perl-ldap-dev

Re: [Fwd] Re: query on ldap->bind & ldap->compare

[Jim H. <ha...@us...>]

> Yes. And for now if method does not exist we can be compatable and give
> a warning.

This seems that it would eventually break every currently existing script,
since method isn't used.  Arghh!!
  --Jim Harle

On Thu, 4 May 2000, Graham Barr wrote:

> On Thu, May 04, 2000 at 03:43:27PM +0100, Chris Ridd wrote:
> > I think we're saying the same thing.
> > 
> > Examples:
> > 
> > 	bind(method => 'none')
> > 	bind(method => 'simple',
> >              dn => 'blah', password => 'blah')
> > 	bind(method => 'nameonly',
> > 	     dn => 'blah')
> > 	bind(method => 'sasl',
> > 	     dn => 'blah', ... more stuff for SASL ... )
> > 
> > Bind can look at method and do whatever checking it wants on the other 
> > parameters, like checking for empty passwords in certain cases.
> 
> Yes. And for now if method does not exist we can be compatable and give
> a warning.
> 
> Anyone want to submit a patch
> 
> Graham.
> 
> 

Re: [Fwd] Your LDAP Perl Module

[Graham B. <gb...@po...>]

On Thu, May 04, 2000 at 04:27:02PM +0100, Chris Ridd wrote:
> Graham, does the sample script look awfully familiar to you? Like the 
> start of an old version of LDAP.pod perhaps? :-)

Now that you mention it.

Graham.

Re: [Fwd] Re: query on ldap->bind & ldap->compare

[Graham B. <gb...@po...>]

On Thu, May 04, 2000 at 03:43:27PM +0100, Chris Ridd wrote:
> I think we're saying the same thing.
> 
> Examples:
> 
> 	bind(method => 'none')
> 	bind(method => 'simple',
>              dn => 'blah', password => 'blah')
> 	bind(method => 'nameonly',
> 	     dn => 'blah')
> 	bind(method => 'sasl',
> 	     dn => 'blah', ... more stuff for SASL ... )
> 
> Bind can look at method and do whatever checking it wants on the other 
> parameters, like checking for empty passwords in certain cases.

Yes. And for now if method does not exist we can be compatable and give
a warning.

Anyone want to submit a patch

Graham.

Re: [Fwd] Your LDAP Perl Module

[Chris R. <Chr...@me...>]

On Thu, 04 May 2000 15:47:25 BST, Graham Barr wrote:
> ----- Forwarded message from Gerald Roehrbein/Pctdmn <gro...@bi...> -----
> 
> From: Gerald Roehrbein/Pctdmn <gro...@bi...>
> Date: Thu, 4 May 2000 14:54:40 -0100
> To: gb...@po...
> Subject: Your LDAP Perl Module
> 
> 
> Hello Graham,
> 
> I try to use your LDAP Module but I'am not able to use it. Maybe I'am not 
> so experienced with LDAP.
> I have to write a little module that should do the following:
> 
> The Module have to use 3 Parameter (Name, Password, UniqueId)
> Then it should build a mail adress Uni...@my... and a mail alias. 
> The Software should query
> LDAP to permit/deny double e-mail aliases. And then it should add the data 
> to LDAP directory.
> 
> Sounds easy.
> 
> The prgram is from the examples of ACTIVE PERL but it does not run.
> The Source Code is below and the output of the programm is added below the 
> source. I do not know what the problem
> is and how to debug. I'am not an experienced Perl prorgammer so I do not 
> have any idea how to debug it and how to get more information about the 
> reasons of the errors.

A lot of the problems appear to be because you haven't taught your 
script enough about what information your LDAP server is holding.

> 
> ---------------------------------------------------------------------BEGIN 
> OF SOURCE-------------------------------------------------------------
> use CGI;
> # use strict # 'vars';
> # use Mail::Send;
> use Net::LDAP;
> # use Net::LDAP::message;
> 
>  $ldap = Net::LDAP->new('mcis01', debug=> 3) or die "$@";
>  $ldap->bind ;    # an anonymous bind
>  $mesg = $ldap->search (  # perform a search
>                         base   => "c=mcis01",

That isn't a legal country name. Country names can only be two 
characters wide, eg US, or GB, or EH. (A mini competition! Who can tell 
me where c=EH is?)

