }
>
> die($mesg->error) if $mesg->code;
>
> # SEARCH
> $mesg = $ldap->search( scope  => $scope,
>                        base   => $base,
>                        filter => $filter );
> die($mesg->error) if $mesg->code;
>
> # RESULTS
> foreach my $entry ($mesg->entries) { $entry->dump; }
> printf("====\nFound %d entries\n", $mesg->count);
>
> =======================================
> === Example ends here ===
> =======================================
>
> Hope it helps.
>
> Rafael
>
> ________________________________________________________
> Rafael Corvalan
> Systems & Networks Competence Center Manager
> Linkvest SA
> Av des Baumettes 19, 1020 Renens Switzerland
> Tel: +41 21 632 90 00   Fax: +41 21 632 90 90
> http://www.linkvest.com   Raf...@li...
> ________________________________________________________
>
> -----Original Message-----
> From: Clif Harden [mailto:cl...@di...]
> Sent: Thursday, 19 April 2001 23:24
> To: ri...@ed...
> Cc: per...@li...
> Subject: Re: Active directory and Perl-ldap
>
> > I am trying to access Active directory using Perl-ldap and I'm
> > having a problem. Here is sample code:
> >
> > my $base = 'DC=edinboro,DC=edu';
> > my $filter = "(objectclass=*)";
> > my $attrs = (); # request all available attributes
> > my $scope = '0';
> >
> > my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";
> >
> > # bind to a directory with dn and password - makes no difference
> > # whether authenticated or not
> > $ldap->bind (dn => $admin,password => $password) or die "$@";
> >
> > $mesg = $ldap->search(
> >     scope => $scope,
> >     base => $base,
> >     filter => $filter,
> >     attrs => $attrs,
> > );
> >
> > If I do a search, all I can manage to find is the base DN. If I
> > change the scope to 1, I retrieve nothing. If I change the scope to
> > 'subtree', all I retrieve are root entries. I see no cn or ou
> > entries. Nor do I retrieve anything if I set my base to
> > cn=users,dn=edinboro,dn=edu. I've run the same search against
> > ldap.itd.umich.edu and I can retrieve anything I request. Also if I
> > use MS LDP (even if not authenticated), the search pulls the
> > entries, as it is supposed to. I've checked permissions on the
> > server but I am at a loss. Is there anything special I need to make
> > Active Directory work correctly with LDAP?
> >
> > Thanks in advance,
> >
> > William Richter
> > Technology Specialist, Edinboro University of PA 814-732-2931
>
> Try requesting a return attribute(s) in your request.
>
>     attrs => ["*"],
>
> If I do what you have done all I get is a DN but no data.
>
> Regards,
>
> Clif Harden INTERNET: c-h...@ti...

Mark Wilcox ma...@mj... Got LDAP?
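An added example (not from the thread or the Net::LDAP project) that pulls the thread's advice together in one script: protocol version 3, checking the bind result object instead of bind()'s return value, STARTTLS before the simple bind so the password is not sent in the clear, an explicit attribute list, and a SASL/GSSAPI bind as the Kerberos alternative Mark suggests. The server name, CA file, DNs and the LDAP_PASSWORD variable are placeholders; it assumes the domain controller offers STARTTLS and that Authen::SASL with a GSSAPI backend is installed for bind_gssapi.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);
# Placeholder values (assumptions, not taken from the thread).
my $server = 'ads.example.com';
my $cafile = '/etc/ssl/certs/corp-ca.pem';   # CA that issued the DC's certificate
my $base   = 'CN=Users,DC=example,DC=com';

# Connect with protocol version 3 (point 4 in the thread).
my $ldap = Net::LDAP->new($server, version => 3) or die "connect: $@";

# Wrap the session in TLS before a simple bind so the password does not
# cross the wire in clear text, and verify the server certificate.
my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
die "start_tls: " . $tls->error if $tls->code;

# Check the result object, not bind()'s return value (point 2 in the thread):
# bind() always returns a Net::LDAP::Bind object, so "bind(...) or die"
# never fires on a wrong password.
sub bind_checked {
    my ($ldap, $dn, $password) = @_;
    # A DN with an empty password is an unauthenticated bind, not a failure.
    die "refusing empty password for $dn" unless defined $password && length $password;
    my $mesg = $ldap->bind($dn, password => $password);
    if ($mesg->code == LDAP_INVALID_CREDENTIALS) {
        # AD's diagnostic text for this case mentions AcceptSecurityContext.
        die "bind rejected for $dn: " . $mesg->error;
    }
    die "bind failed: " . $mesg->error if $mesg->code != LDAP_SUCCESS;
    return $mesg;
}

# Alternative to a password bind: SASL/GSSAPI uses an existing Kerberos
# ticket (assumes Authen::SASL with a GSSAPI backend is installed).
sub bind_gssapi {
    my ($ldap) = @_;
    require Authen::SASL;
    my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
    my $mesg = $ldap->bind(sasl => $sasl);
    die "GSSAPI bind failed: " . $mesg->error if $mesg->code;
    return $mesg;
}
bind_checked($ldap, 'CN=svc-ldap,CN=Users,DC=example,DC=com', $ENV{LDAP_PASSWORD});

# Ask for attributes explicitly (Clif's point); scope 'one' lists the children of $base.
my $res = $ldap->search(base => $base, scope => 'one', filter => '(objectClass=user)',
                        attrs => ['sAMAccountName', 'cn']);
die "search: " . $res->error if $res->code;
printf "%s\t%s\n", $_->get_value('sAMAccountName') // '', $_->dn for $res->entries;
$ldap->unbind;
```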