From: Mathew H. <hen...@th...> - 2002-02-11 18:50:37
Hi,

I'm writing a web form interface for our local LDAP dir, and I've been able to pull LDAP info using Net::LDAP to create the forms, but when handling modify requests I get "Protocol Error" :p

I'm running OpenLDAP v2.0.17 and I'm able to remote client in with my root DN and secret (using simple authentication) with other apps (ldapbrowser, directory_administrator).

Some of the debug 12 output:

    Net::LDAP=HASH(0x83289ac) sending:
    0000   48: SEQUENCE {
    0002    1:   INTEGER = 1
    0005   43:   [APPLICATION 0] {
    0007    1:     INTEGER = 2
    000A   21:     STRING = 'cn=root,o=netomat.net'
    0021   15:     [CONTEXT 0]
    0023     :       **** secret ****
    0032     :   }
    0032     : }
    Net::LDAP=HASH(0x83289ac) received:
    0000   12: SEQUENCE {
    0002    1:   INTEGER = 1
    0005    7:   [APPLICATION 1] {
    0007    1:     ENUM = 0
    000A    0:     STRING = ''
    000C    0:     STRING = ''
    000E     :   }
    000E     : }
    Net::LDAP=HASH(0x83170bc) sending:
    0000   48: SEQUENCE {
    0002    1:   INTEGER = 2
    0005   43:   [APPLICATION 0] {
    0007    1:     INTEGER = 2
    000A   21:     STRING = 'cn=root,o=netomat.net'
    0021   15:     [CONTEXT 0]
    0023     :       **** secret ****
    0032     :   }
    0032     : }
    Net::LDAP=HASH(0x83170bc) received:
    0000   12: SEQUENCE {
    0002    1:   INTEGER = 2
    0005    7:   [APPLICATION 1] {
    0007    1:     ENUM = 0
    000A    0:     STRING = ''
    000C    0:     STRING = ''
    000E     :   }
    000E     : }

Then it seems to read properly, but when I try to update....

    Net::LDAP=HASH(0x83170bc) sending:
    0000    5: SEQUENCE {
    0002    1:   INTEGER = 4
    0005    0:   [APPLICATION 2]
    0007     : }
    [dn]: uid=hennessy,ou=people,o=netomat.net
    replace: [initials] -> [A]
    Net::LDAP=HASH(0x83170bc) sending:
    0000   67: SEQUENCE {
    0002    1:   INTEGER = 5
    0005   62:   [APPLICATION 6] {
    0007   36:     STRING = 'uid=hennessy,ou=people,o=netomat.net'
    002D   22:     SEQUENCE {
    002F   20:       SEQUENCE {
    0031    1:         ENUM = 2
    0034   15:         SEQUENCE {
    0036    8:           STRING = 'initials'
    0040    3:           SET {
    0042    1:             STRING = 'A'
    0045     :           }
    0045     :         }
    0045     :       }
    0045     :     }
    0045     :   }
    0045     : }

I get a code() of 1 and error() of "Protocol Error" returned and no changes made :(

Here's some output from slapd:

    Feb 11 13:39:37 eddie slapd[12182]: conn=64958 op=0 BIND dn="CN=ROOT,O=NETOMAT.NET" method=128
    Feb 11 13:39:37 eddie slapd[12182]: conn=64958 op=0 RESULT tag=97 err=0 text=
    Feb 11 13:39:37 eddie slapd[10584]: daemon: conn=64959 fd=35 connection from IP=127.0.0.1:46582 (IP=0.0.0.0:34049) accepted.
    Feb 11 13:39:37 eddie slapd[10584]: conn=-1 fd=33 closed
    Feb 11 13:39:37 eddie slapd[13388]: conn=64959 op=0 BIND dn="CN=ROOT,O=NETOMAT.NET" method=128
    Feb 11 13:39:37 eddie slapd[13388]: conn=64959 op=0 RESULT tag=97 err=0 text=
    Feb 11 13:39:37 eddie slapd[13779]: conn=64959 op=1 SRCH base="ou=people,o=netomat.net" scope=1 filter="(uid=hennessy)"
    Feb 11 13:39:37 eddie slapd[13779]: conn=64959 op=1 SEARCH RESULT tag=101 err=0 text=
    Feb 11 13:39:37 eddie slapd[12145]: conn=64959 op=2 UNBIND
    Feb 11 13:39:37 eddie slapd[12145]: conn=-1 fd=35 closed

It doesn't appear to have even attempted a MOD. I get the same Protocol Error on modify ops when binding with the rootdn/rootpw OR anonymously, so it smells like somewhere it's dropping or not using the rootdn/rootpw or silently failing the bind and backtracking to anonymous bind...

I'm feeding it the rootdn and rootpw secret (in cleartext on the localhost):

    # $ldapcfg is a hashref containing default config values

    # create connection to LDAP
    $ldap=Net::LDAP->new(
        $ldapcfg->{'server'},
        port => $ldapcfg->{'port'},
        async=>1,
        debug=>12,
    );

    # bind to bind DN
    if ($ldapcfg->{'binddn'}) {
        $msg=$ldap->bind(
            dn => 'cn=root,o=netomat.net',
            password => 'secret', # where secret is the secret word in cleartext
        );
    }

Then I get the entry:

    my $results = $ldap->search(
        base => $ldapcfg->{'basedn'},
        filter => "($ldapcfg->{'userattr'}=$username) ",
        scope => "one",
    );
    my $entry = $results->pop_entry ||die;

Then, I do the replace (using attributes modified listed in the $attributes hashref, and a CGI object ref where parameter names are proper LDAP attribute names and values are lists of attribute values):

    foreach my $attr (keys %$attrlist) {
        print STDERR "replace: [$attr] -> [". join("|",$cgi->param($attr)) . "]\n";
        $msg=$ldap->modify( $entry->dn(), replace => {"$attr"=>$cgi->param($attr)} );
        $msg=$msg->code() .":". $msg->error() if ($msg->code());
        Die("Could not replace! [$msg]") if ($msg);
    }

For everything I try, I get the Die page saying "Could not replace! [1:Protocol Error]"..

What am I doing wrong? Any help appreciated! Please cc: me as I'm not on the list (the project page on sourceforge said mailing Qs to the maillist is OK)..

Cheers,
- Matt

ps: system is Mandrake Linux 8.1 with stock Perl (no threading) and up-to-date Net::LDAP courtesy of CPAN..
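
Added example (not part of the original post, and not Net::LDAP's own code): a small Python reader for the debug dump format quoted above that labels each PDU with its LDAPv3 operation, taken from the [APPLICATION n] tag numbers defined in RFC 4511, and lists requests a handle sent after its own UnbindRequest. In the posted trace, message 4 carries [APPLICATION 2] and message 5 carries [APPLICATION 6]. The function names are hypothetical and the sample dump is constructed, with one element per line.

```python
import re

# LDAPv3 protocolOp names by [APPLICATION n] tag number (RFC 4511).
LDAP_OPS = {0: "BindRequest", 1: "BindResponse", 2: "UnbindRequest",
            3: "SearchRequest", 4: "SearchResultEntry", 5: "SearchResultDone",
            6: "ModifyRequest", 7: "ModifyResponse"}
HEADER = re.compile(r"^(Net::LDAP=HASH\(0x[0-9a-f]+\)) (sending|received):")

def summarize(dump):
    """Return [handle, direction, message_id, op_name] for each PDU in a dump."""
    pdus = []
    for line in dump.splitlines():
        if m := HEADER.match(line.strip()):
            pdus.append([m.group(1), m.group(2), None, None])
        elif pdus and pdus[-1][2] is None and (m := re.search(r"INTEGER = (\d+)", line)):
            pdus[-1][2] = int(m.group(1))        # first INTEGER is the messageID
        elif pdus and pdus[-1][3] is None and (m := re.search(r"\[APPLICATION (\d+)\]", line)):
            # first APPLICATION tag in the PDU is the protocolOp
            pdus[-1][3] = LDAP_OPS.get(int(m.group(1)), "APPLICATION " + m.group(1))
    return pdus

def sent_after_unbind(pdus):
    """Requests a handle sent after it had already sent UnbindRequest."""
    unbound, late = set(), []
    for handle, direction, msgid, op in pdus:
        if direction == "sending" and handle in unbound:
            late.append((msgid, op))
        elif direction == "sending" and op == "UnbindRequest":
            unbound.add(handle)
    return late

# Constructed sample, modelled on the dump format in the post.
SAMPLE = """\
Net::LDAP=HASH(0x1) sending:
0002 1: INTEGER = 2
0005 43: [APPLICATION 0] {
0007 1: INTEGER = 2
Net::LDAP=HASH(0x1) received:
0002 1: INTEGER = 2
0005 7: [APPLICATION 1] {
Net::LDAP=HASH(0x1) sending:
0002 1: INTEGER = 4
0005 0: [APPLICATION 2]
Net::LDAP=HASH(0x1) sending:
0002 1: INTEGER = 5
0005 62: [APPLICATION 6] {
"""

if __name__ == "__main__":
    print("sent after unbind:", sent_after_unbind(summarize(SAMPLE)))
```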