>                         filter => "(& (uid= (o=microsoft))"

That isn't a legal search filter. It should probably be something like:

			filter => '(&(uid=1234abcd)(o=microsoft))'

>  $result = $ldap->add (
>                          dn   => 'cn = Barbara Jensen',

That DN looks unlikely; it is indicating a person directly below the 
directory ROOT entry.

>               attr => [ 'cn'   => ['Barbara Jensen', 'Barbs Jensen'],
>                         #'sn'    => 'Jensen',
>                         'mail' => 'b.j...@um...'
>                       ]

This is not adding all the attributes that are required by the 
directory. In particular, you need to specify the objectclass attribute.

You need to work out:

1) what is the DN of the top entry that your LDAP server is storing. 
This entry is often called something like an "initial naming context", 
or possibly just "naming context".

2) where under this point you can add entries.

If you find out th DN of the top entry is "o=some company,c=US" then 
change the add to say:

	dn => "cn=Barbara Jensen,o=some company,c=US",

Graham, does the sample script look awfully familiar to you? Like the 
start of an old version of LDAP.pod perhaps? :-)

Cheers,

Chris

Re: [Fwd] Re: query on ldap->bind & ldap->compare

[Mark W. <mew...@un...>]

On Thu, 4 May 2000, Chris Ridd wrote:
> 
> > was just tinking of requiring one of sasl anon (none anonymous whatever) or
> > simple to be passed. This gives compatability with the current syntax and
> > gives checking too. Also a password of '' should probably not be allowed
> > with simple.
> 
> I think we're saying the same thing.
> 
> Examples:
> 
> 	bind(method => 'none')
> 	bind(method => 'simple',
>              dn => 'blah', password => 'blah')
> 	bind(method => 'nameonly',
> 	     dn => 'blah')
> 	bind(method => 'sasl',
> 	     dn => 'blah', ... more stuff for SASL ... )
+1 from me.
> 
> Bind can look at method and do whatever checking it wants on the other 
> parameters, like checking for empty passwords in certain cases.
> 
> > > The current default of 'none' should be kept.
> > 
> > You mean anonymous bind if no method is given ? That would leave
> > use where we are now if someone misspells method. I would rather
> > requier a method parameter.
> 
> Oh yeah :-) Sorry I must have been thinking about something else...
> 
By not allowing us to use blank passwords (except for none) I think this
will eliminate one more critical LDAP programming mistake (wish other APIs
would follow this path).

Mark
> > Graham.
> 
> Chris
> 
> 
> 

[Fwd] Your LDAP Perl Module

[Graham B. <gb...@po...>]

----- Forwarded message from Gerald Roehrbein/Pctdmn <gro...@bi...> -----

From: Gerald Roehrbein/Pctdmn <gro...@bi...>
Date: Thu, 4 May 2000 14:54:40 -0100
To: gb...@po...
Subject: Your LDAP Perl Module


Hello Graham,

I try to use your LDAP Module but I'am not able to use it. Maybe I'am not 
so experienced with LDAP.
I have to write a little module that should do the following:

The Module have to use 3 Parameter (Name, Password, UniqueId)
Then it should build a mail adress Uni...@my... and a mail alias. 
The Software should query
LDAP to permit/deny double e-mail aliases. And then it should add the data 
to LDAP directory.

Sounds easy.

The prgram is from the examples of ACTIVE PERL but it does not run.
The Source Code is below and the output of the programm is added below the 
source. I do not know what the problem
is and how to debug. I'am not an experienced Perl prorgammer so I do not 
have any idea how to debug it and how to get more information about the 
reasons of the errors.


