From: Eric S. J. <es...@ha...> - 2000-06-05 17:49:05
|
This is probably more of a perl problem than anything else, but I'm trying to figure out how to pass a dynamic list of attributes to LDAP add. The base attribute list looks exactly like:

    $base_attributes = {
        objectclass => 'minimalRadiusPerson',
        ServiceType => '2',
        FramedProtocol => 'PPP',
        FramedMTU => '1500',
        AscendIdleLimit => '900'
    };

As the data source specifies additional attributes, I add them to the hash. Passing them on the other hand has been a bit of a problem. I'm missing something about perl references which will let me pass this reference to an anonymous hash in as an attrs argument. I've tried different forms but I'm not getting the right level of dereferencing. What am I missing?

    ...
    $ldap_res = $mast_srv->add ($dn, attrs => $base_attributes );
    die "unable to add entry $dn " if ($ldap_res->code);
From: Graham B. <gb...@po...> - 2000-06-05 16:05:11
|
On Mon, Jun 05, 2000 at 02:19:35PM +0200, Bob Pepin wrote: > Hi, > seems someone forgot a parameter to _sendmesg in the definition of unbind(). > Makes perl throw a runtime error when calling unbind(). > > --- perl-ldap-0.16/lib/Net/LDAP.pm.orig Mon Jun 5 13:58:25 2000 > +++ perl-ldap-0.16/lib/Net/LDAP.pm Mon Jun 5 13:10:44 2000 > @@ -138,7 +138,7 @@ > controls => $arg->{control} > ) or return $mesg->set_error(LDAP_ENCODING_ERROR,"$@"); > > - $ldap->_sendmesg(); > + $ldap->_sendmesg($mesg); > } This has already been fixed in 0.18 > We had a problem with perl-ldap a few times that it would just hang when > calling the search() method, and not send out any requests to the server > anymore, but I couldn't reproduce it yet, though I suspect that it might have > something to do with the connection to the ldap server having been open for a > few days already in each case. Have been told that the error message included > something about buffers, though I'm not sure about this. I suspect perl-ldap > could be leaking something somewhere. This was all under perl-ldap 0.13. If you could give more information, like a debug trace etc, it would be of great help. Graham. |
From: Mark W. <mew...@un...> - 2000-06-05 15:28:49
|
On Sun, 4 Jun 2000, David Leigh wrote:

> I am looking for a clean way to securely authenticate a cgi script to
> LDAP. Here are a couple scenarios that I could use some help with:
>
> Scenario 1:
> 1) User brings up an authenticated cgi in their browser
> 2) The web server prompts for username & passwd, authenticates the user,
> and runs the cgi
> 3) The cgi binds to the LDAP server as the authenticated user
> 4) User pulls data, makes changes, etc...
>
> I don't care much what method of authentication is used (Unix, LDAP,
> Kerberos, etc...) It seems like Kerberos would be appropriate in this
> case, but does perl-ldap support kerberos?

LDAP v3 allows you to use different authentication mechanisms via SASL and Net::LDAP supports SASL (it's not widely tested so I can't say how well).

Of course, is this CGI script designed to update an LDAP server or is it doing something else and you're looking for a network authentication system? If it's designed to update an LDAP server then you must use LDAP to authenticate. If you're simply authenticating a CGI script for something else and you want to use kerberos, then you don't need LDAP at all.

> Scenario 2:
> 1) User hits the authenticated cgi
> 2) The web server authenticates the user and runs the cgi
> 3) The cgi binds to the LDAP server as a predefined user, ie.
> "webadmin".
> 4) User pulls data, makes changes, etc... and the LDAP server thinks
> it's "webadmin" that's doing all the work.
>
> The trick here is that I don't want the password for "webadmin" to be
> accessible to users. The way I have it now, anyone looking can bind to
> the LDAP server as "webadmin" after looking at the cgi source. Is there
> any way to set this up so that the password is not opaque?

No. But then your CGI source code should only be read by people who have shell access to your server. I really don't like using things like this to update the server because it puts all of the access controls on your application instead of using LDAP's.

It looks like (you didn't really give us a lot of information to go on here) that you're trying to develop a CGI program to update an LDAP server. In this case you should use LDAP to authenticate. Now if you have your LDAP server set up to do SASL with Kerberos instead of simple authentication, then you can use that if you want.

Mark

> Thanks,
> -David
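Scenario 1 from this exchange (bind to the directory as the end user, so the server's own access controls apply to every operation) as an added example that is not part of the original posts or of perl-ldap. The host, base DN, the `uid` naming attribute, the environment variable names and the `bind_as_user` helper are assumptions, as is a directory that allows an anonymous search for the DN lookup.

```perl
#!/usr/bin/perl
# Added example: search-then-bind as the end user (Scenario 1).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_name);

# Hypothetical deployment values; replace with your own.
my $LDAP_URI = 'ldaps://ldap.example.com';
my $BASE_DN  = 'o=Example';

# Returns (bound Net::LDAP handle, undef) or (undef, reason).
sub bind_as_user {
    my ($uid, $password) = @_;

    # Many servers treat a simple bind with a DN and an empty password
    # as an unauthenticated bind and may report success, so reject
    # empty credentials before talking to the server at all.
    return (undef, 'empty credentials')
        unless defined $uid && length $uid
            && defined $password && length $password;

    # ldaps:// keeps the simple-bind password off the wire in clear text.
    my $ldap = Net::LDAP->new($LDAP_URI, timeout => 10, verify => 'require')
        or return (undef, "connect failed: $@");

    # Look up the user's DN (anonymous search, an assumption). The uid
    # comes from the browser, so escape it before building the filter.
    my $search = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($uid) . ')',
        attrs  => ['1.1'],              # ask for the DN only
    );
    if ($search->code || $search->count != 1) {
        $ldap->unbind;
        return (undef, 'no unique entry for user');
    }
    my $dn = $search->entry(0)->dn;

    # Bind as the user. No shared "webadmin" password lives in the CGI,
    # and the directory's ACLs decide what this session may change.
    my $bind = $ldap->bind($dn, password => $password);
    if ($bind->code) {
        $ldap->unbind;
        return (undef, ldap_error_name($bind->code));
    }
    return ($ldap, undef);
}

# Demo call. DEMO_UID and DEMO_PASSWORD are hypothetical variable names;
# in a CGI the values come from the submitted login form.
my ($ldap, $err) = bind_as_user($ENV{DEMO_UID}, $ENV{DEMO_PASSWORD});
print $err ? "rejected: $err\n" : "bound as end user\n";
$ldap->unbind if $ldap;
```

Run without the two variables set, the script stops at the empty-credentials check and never contacts a server.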
From: Bob P. <bo...@pr...> - 2000-06-05 12:22:42
|
Hi, seems someone forgot a parameter to _sendmesg in the definition of unbind(). Makes perl throw a runtime error when calling unbind(). --- perl-ldap-0.16/lib/Net/LDAP.pm.orig Mon Jun 5 13:58:25 2000 +++ perl-ldap-0.16/lib/Net/LDAP.pm Mon Jun 5 13:10:44 2000 @@ -138,7 +138,7 @@ controls => $arg->{control} ) or return $mesg->set_error(LDAP_ENCODING_ERROR,"$@"); - $ldap->_sendmesg(); + $ldap->_sendmesg($mesg); } We had a problem with perl-ldap a few times that it would just hang when calling the search() method, and not send out any requests to the server anymore, but I couldn't reproduce it yet, though I suspect that it might have something to do with the connection to the ldap server having been open for a few days already in each case. Have been told that the error message included something about buffers, though I'm not sure about this. I suspect perl-ldap could be leaking something somewhere. This was all under perl-ldap 0.13. |
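Review bot: the hunk at @@ -138,7 +138,7 @@ corrects the call but ships no test for unbind(). Passing $mesg to _sendmesg is consistent with the encode step just above it, which builds and error-checks $mesg, so the change itself looks right; a test that calls unbind() on a connected handle would have caught the runtime error described in the message, and the other request methods in lib/Net/LDAP.pm are worth checking for any remaining _sendmesg() call without an argument.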
From: Graham B. <gb...@po...> - 2000-06-05 09:52:20
|
On Mon, Jun 05, 2000 at 11:41:20AM +0200, Jean-Claude Giese wrote:

> I use the Unicode-String module, works well. You should also use
> perl5.6 which has native UTF-8 support (tr/// can convert in UTF-8).

perl5.6 has many issues, one of which is that Net::LDAP may not work correctly. I would suggest waiting until 5.6.1

Graham.
From: Jean-Claude G. <Jea...@lo...> - 2000-06-05 09:44:03
|
Hansen Erik writes:

> Hi,
> I want to add entries with (German) special characters in the cn and sn
> field. How can I get these Strings to the UTF-8 format?
> I thought that the <Unicode-String-2.06> module could be an option, but I
> get an installation error.
> Is there another way?
> thanks

I use the Unicode-String module, works well. You should also use perl5.6 which has native UTF-8 support (tr/// can convert in UTF-8).

--
Jean-Claude
From: Hansen E. <eh...@de...> - 2000-06-05 09:38:11
|
Hi,

I want to add entries with (German) special characters in the cn and sn field. How can I get these Strings to the UTF-8 format? I thought that the <Unicode-String-2.06> module could be an option, but I get an installation error. Is there another way?

thanks
Erik
From: Hansen E. <eh...@de...> - 2000-06-05 09:28:04
|
ok..fixed. It was some kind of server-configuration Problem. The server did not create the base dn. Now it works fine. Thanks for all of your help. erik |
From: David L. <dl...@us...> - 2000-06-04 12:16:29
|
I am looking for a clean way to securely authenticate a cgi script to LDAP. Here are a couple scenarios that I could use some help with:

Scenario 1:
1) User brings up an authenticated cgi in their browser
2) The web server prompts for username & passwd, authenticates the user, and runs the cgi
3) The cgi binds to the LDAP server as the authenticated user
4) User pulls data, makes changes, etc...

I don't care much what method of authentication is used (Unix, LDAP, Kerberos, etc...) It seems like Kerberos would be appropriate in this case, but does perl-ldap support kerberos?

Scenario 2:
1) User hits the authenticated cgi
2) The web server authenticates the user and runs the cgi
3) The cgi binds to the LDAP server as a predefined user, ie. "webadmin".
4) User pulls data, makes changes, etc... and the LDAP server thinks it's "webadmin" that's doing all the work.

The trick here is that I don't want the password for "webadmin" to be accessible to users. The way I have it now, anyone looking can bind to the LDAP server as "webadmin" after looking at the cgi source. Is there any way to set this up so that the password is not opaque?

Thanks,
-David
From: Stuart S. <Stu...@iw...> - 2000-06-02 14:23:45
|
Erik, Have you tried creating the organisation object first before trying to create objects beneath it? Stuart. |
From: Graham B. <gb...@po...> - 2000-06-02 12:22:52
|
As your directory is currently empty I suppose it could be a configuration error with your server. But I am not sure, maybe someone else on the list can shed light.

Have you tried adding with any other tools, for example the tools that come with OpenLDAP?

But in the event it is a problem with Net::LDAP can you turn on debug just before the ->add call with

    $ldap->debug(3);

and post the output. Also what version of Net::LDAP are you using?

Graham.

On Fri, Jun 02, 2000 at 02:05:57PM +0200, Hansen Erik wrote:

> first...thanks for your help Graham.
>
> But now there is another problem:
>
> i get the following error:
> error 32, LDAP_NO_SUCH_OBJECT, The server cannot find an object specified in
> the request
>
> and my code looks like this:
>
> $result = $ldap->add(
>     dn => 'cn=xyz,o=debis Systemhaus Darmstadt',
>     attr => [
>         'objectclass' => ['top','person'],
>         'cn' => 'xyz',
>         'sn' => 'xyz'
>     ]
> );
>
> so, why do I get the message no such object? I don't understand...sure it
> does not exist, that's why I add it for? Or which object is meant?
>
> (perhaps this is interesting: my Ldap-Directory is completely empty, this is
> the first entry i want to add)
>
> thanks for your help
> Erik Hansen
From: Chris R. <Chr...@me...> - 2000-06-02 12:21:36
|
On Fri, 02 Jun 2000 14:05:57 +0200, Hansen Erik wrote:

> first...thanks for your help Graham.
>
> But now there is another problem:
>
> i get the following error:
> error 32, LDAP_NO_SUCH_OBJECT, The server cannot find an object specified in
> the request
>
> and my code looks like this:
>
> $result = $ldap->add(
>     dn => 'cn=xyz,o=debis Systemhaus Darmstadt',
>     attr => [
>         'objectclass' => ['top','person'],
>         'cn' => 'xyz',
>         'sn' => 'xyz'
>     ]
> );
>
> so, why do I get the message no such object? I don't understand...sure it
> does not exist, that's why I add it for? Or which object is meant?

You will get this if the parent entry doesn't exist. LDAP sets the matchedDN in the result (accessible via $result->dn in Net::LDAP) which will contain the DN of the closest parent entry the directory could find, depending on access controls.

If the parent entry doesn't exist, you will have to create it first.

> (perhaps this is interesting: my Ldap-Directory is completely empty, this is
> the first entry i want to add)
>
> thanks for your help
> Erik Hansen

Cheers,
Chris
From: Hansen E. <eh...@de...> - 2000-06-02 12:08:44
|
first...thanks for your help Graham.

But now there is another problem:

i get the following error:
error 32, LDAP_NO_SUCH_OBJECT, The server cannot find an object specified in the request

and my code looks like this:

    $result = $ldap->add(
        dn => 'cn=xyz,o=debis Systemhaus Darmstadt',
        attr => [
            'objectclass' => ['top','person'],
            'cn' => 'xyz',
            'sn' => 'xyz'
        ]
    );

so, why do I get the message no such object? I don't understand...sure it does not exist, that's why I add it for? Or which object is meant?

(perhaps this is interesting: my Ldap-Directory is completely empty, this is the first entry i want to add)

thanks for your help
Erik Hansen
From: Graham B. <gb...@po...> - 2000-06-02 10:12:39
|
On Fri, Jun 02, 2000 at 11:28:47AM +0200, Hansen Erik wrote:

> i try to add an entry to my ldap-directory. the ldap->add command gives back
> an error but doesn't say which one.
>
> $result = $ldap->add(
>     dn => 'uid=xyz,o=debis Systemhaus Darmstadt',
>     attr => [ 'cn' => 'xyz',
>               'sn' => 'xyz',
>               'objectclass' => ['top','person']
>     ]
> );

adding here

    use Net::LDAP::Util qw(ldap_error_name);
    warn ldap_error_name($result->code) if $result->code;

would have shown

    LDAP_OBJECT_CLASS_VIOLATION

or using ldap_error_text you would have got

    The request specifies a change to an existing entry or the addition of a new entry that does not comply with the servers schema

Graham.
From: Hansen E. <eh...@de...> - 2000-06-02 09:32:00
|
i try to add an entry to my ldap-directory. the ldap->add command gives back an error but doesn't say which one.

    $result = $ldap->add(
        dn => 'uid=xyz,o=debis Systemhaus Darmstadt',
        attr => [ 'cn' => 'xyz',
                  'sn' => 'xyz',
                  'objectclass' => ['top','person']
        ]
    );

The netscape directory server 3.1 protocol gives the following information (error 65). what does this error mean? Is there any documentation about the LDAP-Error codes?

    [02/Jun/2000:11:17:42 +0200] conn=13 op=0 BIND dn="cn=root" method=128 version=2
    [02/Jun/2000:11:17:42 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0
    [02/Jun/2000:11:17:43 +0200] conn=13 op=1 ADD dn="uid=xyz,o=debis Systemhaus Darmstadt"
    [02/Jun/2000:11:17:43 +0200] conn=13 op=1 RESULT err=65 tag=105 nentries=0
    [02/Jun/2000:11:17:43 +0200] conn=13 op=2 UNBIND
    [02/Jun/2000:11:17:43 +0200] conn=13 op=2 fd=568 closed

please help me...
Erik Hansen
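The access-log excerpt in the message above pairs each request with a RESULT line through its conn and op numbers. An added example (not from the original post) that does this pairing, names non-zero result codes with Net::LDAP::Util, and flags simple binds with an empty DN, the anonymous-bind symptom reported elsewhere in this archive; the `triage` helper is hypothetical and the last two sample lines are constructed on the assumption that they follow the same format.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Util qw(ldap_error_name);

# Pair each request with its RESULT line (same conn and op) and return
# one finding per failed operation or anonymous simple bind.
sub triage {
    my @lines = @_;
    my (%pending, @findings);
    for my $line (@lines) {
        my ($when, $conn, $op, $verb, $rest) =
            $line =~ /^\[([^\]]+)\]\s+conn=(\d+)\s+op=(\d+)\s+([A-Z]+)\b\s*(.*)$/
            or next;                    # skips e.g. the "fd=568 closed" line
        my $key = "$conn/$op";
        if ($verb eq 'RESULT') {
            my ($err) = $rest =~ /\berr=(\d+)/ or next;
            my $req = delete $pending{$key} or next;
            next if $err == 0;
            push @findings, sprintf '%s conn=%d op=%d %s dn="%s" -> %s (%d)',
                $when, $conn, $op, $req->{verb}, $req->{dn},
                ldap_error_name($err), $err;
        }
        else {
            my ($dn) = $rest =~ /\bdn="([^"]*)"/;
            $dn = '' unless defined $dn;
            $pending{$key} = { verb => $verb, dn => $dn };
            # method=128 is a simple bind; an empty DN makes it anonymous.
            push @findings, "$when conn=$conn op=$op anonymous simple BIND"
                if $verb eq 'BIND' && $dn eq '' && $rest =~ /\bmethod=128\b/;
        }
    }
    return @findings;
}

my @log = (
    # Lines from the message above:
    '[02/Jun/2000:11:17:42 +0200] conn=13 op=0 BIND dn="cn=root" method=128 version=2',
    '[02/Jun/2000:11:17:42 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0',
    '[02/Jun/2000:11:17:43 +0200] conn=13 op=1 ADD dn="uid=xyz,o=debis Systemhaus Darmstadt"',
    '[02/Jun/2000:11:17:43 +0200] conn=13 op=1 RESULT err=65 tag=105 nentries=0',
    '[02/Jun/2000:11:17:43 +0200] conn=13 op=2 UNBIND',
    '[02/Jun/2000:11:17:43 +0200] conn=13 op=2 fd=568 closed',
    # Constructed lines (not from the post), same format assumed:
    '[02/Jun/2000:11:20:01 +0200] conn=14 op=0 BIND dn="" method=128 version=2',
    '[02/Jun/2000:11:20:01 +0200] conn=14 op=0 RESULT err=0 tag=97 nentries=0',
);
print "$_\n" for triage(@log);
```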
From: Clif H. <cl...@di...> - 2000-05-31 22:11:36
|
>
> Hi,
>
> Has anyone ever built a script which does an LDIF to SQL conversion?
> I know this isn't rocket science but I figured I would check before building
> it myself.
>
> Thanks,
>
> > _______
> >
> > Mike Mazzolini
> > Bank Of America
> > mi...@cr...
> > 312-234-2679
> > - Whether you think you can or think you can't, you're right!
> >
> >
>

Yes, I LDIF to SQL (MySQL) every day. It is not rocket science but it will be a custom process.

Regards,
Clif Harden
INTERNET: c-h...@ti...
From: Jim H. <ha...@us...> - 2000-05-31 21:18:04
|
There have been numerous discussions about the topic of LDAP and SQL in this mail list and the plain ldap list. The gist is that relational databases and LDAP directories are very different animals and conversion between the two is not straightforward, especially with things like multi-valued attributes.

I have written a set of applications to keep our directory and our database in synch. There are numerous special cases and exceptions in the code. It's not pretty, but it works. The bottom line is that there isn't a magic elixir to convert between the 2.

Jim Harle
US Naval Academy

On Wed, 31 May 2000 mi...@cr... wrote:

> Hi,
>
> Has anyone ever built a script which does an LDIF to SQL conversion?
> I know this isn't rocket science but I figured I would check before building
> it myself.
>
> Thanks,
>
> > _______
> >
> > Mike Mazzolini
> > Bank Of America
> > mi...@cr...
> > 312-234-2679
> > - Whether you think you can or think you can't, you're right!
> >
> >
>
From: <lhe...@ci...> - 2000-05-31 17:28:56
|
subscribe -- Luis Enrique Hernandez C I T I Sendero Sur 285 Col. Country Monterrey, N.L. 64860 Mexico Tel (528) 357-2267 Fax (528) 357-8047 http://www.citi.com.mx |
From: <mi...@cr...> - 2000-05-31 14:35:21
|
Hi,

Has anyone ever built a script which does an LDIF to SQL conversion? I know this isn't rocket science but I figured I would check before building it myself.

Thanks,

> _______
>
> Mike Mazzolini
> Bank Of America
> mi...@cr...
> 312-234-2679
> - Whether you think you can or think you can't, you're right!
>
>
From: Jochen S. <Joc...@ic...> - 2000-05-31 13:45:21
|
> > Just to understand it, how could wrong iterators in different processes
> > influence each other?
>
> Hm, I have no idea about that, unless one process was a fork of the
> other with an exec.

The processes run independently on different systems ... hm, mysterious! But well, it works now ...

Thanks again

Jochen
From: Graham B. <gb...@po...> - 2000-05-31 12:33:17
|
On Wed, May 31, 2000 at 02:24:15PM +0200, Jochen Stenzel wrote:

> > This is a known problem. A patch is attached
>
> Thank you, this fixed the problem.
>
> Just to understand it, how could wrong iterators in different processes
> influence each other?

Hm, I have no idea about that, unless one process was a fork of the other with an exec.

Graham.
From: Jochen S. <Joc...@ic...> - 2000-05-31 12:26:31
|
> This is a known problem. A patch is attached

Thank you, this fixed the problem.

Just to understand it, how could wrong iterators in different processes influence each other?

Jochen
From: Graham B. <gb...@po...> - 2000-05-31 11:59:55
|
This is a known problem. A patch is attached

Graham.

On Wed, May 31, 2000 at 01:07:40PM +0200, Jochen Stenzel wrote:

> Hello,
>
> I'm using version 0.18 of the module. Since I've updated from 0.14,
> privileged logins sometimes fail: every second attempt is accepted only
> as an ANONYMOUS login (I'm logging in for every query). This happens
> reproducibly for query sequences performed by ONE client as well as by
> SEVERAL clients (A logs in and succeeds, B logs in and fails, A ok, B
> fails, B ok, A fails, etc.)
>
> Reading the traces displayed with debug=>3 I saw that the login string
> is sent incompletely when the privileged logins fail. Is this a known
> behaviour?
>
> Thanks in advance
>
> Jochen
From: Jochen S. <Joc...@ic...> - 2000-05-31 11:09:54
|
Hello,

I'm using version 0.18 of the module. Since I've updated from 0.14, privileged logins sometimes fail: every second attempt is accepted only as an ANONYMOUS login (I'm logging in for every query). This happens reproducibly for query sequences performed by ONE client as well as by SEVERAL clients (A logs in and succeeds, B logs in and fails, A ok, B fails, B ok, A fails, etc.)

Reading the traces displayed with debug=>3 I saw that the login string is sent incompletely when the privileged logins fail. Is this a known behaviour?

Thanks in advance

Jochen
From: <Sim...@wi...> - 2000-05-30 20:55:04
|
Mark,

Many thanks for the lead!

I found that your script had uppercase DN in the ldap->bind. This seemed to cause ldap.pm to do an anonymous bind. Changing to lowercase dn fixed the problem. The bind is now successful and the correct list is being returned.

Thank you for the prompt response.

Rgds,
Simon.

From Mark Wilcox <mew...@un...>
Date 20:28:06 30 May 2000
To: Simon Wilcox/BASE/WilliamsLea@WilliamsLea
cc: per...@li...
Fax to:
Subject: Re: Searching groups on Novell LDAP servers

A couple of things to check.

1) make sure that you're bound as a user who can read group memberships
2) make sure that Novell uses either groupOfUniqueNames or groupOfNames as their group object. I've never used Novell LDAP server so I have no idea what they are using. There is not a standard group object in LDAP, thus they could be using something else. The 2 groups I picked are essentially the de-facto standards, appearing in Netscape & openLDAP (which is derived from UMich).

If you can send me a sample LDIF of a group, I'll be happy to update my script to accommodate Novell if it does something else.

Mark