From: Chris R. <chr...@ma...> - 2002-11-12 19:53:18

On 13/11/02 12:14 am, Todd <net...@ch...> wrote:

> I'm trying to write a web app that uses LDAP Simple Auth to authenticate
> users against our iPlanet directory. The Perl code is being executed
> on an Activestate/Win2k setup. Here is the code:
>
> [...]
>
> $ldap->unbind; # take down session
>
> [...]
>
> When I run it I get:
>
> E:\Inetpub\scripts>ldap.pl myid mypass
> uid=myid,ou=PROD-ABH-XYZ-COM,ou=internal,ou=xyzoa,dc=xyz,dc=com
>
> Return code: 1
> Message: LDAP_OPERATIONS_ERROR : Server encountered an internal error
> MessageID: 4
> DN:
>
> Under other versions of the code I get an I/O error.
>
> Any ideas?

One possibility is that the server doesn't like you rebinding after sending an
unbind on the connection. The socket you've got open isn't actually closed
(despite your comment!) until the $ldap object is destroyed.

There's actually no real need to unbind at all as the standard supports issuing
multiple binds on the same connection, so maybe just delete the $ldap->unbind
call and see what happens.

Cheers,
Chris
From: Todd <net...@ch...> - 2002-11-12 19:38:40

FYI, I get the same output on a Linux system.

    [root@localhost root]# ./ldap.pl myid mypass
    uid=myid,ou=PROD-ABH-XYZ-COM,ou=internal,ou=xyzoa,dc=xyz,dc=com

    Return code: 1
    Message: LDAP_OPERATIONS_ERROR : Server encountered an internal error
    MessageID: 4
    DN:
From: Todd <net...@ch...> - 2002-11-12 19:32:21

I'm trying to write a web app that uses LDAP Simple Auth to authenticate users
against our iPlanet directory. The Perl code is being executed on an
Activestate/Win2k setup. Here is the code:

    #!/usr/bin/perl

    use Net::LDAP;
    use Net::LDAP::Util qw(ldap_error_text
                           ldap_error_name
                           ldap_error_desc);

    $uid  = shift;
    $pass = shift;

    # Net::LDAP->new leaves its error text in $@, not $0
    $ldap = Net::LDAP->new('directory-f5.vw.com') or die "$@";

    $ldap->bind;    # an anonymous bind

    $mesg = $ldap->search(    # perform a search
        base   => "dc=vw,dc=com",
        filter => "(uid=$uid)"
    );

    $mesg->code && die $mesg->error;

    $entry = $mesg->entry(0);    # should be the first and only entry
    die "no entry found for uid $uid\n" unless $entry;    # entry(0) is undef when nothing matched

    $ldap->unbind;    # take down session

    $dn = $entry->dn;

    print "$dn\n\n";

    $mesg2 = $ldap->bind(    # bind to a directory with dn and password
        $dn,
        password => $pass,
        version  => 3,
        callback => sub { $_[0]->shift_entry }
    );

    LDAPError("Binding", $mesg2) if $mesg2->code();
    exit 1 if $mesg2->code();

    sub LDAPError {
        my ($from, $mesg) = @_;

        print STDERR "\n";
        print STDERR "Return code: ", $mesg->code . "\n";
        print STDERR "Message: ", ldap_error_name($mesg->code);
        print STDERR " : ", ldap_error_text($mesg->code);
        print STDERR "MessageID: ", $mesg->mesg_id . "\n";
        print STDERR "DN: ", $mesg->dn;
        print STDERR "\n";
    }

===============

When I run it I get:

    E:\Inetpub\scripts>ldap.pl myid mypass
    uid=myid,ou=PROD-ABH-XYZ-COM,ou=internal,ou=xyzoa,dc=xyz,dc=com

    Return code: 1
    Message: LDAP_OPERATIONS_ERROR : Server encountered an internal error
    MessageID: 4
    DN:

Under other versions of the code I get an I/O error.

Any ideas?

Thanks!
-Todd
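The script in this thread interpolates the user-supplied uid straight into the search filter and binds with whatever password arrives. The following is an added example, not code from the thread or from perl-ldap, written in Python so it runs without a directory server: it keeps the same search-then-bind flow but escapes the uid per RFC 4515 (so a uid of `*)(uid=*` cannot widen the search), refuses an empty password up front (an LDAPv3 simple bind with a DN and an empty password is an unauthenticated bind that many servers answer with success, RFC 4513 section 5.1.2), and requires exactly one matching entry. The `search` and `bind` callables, the `dc=example,dc=com` DNs and the `AuthError` class are assumptions for the example; a deployment would wrap a real LDAP client in those two callables.

```python
"""Hardened search-then-bind login (added example; the directory calls are
injected so the logic runs and tests offline)."""
from typing import Callable, Optional, Sequence


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter.

    RFC 4515 requires '*', '(', ')', '\\' and NUL to be written as a
    backslash followed by two hex digits.  Control bytes and non-ASCII are
    escaped byte-wise as well; that is always valid and sidesteps
    encoding surprises on the server side.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in (0x2A, 0x28, 0x29, 0x5C, 0x00) or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_uid_filter(uid: str) -> str:
    """The filter for the search step, with the uid safely escaped."""
    return "(uid=%s)" % escape_filter_value(uid)


class AuthError(Exception):
    """Any condition that must be treated as 'not authenticated'."""


def select_bind_dn(dns: Sequence[str]) -> str:
    """The search must return exactly one entry; anything else fails."""
    if len(dns) == 0:
        raise AuthError("no such user")
    if len(dns) > 1:
        raise AuthError("uid is not unique; refusing to guess a bind DN")
    return dns[0]


def authenticate(uid: str, password: str,
                 search: Callable[[str], Sequence[str]],
                 bind: Callable[[str, str], int]) -> str:
    """Return the DN that authenticated, or raise AuthError.

    search(filter_string) -> list of DNs matching the filter (anonymous or
    service-account search, as in the thread's script)
    bind(dn, password)   -> LDAP resultCode of the simple bind (0 = success)
    """
    if not uid or not password:
        # An empty password would make the bind unauthenticated (anonymous),
        # which the server may well report as success.  Never a login.
        raise AuthError("uid and password are both required")
    dn = select_bind_dn(search(build_uid_filter(uid)))
    code = bind(dn, password)
    if code != 0:
        raise AuthError("bind failed with resultCode %d" % code)
    return dn


def auth_or_none(uid: str, password: str,
                 search: Callable[[str], Sequence[str]],
                 bind: Callable[[str, str], int]) -> Optional[str]:
    """authenticate() for callers that want the DN or None instead of an exception."""
    try:
        return authenticate(uid, password, search, bind)
    except AuthError:
        return None
```

The empty-password check is the one most often missing from web logins: the bind "succeeds", the code path that treats a zero result code as authenticated runs, and any existing uid logs in. Escaping the filter value matters even when the search runs anonymously, because a crafted uid can turn a one-entry lookup into a wildcard that matches somebody else's account.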
From: Shiva P. <sh...@us...> - 2002-11-11 23:41:05

In perl, I can specify how sort actually sorts if I don't want things sorted
ASCIIbetically. Does Net::LDAP::Entry->sorted() let me do this? I can't find
documentation anywhere.

Thanks,
Shiva

Shiva Persaud
AIX Security Developer
Phone: 512-838-1193
sh...@us...

Shiva Persaud wrote:

> I should have read ALL the documentation:
>
>     sorted ( [ ATTR_LIST ] )
>
>     Return a list of Net::LDAP::Entry objects, sorted by the attributes
>     given in ATTR_LIST. The attributes are compared in the order
>     specified, each only being compared if all the prior attributes
>     compare equal. If all the specified attributes compare equal then
>     the DN is used to determine order.
>
> From the Net::LDAP::Entry page on CPAN.
>
> Shiva Persaud
> AIX Security Developer
> Phone: 512-838-1193
> sh...@us...
>
> Shiva Persaud/Austin/IBM@IBMUS wrote on 11/11/2002 04:46 PM
> (To: per...@li..., Subject: Sorting the results of search.):
>
> > The ldapsearch command allows you to specify an attribute to sort
> > search results by via the -S flag. Does perl-ldap search let you sort
> > your return results (thus putting the work on the ldap server)? If
> > not, what would be the best way to sort the results myself?
> >
> > Shiva Persaud
> > AIX Security Developer
> > Phone: 512-838-1193
> > sh...@us...

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
From: Shiva P. <sh...@us...> - 2002-11-11 23:10:08

I should have read ALL the documentation:

    sorted ( [ ATTR_LIST ] )

    Return a list of Net::LDAP::Entry objects, sorted by the attributes
    given in ATTR_LIST. The attributes are compared in the order
    specified, each only being compared if all the prior attributes
    compare equal. If all the specified attributes compare equal then
    the DN is used to determine order.

From the Net::LDAP::Entry page on CPAN.

Shiva Persaud
AIX Security Developer
Phone: 512-838-1193
sh...@us...

Shiva Persaud/Austin/IBM@IBMUS wrote on 11/11/2002 04:46 PM
(To: per...@li..., Subject: Sorting the results of search.):

> The ldapsearch command allows you to specify an attribute to sort search
> results by via the -S flag. Does perl-ldap search let you sort your
> return results (thus putting the work on the ldap server)? If not, what
> would be the best way to sort the results myself?
>
> Shiva Persaud
> AIX Security Developer
> Phone: 512-838-1193
> sh...@us...
From: Shiva P. <sh...@us...> - 2002-11-11 22:47:34

The ldapsearch command allows you to specify an attribute to sort search
results by via the -S flag. Does perl-ldap search let you sort your return
results (thus putting the work on the ldap server)? If not, what would be the
best way to sort the results myself?

Shiva Persaud
AIX Security Developer
Phone: 512-838-1193
sh...@us...
From: Steve L. <ste...@du...> - 2002-11-11 16:25:54

I have found code on the mailing list describing how to extract the Entry
Change Control from a persistent search, but does anyone have an example of
how to implement the Persistent Search Control?

Steve Lemons
OIT - Systems and Core Services
Duke University
ste...@du...
From: Graham B. <gb...@po...> - 2002-11-11 16:21:57

On Mon, Nov 11, 2002 at 03:08:45PM +0100, Michael Maier wrote:
> Hi!
>
> I have a question concerning start_tls.
> When I use verify=>'required' and my LDAP Server does not know the start_tls
> extension, it sends me a "unsupported extended operation"-error as
> LDAPResult with errornumber 2 (at least Sun DirServ and OpenLDAP does). As
> far as I understood, in this case the following search request should not be
> started but it looks like the resultCode 2 is looked at as success.

No, it's not.

> By the way, shouldn't a not supported extension result in a resultCode of
> 12?

No. That is the code that is returned when a request is sent with a control
that is marked critical and the server does not support it.

> Here is my code:
> use Net::LDAP;
> $ldap = Net::LDAP->new('localhost', version => 3, port => 389) or die "$@";
> $ldap->debug(12);
> $ldap->start_tls(verify => 'required', cafile => 'somefile') or die "$@";

start_tls, like other methods, does not return true/false. It returns a
message object that you must call methods on yourself.

    $mesg = $ldap->start_tls(verify => 'required', cafile => 'somefile');
    die $mesg->error if $mesg->code;

Graham.

> ...
>
> And here the response to my start_tls from debug:
>
>   42: SEQUENCE {
>    1:   INTEGER=1
>   37:   [APPLICATION 24] {
>    1:     ENUM = 2
>    0:     STRING = ''
>   30:     STRING = 'unsupported extended operation'
>     :   }
>     : }
>
> Thanks!
> Florian
From: Michael M. <mmn...@gm...> - 2002-11-11 16:14:40

> Hi!
>
> I have a question concerning start_tls.
> When I use verify=>'required' and my LDAP Server does not know the start_tls
> extension, it sends me a "unsupported extended operation"-error as
> LDAPResult with errornumber 2 (at least Sun DirServ and OpenLDAP does). As
> far as I understood, in this case the following search request should not be
> started but it looks like the resultCode 2 is looked at as success.
> By the way, shouldn't a not supported extension result in a resultCode of
> 12?
>
> Here is my code:
> use Net::LDAP;
> $ldap = Net::LDAP->new('localhost', version => 3, port => 389) or die "$@";
> $ldap->debug(12);
> $ldap->start_tls(verify => 'required', cafile => 'somefile') or die "$@";
> ...
>
> And here the response to my start_tls from debug:
>
>   42: SEQUENCE {
>    1:   INTEGER=1
>   37:   [APPLICATION 24] {
>    1:     ENUM = 2
>    0:     STRING = ''
>   30:     STRING = 'unsupported extended operation'
>     :   }
>     : }
>
> Thanks!
> Florian

> The start_tls code returns (should return!) an error whenever the result
> message it got back has a non-zero code value ("return $mesg if
> $mesg->code"). Is this not happening?
>
> According to RFC 2252 if the server doesn't recognize the request name, it
> MUST return a protocol error. Unavailable critical extension is reserved for
> LDAP controls which are marked as critical but which the server doesn't
> recognize (or is unwilling to obey for whatever reason). So I'd say the
> server's returning the right sort of result iff we're screwing up the
> initial extended operation. What does that look like if you turn on
> debugging?
>
> Also check you've got the latest & greatest version of LDAP.pm, as some bugs
> crept in to start_tls which have only recently been fixed.
>
> Cheers,
> Chris

I'm using perl-ldap 0.26; the ldap.pm file says something about version 1.10.

The LDAP Server does return a protocol error, I posted the errorcode above.
It's errorcode "2", which is called "protocolError" in RFC 2252.

Here is my whole program and the complete debug:

    use Net::LDAP;

    $ldap = Net::LDAP->new('localhost', version => 3, port => 389) or die "$@";
    $ldap->debug(12);
    $ldap->start_tls(verify => 'required', cafile => '/somefile.pem') or die "$@";
    $ldap->bind(dn => "uid=flh,ou=MV,ou=People,o=architur", password => "test");

    $mesg = $ldap->search(    # perform a search
        base      => "o=architur",
        filter    => "(&(sn=aName) (givenname=Florian))",
        attrs     => ['cn ', 'uid '],
        timelimit => "10"
    );

    if ($mesg->code) { die $mesg->error; }

    foreach $entry ($mesg->all_entries) {
        $entry->dump;
    }

    $ldap->unbind;    # take down session

    Net::LDAP=HASH(0x80f46b0) sending:
    0000   29: SEQUENCE {
    0002    1:   INTEGER = 1
    0005   24:   [APPLICATION 23] {
    0007   22:     [CONTEXT 0]
    0009     :       31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 31 34 36 36  1.3.6.1.4.1.1466
    0019     :       2E 32 30 30 33 37 __ __ __ __ __ __ __ __ __ __  .20037
    001F     :   }
    001F     : }

    Net::LDAP=HASH(0x80f46b0) received:
    0000   42: SEQUENCE {
    0002    1:   INTEGER = 1
    0005   37:   [APPLICATION 24] {
    0007    1:     ENUM = 2
    000A    0:     STRING = ''
    000C   30:     STRING = 'unsupported extended operation'
    002C     :   }
    002C     : }

    Net::LDAP=HASH(0x80f46b0) sending:
    0000   50: SEQUENCE {
    0002    1:   INTEGER = 2
    0005   45:   [APPLICATION 0] {
    0007    1:     INTEGER = 3
    000A   34:     STRING = 'uid=flh,ou=MV,ou=People,o=architur'
    002E    4:     [CONTEXT 0]
    0030     :       74 65 73 74 __ __ __ __ __ __ __ __ __ __ __ __  test
    0034     :   }
    0034     : }

    Net::LDAP=HASH(0x80f46b0) received:
    0000   12: SEQUENCE {
    0002    1:   INTEGER = 2
    0005    7:   [APPLICATION 1] {
    0007    1:     ENUM = 0
    000A    0:     STRING = ''
    000C    0:     STRING = ''
    000E     :   }
    000E     : }

    Net::LDAP=HASH(0x80f46b0) sending:
    0000   86: SEQUENCE {
    0002    1:   INTEGER = 3
    0005   81:   [APPLICATION 3] {
    0007   10:     STRING = 'o=architur'
    0013    1:     ENUM = 2
    0016    1:     ENUM = 2
    0019    1:     INTEGER = 0
    001C    1:     INTEGER = 10
    001F    1:     BOOLEAN = FALSE
    0022   39:     [CONTEXT 0] {
    0024   15:       [CONTEXT 3] {
    0026    2:         STRING = 'sn'
    002A    9:         STRING = 'aName'
    0035     :       }
    0035   20:       [CONTEXT 3] {
    0037    9:         STRING = 'givenname'
    0042    7:         STRING = 'Florian'
    004B     :       }
    004B     :     }
    004B   11:     SEQUENCE {
    004D    3:       STRING = 'cn '
    0052    4:       STRING = 'uid '
    0058     :     }
    0058     :   }
    0058     : }

    Net::LDAP=HASH(0x80f46b0) received:
    0000   86: SEQUENCE {
    0002    1:   INTEGER = 3
    0005   81:   [APPLICATION 4] {
    0007   34:     STRING = 'uid=flh,ou=MV,ou=People,o=architur'
    002B   43:     SEQUENCE {
    002D   26:       SEQUENCE {
    002F    3:         STRING = 'cn '
    0034   19:         SET {
    0036   17:           STRING = 'Florian aName'
    0049     :         }
    0049     :       }
    0049   13:       SEQUENCE {
    004B    4:         STRING = 'uid '
    0051    5:         SET {
    0053    3:           STRING = 'flh'
    0058     :         }
    0058     :       }
    0058     :     }
    0058     :   }
    0058     : }

    Net::LDAP=HASH(0x80f46b0) received:
    0000   12: SEQUENCE {
    0002    1:   INTEGER = 3
    0005    7:   [APPLICATION 5] {
    0007    1:     ENUM = 0
    000A    0:     STRING = ''
    000C    0:     STRING = ''
    000E     :   }
    000E     : }

    Net::LDAP=HASH(0x80f46b0) sending:
    0000    5: SEQUENCE {
    0002    1:   INTEGER = 4
    0005    0:   [APPLICATION 2]
    0007     : }
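The trace above is the whole security story of this thread: the StartTLS ExtendedResponse comes back with resultCode 2, the script ignores it because it tested the return value of start_tls as a boolean, and the very next message on the same plaintext socket is a simple bind carrying the password `test`. The block below is an added example, not from the thread or from perl-ldap: a minimal BER decoder for an LDAPv3 LDAPResult that extracts the resultCode from bytes like the ones in the trace, plus a fail-closed check that only allows credentials to follow a StartTLS response whose resultCode is 0. The `TRACE_START_TLS_FAILURE` bytes are reconstructed here from the lengths and values the debug output shows (42 / 1 / 37 / 2 / '' / 'unsupported extended operation'); the names `RESULT_CODES`, `tls_established` and the small encoder are this example's own.

```python
"""Decode an LDAPv3 LDAPResult from BER and decide whether credentials may be
sent (added example; bytes reconstructed from the debug trace above)."""
from dataclasses import dataclass

# Constructed from the trace: LDAPMessage { messageID 1, ExtendedResponse {
# resultCode protocolError(2), matchedDN '', diagnosticMessage '...' } }
TRACE_START_TLS_FAILURE = bytes.fromhex(
    "30 2a"        # SEQUENCE, 42 bytes
    "02 01 01"     # INTEGER messageID = 1
    "78 25"        # [APPLICATION 24] ExtendedResponse, 37 bytes
    "0a 01 02"     # ENUMERATED resultCode = 2
    "04 00"        # OCTET STRING matchedDN = ''
    "04 1e"        # OCTET STRING diagnosticMessage, 30 bytes
) + b"unsupported extended operation"

RESULT_CODES = {0: "success", 2: "protocolError",
                12: "unavailableCriticalExtension", 49: "invalidCredentials"}
APP_BIND_RESPONSE = 1        # [APPLICATION 1]
APP_EXTENDED_RESPONSE = 24   # [APPLICATION 24]


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


@dataclass
class LDAPResult:
    message_id: int
    op: int            # APPLICATION tag number (1 BindResponse, 24 ExtendedResponse, ...)
    result_code: int
    matched_dn: str
    diagnostic: str

    @property
    def name(self) -> str:
        return RESULT_CODES.get(self.result_code, "resultCode %d" % self.result_code)


def parse_ldap_result(msg: bytes) -> LDAPResult:
    """Decode LDAPMessage { messageID, protocolOp { LDAPResult ... } }."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op, _ = _tlv(body, pos)
    if op_tag & 0xE0 != 0x60:               # constructed, APPLICATION class
        raise ValueError("protocolOp must be a constructed APPLICATION tag")
    tag, code, pos = _tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    tag_dn, dn, pos = _tlv(op, pos)
    tag_diag, diag, _ = _tlv(op, pos)
    if tag_dn != 0x04 or tag_diag != 0x04:
        raise ValueError("matchedDN and diagnosticMessage must be OCTET STRING")
    return LDAPResult(int.from_bytes(mid, "big"), op_tag & 0x1F,
                      int.from_bytes(code, "big"), dn.decode("utf-8"),
                      diag.decode("utf-8"))


def encode_ldap_result(message_id: int, op: int, result_code: int,
                       matched_dn: str = "", diagnostic: str = "") -> bytes:
    """Inverse of parse_ldap_result for small ids/codes (< 128), used for testing."""
    body = (_encode_tlv(0x0A, bytes([result_code]))
            + _encode_tlv(0x04, matched_dn.encode("utf-8"))
            + _encode_tlv(0x04, diagnostic.encode("utf-8")))
    return _encode_tlv(0x30, _encode_tlv(0x02, bytes([message_id]))
                       + _encode_tlv(0x60 | op, body))


def tls_established(start_tls_response: bytes) -> bool:
    """Fail closed: only an ExtendedResponse with resultCode 0 means the
    StartTLS negotiation may proceed; anything else (including a
    protocolError like the one in the trace) must abort before any bind."""
    r = parse_ldap_result(start_tls_response)
    return r.op == APP_EXTENDED_RESPONSE and r.result_code == 0
```

In Net::LDAP terms this is exactly `die $mesg->error if $mesg->code` after `start_tls`, before `bind` is ever called; the decoder just makes visible what that check reads. Note the distinction the thread settles: 2 (protocolError) is what an unrecognised extended operation gets, 12 (unavailableCriticalExtension) is for a critical control the server will not honour, and neither of them may be followed by a password on the clear socket.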
From: Chris R. <chr...@ma...> - 2002-11-11 14:48:38

On 11/11/02 2:08 pm, Michael Maier <mmn...@gm...> wrote:

> Hi!
>
> I have a question concerning start_tls.
> When I use verify=>'required' and my LDAP Server does not know the start_tls
> extension, it sends me a "unsupported extended operation"-error as
> LDAPResult with errornumber 2 (at least Sun DirServ and OpenLDAP does). As
> far as I understood, in this case the following search request should not be
> started but it looks like the resultCode 2 is looked at as success.
> By the way, shouldn't a not supported extension result in a resultCode of
> 12?
>
> Here is my code:
> use Net::LDAP;
> $ldap = Net::LDAP->new('localhost', version => 3, port => 389) or die "$@";
> $ldap->debug(12);
> $ldap->start_tls(verify => 'required', cafile => 'somefile') or die "$@";
> ...
>
> And here the response to my start_tls from debug:
>
>   42: SEQUENCE {
>    1:   INTEGER=1
>   37:   [APPLICATION 24] {
>    1:     ENUM = 2
>    0:     STRING = ''
>   30:     STRING = 'unsupported extended operation'
>     :   }
>     : }
>
> Thanks!
> Florian

The start_tls code returns (should return!) an error whenever the result
message it got back has a non-zero code value ("return $mesg if $mesg->code").
Is this not happening?

According to RFC 2252 if the server doesn't recognize the request name, it MUST
return a protocol error. Unavailable critical extension is reserved for LDAP
controls which are marked as critical but which the server doesn't recognize
(or is unwilling to obey for whatever reason). So I'd say the server's
returning the right sort of result iff we're screwing up the initial extended
operation. What does that look like if you turn on debugging?

Also check you've got the latest & greatest version of LDAP.pm, as some bugs
crept in to start_tls which have only recently been fixed.

Cheers,
Chris
From: Gerald (J. C. <je...@sa...> - 2002-11-11 14:19:29

On Mon, 11 Nov 2002 Rai...@bo... wrote:

> I need some help for a simple task:
>
> Has anyone managed in accessing the Netmeeting ILS-Service of
> Windows2K Advanced Server from ldap-perl (from an unix system)?
>
> Even basic connects are failing with perl-ldap (using a LDAP-Browser
> accessing the LDAP-Structure of the ils server works fine).

...

> The Perl-Script (basic code):
>
> $ldap = Net::LDAP->new($ServerName, port => 1002);
> $msg = ldap->bind;

AD doesn't allow for searching using an anonymous bind. Other than the
rootDSE of course.

> @attrs = [ "giveName" ];
>
> $ldap_result = $ldap->search (
>     base => "o=IntraNet,ou=Dynamic",
>     filter => "&(objectClass=RTPerson)(cn=%)",
>     attrs => @attrs
> );

cheers, jerry
---------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2         "SAMS Teach Yourself Samba in 24 Hours" 2ed
"I never saved anything for the swim back."  Ethan Hawk in Gattaca
From: Michael M. <mmn...@gm...> - 2002-11-11 14:15:17

Hi!

I have a question concerning start_tls.

When I use verify=>'required' and my LDAP Server does not know the start_tls
extension, it sends me a "unsupported extended operation"-error as LDAPResult
with errornumber 2 (at least Sun DirServ and OpenLDAP does). As far as I
understood, in this case the following search request should not be started
but it looks like the resultCode 2 is looked at as success.

By the way, shouldn't a not supported extension result in a resultCode of 12?

Here is my code:

    use Net::LDAP;
    $ldap = Net::LDAP->new('localhost', version => 3, port => 389) or die "$@";
    $ldap->debug(12);
    $ldap->start_tls(verify => 'required', cafile => 'somefile') or die "$@";
    ...

And here the response to my start_tls from debug:

      42: SEQUENCE {
       1:   INTEGER=1
      37:   [APPLICATION 24] {
       1:     ENUM = 2
       0:     STRING = ''
      30:     STRING = 'unsupported extended operation'
        :   }
        : }

Thanks!
Florian
From: <Rai...@bo...> - 2002-11-11 10:25:58

Hi,

I need some help for a simple task:

Has anyone managed to access the Netmeeting ILS-Service of Windows2K Advanced
Server from ldap-perl (from a unix system)?

Even basic connects are failing with perl-ldap (using a LDAP-Browser accessing
the LDAP-Structure of the ils server works fine).

What do I do:

Win2K: Running: net start "Site Server ILS Service"

This starts the ILS Server 3.0 (which is different to ILS 2.0). ILS is a LDAP
Directory Service running on Port 1002.

The Perl-Script (basic code):

    $ldap = Net::LDAP->new($ServerName, port => 1002);
    $msg  = $ldap->bind;    # object, not bare word 'ldap'

    @attrs = ( "giveName" );

    $ldap_result = $ldap->search(
        base   => "o=IntraNet,ou=Dynamic",
        filter => "(&(objectClass=RTPerson)(cn=%))",    # filter needs its outer parens
        attrs  => \@attrs                                # pass a reference to the list
    );

Connect is working fine. But perl-ldap stalls on bind, or search. From a ldap
call it never returns.

I tried different stuff, different base, filters, ldap versions, also different
bind/no bind.

Has anyone a hint how to solve this problem? Otherwise I have to switch from
perl-ldap to ASP stuff.

What puzzles me is that a ldap browser program (www.ldapbrowser.com) has no
problem retrieving the information (anon access).

Tnx for any help in advance
Rainer

---
Rainer Scherg
BRI/TDV6 - Internet,IntraNet,eMail
Industrial Hydraulics
Bosch Rexroth AG "The Drive & Control Company"
97813, Lohr am Main
Phone: +49-(0)9352-18-1510
Fax: +49-(0)9352-18-1500
www.boschrexroth.de
From: Eric N. <eri...@di...> - 2002-11-08 23:54:42

I've searched all over the web, but I'm stumped.

I've written a Perl application for IIS that does some LDAP work on an Active
Directory server. I'd like to use IIS' Integrated Authentication, where the end
user passes their NTLM credentials to IIS.

Now the tricky part. How do I pass on those credentials through LDAP to Active
Directory (or Exchange 5.5)?

Many thanks!
Eric
From: Quanah Gibson-M. <qu...@st...> - 2002-11-07 22:37:04

--On Thursday, November 07, 2002 2:53 PM -0500 Mark Adamson <ad...@an...> wrote:

> I just now uploaded a 0.06 module. I haven't done heavy testing of it
> since there are those anxious to get their hands on it. Appended below is
> the patch to Cyrus.xs, and you will need to tell Makefile.PL to grab the
> sasl2 library.

Okay,

A little bit further investigation reveals that I'm getting a result code in
Bind.pm of 49 (invalid credentials), not LDAP_SUCCESS, so it never creates the
securesocket. There is something simply wrong in the manner in which it is
binding to the ldap machine for this to be occurring, since I can do an
ldapsearch with my credentials without problem.

    more sasl2.pl
    #!/usr/local/bin/perl -w

    use Net::LDAP;
    use Authen::SASL;

    my $ldap = Net::LDAP->new('ldap.stanford.edu', version => 3) || die "$@";

    my $joe = Authen::SASL->new(
        mechanism => 'GSSAPI',
        host      => 'ldap.stanford.edu',
        user      => 'quanah',
        service   => 'ldap'
    );

    my $mesg = $ldap->bind('', sasl => $joe);
    $mesg->code && die $mesg->error;

    SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec context at ./sasl2.pl line 11.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Joshua J. E. <jj...@sa...> - 2002-11-07 21:16:56

Same here. Downloaded the 0.06 module -- it compiles with sasl2, but segfaults
at runtime when I call the client_new constructor:

    #!/usr/bin/perl

    use Net::LDAP;
    use Authen::SASL;
    use Authen::SASL::Cyrus;

    $ldap = Net::LDAP->new('cplant-son', onerror => 'die');
    $sasl = Authen::SASL->new();
    $conn = $sasl->client_new("ldap", "ldapserver");

-JE

-----------------------------------------------
Josh England
Sandia National Laboratory, Livermore, CA
Distributed Information Systems
email: jj...@sa...
phone: (925) 294-2076

On Thu, 2002-11-07 at 13:10, Quanah Gibson-Mount wrote:
> --On Thursday, November 07, 2002 2:53 PM -0500 Mark Adamson
> <ad...@an...> wrote:
>
> >> This is great news! Do you have a web page where you'll release the
> >> module, or will it be on CPAN?
> >
> > I just now uploaded a 0.06 module. I haven't done heavy testing of it
> > since there are those anxious to get their hands on it. Appended below is
> > the patch to Cyrus.xs, and you will need to tell Makefile.PL to grab the
> > sasl2 library.
>
> Patches applied, compiled against sasl2, SASL2 defined, and fixed the
> include for sasl.h.
>
> I still get the same exact error as before.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Quanah Gibson-M. <qu...@st...> - 2002-11-07 21:10:38

--On Thursday, November 07, 2002 2:53 PM -0500 Mark Adamson <ad...@an...> wrote:

>> This is great news! Do you have a web page where you'll release the
>> module, or will it be on CPAN?
>
> I just now uploaded a 0.06 module. I haven't done heavy testing of it
> since there are those anxious to get their hands on it. Appended below is
> the patch to Cyrus.xs, and you will need to tell Makefile.PL to grab the
> sasl2 library.

Patches applied, compiled against sasl2, SASL2 defined, and fixed the include
for sasl.h.

I still get the same exact error as before.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Mark A. <ad...@an...> - 2002-11-07 19:53:36
|
> This is great news! Do you have a web page where you'll release the > module, or will it be on CPAN? I just now uploaded a 0.06 module. I haven't done heavy testing of it since there are those anxious to get their hands on it. Appended below is the patch to Cyrus.xs, and you will need to tell Makefile.PL to grab the sasl2 library. -Mark diff -ur Authen-SASL-Cyrus-0.05/Cyrus.xs Authen-SASL-Cyrus-0.05-sasl2/Cyrus.xs --- Authen-SASL-Cyrus-0.05/Cyrus.xs Wed Jun 26 17:39:51 2002 +++ Authen-SASL-Cyrus-0.05-sasl2/Cyrus.xs Thu Oct 17 20:18:43 2002 @@ -21,7 +21,11 @@ char *mech; char *user; char *initstring; +#if defined(SASL2) + const char *errormsg; +#else char *errormsg; +#endif }; @@ -186,7 +190,10 @@ - +#ifdef SASL2 +#define SASL_IP_LOCAL 5 +#define SASL_IP_REMOTE 6 +#endif static int PropertyNumber(char *name) 
@@ -194,13 +201,30 @@ if (!strcasecmp(name, "user")) return SASL_USERNAME; else if (!strcasecmp(name, "ssf")) return SASL_SSF; else if (!strcasecmp(name, "maxout")) return SASL_MAXOUTBUF; - else if (!strcasecmp(name, "realm")) return SASL_REALM; else if (!strcasecmp(name, "optctx")) return SASL_GETOPTCTX; +#if defined(SASL2) + else if (!strcasecmp(name, "realm")) return SASL_DEFUSERREALM; + else if (!strcasecmp(name, "iplocalport")) return SASL_IPLOCALPORT; + else if (!strcasecmp(name, "ipremoteport")) return SASL_IPREMOTEPORT; + else if (!strcasecmp(name, "service")) return SASL_SERVICE; + else if (!strcasecmp(name, "serverfqdn")) return SASL_SERVERFQDN; + else if (!strcasecmp(name, "authsource")) return SASL_AUTHSOURCE; + else if (!strcasecmp(name, "mechname")) return SASL_MECHNAME; + else if (!strcasecmp(name, "authuser")) return SASL_AUTHUSER; + else if (!strcasecmp(name, "sockname")) return SASL_IP_LOCAL; + else if (!strcasecmp(name, "peername")) return SASL_IP_REMOTE; +#else + else if (!strcasecmp(name, "realm")) return SASL_REALM; else if (!strcasecmp(name, "iplocal")) return SASL_IP_LOCAL; else if (!strcasecmp(name, "sockname")) return SASL_IP_LOCAL; else if (!strcasecmp(name, "ipremote")) return SASL_IP_REMOTE; else if (!strcasecmp(name, "peername")) return SASL_IP_REMOTE; +#endif +#if defined(SASL2) + croak("Unknown SASL property: '%s' (user|ssf|maxout|realm|optctx|iplocalport|ipremoteport|service|serverfqdn|authsource|mechname|authuser)\n", name); +#else croak("Unknown SASL property: '%s' (user|ssf|maxout|realm|optctx|sockname|peername)\n", name); +#endif return -1; } @@ -360,7 +384,11 @@ CODE: { const char *mech=NULL; +#if defined(SASL2) + const char *init=NULL; +#else char *init=NULL; +#endif int rc; unsigned int initlen=0; struct authensasl *sasl; 
@@ -399,17 +427,28 @@ } sasl_client_init(NULL); - rc = sasl_client_new(sasl->service, sasl->server, sasl->callbacks, 1, &sasl->conn); + rc = sasl_client_new(sasl->service, sasl->server, 0, 0, sasl->callbacks, 1, &sasl->conn); if (rc != SASL_OK) { +#ifdef SASL2 + if (!sasl->errormsg) sasl->errormsg = sasl_errdetail(sasl->conn); +#endif if (!sasl->errormsg) sasl->errormsg = "sasl_client_new failed"; } else { +#if defined(SASL2) + rc = sasl_client_start(sasl->conn, sasl->mech, NULL, &init, &initlen, &mech); +#else rc = sasl_client_start(sasl->conn, sasl->mech, NULL, NULL, &init, &initlen, &mech); +#endif if (rc == SASL_NOMECH) { if (!sasl->errormsg) sasl->errormsg = "No mechanisms available (did you set all needed callbacks?)"; } else if ((rc != SASL_OK) && (rc != SASL_CONTINUE)) { +#ifdef SASL2 + if (!sasl->errormsg) sasl->errormsg = sasl_errdetail(sasl->conn); +#endif + if (!sasl->errormsg) sasl->errormsg = "sasl_client_start failed"; } else { @@ -424,6 +463,8 @@ + + char * client_start(sasl) struct authensasl *sasl @@ -442,7 +483,11 @@ char *instring PPCODE: { +#if defined(SASL2) + const char *outstring=NULL; +#else char *outstring=NULL; +#endif int rc; unsigned int inlen, outlen=0; @@ -457,7 +502,10 @@ sasl->errormsg = "OK"; } else if (rc != SASL_CONTINUE) { - sasl->errormsg = "sasl_client_step failed"; +#ifdef SASL2 + if (!sasl->errormsg) sasl->errormsg = sasl_errdetail(sasl->conn); +#endif + if (!sasl->errormsg) sasl->errormsg = "sasl_client_step failed"; XSRETURN_UNDEF; } XPUSHp(outstring, outlen); @@ -472,7 +520,11 @@ char *instring PPCODE: { +#if defined(SASL2) + const char *outstring=NULL; +#else char *outstring=NULL; +#endif int rc; unsigned int inlen, outlen=0; 
@@ -484,7 +536,10 @@ rc = sasl_encode(sasl->conn, instring, inlen, &outstring, &outlen); if (rc != SASL_OK) { - sasl->errormsg = "sasl_encode failed"; +#ifdef SASL2 + if (!sasl->errormsg) sasl->errormsg = sasl_errdetail(sasl->conn); +#endif + if (!sasl->errormsg) sasl->errormsg = "sasl_encode failed"; XSRETURN_UNDEF; } XPUSHp(outstring, outlen); @@ -499,7 +554,11 @@ char *instring PPCODE: { +#if defined(SASL2) + const char *outstring=NULL; +#else char *outstring=NULL; +#endif int rc; unsigned int inlen, outlen=0; @@ -511,7 +570,10 @@ rc = sasl_decode(sasl->conn, instring, inlen, &outstring, &outlen); if (rc != SASL_OK) { - sasl->errormsg = "sasl_decode failed"; +#ifdef SASL2 + if (!sasl->errormsg) sasl->errormsg = sasl_errdetail(sasl->conn); +#endif + if (!sasl->errormsg) sasl->errormsg = "sasl_decode failed"; XSRETURN_UNDEF; } XPUSHp(outstring, outlen); @@ -595,7 +657,7 @@ error(sasl) struct authensasl *sasl CODE: - RETVAL = sasl->errormsg; + RETVAL = (char *)sasl->errormsg; sasl->errormsg = NULL; OUTPUT: RETVAL @@ -671,7 +733,11 @@ struct authensasl *sasl PPCODE: { +#if defined(SASL2) + const void *value=NULL; +#else void *value=NULL; +#endif char *name; int rc, x, propnum=-1; SV *prop; 
@@ -693,17 +759,42 @@ if (rc != SASL_OK) XSRETURN_UNDEF; switch(propnum){ case SASL_USERNAME: +#if defined(SASL2) + case SASL_DEFUSERREALM: +#else case SASL_REALM: +#endif XPUSHp( (char *)value, strlen((char *)value)); break; case SASL_SSF: case SASL_MAXOUTBUF: XPUSHi((int *)value); break; +#if defined(SASL2) + case SASL_IPLOCALPORT: + case SASL_IPREMOTEPORT: + XPUSHp( (char *)value, strlen((char *)value)); + break; + case SASL_IP_LOCAL: + propnum = SASL_IPLOCALPORT; + { + char *addr = inet_ntoa( (*(struct in_addr *)value)); + XPUSHp( addr, strlen(addr)); + } + break; + case SASL_IP_REMOTE: + propnum = SASL_IPREMOTEPORT; + { + char *addr = inet_ntoa( (*(struct in_addr *)value)); + XPUSHp( addr, strlen(addr)); + } + break; +#else case SASL_IP_LOCAL: case SASL_IP_REMOTE: XPUSHp( (char *)value, sizeof(struct sockaddr_in)); break; +#endif default: XPUSHi(-1); } @@ -725,6 +816,9 @@ } rc = sasl_setprop(sasl->conn, propnum, value); if (rc != SASL_OK) { +#ifdef SASL2 + if (!sasl->errormsg) sasl->errormsg = sasl_errdetail(sasl->conn); +#endif if (!sasl->errormsg) sasl->errormsg="sasl_setprop failed"; RETVAL = 1; } @@ -746,7 +840,9 @@ } if (sasl->service) free(sasl->service); if (sasl->mech) free(sasl->mech); +#ifndef SASL2 if (sasl->errormsg) free(sasl->errormsg); +#endif if (sasl->initstring)free(sasl->initstring); free(sasl); |
From: Joshua J. E. <jj...@sa...> - 2002-11-07 18:43:33
This is great news! Do you have a web page where you'll release the module, or will it be on CPAN?

-JE

On Thu, 2002-11-07 at 10:29, Mark Adamson wrote:
> Gents,
>
> The problem you're seeing is with the SASL versions. The perl module
> uses SASL V1 calls into the libsasl, and you're linking with SASL V2
> libraries. Another developer has sent me some patches to make the perl
> module V2 aware; I'll be looking into getting a new module out soon.
>
> -Mark
From: Mark A. <ma...@nb...> - 2002-11-07 18:29:34
Gents,

The problem you're seeing is with the SASL versions. The perl module uses SASL V1 calls into the libsasl, and you're linking with SASL V2 libraries. Another developer has sent me some patches to make the perl module V2 aware; I'll be looking into getting a new module out soon.

-Mark
From: Quanah Gibson-M. <qu...@st...> - 2002-11-07 18:02:14
--On Thursday, November 07, 2002 9:48 AM -0800 "Joshua J. England" <jj...@sa...> wrote:

> Environment:
> perl-ldap-0.26
> Authen-SASL-2.02
> cyrus-sasl-2.1.7
>
> I am trying to write some perl scripts to manipulate data in my LDAP
> directory that authenticates with Cyrus SASL (DIGEST-MD5). Nothing I'm
> trying seems to work though. When I try to run my program I get:
>
> No SASL mechanism found
> at /usr/lib/perl5/site_perl/5.6.1/Authen/SASL.pm line 62
>
> When I try the EXTERNAL mechanism I get:
>
> SASL(-4): no mechanism available: External SSF not good enough
>
> I've tried installing Authen-SASL-Cyrus-0.05, but it will not even
> compile and doesn't seem to support libsasl2. I've hacked it out enough
> to make it compile, but I get a segfault when running. I think it just
> won't work with sasl2.
>
> Has anyone gotten authentication to work with Cyrus SASL and libsasl2?
> Is anything obviously wrong?
>
> #!/usr/bin/perl
> use Net::LDAP;
> use Authen::SASL;
> #use Authen::SASL::Cyrus;
>
> # Initiate LDAP session
> $ldap = Net::LDAP->new('ldapserver', onerror => 'die');
> $sasl = Authen::SASL->new(
>     mechanism => 'DIGEST-MD5',
>     callback => {
>         pass => \&fetch_password,
>         user => $user,
>     }
> );
>
> #$conn = $sasl->client_new('ldap', 'ldapserver');

Josh,

I've been working on a similar problem with GSSAPI authentication. From what I can tell, there is some problem with how the Net::LDAP piece is setting up the bind to the ldapserver.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Joshua J. E. <jj...@sa...> - 2002-11-07 17:54:06
Environment:
perl-ldap-0.26
Authen-SASL-2.02
cyrus-sasl-2.1.7

I am trying to write some perl scripts to manipulate data in my LDAP directory that authenticates with Cyrus SASL (DIGEST-MD5). Nothing I'm trying seems to work though. When I try to run my program I get:

No SASL mechanism found
at /usr/lib/perl5/site_perl/5.6.1/Authen/SASL.pm line 62

When I try the EXTERNAL mechanism I get:

SASL(-4): no mechanism available: External SSF not good enough

I've tried installing Authen-SASL-Cyrus-0.05, but it will not even compile and doesn't seem to support libsasl2. I've hacked it out enough to make it compile, but I get a segfault when running. I think it just won't work with sasl2.

Has anyone gotten authentication to work with Cyrus SASL and libsasl2? Is anything obviously wrong?

#!/usr/bin/perl
use Net::LDAP;
use Authen::SASL;
#use Authen::SASL::Cyrus;

# Initiate LDAP session
$ldap = Net::LDAP->new('ldapserver', onerror => 'die');
$sasl = Authen::SASL->new(
    mechanism => 'DIGEST-MD5',
    callback => {
        pass => \&fetch_password,
        user => $user,
    }
);

#$conn = $sasl->client_new('ldap', 'ldapserver');

-JE
-----------------------------------------------
Josh England
Sandia National Laboratory, Livermore, CA
Distributed Information Systems
email: jj...@sa...
phone: (925) 294-2076
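An added example, not code from Josh's post or from perl-ldap, showing the step the posted script stops before: the Authen::SASL object is handed to Net::LDAP's bind(sasl => ...) rather than driven by hand through client_new. The host, account, CA file and LDAP_* environment variable names are placeholders, and the optional start_tls step is an addition beyond what the thread discusses.

```perl
#!/usr/bin/perl
# Added example (not from the thread): SASL-authenticate to an LDAP server
# with Net::LDAP + Authen::SASL.  Host, account, CA file and the LDAP_*
# environment variables below are placeholders to fill in.
use strict;
use warnings;
use Net::LDAP;
use Authen::SASL;

# Connects, optionally upgrades to TLS, then SASL-binds.  Returns the bound
# Net::LDAP handle or dies with the server's own error text, so a failed
# bind can never be mistaken for a successful one.
sub sasl_bind {
    my (%arg) = @_;
    my $mech = $arg{mechanism} || 'DIGEST-MD5';   # 'GSSAPI' also fits here
                                                  # once kinit has a ticket
    my $ldap = Net::LDAP->new($arg{host}, version => 3)
        or die "connect to $arg{host} failed: $@";

    # DIGEST-MD5 is weak on its own (RFC 6331 retired it); when a CA file is
    # supplied, wrap the session in TLS with certificate verification first.
    if ($arg{cafile}) {
        my $tls = $ldap->start_tls(verify => 'require', cafile => $arg{cafile});
        die "start_tls failed: " . $tls->error if $tls->code;
    }

    # Callbacks are consulted by the mechanism when it needs a value; a code
    # ref for 'pass' keeps the secret out of the source file.
    my $sasl = Authen::SASL->new(
        mechanism => $mech,
        callback  => { user => $arg{user}, pass => $arg{pass} },
    );

    # The step the posted script stops short of: pass the SASL object to
    # bind().  Net::LDAP runs client_new/client_start/client_step itself.
    my $mesg = $ldap->bind(sasl => $sasl);
    die sprintf("SASL %s bind failed (code %d): %s\n",
                $mech, $mesg->code, $mesg->error) if $mesg->code;
    return $ldap;
}

my $ldap = sasl_bind(
    host      => 'ldapserver',              # placeholder host name
    user      => $ENV{LDAP_USER},
    pass      => sub { $ENV{LDAP_PASS} },   # called only when needed
    mechanism => 'DIGEST-MD5',
    cafile    => $ENV{LDAP_CAFILE},         # optional; enables start_tls
);
print "SASL bind succeeded\n";
$ldap->unbind;
```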
From: Quanah Gibson-M. <qu...@st...> - 2002-11-07 15:04:40
--On Thursday, November 07, 2002 5:58 AM -0800 Quanah Gibson-Mount <qu...@St...> wrote:

>
> --On Thursday, November 07, 2002 1:44 AM -0600 "Gerald (Jerry) Carter"
> <je...@sa...> wrote:
>
>> On Tue, 5 Nov 2002, Quanah Gibson-Mount wrote:
>>
>>> has _anyone_ gotten GSSAPI with Cyrus-SASL to work with the Net::LDAP,
>>> Authen::SASL, and Authen::SASL::Cyrus modules to work? There seems to
>>> be something seriously broken in the current implementation somewhere
>>> between Net::LDAP and Authen::SASL when working with the
>>> Authen::SASL:Cyrus & its security properties.
>>>
>>> All I ever get is the error:
>>>
>>> SASL(-13): authentication failure: GSSAPI Failure:
>>> gss_accept_sec_context at ./sasl2.pl line 11.
>>>
>>> Using perl-ldap 0.26
>>> Authen-SASL-2.02
>>> Authen-SASL-Cyrus-0.05
>>
>> Did you run kinit first ?
>
> Yes, and I have a valid K5 ticket. Using ldapsearch with GSSAPI I can
> bind to my openldap servers without problem.

One other quick note -- It gets far enough along in the exchange to get an ldap/<host> tgt.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Quanah Gibson-M. <qu...@st...> - 2002-11-07 13:59:00
--On Thursday, November 07, 2002 1:44 AM -0600 "Gerald (Jerry) Carter" <je...@sa...> wrote:

> On Tue, 5 Nov 2002, Quanah Gibson-Mount wrote:
>
>> has _anyone_ gotten GSSAPI with Cyrus-SASL to work with the Net::LDAP,
>> Authen::SASL, and Authen::SASL::Cyrus modules to work? There seems to
>> be something seriously broken in the current implementation somewhere
>> between Net::LDAP and Authen::SASL when working with the
>> Authen::SASL:Cyrus & its security properties.
>>
>> All I ever get is the error:
>>
>> SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context at ./sasl2.pl line 11.
>>
>> Using perl-ldap 0.26
>> Authen-SASL-2.02
>> Authen-SASL-Cyrus-0.05
>
> Did you run kinit first ?

Yes, and I have a valid K5 ticket. Using ldapsearch with GSSAPI I can bind to my openldap servers without problem.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Gerald (J. C. <je...@sa...> - 2002-11-07 07:44:40
On Tue, 5 Nov 2002, Quanah Gibson-Mount wrote:

> has _anyone_ gotten GSSAPI with Cyrus-SASL to work with the Net::LDAP,
> Authen::SASL, and Authen::SASL::Cyrus modules to work? There seems to be
> something seriously broken in the current implementation somewhere between
> Net::LDAP and Authen::SASL when working with the Authen::SASL:Cyrus & its
> security properties.
>
> All I ever get is the error:
>
> SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
> at ./sasl2.pl line 11.
>
> Using perl-ldap 0.26
> Authen-SASL-2.02
> Authen-SASL-Cyrus-0.05

Did you run kinit first ?

cheers, jerry
---------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 "SAMS Teach Yourself Samba in 24 Hours" 2ed
"I never saved anything for the swim back." Ethan Hawk in Gattaca