---------------------------------------------------------------------BEGIN 
OF SOURCE-------------------------------------------------------------
use CGI;
# use strict # 'vars';
# use Mail::Send;
use Net::LDAP;
# use Net::LDAP::message;

 $ldap = Net::LDAP->new('mcis01', debug=> 3) or die "$@";
 $ldap->bind ;    # an anonymous bind
 $mesg = $ldap->search (  # perform a search
                        base   => "c=mcis01",
                        filter => "(& (uid= (o=microsoft))"
                       );
 print "Error: "+$mesg->error+"!!!";

 $mesg->code && die $mesg->error;
 foreach $entry ($mesg->all_entries) { print "ENTRY: "; $entry->dump; }
 $ldap->unbind;   # take down session


 $ldap = Net::LDAP->new('mcis01', debug =>3 );

  $ldap->bind (   # bind to a directory with dn and password
              dn       => 'cn=Administrator,ou=Members, o=microsoft',
              password => 'NetFRAME'
             );

 $result = $ldap->add (
                         dn   => 'cn = Barbara Jensen',
              # dn   => 'cn = Barbara Jensen',
              attr => [ 'cn'   => ['Barbara Jensen', 'Barbs Jensen'],
                        #'sn'    => 'Jensen',
                        'mail' => 'b.j...@um...'
                      ]
            );
  $result->code && warn "failed to add entry: ", $result->error ;

-------------------------------------------------------END OF 
SOURCE----------------------------------------------------
Output of the above source:

---------------------------------------------------------BEGIN OF 
LOG-------------------------------------------------------

C:\ldap>ldap.pl
Net::LDAP=HASH(0x8bbf1f0) sending:

30 0C 02 01 01 60 07 02 01 02 04 00 80 00 __ __ 0....`........

Net::LDAP=HASH(0x8bbf1f0) received:

30 0C 02 01 01 61 07 0A 01 00 04 00 04 00 __ __ 0....a........

Net::LDAP=HASH(0x8bbf1f0) sending:

30 32 02 01 02 63 2D 04 08 63 3D 6D 63 69 73 30 02...c-..c=mcis0
31 0A 01 02 0A 01 02 02 01 00 02 01 00 01 01 00 1...............
A0 10 A3 0E 04 01 6F 04 09 6D 69 63 72 6F 73 6F ......o..microso
66 74 30 00 __ __ __ __ __ __ __ __ __ __ __ __ ft0.

Net::LDAP=HASH(0x8bbf1f0) received:

30 0C 02 01 02 65 07 0A 01 00 04 00 04 00 __ __ 0....e........

0Net::LDAP=HASH(0x8bbf1f0) sending:

30 05 02 01 03 42 00 __ __ __ __ __ __ __ __ __ 0....B.

Net::LDAP=HASH(0x8f76be4) sending:

30 3C 02 01 04 60 37 02 01 02 04 28 63 6E 3D 41 0<...`7....(cn=A
64 6D 69 6E 69 73 74 72 61 74 6F 72 2C 6F 75 3D dministrator,ou=
4D 65 6D 62 65 72 73 2C 20 6F 3D 6D 69 63 72 6F Members, o=micro
73 6F 66 74 80 08 4E 65 74 46 52 41 4D 45 __ __ soft..NetFRAME

Net::LDAP=HASH(0x8f76be4) received:

30 0C 02 01 04 61 07 0A 01 00 04 00 04 00 __ __ 0....a........

Net::LDAP=HASH(0x8f76be4) sending:

30 60 02 01 05 68 5B 04 13 63 6E 20 3D 20 42 61 0`...h[..cn = Ba
72 62 61 72 61 20 4A 65 6E 73 65 6E 30 44 30 24 rbara Jensen0D0$
04 02 63 6E 31 1E 04 0E 42 61 72 62 61 72 61 20 ..cn1...Barbara
4A 65 6E 73 65 6E 04 0C 42 61 72 62 73 20 4A 65 Jensen..Barbs Je
6E 73 65 6E 30 1C 04 04 6D 61 69 6C 31 14 04 12 nsen0...mail1...
62 2E 6A 65 6E 73 65 6E 40 75 6D 69 63 68 2E 65 b.jensen@umich.e
64 75 __ __ __ __ __ __ __ __ __ __ __ __ __ __ du

Net::LDAP=HASH(0x8f76be4) received:

30 0C 02 01 05 69 07 0A 01 41 04 00 04 00 __ __ 0....i...A....

failed to add entry:  at C:\dfbldap\ldap.pl line 36.

C:\ldap>

---------------------------------------------------------------------END OF 
LOG---------------------------------------------------------------

Within the LDAP directory there are two Members. But the search does not 
find them.
It would be nice to get a little help from you. 


