From: Robbie A. <ra...@ci...> - 2001-04-26 17:52:38
As far as the user dn, you can use the UPN (User Principal Name) instead.
Just change:

> $ldap->bind('cn=Administrator,cn=Users,dc=McKee,dc=com', password =>

to:

> $ldap->bind('Adm...@Mc...', password =>

Makes for a portable AD app, just not a portable LDAP app ;-)

Robbie Allen

> -----Original Message-----
> From: Fox [mailto:ld...@cd...]
> Sent: Thursday, April 26, 2001 10:30 AM
> To: per...@li...
> Subject: Re: Active directory and Perl-ldap
>
>
> Here is how I connect to a brand spanking new Active Directory server I set
> up authenticating clear text with rights to add users (I added 12,000). The
> tricky part is getting the whole user dn correct. Just substitute your
> domain for mckee.com and you should have a winner.
>
> Fox
> ld...@cd...
>
> #!/usr/bin/perl
>
> use Net::LDAP;
> use Net::LDAP::Entry;
>
> # ------> Declare leconte ldap server
> $ldap = Net::LDAP->new('ranier.mckee.com') or die "$@";
> # You must bind with write rights to add an entry
> $mesg = $ldap->bind('cn=Administrator,cn=Users,dc=McKee,dc=com',
>                     password => 'mypassword');
> print "Connecting to ldap server... " . $mesg->error . "\n";
>
>
> ----- Original Message -----
> From: "Robbie Allen" <ra...@ci...>
> To: <per...@li...>
> Sent: Thursday, April 26, 2001 11:26 AM
> Subject: RE: Active directory and Perl-ldap
>
>
> > I second the motion. You absolutely can connect to AD with a simple bind.
> >
> > Robbie Allen
> >
> > > -----Original Message-----
> > > From: Rafael Corvalan [mailto:Raf...@li...]
> > > Sent: Tuesday, April 24, 2001 1:44 AM
> > > To: per...@li...
> > > Subject: RE: Active directory and Perl-ldap
> > >
> > >
> > > Sorry, I can connect to my ADS in clear text....
> > > So Kerberos is not the only authentication protocol supported
> > > by ADS...
> > >
> > > rafael
> > >
> > > -----Original Message-----
> > > From: ma...@mj... [mailto:ma...@mj...]
> > > Sent: Monday, 23 April 2001 19:50
> > > To: per...@li...
> > > Subject: RE: Active directory and Perl-ldap
> > >
> > >
> > > Aha, just as I expected.
> > >
> > > One of the right things MS did with W2K is to realize that LDAP is
> > > not an authentication protocol, however mightily we try to make it
> > > one (and keep in mind that I've written *a lot* of LDAP
> > > authentication code in my time).
> > >
> > > No, AD uses Kerberos for its authentication protocol.
> > >
> > > As per the LDAP specs, out of the box, Net::LDAP authenticates
> > > using simple bind (dn and password). Which AD doesn't support.
> > >
> > > The solution is to use the SASL module (but you'll probably have to
> > > code in your own Kerberos module for it) if AD supports SASL.
> > >
> > > If not, then we'll have to devise some other way.
> > >
> > > Mark
> > >
> > > On 23 Apr 01, at 13:17, William Richter wrote:
> > >
> > > > I've added the line:
> > > >
> > > >     die($mesg->error) if $mesg->code;
> > > >
> > > > after the bind. A non-authenticated login works fine, except I can't
> > > > see anything but root, but as soon as I hit the server with an
> > > > authenticated user, the error AcceptSecurityContext occurs. I then
> > > > went back to LDP and found that by default it connects using
> > > > NTLM/Kerberos. I tried the alternate methods but they failed. My
> > > > question is, what method does Perl-ldap use and, if this is the
> > > > problem, how do I change the authentication method? If on the other
> > > > hand default authentication should work, any ideas why the server is
> > > > denying my credentials? I've tried this on two AD servers on site and
> > > > both fail.
> > > >
> > > > William Richter
> > > > Technology Specialist
> > > > Edinboro University of PA
> > > > 814-732-2931
> > > >
> > > > -----Original Message-----
> > > > From: Rafael Corvalan [mailto:Raf...@li...]
> > > > Sent: Friday, April 20, 2001 5:41 AM
> > > > To: 'c-h...@ti...'; ri...@ed...
> > > > Cc: per...@li...
> > > > Subject: RE: Active directory and Perl-ldap
> > > >
> > > > You should be able to get your entries without requesting ["*"] for
> > > > the attributes.
> > > >
> > > > I'm not really a specialist, but here are my comments:
> > > >
> > > >
> > > > 1) I think you have problems with the authentication. Check your
> > > >    credentials. Are you sure you are using
> > > >
> > > >        $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com"
> > > >
> > > >    as your credentials? If you have an authentication failure, you
> > > >    will not see it (see point 2).
> > > >
> > > > 2) The bind method returns a Net::LDAP::Bind object, so unless the
> > > >    bind method returns "undefined" (I don't think it can do so),
> > > >    avoid writing:
> > > >
> > > >        bind(...) or die(...);
> > > >
> > > >    In other words, try binding with wrong credentials, and you will
> > > >    see the die() will not be called. I prefer to use:
> > > >
> > > >        $mesg = bind(....);
> > > >        die($mesg->error) if $mesg->code;
> > > >
> > > > 3) I think that using normal settings, the DC=company, DC=com tree
> > > >    and DC=Users, DC=company, DC=com tree are protected in ADS. You
> > > >    must bind with a valid user to get something; they are not
> > > >    accessible anonymously. I think that if you do not see anything
> > > >    it's because you have an authentication failure.
> > > >
> > > > 4) Use protocol version 3. It's better since version 2 doesn't know
> > > >    about referrals. To do that, use "version => 3" as one of the
> > > >    parameters in the bind() call.
> > > >
> > > > 5) I'm disappointed regarding MS LDP.... Using the Microsoft
> > > >    "Active Directory Administration Tool", I only get the base DN when
> > > >    connected without calling bind (and referrals too). Are you sure
> > > >    that MS LDAP doesn't connect using "transparent" login, forwarding
> > > >    your credentials to ADS? (Using Kerberos or NTLM.)
> > > >
> > > > 6) This is an example that works for me. I hope it will do so
> > > >    for you:
> > > >
> > > >
> > > > =========================================
> > > > === Example starts here ===
> > > > =========================================
> > > >
> > > > #!/usr/bin/perl -w
> > > >
> > > > use Net::LDAP;
> > > > use strict;
> > > >
> > > >
> > > > # Comment the following line to log on anonymously
> > > > my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';
> > > >
> > > >
> > > > # Comment one of the following two lines (Base DN)
> > > > my $base = 'CN=Users, DC=linkvest, DC=com';
> > > > #my $base = 'DC=linkvest, DC=com';
> > > >
> > > >
> > > > my $ldapserver = 'ads.linkvest.com';
> > > > my $password   = 'XXXXXXXX';
> > > > my $version    = 3;
> > > >
> > > > my $filter = "(objectclass=*)";
> > > > my $scope  = '1';
> > > >
> > > >
> > > > my $mesg;
> > > >
> > > > # CONNECTION
> > > > my $ldap = Net::LDAP->new($ldapserver) or die "$@";
> > > >
> > > > # BIND
> > > > if (defined $admin) {
> > > >     $mesg = $ldap->bind ( dn       => $admin,
> > > >                           password => $password,
> > > >                           version  => $version);
> > > > } else {
> > > >     $mesg = $ldap->bind ( noauth  => 1,
> > > >                           version => $version);
> > > > }
> > > >
> > > > die($mesg->error) if $mesg->code;
> > > >
> > > > # SEARCH
> > > > $mesg = $ldap->search( scope  => $scope,
> > > >                        base   => $base,
> > > >                        filter => $filter);
> > > > die($mesg->error) if $mesg->code;
> > > >
> > > >
> > > > # RESULTS
> > > > foreach my $entry ($mesg->entries) { $entry->dump; }
> > > > printf("====\nFound %d entries\n", $mesg->count);
> > > >
> > > >
> > > > =======================================
> > > > === Example ends here ===
> > > > =======================================
> > > >
> > > >
> > > > Hope it helps.
> > > >
> > > > Rafael
> > > >
> > > > ________________________________________________________
> > > > Rafael Corvalan
> > > > Systems & Networks Competence Center Manager
> > > > Linkvest SA
> > > > Av des Baumettes 19, 1020 Renens Switzerland
> > > > Tel: +41 21 632 90 00 Fax: +41 21 632 90 90
> > > > http://www.linkvest.com Raf...@li...
> > > > ________________________________________________________
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Clif Harden [mailto:cl...@di...]
> > > > Sent: Thursday, 19 April 2001 23:24
> > > > To: ri...@ed...
> > > > Cc: per...@li...
> > > > Subject: Re: Active directory and Perl-ldap
> > > >
> > > >
> > > > > I am trying to access Active directory using Perl-ldap and I'm
> > > > > having a problem. Here is sample code:
> > > > >
> > > > > my $base   = 'DC=edinboro,DC=edu';
> > > > > my $filter = "(objectclass=*)";
> > > > > my $attrs  = (); # request all available attributes
> > > > > my $scope  = '0';
> > > > >
> > > > > my $ldap = Net::LDAP->new($ldapserver, debug => $DEBUG) or die "$@";
> > > > >
> > > > > # bind to a directory with dn and password - makes no difference
> > > > > # whether authenticated or not
> > > > > $ldap->bind (dn => $admin, password => $password) or die "$@";
> > > > >
> > > > > $mesg = $ldap->search(
> > > > >     scope  => $scope,
> > > > >     base   => $base,
> > > > >     filter => $filter,
> > > > >     attrs  => $attrs,
> > > > > );
> > > > >
> > > > > If I do a search, all I can manage to find is the base DN. If I
> > > > > change the scope to 1, I retrieve nothing. If I change the scope to
> > > > > 'subtree', all I retrieve are root entries. I see no cn or ou
> > > > > entries. Nor do I retrieve anything if I set my base to
> > > > > cn=users,dn=edinboro,dn=edu. I've run the same search against
> > > > > ldap.itd.umich.edu and I can retrieve anything I request.
> > > > > Also, if I use MS LDP (even if not authenticated), the search pulls
> > > > > the entries, as it is supposed to. I've checked permissions on the
> > > > > server but I am at a loss. Is there anything special I need to make
> > > > > Active Directory work correctly with LDAP?
> > > > >
> > > > > Thanks in advance,
> > > > >
> > > > > William Richter
> > > > > Technology Specialist, Edinboro University of PA 814-732-2931
> > > >
> > > >
> > > > Try requesting a return attribute(s) in your request.
> > > >
> > > >     attrs => ["*"],
> > > >
> > > > If I do what you have done all I get is a DN but no data.
> > > >
> > > > Regards,
> > > >
> > > > Clif Harden INTERNET: c-h...@ti...
> > >
> > >
> > > Mark Wilcox
> > > ma...@mj...
> > > Got LDAP?
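Added example, not code from this thread or from perl-ldap itself, pulling the thread's advice together: bind to AD with a UPN, check $mesg->code instead of writing bind(...) or die, use protocol version 3, request attributes explicitly, and upgrade the connection with StartTLS so the simple-bind password does not cross the wire in clear text. The host dc1.example.com, the account svc-ldapread@example.com, the CA bundle path and the LDAP_PASSWORD environment variable are assumptions to replace with your own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Assumed values: replace with your own domain controller and account.
my $server = 'dc1.example.com';
my $upn    = 'svc-ldapread@example.com';    # UPN bind: fine for AD, not portable LDAP
my $base   = 'CN=Users,DC=example,DC=com';
my $cafile = '/etc/ssl/certs/ca-certificates.crt';   # assumed CA bundle location
my $pass   = $ENV{LDAP_PASSWORD} // die "set LDAP_PASSWORD in the environment\n";

# Net::LDAP->new returns undef when the TCP connection fails, so 'or die' is
# correct here (unlike for bind, which always returns a message object).
my $ldap = Net::LDAP->new($server, version => 3) or die "connect: $@";

# A simple bind sends the password in clear text; upgrade to TLS first and
# require a verified server certificate before any credentials are sent.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die "start_tls: " . $mesg->error . "\n" if $mesg->code;

# bind() returns a Net::LDAP::Message even on bad credentials, so a plain
# 'or die' never fires; the result code is what tells you the bind failed.
$mesg = $ldap->bind($upn, password => $pass);
die "bind failed (code " . $mesg->code . "): " . $mesg->error . "\n" if $mesg->code;

# Request the attributes you want by name; the original post's search,
# which named none, came back with DNs and no data.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'one',
    filter => '(objectClass=user)',
    attrs  => ['sAMAccountName', 'userPrincipalName'],
);
die "search: " . $mesg->error . "\n" if $mesg->code;

foreach my $entry ($mesg->entries) {
    printf "%s\t%s\n", $entry->dn, $entry->get_value('sAMAccountName') // '';
}
printf "Found %d entries\n", $mesg->count;

$ldap->unbind;
```

An anonymous bind (noauth => 1) against the same base will, as the thread notes, typically return nothing below the root, so a bind that "succeeds" but finds no entries is worth re-checking against the result code first.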