From: Chris R. <chr...@me...> - 2001-01-30 10:29:13

"Kurt D. Zeilenga" <Ku...@Op...> wrote:
> Edited for clarity:
>
> At 10:54 AM 1/29/01 -0800, Kurt D. Zeilenga wrote:
>> My suggestion is to have three routines:
>>
>> subschema( targetDN ) which reads the subschema contained in the
>> entry (or subentry) named by the targetDN. This would do a base
>> search of the targetDN with the filter (objectClass=subschema) and
>> specifically request the return of attribute types describing
>> the schema elements.
>>
>> subschemasubentry( targetDN ) which returns the DN contained
>> as a value of the subschemaSubentry attribute type within
>> the entry (or subentry) named by the targetDN. Would return error
>> if multiple values of subschemasubentry exist (subschemasubentry
>> is a single valued attribute type).
>>
>> schema( DN ) [named this for historical purposes] which is
>> basically a shortcut for
>> subschema( subschemasubentry( targetDN ) )
>>
>> Note this would return an error if the root DSE subschemasubentry
>> contained multiple values. This is a FEATURE as the user needs
>> to select the correct one manually to obtain the appropriate
>> schema.
>>
>> Kurt

Thanks for the comments. In fact, my change of yesterday is incorrect because it accidentally used the X.500 subschema operational attributes instead of the LDAP ones. (In X.500 attributeTypes and objectClasses etc are operational attributes on every entry.)

Your suggested API looks sensible. It permits caching of schema objects, which is a Good Thing as they're reasonably expensive to keep transferring from the directory and parsing in the client. They're also fairly large objects to have to keep creating :-)

Here's a revised patch. It implements a cache which appeared to work in my test. I'm not entirely certain what the desired semantics of the old subschema() method were (this was probably apparent from my previous message :-), so have left that method alone.

The cache is keyed on subentry DN, and includes a timestamp which is either the subentry's modifyTimestamp (if it has one) or createTimestamp (if it has one). It needs migrating to the 0.22 API, but that's fairly trivial. There's a minor problem because the code 'knows' what attributes the Net::LDAP::Schema class requires, but that's fixable too.

Cheers,

Chris
From: Gary Ashton-J. <gas...@f2...> - 2001-01-30 06:30:27

I wish to use an LDAP directory for authentication in the AuthTicket.pm module. Currently AuthTicket uses a MySQL database to hold valid users and their encrypted passwords. I thought it would be simply a case of copying the relevant lines from the handler method in AuthNetLDAP (just as Mark Wilcox did from AuthPerLDAP) into the check_credentials subroutine in AuthTicket. However I get the following lines in my Apache error_log at startup and the authentication fails with an error 1 (BTW how do I use Net::LDAP::Constants?):

. . .
[Tue Jan 30 16:32:27 2001] ASN1.pm: Constant subroutine opUTF8 redefined at /usr/lib/perl5/site_perl/5.005/Convert/ASN1.pm line 48.
[Tue Jan 30 16:32:27 2001] ASN1.pm: Constant subroutine opANY redefined at /usr/lib/perl5/site_perl/5.005/Convert/ASN1.pm line 48.
[Tue Jan 30 16:32:27 2001] ASN1.pm: Constant subroutine opCHOICE redefined at /usr/lib/perl5/site_perl/5.005/Convert/ASN1.pm line 48.
[Tue Jan 30 16:32:29 2001] [notice] Apache/1.3.14 (Unix) mod_perl/1.24_01 configured -- resuming normal operations

AuthNetLDAP.pm works correctly by itself and I can run a standalone Perl script which just calls the methods in Net::LDAP so I think I've got all the parameters to LDAP correct. I just need to know what other lines from AuthNetLDAP I need to copy to get AuthTicket to work.

Any help appreciated.

(PS Has Mark Wilcox or anyone else got any further with Apache::AuthCookieNetLDAP which is basically what this is all about?)

Cheers
Gary Ashton-Jones
From: Kurt D. Z. <Ku...@Op...> - 2001-01-29 19:19:14

Edited for clarity:

At 10:54 AM 1/29/01 -0800, Kurt D. Zeilenga wrote:
>My suggestion is to have three routines:
>
>subschema( targetDN ) which reads the subschema contained in the
>entry (or subentry) named by the targetDN. This would do a base
>search of the targetDN with the filter (objectClass=subschema) and
>specifically request the return of attribute types describing
>the schema elements.
>
>subschemasubentry( targetDN ) which returns the DN contained
>as a value of the subschemaSubentry attribute type within
>the entry (or subentry) named by the targetDN. Would return error
>if multiple values of subschemasubentry exist (subschemasubentry
>is a single valued attribute type).
>
>schema( DN ) [named this for historical purposes] which is
>basically a shortcut for
> subschema( subschemasubentry( targetDN ) )
>
>Note this would return an error if the root DSE subschemasubentry
>contained multiple values. This is a FEATURE as the user needs
>to select the correct one manually to obtain the appropriate
>schema.
>
>Kurt
>
>
>At 06:02 PM 1/29/01 +0000, Chris Ridd wrote:
>>I think the schema method of the Net::LDAP class is fairly broken. It isn't
>>documented, either :-)
>>
>>Here's my take on the existing behaviour:
>>
>>schema ( [ dn => DN ] )
>>
>>DN is an optional distinguished name. If not present, the method will use a
>>random DN from the Root DSE's subschemaSubentry attribute. If this
>>attribute is not present, the method will try <cn=schema>.
>>
>>It then tries to do a base object search of that DN with a filter of
>>(objectClass=*).
>>
>>However, this is useless if you specify the DN, because the schema object
>>can only be constructed if the search requests some operational attributes.
>>
>>This is also useless if you don't specify the DN and there is a
>>subschemaSubentry attribute in the root DSE, because the filter is wrong
>>(see RFC 2251 section 3.2.2, last para.)
>>
>>It's probably also useless in the <cn=schema> case, though that case seems
>>to be a band-aid for broken versions of a particular server (Netscape?) and
>>so all bets are probably off on that one's behaviour ;-)
>>
>>So the code's kind of trying to do two different things (reading a subentry
>>and reading an entry) and failing at both.
>>
>>Here's what I think this code should do.
>>
>>schema ( [ dn => DN ] )
>>
>> If a DN is passed, return a Net::LDAP::Schema object using the subschema
>>retrieved from the objectClasses and attributeTypes operational attributes
>>from that entry (specifically entry, *not* subentry.)
>>
>> If a DN is not specified, return a Net::LDAP::Schema object using the
>>objectClasses and attributeTypes held in the subentry (again, specifically
>>subentry, *not* entry) referenced by one of the values from the Root DSE's
>>subschemaSubentry attribute. If the Root DSE doesn't contain a
>>subschemaSubentry attribute, try using the DN of <cn=schema> for
>>compatibility with some broken directory servers.
>>
>>I'm attaching some diffs against Net::LDAP 0.20 which implements this
>>behaviour. The line offsets are probably a bit out too because I've been
>>experimenting with some other local changes. Sigh. Anyway, sorry it isn't
>>against a clean 0.22, but the guts of the change are:
>>
>>In schema() add a $filter variable and set it depending on the existence of
>>$arg{'dn'};
>>
>>In schema() set the attrs array when reading the subschema to include the
>>necessary operational attributes;
>>
>>In root_dse() set the attrs array when reading the Root DSE to include all
>>the standard (RFC 2251) operational attributes.
>>
>>I suppose I must get around to installing 0.22 at some point :-)
>>
>>Cheers,
>>
>>Chris
From: Kurt D. Z. <Ku...@Op...> - 2001-01-29 18:55:32

My suggestion is to have three routines:

subschema( targetDN ) which reads the subschema contained in the
entry (or subentry) named by the DN. This would do a base
search of the DN with the filter (objectClass=subschema) and
specifically request the return of attribute types describing
the schema elements.

subschemasubentry( targetDN ) which returns the DN contained
as a value of the subschemaSubentry attribute type within
the entry (or subentry) named by the DN. Would return error
if multiple values of subschemasubentry exist (subschemasubentry
is a single valued attribute type).

schema( DN ) [named this for historical purposes] which is
basically a shortcut for
  subschema( subschemasubentry( targetDN ) )

Note this would return an error if the root DSE subschemasubentry
contained multiple values. This is a FEATURE as the user needs
to select the correct one manually to obtain the appropriate
schema.

Kurt

At 06:02 PM 1/29/01 +0000, Chris Ridd wrote:
>I think the schema method of the Net::LDAP class is fairly broken. It isn't
>documented, either :-)
>
>Here's my take on the existing behaviour:
>
>schema ( [ dn => DN ] )
>
>DN is an optional distinguished name. If not present, the method will use a
>random DN from the Root DSE's subschemaSubentry attribute. If this
>attribute is not present, the method will try <cn=schema>.
>
>It then tries to do a base object search of that DN with a filter of
>(objectClass=*).
>
>However, this is useless if you specify the DN, because the schema object
>can only be constructed if the search requests some operational attributes.
>
>This is also useless if you don't specify the DN and there is a
>subschemaSubentry attribute in the root DSE, because the filter is wrong
>(see RFC 2251 section 3.2.2, last para.)
>
>It's probably also useless in the <cn=schema> case, though that case seems
>to be a band-aid for broken versions of a particular server (Netscape?) and
>so all bets are probably off on that one's behaviour ;-)
>
>So the code's kind of trying to do two different things (reading a subentry
>and reading an entry) and failing at both.
>
>Here's what I think this code should do.
>
>schema ( [ dn => DN ] )
>
> If a DN is passed, return a Net::LDAP::Schema object using the subschema
>retrieved from the objectClasses and attributeTypes operational attributes
>from that entry (specifically entry, *not* subentry.)
>
> If a DN is not specified, return a Net::LDAP::Schema object using the
>objectClasses and attributeTypes held in the subentry (again, specifically
>subentry, *not* entry) referenced by one of the values from the Root DSE's
>subschemaSubentry attribute. If the Root DSE doesn't contain a
>subschemaSubentry attribute, try using the DN of <cn=schema> for
>compatibility with some broken directory servers.
>
>I'm attaching some diffs against Net::LDAP 0.20 which implements this
>behaviour. The line offsets are probably a bit out too because I've been
>experimenting with some other local changes. Sigh. Anyway, sorry it isn't
>against a clean 0.22, but the guts of the change are:
>
>In schema() add a $filter variable and set it depending on the existence of
>$arg{'dn'};
>
>In schema() set the attrs array when reading the subschema to include the
>necessary operational attributes;
>
>In root_dse() set the attrs array when reading the Root DSE to include all
>the standard (RFC 2251) operational attributes.
>
>I suppose I must get around to installing 0.22 at some point :-)
>
>Cheers,
>
>Chris
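Kurt's three routines, together with the cache Chris describes in his 2001-01-30 reply (keyed on subentry DN and validated against modifyTimestamp, falling back to createTimestamp), written out as an added Net::LDAP example; this is not the patch from the thread. Assumptions: each routine takes an already-connected Net::LDAP object as its first argument, the cheap timestamp probe before a full transfer is my design, and the hostname is a placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Schema;

# Operational attributes that describe schema elements, and the timestamps
# the cache is validated against. Operational attributes are only returned
# when requested by name.
my @SCHEMA_ATTRS = qw(objectClasses attributeTypes matchingRules matchingRuleUse
                      ldapSyntaxes dITContentRules dITStructureRules nameForms);
my @STAMP_ATTRS  = qw(modifyTimestamp createTimestamp);

# Cache keyed on subentry DN: { stamp => $timestamp, schema => Net::LDAP::Schema }
my %schema_cache;

# Every routine returns ($result, undef) on success or (undef, $error_string).

# Base search for one entry; $filter and $attrs are supplied by the caller.
sub _read_entry {
    my ($ldap, $dn, $filter, $attrs) = @_;
    my $mesg = $ldap->search(base => $dn, scope => 'base',
                             filter => $filter, attrs => $attrs);
    return (undef, $mesg->error) if $mesg->code;
    my $entry = $mesg->entry(0)
        or return (undef, "no entry returned for '$dn' with filter $filter");
    return ($entry, undef);
}

# subschemasubentry( targetDN ): the DN held in the entry's subschemaSubentry.
# More than one value is an error: the caller has to choose a subentry itself.
sub subschemasubentry {
    my ($ldap, $target_dn) = @_;
    my ($entry, $err) = _read_entry($ldap, $target_dn, '(objectClass=*)',
                                    ['subschemaSubentry']);
    return (undef, $err) unless $entry;
    my @values = $entry->get_value('subschemaSubentry');
    return (undef, "no subschemaSubentry on '$target_dn'")              if @values == 0;
    return (undef, "multiple subschemaSubentry values on '$target_dn'") if @values > 1;
    return ($values[0], undef);
}

# subschema( subentryDN ): read the subschema subentry. Subentries are only
# returned for the filter (objectClass=subschema) (RFC 2251 section 3.2.2).
sub subschema {
    my ($ldap, $subentry_dn) = @_;

    # Cheap probe first: transfer and parse the full schema only when the
    # subentry's timestamp differs from the cached one (my design, not Chris's).
    my ($probe, $err) = _read_entry($ldap, $subentry_dn, '(objectClass=subschema)',
                                    \@STAMP_ATTRS);
    return (undef, $err) unless $probe;
    my $stamp = $probe->get_value('modifyTimestamp')
             // $probe->get_value('createTimestamp') // '';
    my $cached = $schema_cache{$subentry_dn};
    return ($cached->{schema}, undef)
        if $cached && $stamp ne '' && $cached->{stamp} eq $stamp;

    my ($entry, $err2) = _read_entry($ldap, $subentry_dn, '(objectClass=subschema)',
                                     \@SCHEMA_ATTRS);
    return (undef, $err2) unless $entry;
    my $schema = Net::LDAP::Schema->new;
    $schema->parse($entry)
        or return (undef, "could not parse subschema subentry '$subentry_dn'");
    $schema_cache{$subentry_dn} = { stamp => $stamp, schema => $schema };
    return ($schema, undef);
}

# schema( targetDN ): the historical shortcut subschema(subschemasubentry(DN)).
# Defaults to the root DSE (empty DN); a multi-valued root subschemaSubentry
# surfaces as an error instead of a silently random pick.
sub schema {
    my ($ldap, $target_dn) = @_;
    $target_dn = '' unless defined $target_dn;
    my ($subentry_dn, $err) = subschemasubentry($ldap, $target_dn);
    return (undef, $err) unless defined $subentry_dn;
    return subschema($ldap, $subentry_dn);
}

# Usage against a placeholder server; anonymous read of the subschema assumed.
if (!caller) {
    my $ldap = Net::LDAP->new('ldap.example.test') or die "connect failed: $@";
    $ldap->bind;
    my ($schema, $err) = schema($ldap);
    die "schema lookup failed: $err\n" unless $schema;
    my @ocs = $schema->all_objectclasses;
    my @ats = $schema->all_attributes;
    printf "%d object classes, %d attribute types\n", scalar @ocs, scalar @ats;
    $ldap->unbind;
}
```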
From: Chris R. <chr...@me...> - 2001-01-29 18:03:18

I think the schema method of the Net::LDAP class is fairly broken. It isn't documented, either :-)

Here's my take on the existing behaviour:

schema ( [ dn => DN ] )

DN is an optional distinguished name. If not present, the method will use a random DN from the Root DSE's subschemaSubentry attribute. If this attribute is not present, the method will try <cn=schema>.

It then tries to do a base object search of that DN with a filter of (objectClass=*).

However, this is useless if you specify the DN, because the schema object can only be constructed if the search requests some operational attributes.

This is also useless if you don't specify the DN and there is a subschemaSubentry attribute in the root DSE, because the filter is wrong (see RFC 2251 section 3.2.2, last para.)

It's probably also useless in the <cn=schema> case, though that case seems to be a band-aid for broken versions of a particular server (Netscape?) and so all bets are probably off on that one's behaviour ;-)

So the code's kind of trying to do two different things (reading a subentry and reading an entry) and failing at both.

Here's what I think this code should do.

schema ( [ dn => DN ] )

  If a DN is passed, return a Net::LDAP::Schema object using the subschema retrieved from the objectClasses and attributeTypes operational attributes from that entry (specifically entry, *not* subentry.)

  If a DN is not specified, return a Net::LDAP::Schema object using the objectClasses and attributeTypes held in the subentry (again, specifically subentry, *not* entry) referenced by one of the values from the Root DSE's subschemaSubentry attribute. If the Root DSE doesn't contain a subschemaSubentry attribute, try using the DN of <cn=schema> for compatibility with some broken directory servers.

I'm attaching some diffs against Net::LDAP 0.20 which implements this behaviour. The line offsets are probably a bit out too because I've been experimenting with some other local changes. Sigh. Anyway, sorry it isn't against a clean 0.22, but the guts of the change are:

In schema() add a $filter variable and set it depending on the existence of $arg{'dn'};

In schema() set the attrs array when reading the subschema to include the necessary operational attributes;

In root_dse() set the attrs array when reading the Root DSE to include all the standard (RFC 2251) operational attributes.

I suppose I must get around to installing 0.22 at some point :-)

Cheers,

Chris
From: Graham B. <gb...@po...> - 2001-01-29 12:23:46

Convert::ASN is known not to work with threads as it uses a feature of perl that is known not to work when threads is enabled. However, due to recent discussion on perl5-porters about how broken perl's threads are and that they should be removed (if they could be), I am reluctant to spend the time to code the algorithm a different way.

So all I can say is, don't use a perl compiled with threads enabled.

Graham.

On Sat, Jan 27, 2001 at 01:44:55AM -0700, Guruprasad S wrote:
> Hi,
> I am running Perl5.6.0 on NT. Whenever I build with USE_MULTI uncommented and USE_ITHREAD commented, I can access the directory. But when I uncomment UCS_ITHREAD as well, my script fails by saying
>
> decode error at c:/perl/site/5.6.0/lib/Convert/ASN1/_decode.pm line 136.
> 84
> decode error at c:/perl/site/5.6.0/lib/Convert/ASN1/_decode.pm line 136.
>         ...propagated at ldap1.pl line 12.
>
> Can any of you help me out.
>
> My script looks like this:
>
> use Net::LDAP;
> $ldap = Net::LDAP->new('blr-nb7.blr.novell.com') or die "$@";
>
> $mesg = $ldap->bind or die "Failed to bind\n";
> if ($mesg->code) {
>     print $mesg->error, $mesg->code,"\n";
>     die;
> }
>
> $mesg = $ldap->search( # perform a search
>     base => "o=novell",
>     filter => "sn=*",
> ) or die "Failed to search\n";
>
> if ($mesg->code) {
>     print $mesg->error, $mesg->code,"\n";
>     die;
> }
>
>
> Thanks
> Guru
>
From: Chris R. <chr...@me...> - 2001-01-29 11:40:42

Guruprasad S <sgu...@no...> wrote:
> Hi,
> I am running Perl5.6.0 on NT. Whenever I build with USE_MULTI
> uncommented and USE_ITHREAD commented, I can access the directory. But
> when I uncomment UCS_ITHREAD as well, my script fails by saying
>
> decode error at c:/perl/site/5.6.0/lib/Convert/ASN1/_decode.pm line 136.
> 84
> decode error at c:/perl/site/5.6.0/lib/Convert/ASN1/_decode.pm line 136.
>         ...propagated at ldap1.pl line 12.
>
> Can any of you help me out.
>
> My script looks like this:
>
> use Net::LDAP;
> $ldap = Net::LDAP->new('blr-nb7.blr.novell.com') or die "$@";
>
> $mesg = $ldap->bind or die "Failed to bind\n";
> if ($mesg->code) {
>     print $mesg->error, $mesg->code,"\n";
>     die;
> }
>
> $mesg = $ldap->search( # perform a search
>     base => "o=novell",
>     filter => "sn=*",
> ) or die "Failed to search\n";
>
> if ($mesg->code) {
>     print $mesg->error, $mesg->code,"\n";
>     die;
> }
>
>
> Thanks
> Guru
>

Net::LDAP is known to trigger problems in perl 5.6, so it is probably best to avoid that combination for now :-(

Can you set debug => 3 in the call to new and send us the screen output? This debug setting will dump out all the PDUs sent and received, in hex. This should make it easier to reproduce the problem.

Cheers,

Chris
From: Mark W. <mew...@un...> - 2001-01-28 19:58:55

I have an article on groups that answers many of these questions at www.webtechniques.com; either search for wilcox or LDAP. But I'll try to answer inline as well.

Tom Jordan wrote:
> Hey Folks,
>
> I'm trying to get a handle on dynamic groups (and groups in general), and
> have a few questions:
>
> 1. Is the concept of a dynamic group a netscape-only feature?

Yes and no. The groupOfUrls object can be used in any LDAP server. But dynamic groups are really a feature implemented by the rest of the iPlanet line (ie Enterprise and Mail servers) for authorization services. However, I use them all of the time for my other applications.

>
>
> 2. Netscape's docs state that dynamic groups are of the type 'groupOfURLs'
> with the actual group membership criteria listed in the 'memberURL'
> attribute. Is it the client's responsibility to expand this URL into list of
> dn's? If so, what happens with big groups where the number of entries will
> exceed the searchlimit?

Of course it's the client's responsibility; that's the whole reason for groupOfUrls. Instead of keeping a list of all of the members in the group object itself, the entire list is only generated when needed (if that search should exceed a search limit, then you'll need to use a Virtual List View or similar to control it). However, most (95%) group accesses are part of authentication/authorization services. IE, only members of the Engineering group are allowed access to this web site. In that case you only have to determine if the user's entry would satisfy the query contained in the memberURL.

>
>
> 3. Does anyone have suggestions for handling groups where the group
> population is potentially quite large ( > 10,000 members)?

That's the whole reason for dynamic groups.

>
>
> 4. Is anyone aware of any practical limits on the number of members in a
> group?

In theory no. In practicality yes. iPlanet 4 it's around 15,000. I don't know what others are but I imagine they're similar.

Mark

>
>
> Thanks much,
>
> Tom Jordan
> University of Wisconsin Madison
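Mark's point that an authorization check only has to decide whether one user's entry satisfies the memberURL, written up as an added Net::LDAP example; this is not code from the article or from the thread. It parses the memberURL with URI::ldap, checks scope containment locally, then runs the URL's filter as a base search against the user's own entry, so a group of 10,000 members is never expanded. Function names, the sample DNs and the server name are my assumptions; the URL's host part is ignored and only the connected directory is consulted.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_explode_dn);
use URI;

# Comparable key for one RDN hash from ldap_explode_dn (attribute types are
# folded by ldap_explode_dn; values are compared case-insensitively here,
# which is an approximation of the server's per-syntax matching).
sub _rdn_key {
    my $rdn = shift;
    return join '+', map { lc($_) . '=' . lc($rdn->{$_}) } sort keys %$rdn;
}

# dn_in_scope( DN, BASE, SCOPE ): is DN inside BASE at SCOPE (base/one/sub)?
# An empty BASE means the root, which contains everything.
sub dn_in_scope {
    my ($dn, $base, $scope) = @_;
    my $parts  = ldap_explode_dn($dn);
    my $bparts = length $base ? ldap_explode_dn($base) : [];
    return 0 unless $parts && $bparts;          # undef means an invalid DN
    my $depth = @$parts - @$bparts;             # RDNs below the base
    return 0 if $depth < 0;
    # The base must be the trailing RDN sequence of the DN.
    for my $i (0 .. $#$bparts) {
        return 0 unless _rdn_key($parts->[$depth + $i]) eq _rdn_key($bparts->[$i]);
    }
    return $scope eq 'base' ? ($depth == 0 ? 1 : 0)
         : $scope eq 'one'  ? ($depth == 1 ? 1 : 0)
         : $scope eq 'sub'  ? 1
         : 0;
}

# is_dynamic_member( LDAP, USER_DN, MEMBER_URL ): does the user's entry satisfy
# the URL? Rather than expanding the URL (which can exceed the size limit),
# check the scope locally and evaluate the filter against that one entry.
sub is_dynamic_member {
    my ($ldap, $user_dn, $member_url) = @_;
    my $uri = URI->new($member_url);
    return 0 unless $uri->scheme && $uri->scheme =~ /^ldaps?$/;
    my $scope  = $uri->scope  || 'base';
    my $filter = $uri->filter || '(objectClass=*)';
    return 0 unless dn_in_scope($user_dn, $uri->dn, $scope);

    my $mesg = $ldap->search(base => $user_dn, scope => 'base',
                             filter => $filter, attrs => ['1.1']);
    return 0 if $mesg->code;
    return $mesg->count ? 1 : 0;
}

# user_in_dynamic_group( LDAP, USER_DN, GROUP_DN ): read the group's memberURL
# values and accept the user if any one of them matches.
sub user_in_dynamic_group {
    my ($ldap, $user_dn, $group_dn) = @_;
    my $mesg = $ldap->search(base => $group_dn, scope => 'base',
                             filter => '(objectClass=groupOfURLs)',
                             attrs  => ['memberURL']);
    return 0 if $mesg->code || !$mesg->count;
    for my $url ($mesg->entry(0)->get_value('memberURL')) {
        return 1 if is_dynamic_member($ldap, $user_dn, $url);
    }
    return 0;
}

# Usage with placeholder names; anonymous read access is assumed.
if (!caller) {
    my $ldap = Net::LDAP->new('ldap.example.test') or die "connect failed: $@";
    $ldap->bind;
    my $member = user_in_dynamic_group($ldap,
        'uid=jdoe,ou=People,o=Example',
        'cn=Engineering,ou=Groups,o=Example');
    print $member ? "member\n" : "not a member\n";
    $ldap->unbind;
}
```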
From: Daan K. <da...@nw...> - 2001-01-27 20:22:12

-----Original Message-----
From: per...@li... [mailto:per...@li...]On Behalf Of per...@li...
Sent: Saturday, January 27, 2001 2:04 PM
To: per...@li...
Subject: perl-ldap-dev digest, Vol 1 #199 - 5 msgs

Send perl-ldap-dev mailing list submissions to
        per...@li...

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.sourceforge.net/lists/listinfo/perl-ldap-dev
or, via email, send a message with subject or body 'help' to
        per...@li...

You can reach the person managing the list at
        per...@li...

When replying, please edit your Subject line so it is more specific than "Re: Contents of perl-ldap-dev digest..."

Today's Topics:

  1. Re: Trouble adding jpeg image to Netscape 4.1 directory server via ldap (Ken DeLay)
  2. Authentication problem (Rob Hawkes)
  3. Help newbie (Guruprasad S)
  4. Re: Authentication problem (Jim Harle)
  5. Re: Authentication problem (Rob Hawkes)

--__--__--

Message: 1
Date: Fri, 26 Jan 2001 13:09:18 -0700
To: Chris Ridd <chr...@me...>, Ken DeLay <ken...@sy...>, per...@li...
From: Ken DeLay <ken...@sy...>
Subject: Re: Trouble adding jpeg image to Netscape 4.1 directory server via ldap

Thanks for the reply Chris. I have been working with both the Mozilla and perl-ldap code. My code was from an attempt to use the Mozilla code and so it was not appropriate to post here. I used your suggestion and rewrote the script to use the perl-ldap implementation and the jpeg photo went in just fine. Again, thanks for the help. Is it true the Mozilla LDAP library for perl is not being maintained anymore?

Ken

At 08:38 AM 01/26/2001 +0000, Chris Ridd wrote:
>You *should* just be able to read the JPEG in and add it as a value to a
>jpegPhoto attribute.
>
>
>
>You appear to be using the Mozilla LDAP library for perl called perldap
>(which uses native libraries and is not pure perl), which apparently isn't
>being maintained any more. This mailing list is for the native perl LDAP
>library, called perl-ldap.
>
>So there might be a problem with the way the Mozilla LDAP code handles
>values which aren't text and which aren't BER. This kind of stuff is no
>problem in perl-ldap :-)
>

--__--__--

Message: 2
To: per...@li..., gb...@po...
Subject: Authentication problem
Reply-To: rob...@mo...
Date: Sat, 27 Jan 2001 06:01:17 +0000
From: Rob Hawkes <ha...@wa...>

It seems to be impossible to use the non-anonymous bind to do user authentication. No matter what kind of bogus password I send along with the DN, I get a successful bind. I have tried using lots of $ldap->unbind calls, getting a brand new connection, everything I can think of. What am I missing? Thank you.

Rob Hawkes
Motorola, Inc.

------------------------------------------------------------------------

#! /usr/local/bin/perl

# Test driver.

ldapAuth('rvpl50', 'xxx');

########################################################################
#
# l d a p A u t h
#
########################################################################

sub ldapAuth {
    my($userid,$password) = @_;

    use strict;
    use Net::LDAP;

    my($ldap,$mesg);
    my $server = "directory.mot.com";

    # First do an anonymous bind with $userid and retrieve the DN.
    $ldap = Net::LDAP->new($server);
    if (! $ldap) {
        print "DEBUG: failed to connect to $server\n";
        return 0;
    }

    $ldap->bind;
    my $mesg = $ldap->search (
        base => "o=Motorola,c=US",
        filter => "uid=$userid"
    );
    if ($mesg->code) {
        print $mesg->error;
        return 0;
    }
    else {
        # Try with all entries to bind with the supplied password.
        foreach my $entry ($mesg->all_entries) {
            my $dn = $entry->dn;
            print "DEBUG: try to bind with DN= $dn, password= $password\n";
            $ldap->unbind;

            if ($ldap = Net::LDAP->new('directory.mot.com')) {
                $ldap->bind( $dn, password => $password );

                print "\n", $mesg->code, " ", $mesg->error, "\n";

                if ($mesg->code) {
                    # Bind failed.
                    return 0;
                }
                else {
                    # Bind succeeded.
                    $mesg = $ldap->search (
                        base => "o=Motorola,c=US",
                        filter => "uid=$userid"
                    );

                    foreach my $entry ($mesg->all_entries) {
                        $entry->dump;
                    }

                    $ldap->unbind;
                    return 1;
                }
            }
            else {
                # Could not get a new connection.
                return 0;
            }
        }
    }
}

--__--__--

Message: 3
Date: Sat, 27 Jan 2001 01:44:55 -0700
From: "Guruprasad S" <sgu...@no...>
To: <per...@li...>
Subject: Help newbie

Hi,
I am running Perl5.6.0 on NT. Whenever I build with USE_MULTI uncommented and USE_ITHREAD commented, I can access the directory. But when I uncomment UCS_ITHREAD as well, my script fails by saying

decode error at c:/perl/site/5.6.0/lib/Convert/ASN1/_decode.pm line 136.
84
decode error at c:/perl/site/5.6.0/lib/Convert/ASN1/_decode.pm line 136.
        ...propagated at ldap1.pl line 12.

Can any of you help me out.

My script looks like this:

use Net::LDAP;
$ldap = Net::LDAP->new('blr-nb7.blr.novell.com') or die "$@";

$mesg = $ldap->bind or die "Failed to bind\n";
if ($mesg->code) {
    print $mesg->error, $mesg->code,"\n";
    die;
}

$mesg = $ldap->search( # perform a search
    base => "o=novell",
    filter => "sn=*",
) or die "Failed to search\n";

if ($mesg->code) {
    print $mesg->error, $mesg->code,"\n";
    die;
}

Thanks
Guru

--__--__--

Message: 4
Date: Sat, 27 Jan 2001 11:14:34 -0500
From: Jim Harle <ha...@us...>
To: rob...@mo...
CC: per...@li..., gb...@po...
Subject: Re: Authentication problem

Rob,
These 2 consecutive lines are at issue:

    if ($ldap = Net::LDAP->new('directory.mot.com')) {
        $ldap->bind( $dn, password => $password );

The first is unnecessary, but doesn't hurt, other than performance. The second needs to be preceded by
    $mesg =
Your line does the bind, but doesn't store the result anywhere.

--Jim Harle

Rob Hawkes wrote:
> It seems to be impossible to use the non-anonymous bind to do user
> authentication. No matter what kind of bogus password I send along
> with the DN, I get a successful bind. I have tried using lots of
> $ldap->unbind calls, getting a brand new connection, everything I can
> think of. What am I missing? Thank you.
>
> Rob Hawkes
> Motorola, Inc.
>
> ------------------------------------------------------------------------
>
> #! /usr/local/bin/perl
>
> # Test driver.
>
> ldapAuth('rvpl50', 'xxx');
>
> ########################################################################
> #
> # l d a p A u t h
> #
> ########################################################################
>
> sub ldapAuth {
>     my($userid,$password) = @_;
>
>     use strict;
>     use Net::LDAP;
>
>     my($ldap,$mesg);
>     my $server = "directory.mot.com";
>
>     # First do an anonymous bind with $userid and retrieve the DN.
>     $ldap = Net::LDAP->new($server);
>     if (! $ldap) {
>         print "DEBUG: failed to connect to $server\n";
>         return 0;
>     }
>
>     $ldap->bind;
>     my $mesg = $ldap->search (
>         base => "o=Motorola,c=US",
>         filter => "uid=$userid"
>     );
>     if ($mesg->code) {
>         print $mesg->error;
>         return 0;
>     }
>     else {
>         # Try with all entries to bind with the supplied password.
>         foreach my $entry ($mesg->all_entries) {
>             my $dn = $entry->dn;
>             print "DEBUG: try to bind with DN= $dn, password= $password\n";
>             $ldap->unbind;
>
>             if ($ldap = Net::LDAP->new('directory.mot.com')) {
>                 $ldap->bind( $dn, password => $password );
>
>                 print "\n", $mesg->code, " ", $mesg->error, "\n";
>
>                 if ($mesg->code) {
>                     # Bind failed.
>                     return 0;
>                 }
>                 else {
>                     # Bind succeeded.
>                     $mesg = $ldap->search (
>                         base => "o=Motorola,c=US",
>                         filter => "uid=$userid"
>                     );
>
>                     foreach my $entry ($mesg->all_entries) {
>                         $entry->dump;
>                     }
>
>                     $ldap->unbind;
>                     return 1;
>                 }
>             }
>             else {
>                 # Could not get a new connection.
>                 return 0;
>             }
>         }
>     }
> }

--__--__--

Message: 5
Date: Sat, 27 Jan 2001 09:40:03 -0700
From: Rob Hawkes <rob...@mo...>
Organization: Motorola, Inc.
To: Jim Harle <ha...@us...>
CC: per...@li..., gb...@po...
Subject: Re: Authentication problem

Jim,
Thank you for responding. I found the problem early this morning and have been feeling like a bozo ever since. Guess I should have slept on it before bothering the list.

Thanks again.
Rob

Jim Harle wrote:
>
> Rob,
> These 2 consecutive lines are at issue:
>
>     if ($ldap = Net::LDAP->new('directory.mot.com')) {
>         $ldap->bind( $dn, password => $password );
>
> The first is unnecessary, but doesn't hurt, other than performance. The second needs to be
> preceded by
>     $mesg =
> Your line does the bind, but doesn't store the result anywhere.
>
> --Jim Harle
>
> Rob Hawkes wrote:
>
> > It seems to be impossible to use the non-anonymous bind to do user
> > authentication. No matter what kind of bogus password I send along
> > with the DN, I get a successful bind. I have tried using lots of
> > $ldap->unbind calls, getting a brand new connection, everything I can
> > think of. What am I missing? Thank you.
> >
> > Rob Hawkes
> > Motorola, Inc.
> >
> > ------------------------------------------------------------------------
> >
> > #! /usr/local/bin/perl
> >
> > # Test driver.
> >
> > ldapAuth('rvpl50', 'xxx');
> >
> > ########################################################################
> > #
> > # l d a p A u t h
> > #
> > ########################################################################
> >
> > sub ldapAuth {
> >     my($userid,$password) = @_;
> >
> >     use strict;
> >     use Net::LDAP;
> >
> >     my($ldap,$mesg);
> >     my $server = "directory.mot.com";
> >
> >     # First do an anonymous bind with $userid and retrieve the DN.
> >     $ldap = Net::LDAP->new($server);
> >     if (! $ldap) {
> >         print "DEBUG: failed to connect to $server\n";
> >         return 0;
> >     }
> >
> >     $ldap->bind;
> >     my $mesg = $ldap->search (
> >         base => "o=Motorola,c=US",
> >         filter => "uid=$userid"
> >     );
> >     if ($mesg->code) {
> >         print $mesg->error;
> >         return 0;
> >     }
> >     else {
> >         # Try with all entries to bind with the supplied password.
> >         foreach my $entry ($mesg->all_entries) {
> >             my $dn = $entry->dn;
> >             print "DEBUG: try to bind with DN= $dn, password= $password\n";
> >             $ldap->unbind;
> >
> >             if ($ldap = Net::LDAP->new('directory.mot.com')) {
> >                 $ldap->bind( $dn, password => $password );
> >
> >                 print "\n", $mesg->code, " ", $mesg->error, "\n";
> >
> >                 if ($mesg->code) {
> >                     # Bind failed.
> >                     return 0;
> >                 }
> >                 else {
> >                     # Bind succeeded.
> >                     $mesg = $ldap->search (
> >                         base => "o=Motorola,c=US",
> >                         filter => "uid=$userid"
> >                     );
> >
> >                     foreach my $entry ($mesg->all_entries) {
> >                         $entry->dump;
> >                     }
> >
> >                     $ldap->unbind;
> >                     return 1;
> >                 }
> >             }
> >             else {
> >                 # Could not get a new connection.
> >                 return 0;
> >             }
> >         }
> >     }
> > }

--__--__--

_______________________________________________
perl-ldap-dev mailing list
per...@li...
http://lists.sourceforge.net/lists/listinfo/perl-ldap-dev

End of perl-ldap-dev Digest
From: Rob H. <rob...@mo...> - 2001-01-27 16:42:51

Jim,
Thank you for responding. I found the problem early this morning and have been feeling like a bozo ever since. Guess I should have slept on it before bothering the list.

Thanks again.
Rob

Jim Harle wrote:
>
> Rob,
> These 2 consecutive lines are at issue:
>
>     if ($ldap = Net::LDAP->new('directory.mot.com')) {
>         $ldap->bind( $dn, password => $password );
>
> The first is unnecessary, but doesn't hurt, other than performance. The second needs to be
> preceded by
>     $mesg =
> Your line does the bind, but doesn't store the result anywhere.
>
> --Jim Harle
>
> Rob Hawkes wrote:
>
> > It seems to be impossible to use the non-anonymous bind to do user
> > authentication. No matter what kind of bogus password I send along
> > with the DN, I get a successful bind. I have tried using lots of
> > $ldap->unbind calls, getting a brand new connection, everything I can
> > think of. What am I missing? Thank you.
> >
> > Rob Hawkes
> > Motorola, Inc.
> >
> > ------------------------------------------------------------------------
> >
> > #! /usr/local/bin/perl
> >
> > # Test driver.
> >
> > ldapAuth('rvpl50', 'xxx');
> >
> > ########################################################################
> > #
> > # l d a p A u t h
> > #
> > ########################################################################
> >
> > sub ldapAuth {
> >     my($userid,$password) = @_;
> >
> >     use strict;
> >     use Net::LDAP;
> >
> >     my($ldap,$mesg);
> >     my $server = "directory.mot.com";
> >
> >     # First do an anonymous bind with $userid and retrieve the DN.
> >     $ldap = Net::LDAP->new($server);
> >     if (! $ldap) {
> >         print "DEBUG: failed to connect to $server\n";
> >         return 0;
> >     }
> >
> >     $ldap->bind;
> >     my $mesg = $ldap->search (
> >         base => "o=Motorola,c=US",
> >         filter => "uid=$userid"
> >     );
> >     if ($mesg->code) {
> >         print $mesg->error;
> >         return 0;
> >     }
> >     else {
> >         # Try with all entries to bind with the supplied password.
> >         foreach my $entry ($mesg->all_entries) {
> >             my $dn = $entry->dn;
> >             print "DEBUG: try to bind with DN= $dn, password= $password\n";
> >             $ldap->unbind;
> >
> >             if ($ldap = Net::LDAP->new('directory.mot.com')) {
> >                 $ldap->bind( $dn, password => $password );
> >
> >                 print "\n", $mesg->code, " ", $mesg->error, "\n";
> >
> >                 if ($mesg->code) {
> >                     # Bind failed.
> >                     return 0;
> >                 }
> >                 else {
> >                     # Bind succeeded.
> >                     $mesg = $ldap->search (
> >                         base => "o=Motorola,c=US",
> >                         filter => "uid=$userid"
> >                     );
> >
> >                     foreach my $entry ($mesg->all_entries) {
> >                         $entry->dump;
> >                     }
> >
> >                     $ldap->unbind;
> >                     return 1;
> >                 }
> >             }
> >             else {
> >                 # Could not get a new connection.
> >                 return 0;
> >             }
> >         }
> >     }
> > }
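The lookup-then-rebind flow from Rob's ldapAuth, corrected as Jim describes (keep the object bind() returns and test its code), written as an added Net::LDAP example rather than code from the thread. Beyond the thread's fix it also refuses empty passwords, which many servers treat as an anonymous bind, escapes the uid before it is interpolated into the filter, requires exactly one matching entry, and never prints the password; the server, base DN and function name are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# ldap_auth( SERVER, BASE, USERID, PASSWORD ) -> 1 if the directory accepts a
# simple bind as the user's DN with PASSWORD, otherwise 0.
# Added example: server, base DN and function name are assumptions.
sub ldap_auth {
    my ($server, $base, $userid, $password) = @_;

    # A DN with an empty password is an "unauthenticated" bind, which many
    # servers accept as anonymous; it must never count as a login.
    return 0 unless defined $userid   && length $userid;
    return 0 unless defined $password && length $password;

    my $ldap = Net::LDAP->new($server) or return 0;

    # Step 1: anonymous bind, then look up the DN for this uid. The uid is
    # escaped so filter metacharacters in it cannot change the query.
    my $mesg = $ldap->bind;
    return 0 if $mesg->code;

    $mesg = $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($userid) . ')',
        attrs  => ['1.1'],          # no attributes; only the DN is needed
    );
    return 0 if $mesg->code;

    # Exactly one entry must match; an ambiguous uid is a failure, not a
    # list of DNs to try in turn.
    return 0 unless $mesg->count == 1;
    my $dn = $mesg->entry(0)->dn;

    # Step 2: rebind on the same connection as the user. bind() returns a
    # Net::LDAP::Message whose code is the outcome. Discarding that object,
    # as the original ldapAuth did, leaves the anonymous search result (code
    # 0) in $mesg, so every password appears to succeed.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = ($mesg->code == 0) ? 1 : 0;

    $ldap->unbind;
    return $ok;
}

# Usage: ldap_auth.pl USERID, with the password taken from the PASSWORD
# environment variable so it appears on no command line and in no debug print.
if (!caller) {
    my $userid = $ARGV[0] or die "usage: $0 USERID\n";
    my $ok = ldap_auth('directory.example.test',   # placeholder server
                       'o=Example,c=US',           # placeholder base DN
                       $userid, $ENV{PASSWORD});
    print $ok ? "authenticated\n" : "authentication failed\n";
    exit($ok ? 0 : 1);
}
```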
From: Jim H. <ha...@us...> - 2001-01-27 16:16:37
Rob,
These 2 consecutive lines are at issue:

    if ($ldap = Net::LDAP->new('directory.mot.com')) {
        $ldap->bind( $dn, password => $password );

The first is unnecessary, but doesn't hurt, other than performance. The second needs to be preceded by

    $mesg =

Your line does the bind, but doesn't store the result anywhere.

--Jim Harle

Rob Hawkes wrote:
> It seems to be impossible to use the non-anonymous bind to do user
> authentication. No matter what kind of bogus password I send along
> with the DN, I get a successful bind. I have tried using lots of
> $ldap->unbind calls, getting a brand new connection, everything I can
> think of. What am I missing? Thank you.
>
> Rob Hawkes
> Motorola, Inc.
>
> ------------------------------------------------------------------------
>
> #! /usr/local/bin/perl
>
> # Test driver.
>
> ldapAuth('rvpl50', 'xxx');
>
> ########################################################################
> #
> # l d a p A u t h
> #
> ########################################################################
>
> sub ldapAuth {
>     my($userid,$password) = @_;
>
>     use strict;
>     use Net::LDAP;
>
>     my($ldap,$mesg);
>     my $server = "directory.mot.com";
>
>     # First do an anonymous bind with $userid and retrieve the DN.
>     $ldap = Net::LDAP->new($server);
>     if (! $ldap) {
>         print "DEBUG: failed to connect to $server\n";
>         return 0;
>     }
>
>     $ldap->bind;
>     my $mesg = $ldap->search (
>         base => "o=Motorola,c=US",
>         filter => "uid=$userid"
>     );
>     if ($mesg->code) {
>         print $mesg->error;
>         return 0;
>     }
>     else {
>         # Try with all entries to bind with the supplied password.
>         foreach my $entry ($mesg->all_entries) {
>             my $dn = $entry->dn;
>             print "DEBUG: try to bind with DN= $dn, password= $password\n";
>             $ldap->unbind;
>
>             if ($ldap = Net::LDAP->new('directory.mot.com')) {
>                 $ldap->bind( $dn, password => $password );
>
>                 print "\n", $mesg->code, " ", $mesg->error, "\n";
>
>                 if ($mesg->code) {
>                     # Bind failed.
>                     return 0;
>                 }
>                 else {
>                     # Bind succeeded.
>                     $mesg = $ldap->search (
>                         base => "o=Motorola,c=US",
>                         filter => "uid=$userid"
>                     );
>
>                     foreach my $entry ($mesg->all_entries) {
>                         $entry->dump;
>                     }
>
>                     $ldap->unbind;
>                     return 1;
>                 }
>             }
>             else {
>                 # Could not get a new connection.
>                 return 0;
>             }
>         }
>     }
> }
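The fix Jim points at, carried through as an added example (not code from the thread or from perl-ldap): every Net::LDAP result is kept and tested, the user is looked up with an escaped filter, and an empty password is refused, because a simple bind with a DN and no password is an unauthenticated bind that many servers accept as anonymous and report as success. The host ldap.example.com, the base o=Example,c=US and the names ldap_auth and _fail are my own placeholders, and a reachable server is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Authenticate $userid/$password against the directory at $server.
# Returns the DN the user bound as, or undef on any failure.
sub ldap_auth {
    my ($server, $base, $userid, $password) = @_;

    # A simple bind with a DN and an empty password is an "unauthenticated"
    # bind (RFC 4513, 5.1.2): servers that accept it grant anonymous access
    # and report success, so it must never count as a password check.
    return unless defined $password && length $password;

    my $ldap = Net::LDAP->new($server, version => 3)
        or do { warn "connect to $server failed: $@\n"; return };

    # Anonymous bind, then look the user up. The userid is escaped so it
    # is matched as a literal value inside the filter.
    my $mesg = $ldap->bind;
    return _fail($ldap, 'anonymous bind', $mesg) if $mesg->code;

    $mesg = $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($userid) . ')',
        attrs  => ['1.1'],      # "1.1" asks for the DN only
    );
    return _fail($ldap, 'search', $mesg) if $mesg->code;

    # Exactly one entry must match; zero or several means the userid does
    # not identify a single account, so do not try to bind at all.
    if ($mesg->count != 1) {
        warn "uid $userid matched " . $mesg->count . " entries\n";
        $ldap->unbind;
        return;
    }
    my $dn = $mesg->entry(0)->dn;

    # The fix from the thread: keep the result of the bind and test it.
    # Without "$mesg =" the test below still sees the old search result,
    # and every password appears to be accepted.
    $mesg = $ldap->bind($dn, password => $password);
    return _fail($ldap, "bind as $dn", $mesg) if $mesg->code;

    $ldap->unbind;
    return $dn;
}

# Report a failed operation, drop the connection and return undef.
sub _fail {
    my ($ldap, $what, $mesg) = @_;
    warn sprintf("%s failed: %s (%d)\n", $what, $mesg->error, $mesg->code);
    $ldap->unbind;
    return;
}

# Placeholder server and base (hypothetical); userid and password are the
# values from the test driver in the thread.
my $dn = ldap_auth('ldap.example.com', 'o=Example,c=US', 'rvpl50', 'xxx');
print defined $dn ? "authenticated as $dn\n" : "authentication failed\n";
```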
From: Guruprasad S <sgu...@no...> - 2001-01-27 08:45:59
Hi,

I am running Perl5.6.0 on NT. Whenever I build with USE_MULTI uncommented and USE_ITHREAD commented, I can access the directory. But when I uncomment USE_ITHREAD as well, my script fails by saying

    decode error at c:/perl/site/5.6.0/lib/Convert/ASN1/_decode.pm line 136. 84
    decode error at c:/perl/site/5.6.0/lib/Convert/ASN1/_decode.pm line 136.
    ...propagated at ldap1.pl line 12.

Can any of you help me out?

My script looks like this:

    use Net::LDAP;

    $ldap = Net::LDAP->new('blr-nb7.blr.novell.com') or die "$@";

    $mesg = $ldap->bind or die "Failed to bind\n";
    if ($mesg->code) {
        print $mesg->error, $mesg->code,"\n";
        die;
    }

    $mesg = $ldap->search( # perform a search
        base => "o=novell",
        filter => "sn=*",
    ) or die "Failed to search\n";
    if ($mesg->code) {
        print $mesg->error, $mesg->code,"\n";
        die;
    }

Thanks
Guru
From: Rob H. <ha...@wa...> - 2001-01-27 06:03:40
It seems to be impossible to use the non-anonymous bind to do user authentication. No matter what kind of bogus password I send along with the DN, I get a successful bind. I have tried using lots of $ldap->unbind calls, getting a brand new connection, everything I can think of. What am I missing? Thank you.

Rob Hawkes
Motorola, Inc.

------------------------------------------------------------------------

#! /usr/local/bin/perl

# Test driver.

ldapAuth('rvpl50', 'xxx');

########################################################################
#
# l d a p A u t h
#
########################################################################

sub ldapAuth {
    my($userid,$password) = @_;

    use strict;
    use Net::LDAP;

    my($ldap,$mesg);
    my $server = "directory.mot.com";

    # First do an anonymous bind with $userid and retrieve the DN.
    $ldap = Net::LDAP->new($server);
    if (! $ldap) {
        print "DEBUG: failed to connect to $server\n";
        return 0;
    }

    $ldap->bind;
    my $mesg = $ldap->search (
        base => "o=Motorola,c=US",
        filter => "uid=$userid"
    );
    if ($mesg->code) {
        print $mesg->error;
        return 0;
    }
    else {
        # Try with all entries to bind with the supplied password.
        foreach my $entry ($mesg->all_entries) {
            my $dn = $entry->dn;
            print "DEBUG: try to bind with DN= $dn, password= $password\n";
            $ldap->unbind;

            if ($ldap = Net::LDAP->new('directory.mot.com')) {
                $ldap->bind( $dn, password => $password );

                print "\n", $mesg->code, " ", $mesg->error, "\n";

                if ($mesg->code) {
                    # Bind failed.
                    return 0;
                }
                else {
                    # Bind succeeded.
                    $mesg = $ldap->search (
                        base => "o=Motorola,c=US",
                        filter => "uid=$userid"
                    );

                    foreach my $entry ($mesg->all_entries) {
                        $entry->dump;
                    }

                    $ldap->unbind;
                    return 1;
                }
            }
            else {
                # Could not get a new connection.
                return 0;
            }
        }
    }
}
From: Ken D. <ken...@sy...> - 2001-01-26 20:08:56
Thanks for the reply Chris. I have been working with both the Mozilla and perl-ldap code. My code was from an attempt to use the Mozilla code and so it was not appropriate to post here. I used your suggestion and rewrote the script to use the perl-ldap implementation and the jpeg photo went in just fine.

Again, thanks for the help.

Is it true the Mozilla LDAP library for perl is not being maintained anymore?

Ken

At 08:38 AM 01/26/2001 +0000, Chris Ridd wrote:
>You *should* just be able to read the JPEG in and add it as a value to a
>jpegPhoto attribute.
>
>You appear to be using the Mozilla LDAP library for perl called perldap
>(which uses native libraries and is not pure perl), which apparently isn't
>being maintained any more. This mailing list is for the native perl LDAP
>library, called perl-ldap.
>
>So there might be a problem with the way the Mozilla LDAP code handles
>values which aren't text and which aren't BER. This kind of stuff is no
>problem in perl-ldap :-)
From: Douglas G. S. <gr...@ca...> - 2001-01-26 14:11:01
Chris,

Thanks for your reply.

At 08:43 on 26-January-2001, Chris Ridd wrote:
> Graham Barr <gb...@po...> wrote:
> > ----- Forwarded message from Douglas Gray Stephens <DGr...@sl...> -----
> > <snip>
> > I can connect over SSL to a WEB server (i.e. HTTPS).
> >
> > The IO::Socket::SSL module is not included in the perl-ldap module
> > that is available via the package manager. I believe that the module
> > is (or was) part of the Bundle::Net::LDAP package
> > http://www.perldoc.com/cpan/Bundle/Net/LDAP.html
> > which I cannot locate?
>
> Well I don't think it should be, as SSL support is pretty optional for
> Net::LDAP.
>
> > Is IO::Socket::SSL (or the Bundle::Net::LDAP package) available for
> > windows?
>
> There's no real reason why it shouldn't be, although it relies on another
> module which needs to be built using a C compiler so it might not be a
> straightforward install.
>
> Have you looked at ActiveState's web site, or CPAN?

I have looked at ActiveState's site for a packaged module, and drew a blank. I will experiment with building IO::Socket::SSL on windows (if I can find a compiler).

> > Has anyone managed to use perl-ldap (or another LDAP module) to
> > communicate with an LDAP server over SSL?
>
> I have, and a couple of folks who beta tested the code have as well. I
> suspect none of us were using Windows though.

Cheers,

Douglas.

--
================================
Douglas GRAY STEPHENS
SL-IT Security (Directories)
Schlumberger Cambridge Research
High Cross, Madingley Road, Cambridge. CB3 0EL ENGLAND
Phone +44 1223 325295
Fax +44 1223 311830
Email DGr...@sl...
================================
From: Chris R. <chr...@me...> - 2001-01-26 08:43:22
Graham Barr <gb...@po...> wrote:
> ----- Forwarded message from Douglas Gray Stephens
> <DGr...@sl...> -----
>
> Date: Wed, 24 Jan 2001 19:03:25 +0000
> To: per...@li...
> Cc: gb...@po...
> From: "Douglas Gray Stephens" <DGr...@sl...>
> Subject: Connecting to LDAP over SSL
> X-Mailer: emacs 20.7.1 (via feedmail 9-beta-7 I);
> VM 6.90 under Emacs 20.7.1
>
>
> Hi,
>
> I am trying to connect to an LDAP server over SSL (i.e. port 636).
>
> I looked at perldap (v1.4) and perl-ldap (v 0.22), and both hint that
> they can connect to an LDAP over SSL. However perldap appears to want
> to use a local certificate for client authentication, while it should
> be possible to use SSL simply to secure the communications channel.
>
> Using the following perl-ldap snippet I can connect to the LDAP server
> (without SSL):
>
>     use Net::LDAP;
>
>     $ldap = new Net::LDAP('ldap:389','timeout'=>300) or die "$@";
>
>     $mesg = $ldap->search ( # perform a search
>         base => "o=slb,c=AN",
>         filter => "alias=dgraystephens"
>     );
>
>     $mesg->code && die $mesg->error;
>
>     foreach $entry ($mesg->all_entries) { $entry->dump; }
>
> however if I try to use an SSL connection, i.e.
>
>     use Net::LDAPS;
>
>     $ldap = new Net::LDAPS('ldap:636') or die "$@";
>
>     $mesg = $ldap->search ( # perform a search
>         base => "o=slb,c=AN",
>         filter => "alias=dgraystephens"
>     );
>
>     $mesg->code && die $mesg->error;
>
>     foreach $entry ($mesg->all_entries) { $entry->dump; }
>
> then the code fails to run
>
>     Can't locate IO/Socket/SSL.pm in @INC (@INC contains:
>     D:/Applications/Perl/lib D:/Applications/Perl/site/lib .) at
>     D:/Applications/Perl/site/lib/Net/LDAPS.pm line 14. BEGIN
>     failed--compilation aborted at
>     D:/Applications/Perl/site/lib/Net/LDAPS.pm line 14. Compilation failed
>     in require at temp.pl line 6.
>     BEGIN failed--compilation aborted at temp.pl line 6.
>
> I can connect over SSL to a WEB server (i.e. HTTPS).
>
> The IO::Socket::SSL module is not included in the perl-ldap module
> that is available via the package manager. I believe that the module
> is (or was) part of the Bundle::Net::LDAP package
> http://www.perldoc.com/cpan/Bundle/Net/LDAP.html
> which I cannot locate?

Well I don't think it should be, as SSL support is pretty optional for Net::LDAP.

> Is IO::Socket::SSL (or the Bundle::Net::LDAP package) available for
> windows?

There's no real reason why it shouldn't be, although it relies on another module which needs to be built using a C compiler so it might not be a straightforward install.

Have you looked at ActiveState's web site, or CPAN?

> Has anyone managed to use perl-ldap (or another LDAP module) to
> communicate with an LDAP server over SSL?

I have, and a couple of folks who beta tested the code have as well. I suspect none of us were using Windows though.

> Thanks in advance,
>
> Douglas.
>
> --
>
> ================================
> Dr. Douglas GRAY STEPHENS
> SL-IT Security (Directories)
> Schlumberger Cambridge Research
> High Cross,
> Madingley Road,
> Cambridge.
> CB3 0EL
> ENGLAND
>
> Phone +44 1223 325295
> Fax +44 1223 311830
> Email DGr...@sl...
> ================================
>
>
> ----- End forwarded message -----
>

Cheers,

Chris
From: Chris R. <chr...@me...> - 2001-01-26 08:38:00
Ken DeLay <ken...@sy...> wrote:
> Correction, $fileName var below was corrected but still doesn't work.
>
> I realize now that the jpeg photo should be ASN encoded first, is that
> correct?
>
> Ken

The RFCs require that values of jpegPhoto attributes be the raw bytes of the JPEG file. The only reason to ASN encode (actually BER encode) the value would be if you were manipulating the value using the ;binary attribute type description of LDAPv3. So kind of this:

    jpegPhoto;binary = <load of BER-encoded octets>

But that would be unusual and almost certainly the Netscape server wouldn't be able to deal with it anyway.

You *should* just be able to read the JPEG in and add it as a value to a jpegPhoto attribute.

Your code to read the image in is overcomplex IMHO, but should work. So should this:

    if (-e $fileName) {
        local $/ = undef;
        open JPEG, $fileName or die;
        $jpegimage = <JPEG>;
        close JPEG;
        $res = $ldap->modify('cn=My entry,o=My company,c=XX',
                             add => { 'jpegPhoto' => [ $jpegimage ] }) or die;
        $code = $res->code;
        die "Modify error ($code)" if $code;
    }

You appear to be using the Mozilla LDAP library for perl called perldap (which uses native libraries and is not pure perl), which apparently isn't being maintained any more. This mailing list is for the native perl LDAP library, called perl-ldap.

So there might be a problem with the way the Mozilla LDAP code handles values which aren't text and which aren't BER. This kind of stuff is no problem in perl-ldap :-)

> At 03:08 PM 01/25/2001 -0700, Ken DeLay wrote:
>> Excuse a newbie question, but I am trying to do something simple and add
>> an entry to a Netscape Directory via perl-ldap with a jpeg photo.
>>
>> The problem I am having is that the jpeg photo doesn't seem to get added
>> correctly.
>>
>> I am using the same basic sample code from the Mozilla FAQ:
>>
>> $filename="test.jpg";
>> if (-e $fileName) {
>>     open(JPEG, $fileName) || die;
>>     while (sysread JPEG, $buf, 1024) {
>>         $jpegimage .= $buf;
>>
>>     }
>> } else {
>>     open(JPEG, $NOPHOTOJPG) || die;
>>     $jpegimage=<JPEG>;
>>     while (sysread JPEG, $buf, 1024) {
>>         $jpegimage .= $buf;
>>     }
>> }
>> $entry->{jpegphoto} = $jpegimage;
>>
>> Anyone had problems using this code to add binary data such as a jpeg
>> photo to the Netscape 4.1 directory server?
>>
>>
>> Thanks,
>>
>> Ken
>>
>>
>> =========================
>> Ken DeLay
>> Senior Consultant
>> Syntegra (USA)
>> Phone: (303)-205-1621
>> email: ken...@sy...
>> =========================
>>
>

Cheers,

Chris
From: Ken D. <ken...@sy...> - 2001-01-26 01:27:53
Correction, $fileName var below was corrected but still doesn't work.

I realize now that the jpeg photo should be ASN encoded first, is that correct?

Ken

At 03:08 PM 01/25/2001 -0700, Ken DeLay wrote:
>Excuse a newbie question, but I am trying to do something simple and add an entry
>to a Netscape Directory via perl-ldap with a jpeg photo.
>
>The problem I am having is that the jpeg photo doesn't seem to get added correctly.
>
>I am using the same basic sample code from the Mozilla FAQ:
>
>$filename="test.jpg";
>if (-e $fileName) {
>    open(JPEG, $fileName) || die;
>    while (sysread JPEG, $buf, 1024) {
>        $jpegimage .= $buf;
>
>    }
>} else {
>    open(JPEG, $NOPHOTOJPG) || die;
>    $jpegimage=<JPEG>;
>    while (sysread JPEG, $buf, 1024) {
>        $jpegimage .= $buf;
>    }
>}
>$entry->{jpegphoto} = $jpegimage;
>
>Anyone had problems using this code to add binary data such as a jpeg photo
>to the Netscape 4.1 directory server?
>
>
>Thanks,
>
>Ken
>
>
>=========================
>Ken DeLay
>Senior Consultant
>Syntegra (USA)
>Phone: (303)-205-1621
>email: ken...@sy...
>=========================
>
From: Ken D. <ken...@sy...> - 2001-01-25 22:08:00
Excuse a newbie question, but I am trying to do something simple and add an entry to a Netscape Directory via perl-ldap with a jpeg photo.

The problem I am having is that the jpeg photo doesn't seem to get added correctly.

I am using the same basic sample code from the Mozilla FAQ:

    $filename="test.jpg";
    if (-e $fileName) {
        open(JPEG, $fileName) || die;
        while (sysread JPEG, $buf, 1024) {
            $jpegimage .= $buf;

        }
    } else {
        open(JPEG, $NOPHOTOJPG) || die;
        $jpegimage=<JPEG>;
        while (sysread JPEG, $buf, 1024) {
            $jpegimage .= $buf;
        }
    }
    $entry->{jpegphoto} = $jpegimage;

Anyone had problems using this code to add binary data such as a jpeg photo to the Netscape 4.1 directory server?

Thanks,

Ken

=========================
Ken DeLay
Senior Consultant
Syntegra (USA)
Phone: (303)-205-1621
email: ken...@sy...
=========================
From: Booker C. B. <bb...@ne...> - 2001-01-25 19:12:59
On Wed, 24 Jan 2001, Jeff Mandel wrote:

> I was wondering if anyone had the experience of one of their programs
> knocking out a Netscape LDAP server?
>
> I was testing a small program that queried for mail and
> mailalternateaddresses. There are not that many users in the database -
> less than 500. I got a Net::IO Socket error, and then noticed the ldap
> server was dead. I started it up and tried again. Still it was killed.
> So I tried again on a different host and knocked that one out too.
> I couldn't get any errors in the log - just the entries stating it was
> recovering from a disorderly shutdown when it restarted.
>
> I figured there was probably an update to Net::LDAP, and used cpan to
> get it. The cpan module also said that cpan itself had a later version
> and I proceeded to update it. (Rather, it updated itself.) It updated
> libnet and a bunch of other things, so I don't know where the culprit
> might have been. After the update, no more konking out my ldap server.
> But, wait...
>
> Good packet or bad, it seemed all too easy to kill the running instance
> of slapd. I don't know if it was a bad search filter or perhaps a
> malformed packet by the perl modules. Either way, it starts to feel like
> the ldap server is not as stable as I expected. This on 4.11 and 4.2.
>
> Has anyone else experienced this?
>

- This is not really a perl-ldap question, but yes it's easy to kill just about any ldap server on the market. On any server based on the Umich code (i.e. netscape, openldap ), a few searches on an unindexed variable will bring the server to its knees.

- If you're depending on ldap for crucial services then you really need at least 3 servers at a minimum. And you need to think hard and long about allowing unauthenticated access.

- Booker C. Bense
From: Jeff M. <jef...@pr...> - 2001-01-24 21:34:04
I was wondering if anyone had the experience of one of their programs knocking out a Netscape LDAP server?

I was testing a small program that queried for mail and mailalternateaddresses. There are not that many users in the database - less than 500. I got a Net::IO Socket error, and then noticed the ldap server was dead. I started it up and tried again. Still it was killed. So I tried again on a different host and knocked that one out too. I couldn't get any errors in the log - just the entries stating it was recovering from a disorderly shutdown when it restarted.

I figured there was probably an update to Net::LDAP, and used cpan to get it. The cpan module also said that cpan itself had a later version and I proceeded to update it. (Rather, it updated itself.) It updated libnet and a bunch of other things, so I don't know where the culprit might have been. After the update, no more konking out my ldap server. But, wait...

Good packet or bad, it seemed all too easy to kill the running instance of slapd. I don't know if it was a bad search filter or perhaps a malformed packet by the perl modules. Either way, it starts to feel like the ldap server is not as stable as I expected. This on 4.11 and 4.2.

Has anyone else experienced this?

Thanks,
Jeff
From: Graham B. <gb...@po...> - 2001-01-24 20:00:41
----- Forwarded message from Douglas Gray Stephens <DGr...@sl...> -----

Date: Wed, 24 Jan 2001 19:03:25 +0000
To: per...@li...
Cc: gb...@po...
From: "Douglas Gray Stephens" <DGr...@sl...>
Subject: Connecting to LDAP over SSL
X-Mailer: emacs 20.7.1 (via feedmail 9-beta-7 I); VM 6.90 under Emacs 20.7.1

Hi,

I am trying to connect to an LDAP server over SSL (i.e. port 636).

I looked at perldap (v1.4) and perl-ldap (v 0.22), and both hint that they can connect to an LDAP over SSL. However perldap appears to want to use a local certificate for client authentication, while it should be possible to use SSL simply to secure the communications channel.

Using the following perl-ldap snippet I can connect to the LDAP server (without SSL):

    use Net::LDAP;

    $ldap = new Net::LDAP('ldap:389','timeout'=>300) or die "$@";

    $mesg = $ldap->search ( # perform a search
        base => "o=slb,c=AN",
        filter => "alias=dgraystephens"
    );

    $mesg->code && die $mesg->error;

    foreach $entry ($mesg->all_entries) { $entry->dump; }

however if I try to use an SSL connection, i.e.

    use Net::LDAPS;

    $ldap = new Net::LDAPS('ldap:636') or die "$@";

    $mesg = $ldap->search ( # perform a search
        base => "o=slb,c=AN",
        filter => "alias=dgraystephens"
    );

    $mesg->code && die $mesg->error;

    foreach $entry ($mesg->all_entries) { $entry->dump; }

then the code fails to run

    Can't locate IO/Socket/SSL.pm in @INC (@INC contains:
    D:/Applications/Perl/lib D:/Applications/Perl/site/lib .) at
    D:/Applications/Perl/site/lib/Net/LDAPS.pm line 14. BEGIN
    failed--compilation aborted at
    D:/Applications/Perl/site/lib/Net/LDAPS.pm line 14. Compilation failed
    in require at temp.pl line 6.
    BEGIN failed--compilation aborted at temp.pl line 6.

I can connect over SSL to a WEB server (i.e. HTTPS).

The IO::Socket::SSL module is not included in the perl-ldap module that is available via the package manager. I believe that the module is (or was) part of the Bundle::Net::LDAP package http://www.perldoc.com/cpan/Bundle/Net/LDAP.html which I cannot locate?

Is IO::Socket::SSL (or the Bundle::Net::LDAP package) available for windows?

Has anyone managed to use perl-ldap (or another LDAP module) to communicate with an LDAP server over SSL?

Thanks in advance,

Douglas.

--

================================
Dr. Douglas GRAY STEPHENS
SL-IT Security (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND

Phone +44 1223 325295
Fax +44 1223 311830
Email DGr...@sl...
================================

----- End forwarded message -----
From: Jim H. <ha...@us...> - 2001-01-24 14:16:30
use

    $Query = &(cn=*medi*)(|(city=Phoenix)(city=Santa Clara))

& and | are prefix operators, not infix.

On Wed, 24 Jan 2001, Graham Barr wrote:

> ----- Forwarded message from Medi Montaseri <me...@sc...> -----
>
> Date: Tue, 23 Jan 2001 10:21:02 -0800
> To: gb...@po...
> From: Medi Montaseri <me...@sc...>
> Subject: Net::LDAP::Filter
> X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16-22 i686)
>
> Hi Graham,
>
> I am having some difficulties setting up a dynamically generated Filter
> in my CGI.
> Could you help?
>
> I want to be able to construct a filter that is a mix of AND and OR
> logic. eg
> Here is the logic
>
> If name is provided, then $Query = &(cn=$name)
> also, if city is provided, then
> Query = city-1 or city-2 and name= $name
>
> More specifically
>
>     $Query = '|(city=Phoenix)(city=Santa Clara)'
>     $ldap->search( base => 'o=Prepass, c=US', filter => "($Query)" )
>
> works fine.
> but
>
>     $Query = &(cn=*medi*)|(city=Phoenix)(city=Santa Clara)
>     $ldap->search( base => 'o=Prepass, c=US', filter => "($Query)" )
>
> yields "Bad Filter"
>
> I have tried putting () around each group to no avail. Can you show
> me a mix of AND and OR logic in a filter please.
>
> --
> =======================================================================
> Medi Montaseri, me...@sc..., 408-450-7114
> Lockheed Martin IMS (Prepass), IT/Operations, Software Eng.
> =======================================================================
>
>
>
> ----- End forwarded message -----
>
From: Chris R. <chr...@me...> - 2001-01-24 11:00:56
"Klunder, JAA (Hans)" <J.A...@rf...> wrote:
> Dear all,
>
> It might be a bit off topic, but anyway:
>
> I'm having a discussion with a colleague on LDAP search filters, do AND and
> OR work on 2 filter components or on N filter components.
>
> so is:
>
> (|(cn=a)(cn=b)(cn=c))
>
> allowed, or need I specify:
>
> (|(|(cn=a)(cn=b))(cn=c))
>
> Our server (messagingDirect) supports both, but I'm wondering if this is
> intentional.
>
> Thanks for any help,
>
> Hans

LDAP clients only send filters encoded in ASN.1 to the server, and in ASN.1 filters are allowed to have multiple terms in and/or expressions. RFC 2251:

    Filter ::= CHOICE {
        and             [0] SET OF Filter,
        or              [1] SET OF Filter,
        ...
    }

The SET OF above is unbounded, so you can have one, two, or more elements in the SET OF.

The string form of filters appears to also allow multiple items in a simple filter expression. RFC 2254:

    filter     = "(" filtercomp ")"
    filtercomp = and / or / not / item
    and        = "&" filterlist
    or         = "|" filterlist
    not        = "!" filter
    filterlist = 1*filter
    (etc)

According to the ABNF defined in RFC 822, 1*filter means 'at least one and at most infinite occurrences of filter'.

So both filters are, I think, legal.

Cheers,

Chris
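To make the grammar in Chris's answer and the prefix-operator point in Jim's reply to Medi concrete, here is an added example, not code from the thread or from Net::LDAP::Filter: a small recursive-descent checker for the RFC 2254 rules quoted above, with extensible matches left out. The function names are my own and the test strings are constructed from the filters posted in the two threads.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Grammar checked (RFC 2254; extensible matches omitted):
#   filter     = "(" filtercomp ")"
#   filtercomp = and / or / not / item
#   and        = "&" filterlist        ; filterlist = 1*filter
#   or         = "|" filterlist
#   not        = "!" filter
#   item       = attr filtertype value ; filtertype is = ~= >= <=
# parse_filter() returns a nested array-ref tree, or dies with the
# offset at which the text stopped matching the grammar.
sub parse_filter {
    my ($text) = @_;
    my $pos  = 0;
    my $tree = _filter(\$text, \$pos);
    die "trailing text at offset $pos\n" if $pos != length $text;
    return $tree;
}

# One character at the cursor, or '' once the end is reached.
sub _peek {
    my ($t, $p) = @_;
    return $$p < length($$t) ? substr($$t, $$p, 1) : '';
}

sub _filter {
    my ($t, $p) = @_;
    _peek($t, $p) eq '(' or die "expected '(' at offset $$p\n";
    $$p++;
    my $node = _filtercomp($t, $p);
    _peek($t, $p) eq ')' or die "expected ')' at offset $$p\n";
    $$p++;
    return $node;
}

sub _filtercomp {
    my ($t, $p) = @_;
    my $c = _peek($t, $p);
    if ($c eq '&' || $c eq '|') {
        $$p++;
        # 1*filter: the prefix operator is followed by one or more
        # complete "(...)" filters; there is no infix form.
        my @list;
        push @list, _filter($t, $p) while _peek($t, $p) eq '(';
        die "'$c' needs at least one filter at offset $$p\n" unless @list;
        return [ $c eq '&' ? 'and' : 'or', @list ];
    }
    if ($c eq '!') {
        $$p++;
        return [ 'not', _filter($t, $p) ];
    }
    return _item($t, $p);
}

sub _item {
    my ($t, $p) = @_;
    # Parentheses inside a value must be escaped as \28 and \29, so the
    # value simply runs to the next ')'; a '*' in it makes a presence
    # or substring match.
    if (substr($$t, $$p) =~ /\A([\w.;-]+)(~=|>=|<=|=)([^()]*)/) {
        $$p += length($1) + length($2) + length($3);
        return [ 'item', $1, $2, $3 ];
    }
    die "bad item at offset $$p\n";
}

# Constructed cases: Hans's two forms, Medi's rejected filter, the prefix
# form Jim suggested, and an operator with no operands.
my @cases = (
    '(|(cn=a)(cn=b)(cn=c))',                              # n-ary OR
    '(|(|(cn=a)(cn=b))(cn=c))',                           # nested pairs
    '(&(cn=*medi*)|(city=Phoenix)(city=Santa Clara))',    # infix '|'
    '(&(cn=*medi*)(|(city=Phoenix)(city=Santa Clara)))',  # prefix '|'
    '(&)',   # illegal under 1*filter (RFC 4526 later allowed it)
);
for my $f (@cases) {
    my $tree = eval { parse_filter($f) };
    my $err  = $@;
    chomp $err;
    printf "%-53s %s\n", $f, $tree ? 'ok' : "Bad Filter: $err";
}
```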
From: Klunder, J. (Hans) <J.A...@rf...> - 2001-01-24 10:34:26
Dear all,

It might be a bit off topic, but anyway:

I'm having a discussion with a colleague on LDAP search filters, do AND and OR work on 2 filter components or on N filter components.

so is:

    (|(cn=a)(cn=b)(cn=c))

allowed, or need I specify:

    (|(|(cn=a)(cn=b))(cn=c))

Our server (messagingDirect) supports both, but I'm wondering if this is intentional.

Thanks for any help,

Hans

================================================
The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.
================================================