Thanks a lot.

With best regards

Gerald


P.S. It's running under Windows NT 4.0 and the LDAP Server is LDAP from the 
MCIS MAIL.


----- End forwarded message -----

mailing list [2]

[Graham B. <gb...@po...>]

If you got this message then you have been subscribed to the new perl-ldap
mailing list per...@li...

Graham.

Re: [Fwd] Re: query on ldap->bind & ldap->compare

[Chris R. <Chr...@me...>]

On Thu, 04 May 2000 15:12:54 BST, Graham Barr wrote:
> On Thu, May 04, 2000 at 02:49:22PM +0100, Chris Ridd wrote:
> > That makes sense. Something like a 'method' parameter, with values 
> > 'anonymous'/'none' (empty name + empty password), 'nameonly' (name + 
> > empty password), 'simple' (name + password), or 'sasl' (erm, "stuff").
> 
> Hm, you mean split the method and password into two like
> 
>   method => 'sasl', password => $sasl
>   method => 'anonymous'
>   method => 'simple', password => $pass

Yes, but still including 'dn'.

> was just tinking of requiring one of sasl anon (none anonymous whatever) or
> simple to be passed. This gives compatability with the current syntax and
> gives checking too. Also a password of '' should probably not be allowed
> with simple.

I think we're saying the same thing.

Examples:

	bind(method => 'none')
	bind(method => 'simple',
             dn => 'blah', password => 'blah')
	bind(method => 'nameonly',
	     dn => 'blah')
	bind(method => 'sasl',
	     dn => 'blah', ... more stuff for SASL ... )

Bind can look at method and do whatever checking it wants on the other 
parameters, like checking for empty passwords in certain cases.

> > The current default of 'none' should be kept.
> 
> You mean anonymous bind if no method is given ? That would leave
> use where we are now if someone misspells method. I would rather
> requier a method parameter.

Oh yeah :-) Sorry I must have been thinking about something else...

> Graham.

Chris

Re: query on ldap->bind & ldap->compare

[Mark W. <mew...@un...>]

On Thu, 4 May 2000, tim fulcher wrote:

> 
> Hi,
> 
> I'm trying to write a class which registers and subsequently checks
> itself against a LDAP server.
> 
> Firstly, I seem to be able to bind to the server OK when I supply a dn
> for an object that doesn't yet exist, which seems to be contradictory to
> trying, say a command line ldapsearch using the same dn as a bind
> argument. (that gives no such object).
> 
Are you checking for an error code during your bind?
$msg = $ldap->bind(....);
die("failed to bind ",$mesg->code(),"\n") if $mesg->code() ?

Net::LDAP will only die if you tell it to (most of the time) ;). 

> So once I've bound OK, I do a search based on the cn, and if just one
> entry comes back I do the compare on it as follows:
> 
>       $cr = $self->{ldap}->compare ( $self->{searchresult}->entry(0) ,
>        attr => 'port', value => $self->port(),
>        attr => 'ipaddress', value => $self->ipaddress(),
>        attr => 'seedfile', value =>$self->seedfile()
>      );
> 
> print "compare returned code: ", $cr->code, " & error: ", $cr->error,
> "\n";
> 

> Can you not supply supply multiple attributes to a compare operation ?
> When I run this I get compare true (code 6), even though as shown below,
> my object attributes differ. When I run compare with just one attribute
> it right gives a false result. Will I have to do the compare for each
> attribute separately?
Read the friggin' RFC. The compare is a LDAP command, not a helpful tool
in Net::LDAP. And it only takes a DN, an attribute and a single value. 

Thus if you want to do do a compare on each individual attribute, you must
make successive calls to the LDAP server. However, it might be more
efficient to return the entire entry and then do that compare in your code
if you are checking multiple attributes and values. 

