From: Quanah Gibson-M. <qu...@st...> - 2003-02-04 19:28:07
Hello, I am curious if anyone on this list has been able to make K5 GSSAPI binds to a server using SASL. I've yet to have this be successful, but do not know if I am doing something wrong. I can do K5 GSSAPI binds via SASL with ldapsearch, so I have a valid K5 ticket, etc. Any help much appreciated.

My script looks like:

    #!/usr/local/bin/perl
    use Net::LDAP;
    use Authen::SASL;

    my $ldap = Net::LDAP->new('ldap3.stanford.edu') or die "$@";
    my $sasl = Authen::SASL->new( mechanism => 'GSSAPI' );
    my $mesg = $ldap->bind(sasl => $sasl, version => 3);
    die $mesg->error if $mesg->code;   # surface the bind result on the client side

The output on the server from this search is:

    Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 848112 local4.debug] conn=52 fd=11 ACCEPT from IP=171.64.19.55:36091 (IP=0.0.0.0:389)
    Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 347666 local4.debug] conn=52 op=0 BIND dn="" method=163
    Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 668004 local4.debug] SASL [conn=52] Failure: not authorized
    Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 217296 local4.debug] conn=52 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: not authorized
    Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 850449 local4.debug] conn=52 fd=11 closed

Here is the output from an ldapsearch:

    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 848112 local4.debug] conn=51 fd=11 ACCEPT from IP=171.64.19.55:36088 (IP=0.0.0.0:389)
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 902418 local4.debug] conn=51 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 706578 local4.debug] conn=51 op=0 SRCH attr=supportedSASLMechanisms
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 217296 local4.debug] conn=51 op=0 RESULT tag=101 err=0 text=
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 347666 local4.debug] conn=51 op=1 BIND dn="" method=163
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 951063 local4.debug] conn=51 op=3 BIND authcid="qu...@st..."
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 988814 local4.debug] conn=51 op=3 AUTHZ dn="suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu" mech=GSSAPI ssf=56
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 902418 local4.debug] conn=51 op=4 SRCH base="cn=accounts,dc=stanford,dc=edu" scope=2 filter="(suSeasSunetID=quanah)"
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 706578 local4.debug] conn=51 op=4 SRCH attr=sumaildrop
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 362707 local4.debug] conn=51 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 338319 local4.debug] conn=51 op=5 UNBIND
    Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 850449 local4.debug] conn=51 fd=11 closed

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: <pll...@la...> - 2003-02-04 19:26:50
In a message dated: Tue, 04 Feb 2003 14:17:15 EST Jim Harle said:

> In fact, userPassword may not exist on your server or may not allow compare.
> A bind with DN and password is appropriate. Many servers do not let you do
> password compares or reads to help cut down on password cracking attempts.

Okay, that makes sense. Can someone show me what a bind with a DN/password would look like? Is it something like this:

    $dn = 'uid=12345,ou=people,ou=corporate,ou=intranet,o=foo.com';
    $r  = $ldap->bind($dn, password => 'F00B4r');

? Then I would test that $r->code == 0? It seems to work, I just want to make sure I'm not missing something.

Thanks,

--
Seeya,
Paul
--
Key fingerprint = 1660 FECC 5D21 D286 F853 E808 BB07 9239 53F1 28EE

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!
From: Jim H. <ha...@us...> - 2003-02-04 19:17:35
In fact, userPassword may not exist on your server or may not allow compare. A bind with DN and password is appropriate. Many servers do not let you do password compares or reads to help cut down on password cracking attempts.

--Jim Harle

On Tue, 4 Feb 2003, Christopher A Bongaarts wrote:

> As Bob...@kp... once put it so eloquently:
>
> > I suspect that you did an anonymous bind(), or a bind as a vanilla user.
> > The message indicates that the attribute "userpassword" is protected by an
> > Access List, and you don't have a high enough level of privilege. Try
> > doing an authenticated bind as a master account and see if the problem goes
> > away.
>
> Alternatively, you can use the "standard" method of verifying a
> password - attempt to bind to the directory as the user with the given
> password.
>
> > > Hi all,
> > >
> > > I'd like to use perl-ldap to authenticate a user against an existing
> > > LDAP server, however, I can't quite figure out what I'm missing.
> > >
> > > When I attempt to use the compare method:
> > > (stolen directly from Graham's slides for O'Reilly's OSS con 2001)
> > >
> > > $DN = $msg->entry->dn;
> > > $r = $ldap->compare( $DN, attr => 'userPassword', value => 'foobar' );
> > >
> > > I get $r->code == 50 (LDAP_INSUFFICIENT_ACCESS).
> > >
> > > What I'm not sure of is how I'm *supposed* to compare. I've got my
> > > apache web server auth'ing against the same LDAP server and that
> > > works just fine, so I know the LDAP server works.
>
> %% Christopher A. Bongaarts %% ca...@tc... %%
> %% Internet Services %% http://umn.edu/~cab %%
> %% University of Minnesota %% +1 (612) 625-1809 %%
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
From: <pll...@la...> - 2003-02-04 19:12:49
In a message dated: Tue, 04 Feb 2003 10:45:54 PST Bob...@kp... said:

> I suspect that you did an anonymous bind(), or a bind as a vanilla user.
> The message indicates that the attribute "userpassword" is protected by an
> Access List, and you don't have a high enough level of privilege. Try
> doing an authenticated bind as a master account and see if the problem goes
> away.

Unfortunately, I have nothing to do with the server, so I know I'm not on any ACLs with sufficient privileges. But my apache server can bind and auth users. How does that work? I don't have any special privileges there either. Same LDAP server.

Thanks,

--
Seeya,
Paul
--
Key fingerprint = 1660 FECC 5D21 D286 F853 E808 BB07 9239 53F1 28EE

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!
From: Christopher A B. <ca...@tc...> - 2003-02-04 19:07:01
As Bob...@kp... once put it so eloquently:

> I suspect that you did an anonymous bind(), or a bind as a vanilla user.
> The message indicates that the attribute "userpassword" is protected by an
> Access List, and you don't have a high enough level of privilege. Try
> doing an authenticated bind as a master account and see if the problem goes
> away.

Alternatively, you can use the "standard" method of verifying a password - attempt to bind to the directory as the user with the given password.

> > Hi all,
> >
> > I'd like to use perl-ldap to authenticate a user against an existing
> > LDAP server, however, I can't quite figure out what I'm missing.
> >
> > When I attempt to use the compare method:
> > (stolen directly from Graham's slides for O'Reilly's OSS con 2001)
> >
> > $DN = $msg->entry->dn;
> > $r = $ldap->compare( $DN, attr => 'userPassword', value => 'foobar' );
> >
> > I get $r->code == 50 (LDAP_INSUFFICIENT_ACCESS).
> >
> > What I'm not sure of is how I'm *supposed* to compare. I've got my
> > apache web server auth'ing against the same LDAP server and that
> > works just fine, so I know the LDAP server works.

%% Christopher A. Bongaarts %% ca...@tc... %%
%% Internet Services %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
From: <Bob...@kp...> - 2003-02-04 18:47:12
I suspect that you did an anonymous bind(), or a bind as a vanilla user. The message indicates that the attribute "userpassword" is protected by an Access List, and you don't have a high enough level of privilege. Try doing an authenticated bind as a master account and see if the problem goes away.

B

Bob Goolsby
bob...@kp...
(925) 926-3406

pll...@la...
Sent by: per...@li...
02/04/2003 10:21 AM
Please respond to pll...@la...

To: per...@li...
cc:
Subject: user auth using perl-ldap?

Hi all,

I'd like to use perl-ldap to authenticate a user against an existing LDAP server, however, I can't quite figure out what I'm missing.

When I attempt to use the compare method:
(stolen directly from Graham's slides for O'Reilly's OSS con 2001)

    $DN = $msg->entry->dn;
    $r = $ldap->compare( $DN, attr => 'userPassword', value => 'foobar' );

I get $r->code == 50 (LDAP_INSUFFICIENT_ACCESS).

What I'm not sure of is how I'm *supposed* to compare. I've got my apache web server auth'ing against the same LDAP server and that works just fine, so I know the LDAP server works.

Any help greatly appreciated!

--
Seeya,
Paul
--
Key fingerprint = 1660 FECC 5D21 D286 F853 E808 BB07 9239 53F1 28EE

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!
From: <pll...@la...> - 2003-02-04 18:21:58
Hi all,

I'd like to use perl-ldap to authenticate a user against an existing LDAP server, however, I can't quite figure out what I'm missing.

When I attempt to use the compare method:
(stolen directly from Graham's slides for O'Reilly's OSS con 2001)

    $DN = $msg->entry->dn;
    $r = $ldap->compare( $DN, attr => 'userPassword', value => 'foobar' );

I get $r->code == 50 (LDAP_INSUFFICIENT_ACCESS).

What I'm not sure of is how I'm *supposed* to compare. I've got my apache web server auth'ing against the same LDAP server and that works just fine, so I know the LDAP server works.

Any help greatly appreciated!

--
Seeya,
Paul
--
Key fingerprint = 1660 FECC 5D21 D286 F853 E808 BB07 9239 53F1 28EE

It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.

If you're not having fun, you're not doing it right!
From: Chris R. <chr...@ma...> - 2003-02-04 09:09:32
On 4/2/03 8:30 am, Marina Markus <ma...@bg...> wrote:

> Hello all,
>
> A very elementary question: is it possible to install Ldap
> extension to Perl on an NT server?

Yes.

> If yes, what more should be installed to support this
> (parallel LDAP client libraries on Linux)?

None, unless you want things like SSL or (I think) SASL support.

See <http://perl-ldap.sourceforge.net/>

Cheers,
Chris
From: Marina M. <ma...@bg...> - 2003-02-04 08:30:49
Hello all,

A very elementary question: is it possible to install Ldap extension to Perl on an NT server?

If yes, what more should be installed to support this (parallel LDAP client libraries on Linux)?

Thanks in advance,

Marina Markus
Ben-Gurion University Computer Center
======================
ma...@bg...
From: LaSandra D. <ld...@mi...> - 2003-02-03 23:01:43
Dear Webmaster (perl-ldap.sourceforge.net),

Mirapoint offers a LDAP solution and was wondering if you would like to trade links with me since it would be a great site to add to your LDAP resources page? You can see my site at www.mirapoint.com. I would give your site a prominent listing on my page at http://www.mirapoint.com/company/resources.shtml, if you would be willing to do the same.

Thank you for having a great directory of LDAP resources, I enjoyed browsing it!

LaSandra DeLeon
Mirapoint, Inc.
Direct: 408-720-3739
Email: ld...@mi...
From: <Hd...@DT...> - 2003-02-03 12:21:00
Hi Graham,

I think a section that explains what's involved with storing and retrieving certificates in LDAP using Net::LDAP would be very useful. The work done by David Chadwick for the IETF on the field of certificates in LDAP could be a good starting point. However I know this is not a trivial piece of text to write, so maybe it is out of the scope of your book.

Another suggestion would be to include an elaborate example of building a HTTP-LDAP gateway as a sort of GUI. I know of more than one organisation doing exactly this (and not without trouble), so it seems people could use some pointers from an expert `;-)

HTH

Sincerely,
--
J.A. de Vries aka HdV
Delft University of Technology
Computing Centre
From: Tarjei H. <ta...@nu...> - 2003-02-01 17:00:10
Hi,

I'm trying to export a few dn's to an ldif, but I stumbled across a somewhat odd problem.

This works:

    my $ldif = Net::LDAP::LDIF->new( '././ldif', "w", onerror => 'warn' );
    for (my $i = 0; $i < $object->count; $i++) {
        my $entry = $object->entry($i);
        $ldif->write_entry($entry);
    }

This, however, does not work; what happens is that the whole program hangs on the $ldif->write_entry($entry) command :/

    my $file = './.ldif';
    my $rand = rand();
    $rand =~ s/\./E/;
    if (-f "$file") {
        $file = './.ldif' . $rand;
    }
    #print Dumper(@entries);
    my $ldif = Net::LDAP::LDIF->new( $file, "w", onerror => 'warn' );
    for (my $i = 0; $i < $object->count; $i++) {
        my $entry = $object->entry($i);
        $ldif->write_entry($entry);
    }

Why? I've tried opening a filehandle first, like this:

    open my $LDIF, '>', $file or die "$file: $!";   # three-argument open, and fail loudly
    #print Dumper(@entries);
    my $ldif = Net::LDAP::LDIF->new( $LDIF, "w", onerror => 'die' );
    for (my $i = 0; $i < $object->count; $i++) {
        my $entry = $object->entry($i);
        $ldif->write_entry($entry);
    }

but it hangs then as well. What am I doing wrong?

Tarjei
Mob: 920 63 413

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
From: Graham B. <gb...@po...> - 2003-01-31 18:33:28
On Fri, Jan 31, 2003 at 01:21:49PM -0500, Joseph Kezar wrote:
> I was stuck on this same question today. I hope there is a way to eventually
> $entry->delete('mail'=>'wrongadd\@here.com');

That should work, but it looks like there is a bug. Try

    $entry->delete('mail' => [ 'wrongadd\@here.com' ]);

Graham.

> rather than
> $ldap->modify($dn, delete=> { 'mail'=>'wrongadd\@here.com' });
>
> ----- Original Message -----
> From: Todd Rosenberry
> To: per...@li...
> Sent: Friday, January 31, 2003 1:04 PM
> Subject: delete
>
> Is there a reason that the delete function of Net::LDAP::Entry can only act on attributes and not specific values like add and replace can? I can delete specific values using modify from Net::LDAP but I would rather make multiple changes to the entry and then commit them all at once using update from Net::LDAP::Entry.
>
> - Todd
From: Joseph K. <jk...@do...> - 2003-01-31 18:21:59
I was stuck on this same question today. I hope there is a way to eventually

    $entry->delete('mail'=>'wrongadd\@here.com');

rather than

    $ldap->modify($dn, delete=> { 'mail'=>'wrongadd\@here.com' });

----- Original Message -----
From: Todd Rosenberry
To: per...@li...
Sent: Friday, January 31, 2003 1:04 PM
Subject: delete

Is there a reason that the delete function of Net::LDAP::Entry can only act on attributes and not specific values like add and replace can? I can delete specific values using modify from Net::LDAP but I would rather make multiple changes to the entry and then commit them all at once using update from Net::LDAP::Entry.

- Todd
From: Todd R. <Tod...@xi...> - 2003-01-31 18:05:02
Is there a reason that the delete function of Net::LDAP::Entry can only act on attributes and not specific values like add and replace can? I can delete specific values using modify from Net::LDAP but I would rather make multiple changes to the entry and then commit them all at once using update from Net::LDAP::Entry.

- Todd
From: TOMOE H. <rm...@IT...> - 2003-01-30 16:43:01
hi

> I am successfully using perl-ldap-0.2701 > Net::LDAP and simply need a
> response code from a bind operation. I am accepting a username and
> password from a web page and then simply bind with those details to LDAP.
> If the result is success (0) I know the password is valid.
>
> I can't seem to get an error or mesg returned unless I carry out an
> operation after the bind.

$ldap->bind() returns a mesg. So checking this should be sufficient. But be aware that an empty password means anonymous bind to ldap, which should always succeed, so test for that before calling bind().

    $mesg = $ldap->bind(sasl => $sasl);
    $mesg->code() && die $mesg->error();

cu
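The bind-as-the-user password check that Jim and Christopher recommend in the userPassword thread above, combined with the empty-password guard Tomoe describes here, as an added example that is not any poster's code. The host, base DN and CA bundle path are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Constructed values for this example.
my $HOST   = 'ldap.example.com';
my $BASE   = 'ou=people,dc=example,dc=com';
my $CAFILE = '/etc/ssl/certs/ca-bundle.crt';   # assumed CA bundle path

# Verify a username/password pair by binding as that user.
# Returns the user's DN on success, undef on any failure.
sub authenticate {
    my ($uid, $password) = @_;

    # A bind with an empty password is an anonymous/unauthenticated bind,
    # which most servers answer with LDAP_SUCCESS. Reject it up front so a
    # blank password field can never "log in".
    return undef unless defined $password && length $password;

    my $ldap = Net::LDAP->new($HOST, version => 3) or die "connect: $@";

    # Upgrade to TLS before the password crosses the wire, and insist on a
    # verified server certificate.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $CAFILE);
    die 'start_tls: ' . $mesg->error if $mesg->code != LDAP_SUCCESS;

    # Resolve uid -> DN. This search runs anonymously; bind with a read-only
    # service account first if the directory forbids anonymous search.
    # escape_filter_value() stops user input from rewriting the filter.
    $mesg = $ldap->search(
        base   => $BASE,
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($uid) . ')',
        attrs  => ['1.1'],      # "no attributes": only the DN is needed
    );
    if ($mesg->code != LDAP_SUCCESS || $mesg->count != 1) {
        $ldap->unbind;
        return undef;           # unknown user, or ambiguous match
    }
    my $dn = $mesg->entry(0)->dn;

    # The directory checks the password; the client only reads the result
    # code. No compare on userPassword, so no ACL to read it is needed.
    my $bind = $ldap->bind($dn, password => $password);
    $ldap->unbind;
    return $bind->code == LDAP_SUCCESS ? $dn : undef;
}

my ($user, $pw) = @ARGV;
my $dn = authenticate($user, $pw);
print defined $dn ? "ok: $dn\n" : "authentication failed\n";
```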
From: Graham B. <gb...@po...> - 2003-01-30 16:15:26
----- Forwarded message from John Hennessy <jo...@he...> -----

Date: Fri, 31 Jan 2003 00:04:19 +0800 (WST)
To: gb...@po...
From: John Hennessy <jo...@he...>

Hi Graham,

I appreciate that you must get many requests so I will keep this short in hope of a quick and easy answer.

I am successfully using perl-ldap-0.2701 > Net::LDAP and simply need a response code from a bind operation. I am accepting a username and password from a web page and then simply bind with those details to LDAP. If the result is success (0) I know the password is valid.

I can't seem to get an error or mesg returned unless I carry out an operation after the bind.

Many thanks
John.

----- End forwarded message -----
From: <rg...@cu...> - 2003-01-29 15:40:25
Graham, something I'd really like to see in your book is examples for people on doing retries and failover. We're going through lots of effort explaining to our users who have newly discovered LDAP that our servers sometimes produce error codes that are not fatal and can be retried. In other cases we're trying to get the point across to users to open another connection to a different machine if the first one doesn't answer. If our users are having this much problem, I would think the rest of the world would be having a little bit of it too. Clif and I both program to take this into account, but I'd be open to changing to a better way if you published one.

To summarize:

1. retry code for some non-fatal error codes (e.g. 51 || 53)
2. complete disconnect (closing socket) and reconnecting to a different server on a fatal error.

Thanks, and I'm looking forward to the book.

Rusty

--
Russell Biggs (Rusty)           Internet: r-...@ti...
6500 Chase Oaks Blvd, M/S 8412  Phone: (214) 567-0826
Texas Instruments               Fax: (972) 575-4853
Plano Tx 75023
"Is dark outside... or are the windows painted black?"
...Directory Services Admin
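Rusty's two points, retry on transient result codes and reconnect elsewhere after a dead connection, as an added example that is neither his code nor anything from the Net::LDAP distribution. Host names and the service account are constructed; 51 and 53 are the codes Rusty names, and LDAP_SERVER_DOWN (81) is what Net::LDAP reports when the socket fails.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_BUSY LDAP_UNWILLING_TO_PERFORM LDAP_SERVER_DOWN);

# Constructed server list. Net::LDAP->new accepts an array ref and connects
# to the first host that answers, which gives failover at connect time.
my @HOSTS   = qw(ldap1.example.com ldap2.example.com);
my $BIND_DN = 'cn=reader,dc=example,dc=com';   # assumed read-only service account
my $BIND_PW = $ENV{LDAP_PW};

# Result codes treated as transient: 51 (busy) and 53 (unwilling to perform)
# are the ones Rusty cites. Tune this to what your servers actually return.
my %TRANSIENT = (LDAP_BUSY() => 1, LDAP_UNWILLING_TO_PERFORM() => 1);

# Open a connection to whichever server answers and (re)establish the bind,
# since a fresh connection starts out anonymous.
sub connect_and_bind {
    my $ldap = Net::LDAP->new(\@HOSTS, version => 3, timeout => 5)
        or die "no LDAP server reachable: $@";
    my $mesg = $ldap->bind($BIND_DN, password => $BIND_PW);
    die 'bind failed: ' . $mesg->error if $mesg->code != LDAP_SUCCESS;
    return $ldap;
}

# Run $op->($ldap) and return its Net::LDAP::Message. Transient codes are
# retried with exponential backoff on the same connection; a dead connection
# (LDAP_SERVER_DOWN) is closed and re-opened, possibly on another server.
# Any other error goes straight back to the caller: retrying cannot fix it.
sub with_retry {
    my ($op, %opt) = @_;
    my $max   = $opt{attempts} || 3;
    my $delay = $opt{delay}    || 1;     # seconds before the first retry
    my $ldap  = connect_and_bind();
    for my $attempt (1 .. $max) {
        my $mesg = $op->($ldap);
        my $code = $mesg->code;
        if ($code == LDAP_SUCCESS || !($TRANSIENT{$code} || $code == LDAP_SERVER_DOWN)) {
            $ldap->unbind;               # done: success, or a non-retryable error
            return $mesg;
        }
        warn "attempt $attempt failed: " . $mesg->error . " (code $code)\n";
        last if $attempt == $max;
        sleep $delay;
        $delay *= 2;
        if ($code == LDAP_SERVER_DOWN) {
            $ldap->disconnect;           # drop the broken socket completely
            $ldap = connect_and_bind();  # fail over to the next host that answers
        }
    }
    die "giving up after $max attempts\n";
}

my $result = with_retry(sub {
    my ($ldap) = @_;
    $ldap->search(base   => 'dc=example,dc=com', scope => 'sub',
                  filter => '(uid=jdoe)',        attrs => ['mail']);
});
printf "%d entries\n", $result->count;
```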
From: Kurt D. Z. <Ku...@Op...> - 2003-01-29 14:41:06
At 02:51 PM 1/27/2003, Graham Barr wrote:
> Several people have made reference to ldapi:// on this list recently.
>
> Can anyone point me at a definition so I can write a URI class to handle
> it.

To the best of my knowledge, no technical specification for ldapi:// exists. I'll nudge its inventor to publish something.

Kurt
From: Maurice M. <rm...@IT...> - 2003-01-29 07:16:24
hello again,

> I've got problems binding with sasl and gssapi.
> I'm using:
>
> GSSAPI: gss_accept_sec_context: A token was invalid; Token header is malformed or corrupt;
> at ./ldap-test1 line 19

I think I've found a bug in Authen::SASL::Cyrus regarding the handling of the initstring client_start returns. It is copied around using strdup() and returned like a normal C string, but in fact, when doing auth with GSSAPI it is binary data. patch attached (o:

but one problem remains: the next ldap-call after bind() fails with:

    syswrite() on unopened filehandle GLOB at /usr/share/perl5/Net/LDAP.pm line 627.

I suspect it is a problem with securesocket or something like that. For reference I attached my test program, its output and the relevant (I hope) part of slapd -d 5 output.

sorry if this posting is a bit large /:

cu
Maurice Massar
From: TOMOE H. <rm...@IT...> - 2003-01-29 05:01:48
hi,

I've got problems binding with sasl and gssapi. I'm using:

    ii libnet-ldap-perl 0.26-2 A Client interface to LDAP servers.
    ii libauthen-sasl-pe 2.03-1 SASL Authentication framework
    ii libauthen-sasl-cy 0.06-1 Perl extension for Cyrus SASL library
    ii libsasl-dev 1.5.27-3.3 Development files for authentication abstraction l
    ii libsasl-gssapi-mi 1.5.24-15 Pluggable Authentication Modules for SASL - MIT GS

As far as I could get was this:

=========
$ ./ldap-test1
GSSAPI: gss_accept_sec_context: A token was invalid; Token header is malformed or corrupt;
at ./ldap-test1 line 19
=========

ldapsearch or even my small self written ldap-sasl-search work fine though. Here is ldap-test1:

=========
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Authen::SASL;

my $ldap = Net::LDAP->new('hopser.hotaru.it.fh-worms.de', version => 3, onerror => "die");
$ldap->start_tls(verify => 'none');
my $root = $ldap->root_dse(attrs => ['supportedSASLMechanisms']);
my $sasl = Authen::SASL->new(
    # mechanism => join(' ', $root->get_value('supportedSASLMechanisms')),
    mechanism => 'GSSAPI',
    callback  => {
        'user'     => '',
        'password' => '',
    },
);
$ldap->bind(sasl => $sasl);
=========

Any help welcome... thanks
From: Christopher A B. <ca...@tc...> - 2003-01-28 22:20:36
As Ken Cornetet once put it so eloquently:

> As to how NT integrated authentication works, I haven't a clue. Someday
> when I get time, I may attempt some network sniffs and see if I can
> figure it out. I believe someone has a patch to graft NT authentication
> into LWP, although I have no idea if LDAP uses the same mechanism
> (kerberos perhaps?)
>
> This would be a major and important item for NT types considering using
> Net::LDAP, though. Microsoft makes a big deal of the fact plain-text
> passwords over the wire are a security hole. Many NT admins and
> programmers will dismiss a solution out of hand if it requires
> plain-text passwords. Integrated authentication would allow Net::LDAP to
> be used in organizations where plain text passwords are ruled out.

What about using Net::LDAPS?

%% Christopher A. Bongaarts %% ca...@tc... %%
%% Internet Services %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
From: Christopher A B. <ca...@tc...> - 2003-01-28 21:17:11
As Abhishek Kaul once put it so eloquently:

> Is there any module for MS Active directory ?
> LDAP was being used in one of the applications here but want to move it
> to active directory
> authentication...
> any help towards this will be appreciated.

Active Directory can use the LDAP protocol for searches and updates. Net::LDAP can be used for this purpose.

%% Christopher A. Bongaarts %% ca...@tc... %%
%% Internet Services %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
From: Christopher A B. <ca...@tc...> - 2003-01-28 21:15:59
As Graham Barr once put it so eloquently:

> Many will be pleased to know that work has finally started on a book
> for Net::LDAP. The book is being authored by myself and Robbie
> Allen.

Seems like it would be good to cover some of the FAQs that come across here - "How do I find all DN's in a subtree?" and the like. The mailing list archives themselves would be a rich source of ideas for what to include...

%% Christopher A. Bongaarts %% ca...@tc... %%
%% Internet Services %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
From: Ken C. <Ken...@ki...> - 2003-01-28 18:14:18
OK, to the list it is...

Yes, ActiveDirectory is a very big area. However, since AD will very soon be (if not already) the most deployed LDAP accessible directory in the world, I'd think you'd want to do as much as possible to get folks like me (using perl to manage NT) to buy your book.

There are some specific things Net::LDAP users will need to know when working with AD:

1. The root of your tree won't look like the Net::LDAP examples. Instead of company/geographic references like "o=acme, c=us", AD uses your DNS domain (dc=acme,dc=com).

2. The old NT user id all NT folk know and love becomes LDAP attribute "samaccountname"

3. If you need to search/get objects in multiple NT domains in a forest, you can connect to a "global catalog" (GC) on port 3268 which contains read-only copies of all the objects in the forest (not all attributes, but most).

4. Sometimes, AD gives you a referral when you search for an object and the starting point is too far above the desired object. Another reason to use GCs - they don't seem to do this. I haven't figured this one out yet. Near as I can tell, ADSI (the native NT API for accessing the directory) automatically chases these referrals for you.

5. AD does allow anonymous reads of AD objects, but not sub level searches. Also, a maximum of 5000 objects will be returned on a query. These are the defaults, but can be changed.

6. Some timestamps in AD are the goofy VT_FILETIME type which is the 64 bit unsigned int number of elapsed 100 nanosecond intervals since 01/01/1601 (sheesh...)

One possible cookbook example for AD might be managing Exchange 2000 distribution lists (self subscription, for example). Another might be how to synchronize two different Exchange organizations (recipients in one become contacts in the other).

An indispensable tool for figuring out AD's LDAP personality is LDP.EXE from the win2k resource kit. You can use this tool to browse AD and look at all of an object's attributes.

As to how NT integrated authentication works, I haven't a clue. Someday when I get time, I may attempt some network sniffs and see if I can figure it out. I believe someone has a patch to graft NT authentication into LWP, although I have no idea if LDAP uses the same mechanism (kerberos perhaps?)

This would be a major and important item for NT types considering using Net::LDAP, though. Microsoft makes a big deal of the fact plain-text passwords over the wire are a security hole. Many NT admins and programmers will dismiss a solution out of hand if it requires plain-text passwords. Integrated authentication would allow Net::LDAP to be used in organizations where plain text passwords are ruled out.

-----Original Message-----
From: Graham Barr [mailto:gb...@po...]
Sent: Monday, January 27, 2003 2:35 PM
To: Ken Cornetet
Subject: Re: perl-ldap book

I probably should have put in the message that I prefer all responses to be kept on list.

On Mon, Jan 27, 2003 at 01:59:03PM -0500, Ken Cornetet wrote:
> Using Net::LDAP with ActiveDirectory!

Care to expand, that is a very very large area.

> Which reminds me: Any plans to incorporate NT integrated security into
> Net::LDAP?

I know nothing about NT, so if it is to happen then someone needs to explain what Net::LDAP needs to do, or provide a patch

Graham.

> -----Original Message-----
> From: Graham Barr [mailto:gb...@po...]
> Sent: Monday, January 27, 2003 1:36 PM
> To: LDAP Mailing List
> Subject: perl-ldap book
>
> Many will be pleased to know that work has finally started on a book
> for Net::LDAP. The book is being authored by myself and Robbie Allen.
>
> Details are still in the early stages. However one section of the
> book, 3 chapters, are being done in the form of a cookbook. We are
> currently planning about 10 examples per chapter.
>
> We would like to fill these chapters with the most relevant topics we
> can, so we thought we would ask the largest, most intelligent resource
> we have, which means we won't be asking here :) Er no seriously, we
> would be glad to hear from anyone what areas of LDAP would be the most
> useful to cover.
>
> Graham.
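Points 1, 2, 3, 5 and 6 of Ken's list, worked through in one added example that is not part of his message: it queries a global catalog for an account by sAMAccountName, walks paged results so the server-side result limit is never hit, and converts a pwdLastSet FILETIME to Unix time. The forest name, GC host, service account and CA bundle path are assumptions; port 3269 is the TLS-wrapped counterpart of the 3268 GC port Ken mentions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_CONTROL_PAGED);
use Net::LDAP::Util qw(escape_filter_value);
use Math::BigInt;

# Constructed values: a forest "acme.com" whose root is its DNS name (point 1),
# reached through a global catalog (point 3) over TLS.
my $GC_HOST = 'gc.acme.com';
my $BASE    = 'dc=acme,dc=com';
my $CAFILE  = '/etc/ssl/certs/ca-bundle.crt';   # assumed CA bundle path

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
use constant FILETIME_EPOCH_DELTA => 11644473600;

# Point 6: FILETIME is an unsigned 64-bit count of 100 ns intervals since
# 1601-01-01. Math::BigInt keeps the arithmetic exact on 32-bit perls too.
# AD uses 0 and 2^63-1 as "not set" / "never" sentinels.
sub filetime_to_epoch {
    my ($ft) = @_;
    return undef if !defined $ft || $ft eq '0' || $ft eq '9223372036854775807';
    my $secs = Math::BigInt->new($ft)->bdiv(10_000_000);    # ticks -> seconds
    return $secs->bsub(FILETIME_EPOCH_DELTA)->numify;
}

# Point 2 and point 5: look accounts up by sAMAccountName, walking paged
# results so the default 5000-object limit does not truncate the answer.
sub find_accounts {
    my ($ldap, $sam) = @_;
    my $filter = '(&(objectCategory=person)(sAMAccountName='
               . escape_filter_value($sam) . '))';
    my $page = Net::LDAP::Control::Paged->new(size => 500);
    my @found;
    while (1) {
        my $mesg = $ldap->search(
            base    => $BASE,
            scope   => 'sub',
            filter  => $filter,
            attrs   => [qw(sAMAccountName pwdLastSet)],
            control => [$page],
        );
        die 'search: ' . $mesg->error if $mesg->code != LDAP_SUCCESS;
        for my $e ($mesg->entries) {
            push @found, {
                sam          => $e->get_value('sAMAccountName'),
                pwd_last_set => filetime_to_epoch($e->get_value('pwdLastSet')),
            };
        }
        # The server returns a cookie while more pages remain; feed it back.
        my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
        my $cookie = $resp->cookie or last;
        $page->cookie($cookie);
    }
    return @found;
}

# Point 5 again: sub-tree searches need an authenticated bind, so bind with
# an assumed service account (a UPN works as the bind name against AD).
my $ldap = Net::LDAP->new($GC_HOST, scheme => 'ldaps', port => 3269,
                          verify => 'require', cafile => $CAFILE, version => 3)
    or die "connect: $@";
my $mesg = $ldap->bind('svc-reader@acme.com', password => $ENV{LDAP_PW});
die 'bind: ' . $mesg->error if $mesg->code != LDAP_SUCCESS;

for my $acct (find_accounts($ldap, 'jsmith')) {
    my $when = defined $acct->{pwd_last_set}
             ? scalar(localtime($acct->{pwd_last_set})) : 'never';
    print "$acct->{sam}: password last set $when\n";
}
$ldap->unbind;
```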