Mark
 > 
> The output fragment below prints out its attributes, does a search and
> if 1 entry returned, calls the code above.
> 
> > ldaptest.pl
> 
> service foob
> port 8190
> ip 132.146.3.99
> seedfile /tmp/cdb
> mdn is cn='foob',dc='nip',dc='services'
> bind returned code: 0 & error:
> 
> query = (cn=foob)
> search returned code: 0 & error:
> 
> ------------------------------------------------------------------------
> 
> dn:cn=foob, dc=nip, dc=services
> 
> cn: foob
> port: 8192
> description: guinea pig
> seedfile: /tmp/cdb
> ipaddress: 132.146.3.78
> userpassword: {md5}0IcaK1PGLeXgRv7eQvP3qw==
> objectclass: AppServer
> 
> search returned code: 0 & error:
> I found me
> compare returned code: 6 & error:
> 
> 
> btw, I'm using openldap 1.2.9. My db  ACL is  access * by self write by
> * read
> 
> cheers
> 
> 
> Tim
> 
> 
> 

Re: [Fwd] Re: query on ldap->bind & ldap->compare

[Graham B. <gb...@po...>]

On Thu, May 04, 2000 at 02:49:22PM +0100, Chris Ridd wrote:
> > 
> > >  $br = $self->{ldap}->bind( $self->{mydn}, passwd => $self->{service}  );
> > 
> > passwd is not a valid option, you need password. This will result in
> > bind doing an anonymous bind.
> > 
> > We need to catch this, but I do not want to add option name verification
> > to all the methods as that will slow things down (too much IMO).
> > 
> > Maybe an anonymous bind should be explicitly specified. ie none, password or sasl
> > must be given and password => '' is illegal (it must be none)
> > 
> > Does anyone have any thoughts ?
> 
> That makes sense. Something like a 'method' parameter, with values 
> 'anonymous'/'none' (empty name + empty password), 'nameonly' (name + 
> empty password), 'simple' (name + password), or 'sasl' (erm, "stuff").

Hm, you mean split the method and password into two like

  method => 'sasl', password => $sasl
  method => 'anonymous'
  method => 'simple', password => $pass

was just tinking of requiring one of sasl anon (none anonymous whatever) or
simple to be passed. This gives compatability with the current syntax and
gives checking too. Also a password of '' should probably not be allowed
with simple.

> The current default of 'none' should be kept.

You mean anonymous bind if no method is given ? That would leave
use where we are now if someone misspells method. I would rather
requier a method parameter.

Graham.

Re: [Fwd] Re: query on ldap->bind & ldap->compare

[Chris R. <Chr...@me...>]

On Thu, 04 May 2000 14:07:30 BST, Graham Barr wrote:
> ----- Forwarded message from Graham Barr <gb...@po...> -----
> 
> Date: Thu, 4 May 2000 13:27:26 +0100
> From: Graham Barr <gb...@po...>
> To: tim fulcher <ful...@dr...>
> Subject: Re: query on ldap->bind & ldap->compare
> X-Mailer: Mutt 1.0pre3i
> In-Reply-To: <391...@dr...>
> 
> On Thu, May 04, 2000 at 01:09:34PM +0100, tim fulcher wrote:
> > Graham Barr wrote:
> > 
> > > On Thu, May 04, 2000 at 11:19:51AM +0100, tim fulcher wrote:
> > > >
> > > > Hi,
> > > >
> > > > I'm trying to write a class which registers and subsequently checks
> > > > itself against a LDAP server.
> > > >
> > > > Firstly, I seem to be able to bind to the server OK when I supply a dn
> > > > for an object that doesn't yet exist, which seems to be contradictory to
> > > > trying, say a command line ldapsearch using the same dn as a bind
> > > > argument. (that gives no such object).
> > >
> > > Can you post the code you use to bind and how you check that the bind
> > > succeeded.
> > 
> 
> >  $br = $self->{ldap}->bind( $self->{mydn}, passwd => $self->{service}  );
> 
> passwd is not a valid option, you need password. This will result in
> bind doing an anonymous bind.
> 
> We need to catch this, but I do not want to add option name verification
> to all the methods as that will slow things down (too much IMO).
> 
> Maybe an anonymous bind should be explicitly specified. ie none, password or sasl
> must be given and password => '' is illegal (it must be none)
> 
> Does anyone have any thoughts ?

That makes sense. Something like a 'method' parameter, with values 
'anonymous'/'none' (empty name + empty password), 'nameonly' (name + 
empty password), 'simple' (name + password), or 'sasl' (erm, "stuff").

The current default of 'none' should be kept.

Cheers,

Chris

[Fwd] Re: query on ldap->bind & ldap->compare

[Graham B. <gb...@po...>]

----- Forwarded message from Graham Barr <gb...@po...> -----

Date: Thu, 4 May 2000 13:27:26 +0100
From: Graham Barr <gb...@po...>
To: tim fulcher <ful...@dr...>
Subject: Re: query on ldap->bind & ldap->compare
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <391...@dr...>

On Thu, May 04, 2000 at 01:09:34PM +0100, tim fulcher wrote:
> Graham Barr wrote:
> 
> > On Thu, May 04, 2000 at 11:19:51AM +0100, tim fulcher wrote:
> > >
> > > Hi,
> > >
> > > I'm trying to write a class which registers and subsequently checks
> > > itself against a LDAP server.
> > >
> > > Firstly, I seem to be able to bind to the server OK when I supply a dn
> > > for an object that doesn't yet exist, which seems to be contradictory to
> > > trying, say a command line ldapsearch using the same dn as a bind
> > > argument. (that gives no such object).
> >
> > Can you post the code you use to bind and how you check that the bind
> > succeeded.
> 

>  $br = $self->{ldap}->bind( $self->{mydn}, passwd => $self->{service}  );

passwd is not a valid option, you need password. This will result in
bind doing an anonymous bind.

We need to catch this, but I do not want to add option name verification
to all the methods as that will slow things down (too much IMO).

Maybe an anonymous bind should be explicitly specified. ie none, password or sasl
must be given and password => '' is illegal (it must be none)

Does anyone have any thoughts ?

> > > Can you not supply supply multiple attributes to a compare operation ?
> >
> > No, LDAP only supports the compare of a single attribute at a time.
> 
> Yeah, OK, I've fixed that so the compare only does one attr at a time.

As suggested by Chris, it may be better to do a search using the given dn as a base
and a scope of 'one' This would mean only one request would be sent to the server.

Graham.

----- End forwarded message -----

Re: query on ldap->bind & ldap->compare

[Chris R. <Chr...@me...>]

On Thu, 04 May 2000 11:19:51 BST, tim fulcher wrote:
> 
> Hi,
> 
> I'm trying to write a class which registers and subsequently checks
> itself against a LDAP server.
> 
> Firstly, I seem to be able to bind to the server OK when I supply a dn
> for an object that doesn't yet exist, which seems to be contradictory to
> trying, say a command line ldapsearch using the same dn as a bind
> argument. (that gives no such object).
> 
> So once I've bound OK, I do a search based on the cn, and if just one
> entry comes back I do the compare on it as follows:
> 
>       $cr = $self->{ldap}->compare ( $self->{searchresult}->entry(0) ,
>        attr => 'port', value => $self->port(),
>        attr => 'ipaddress', value => $self->ipaddress(),
>        attr => 'seedfile', value =>$self->seedfile()
>      );
> 
> print "compare returned code: ", $cr->code, " & error: ", $cr->error,
> "\n";
> 
> Can you not supply supply multiple attributes to a compare operation ?

The protocol does not permit this. You would probably have to issue 
three compare operations in your example, and AND together the results.

Alternatively, just issue a more complex search:

	&((cn=whatever)(port=blah)(ipaddress=foo)(seedfile=bletch))

> When I run this I get compare true (code 6), even though as shown below,
> my object attributes differ. When I run compare with just one attribute
> it right gives a false result. Will I have to do the compare for each
> attribute separately?

Yes. Also the way Net::LDAP parses parameters to methods (it converts 
them into a hash) will mean that only one of your attr settings is 
being used. Dunno which one though, but if you created the Net::LDAP 
object with debug => 3 this might help you work it out.

> The output fragment below prints out its attributes, does a search and
> if 1 entry returned, calls the code above.
> 
> > ldaptest.pl
> 
> service foob
> port 8190
> ip 132.146.3.99
> seedfile /tmp/cdb
> mdn is cn='foob',dc='nip',dc='services'
> bind returned code: 0 & error:
> 
> query = (cn=foob)
> search returned code: 0 & error:
> 
> ------------------------------------------------------------------------
> 
> dn:cn=foob, dc=nip, dc=services
> 
> cn: foob
> port: 8192
> description: guinea pig
> seedfile: /tmp/cdb
> ipaddress: 132.146.3.78
> userpassword: {md5}0IcaK1PGLeXgRv7eQvP3qw==
> objectclass: AppServer
> 
> search returned code: 0 & error:
> I found me
> compare returned code: 6 & error:
> 
> 
> btw, I'm using openldap 1.2.9. My db  ACL is  access * by self write by
> * read

I'm not sure what that ACL means, but you *may* have to grant access to 
compare certain attributes as well. The only standard access control 
model around at the moment can set different permissions for compare, 
searching, and reading.

The other thought that springs to mind is, does comparing a password 
held by the server in MD5 require that the compare operation send the 
plaintext password, or something else?

> cheers
> 
> 
> Tim
> 
> 

Cheers,

Chris

Re: query on ldap->bind & ldap->compare

[Graham B. <gb...@po...>]

On Thu, May 04, 2000 at 11:19:51AM +0100, tim fulcher wrote:
> 
> Hi,
> 
> I'm trying to write a class which registers and subsequently checks
> itself against a LDAP server.
> 
> Firstly, I seem to be able to bind to the server OK when I supply a dn
> for an object that doesn't yet exist, which seems to be contradictory to
> trying, say a command line ldapsearch using the same dn as a bind
> argument. (that gives no such object).

Can you post the code you use to bind and how you check that the bind
succeeded.

> So once I've bound OK, I do a search based on the cn, and if just one
> entry comes back I do the compare on it as follows:
> 
>       $cr = $self->{ldap}->compare ( $self->{searchresult}->entry(0) ,
>        attr => 'port', value => $self->port(),
>        attr => 'ipaddress', value => $self->ipaddress(),
>        attr => 'seedfile', value =>$self->seedfile()
>      );

This will comapre the value of seedfile with $self->seedfile() 

> Can you not supply supply multiple attributes to a compare operation ?

No, LDAP only supports the compare of a single attribute at a time.

> When I run this I get compare true (code 6), even though as shown below,
> my object attributes differ. When I run compare with just one attribute
> it right gives a false result. Will I have to do the compare for each
> attribute separately?

That is because seedfile does compare

Graham.

query on ldap->bind & ldap->compare

[tim f. <ful...@dr...>]

Hi,

I'm trying to write a class which registers and subsequently checks
itself against a LDAP server.

Firstly, I seem to be able to bind to the server OK when I supply a dn
for an object that doesn't yet exist, which seems to be contradictory to
trying, say a command line ldapsearch using the same dn as a bind
argument. (that gives no such object).

So once I've bound OK, I do a search based on the cn, and if just one
entry comes back I do the compare on it as follows:

      $cr = $self->{ldap}->compare ( $self->{searchresult}->entry(0) ,
       attr => 'port', value => $self->port(),
       attr => 'ipaddress', value => $self->ipaddress(),
       attr => 'seedfile', value =>$self->seedfile()
     );

print "compare returned code: ", $cr->code, " & error: ", $cr->error,
"\n";

Can you not supply supply multiple attributes to a compare operation ?
When I run this I get compare true (code 6), even though as shown below,
my object attributes differ. When I run compare with just one attribute
it right gives a false result. Will I have to do the compare for each
attribute separately?

The output fragment below prints out its attributes, does a search and
if 1 entry returned, calls the code above.

> ldaptest.pl

service foob
port 8190
ip 132.146.3.99
seedfile /tmp/cdb
mdn is cn='foob',dc='nip',dc='services'
bind returned code: 0 & error:

query = (cn=foob)
search returned code: 0 & error:

------------------------------------------------------------------------

dn:cn=foob, dc=nip, dc=services

cn: foob
port: 8192
description: guinea pig
seedfile: /tmp/cdb
ipaddress: 132.146.3.78
userpassword: {md5}0IcaK1PGLeXgRv7eQvP3qw==
objectclass: AppServer

search returned code: 0 & error:
I found me
compare returned code: 6 & error:


btw, I'm using openldap 1.2.9. My db  ACL is  access * by self write by
* read

cheers


Tim