From: Quanah Gibson-M. <qu...@st...> - 2002-11-05 18:44:04
Just out of curiosity, has _anyone_ gotten GSSAPI with Cyrus-SASL to work with the Net::LDAP, Authen::SASL, and Authen::SASL::Cyrus modules? There seems to be something seriously broken in the current implementation somewhere between Net::LDAP and Authen::SASL when working with Authen::SASL::Cyrus and its security properties. All I ever get is the error:

    SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context at ./sasl2.pl line 11.

Using perl-ldap 0.26, Authen-SASL-2.02, Authen-SASL-Cyrus-0.05

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Jim H. <ha...@us...> - 2002-11-04 21:31:01
This all depends on what the 2 servers are and how they store passwords. If they are the same 'brand' of server, there may be tools included by the manufacturer. For many pairs of servers the only feasible thing to do is to capture password changes just before they are committed to a server. Some server vendors sell add-on tools that capture at their server as long as you do it their way.

We have opted to have a home grown web page for changing passwords and telling the users that the web page is the right way to change passwords. We also have a nightly script that looks at when passwords are about to expire and sends email to the users at specific intervals before the expiration, giving the URL of the password changing page.

The password changing script has roughly the following logic:

  If authenticated binds succeed for either serverA or serverB, consider the user validated.
  If both succeed, use those binds for password changing.
  If only one succeeds, then use a reasonably well hidden DN/password of a privileged account to bind to the one that failed.
  If the password change operation fails for a server, encrypt the dn and password and failed server name for later processing.

--Jim Harle

On Mon, 4 Nov 2002, karl rossing wrote:
> Hi,
>
> I don't really want to re-invent the wheel here.
>
> I've got 2 LDAP servers. I want to synchronise the
> passwd attribute for users in server a with the
> attribute in serverB. Also if the user on server 1
> does not exist on server 2 do nothing.
>
> Container names/path would not be the same on both
> servers.
>
> I'm wondering if there are any prebuilt tools that do
> it.
>
> Thanks
>
> Karl
From: karl r. <un...@ya...> - 2002-11-04 20:15:34
Hi,

I don't really want to re-invent the wheel here.

I've got 2 LDAP servers. I want to synchronise the passwd attribute for users in server a with the attribute in serverB. Also if the user on server 1 does not exist on server 2 do nothing.

Container names/path would not be the same on both servers.

I'm wondering if there are any prebuilt tools that do it.

Thanks

Karl
From: Chris R. <chr...@ma...> - 2002-11-04 13:09:41
On 4/11/02 9:10 am, pau...@cp... <pau...@cp...> wrote:

> Jeffery-
> You need to examine the arguments you pass to the search method - see
> perldoc net::ldap for full details. You might try something like:
>
>     $result = $ldap->search (
>                  base   => $searchString,
>                  filter => "(objectclass=*)",
>                  attrs  => $attrs );
>
> Regards,
>
> Paul.

Jeffery was actually binding as $searchString as well, so it probably isn't the right base to use for the search. I don't know enough about Active Directory to know what a good search base for it might be :-(

Cheers,

Chris
From: Chris R. <C.G...@Br...> - 2002-11-04 12:00:25
This confused me for a while too when I got started with LDAP. I now use the following two functions so I can test by true or false in my main loop plus print meaningful error codes:

    use Net::LDAP;
    use Net::LDAP::Util qw(ldap_error_name ldap_error_text);

    # Connect and bind.  Returns the Net::LDAP handle on success, or 0
    # after printing the server's error when the bind fails.
    sub LDAPConnect {
        my ($Server, $Account, $Password) = @_;
        my $LDAP = Net::LDAP->new($Server) || die "Cannot connect to $Server\n";
        my $mesg = $LDAP->bind(dn => $Account, password => $Password);
        LDAPError("Binding", $mesg) if $mesg->code();
        return 0 if $mesg->code();
        return $LDAP;
    }

    # Print the result code, its symbolic name and text, the message id
    # and the matched DN of a failed Net::LDAP::Message to STDERR.
    sub LDAPError {
        my ($from, $mesg) = @_;
        print STDERR "\n";
        print STDERR "Error while $from\n";
        print STDERR "Return code: ", $mesg->code, "\n";
        print STDERR "Message: ", ldap_error_name($mesg->code);
        print STDERR " : ", ldap_error_text($mesg->code), "\n";
        print STDERR "MessageID: ", $mesg->mesg_id, "\n";
        print STDERR "DN: ", ($mesg->dn || ''), "\n";
        print STDERR "\n";
    }

HTH,

Chris.
From: <pau...@cp...> - 2002-11-04 09:10:56
Jeffery-

You need to examine the arguments you pass to the search method - see perldoc net::ldap for full details. You might try something like:

    $result = $ldap->search (
                 base   => $searchString,
                 filter => "(objectclass=*)",
                 attrs  => $attrs );

Regards,

Paul.
From: Jeffery H. <je...@uv...> - 2002-11-04 02:27:39
Hello! Chris,

This is my code:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Net::LDAP;
    use Net::LDAP::Util qw(ldap_error_text ldap_error_name ldap_error_desc);

    my $ldap = Net::LDAP->new("localhost") or die "Initial LDAP error";

    my $mesg = $ldap->bind( 'CN=HuangJeffery,CN=Users,DC=mydomain,DC=com',
                            password => '1234' );

    if ( $mesg->is_error ) {
        print "bind failed\n";
        print ldap_error_name( $mesg->code ), "\n";
    }
    else {
        print "bind successful\n";
        print ldap_error_name( $mesg->code ), "\n";
    }

    # if they don't pass an array of attributes...
    # set up something for them
    my $searchString = "cn=HuangJeffery,cn=Users,dc=mydomain,dc=com";
    my $attrs = ['mobile'];

    # the DN is passed as the filter and no base is given
    my $result = $ldap->search( scope  => "sub",
                                filter => "$searchString",
                                attrs  => $attrs );

    if ( $result->code ) {
        print ldap_error_name( $result->code ), "\n";
    }
    else {
        my $href = $result->as_struct;

        # get an array of the DN names
        my @arrayOfDNs = keys %$href;    # use DN hashes

        # process each DN using it as a key
        foreach (@arrayOfDNs) {
            print $_, "\n";
            my $valref = $$href{$_};

            # get an array of the attribute names
            # passed for this one DN.
            my @arrayOfAttrs = sort keys %$valref;    # use Attr hashes
            foreach my $attrName (@arrayOfAttrs) {
                # skip any binary data: yuck!
                next if ( $attrName =~ /;binary$/ );

                # get the attribute value (array ref) using the
                # attribute name as the hash key
                my $attrVal = $valref->{$attrName};
                print "\t $attrName: @$attrVal \n";
            }
            print "#-------------------------------\n";
            # End of that DN
        }
        #
        # end of as_struct method
        #
        #--------

        #------------
        #
        # handle each of the results independently
        # ... i.e. using the walk through method
        my @entries = $result->entries;

        foreach my $entr (@entries) {
            print "DN: ", $entr->dn, "\n";

            foreach my $attr ( sort $entr->attributes ) {
                # skip binary we can't handle
                next if ( $attr =~ /;binary$/ );
                print " $attr : ", $entr->get_value($attr), "\n";
            }
            print "#-------------------------------\n";
        }
    }
    $ldap->unbind;
    1;
From: Chris R. <chr...@ma...> - 2002-11-03 06:32:34
On 3/11/02 3:23 am, Jeffery Huang <je...@uv...> wrote:
> Dear all,
> I tried to write a simple program to query microsoft active
> directory data use Net::LDAP.
> I have binded it successful, but I cannot query it! I use the same
> command from ldap browser,
> it can query my data. my query string like that:
>
> $querystring = "cn=HuangJeffery,cn=Users,dc=mydomain,dc=com";
>
> What's problem here! does anyone success to access AD use perl module?
> How to use it!

I don't know what you mean by a query string. LDAP searches have search bases and search filters (and a few other things) but no query strings. Can you send us the exact parameters that you send to $ldap->search()?

Cheers,

Chris
From: Jeffery H. <je...@uv...> - 2002-11-03 03:26:51
Dear all,

I tried to write a simple program to query Microsoft Active Directory data using Net::LDAP. I have bound successfully, but I cannot query it! I use the same command from an LDAP browser and it can query my data. My query string is like this:

    $querystring = "cn=HuangJeffery,cn=Users,dc=mydomain,dc=com";

What's the problem here? Has anyone succeeded in accessing AD using the perl module? How do I use it!

Thank you!

Regards,
Jeffery
From: Kartik S. <sub...@co...> - 2002-11-03 01:54:14
I have checked in an updated version of ldifdiff.pl (in the contrib directory) where attribute value comparisons are speeded up significantly. I estimate a 5x speedup in many situations.

Enjoy,
-Kartik
From: Capacio, P. J <PCA...@am...> - 2002-11-01 16:28:20
On Fri, Nov 01, 2002 at 09:40:33AM -0600, Capacio, Paula J wrote:
>> Hi,
>> What's the best way to see if the BIND was successful?
>> I coded...
>> $ldapAsME->bind( dn => $entry, password => $myPWD) or die "$@";
>> ###I'm not dying when I pass a bad PWD....why ???
>>
>On Friday, November 01, 2002 10:11 AM, Graham Barr wrote:
>Because your code is wrong. ->bind does not return a true/false result.
>All methods return a message object which you must use to determine
>success by looking at the code.
>
> http://search.cpan.org/author/GBARR/perl-ldap-0.26/lib/Net/LDAP.pod#METHODS
>

Thanks Graham!
I do check the $mesg code on all other calls, I didn't realize it applied to the bind as well!
Thanks, my code works like a charm now!
From: Graham B. <gb...@po...> - 2002-11-01 16:10:38
On Fri, Nov 01, 2002 at 09:40:33AM -0600, Capacio, Paula J wrote:
> Hi,
> What's the best way to see if the BIND was successful?
> I coded...
> $ldapAsME->bind( dn => $entry, password => $myPWD) or die "$@";
> ###I'm not dying when I pass a bad PWD....why ???

Because your code is wrong. ->bind does not return a true/false result. All methods return a message object which you must use to determine success by looking at the code.

http://search.cpan.org/author/GBARR/perl-ldap-0.26/lib/Net/LDAP.pod#METHODS

Graham.
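Putting Graham's point (check the result code on the message object, not the return value of bind) together with the search-base advice from the Active Directory thread above, here is an added example; it is not code from any message in this archive. It assumes the server, bind DN and password are supplied in the environment variables LDAP_HOST, LDAP_BINDDN and LDAP_PASSWORD, and the function names are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS LDAP_NO_SUCH_OBJECT);
use Net::LDAP::Util qw(ldap_error_name ldap_error_text);

# Bind as a user.  bind() always returns a Net::LDAP::Message; the result
# code on that object is the only indication of success or failure.
# A DN with an empty password is an "unauthenticated" bind, which many
# servers accept and treat as anonymous: the code would be LDAP_SUCCESS
# although nobody was authenticated, so it is refused before the call.
sub bind_user {
    my ($ldap, $dn, $password) = @_;
    die "refusing to bind $dn with an empty password (would be anonymous)\n"
        unless defined $password && length $password;

    my $mesg = $ldap->bind($dn, password => $password);
    return $mesg if $mesg->code == LDAP_SUCCESS;

    my $why = $mesg->code == LDAP_INVALID_CREDENTIALS
        ? 'wrong DN or password'
        : ldap_error_text($mesg->code);
    die sprintf "bind as %s failed: %s (%d): %s\n",
        $dn, ldap_error_name($mesg->code), $mesg->code, $why;
}

# Read a single entry whose DN is already known: the DN is the search
# *base* with scope 'base' and a match-all filter, not the filter itself.
# Returns the Net::LDAP::Entry, or undef if the server reports no such object.
sub read_entry_by_dn {
    my ($ldap, $dn, $attrs) = @_;
    my $result = $ldap->search(
        base   => $dn,
        scope  => 'base',
        filter => '(objectClass=*)',
        attrs  => $attrs,
    );
    return undef if $result->code == LDAP_NO_SUCH_OBJECT;
    die sprintf "search for %s failed: %s: %s\n", $dn,
        ldap_error_name($result->code), ldap_error_text($result->code)
        if $result->code;
    return $result->entry(0);    # undef when the server returned nothing
}

my $host = $ENV{LDAP_HOST} || 'localhost';
my $dn   = $ENV{LDAP_BINDDN} or die "set LDAP_BINDDN to the user's DN\n";
my $pw   = $ENV{LDAP_PASSWORD};    # deliberately no default

my $ldap = Net::LDAP->new($host) or die "cannot connect to $host: $@\n";
bind_user($ldap, $dn, $pw);

# Read the user's own entry, which is what the Active Directory thread tried.
my $entry = read_entry_by_dn($ldap, $dn, ['cn', 'mobile', 'mail']);
if ($entry) {
    print "DN: ", $entry->dn, "\n";
    for my $attr (sort $entry->attributes) {
        next if $attr =~ /;binary$/;    # skip attributes carrying binary data
        print "  $attr: ", join(', ', $entry->get_value($attr)), "\n";
    }
}
else {
    print "no entry at $dn\n";
}
$ldap->unbind;
```

A wrong password now stops the script at the bind with the server's result code, instead of continuing into an undefined entry as in the error quoted further down the thread.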
From: Capacio, P. J <PCA...@am...> - 2002-11-01 15:53:35
b.r,

I'm not sure what you're telling me. When I pass the correct password, things work fine. I can use the $ldapAsME handle to search and retrieve results. Is there a way for me to tell if my valid uid/password is resulting in an anonymous identity?

Regardless, when I pass a bad password, I want the script to stop, but it continues with the search and gets:

    Can't call method "attributes" on an undefined value at U:\Perl_Info\ActiveDir3.pl line 18.

Paula

-----Original Message-----
From: Behruz RUSHENAS [mailto:beh...@cp...]
Sent: Friday, November 01, 2002 9:45 AM
To: Capacio, Paula J; Perl-LDAP Mail list (E-mail)
Subject: RE: How to check results of BIND

I guess your Directory DSA should consider you as an "anonymous" identity.

b.r
From: Behruz R. <beh...@cp...> - 2002-11-01 15:45:27
I guess your Directory DSA should consider you as an "anonymous" identity.

b.r

Mr Behruz RUSHENAS
Consulting Architect
Critical Path Inc.
3420 Ocean Park Blvd. Suite 2010
Santa Monica, CA 90405
310 752 3286 (Direct)
310 717 2437 (Mobile)
310 581 8138 (Fax)
E-mail: beh...@cr...
www.cp.net
Critical Path Inc. A global leader in digital communications software and services
From: Capacio, P. J <PCA...@am...> - 2002-11-01 15:40:41
Hi,
What's the best way to see if the BIND was successful?
I coded...

    $ldapAsME->bind( dn => $entry, password => $myPWD) or die "$@";
    ###I'm not dying when I pass a bad PWD....why ???

TIA
Paula
From: Peter M. <pet...@ma...> - 2002-10-25 15:01:21
Hi Norbert,

you are right if you feed canonical_dn() the DN as an array ref (as described in the man page), but sometimes it is useful to have the (de-)quoting functions as standalone routines.

Maybe Graham will reorg his code a bit to have similar functions as separate routines ;-))

Yours / Schönes Wochenende
Peter

On Friday 25 October 2002 16:19, you wrote:
> > It provides 4 functions
> > * quoteFilterValue(@)
> > * unquoteFilterValue(@)
> > * quoteDNValue(@)
> > * unquoteDNValue(@)
>
> These functions for DNs are already part of Net::LDAP::Utils. E.g.
> canonical_dn can be used to construct a correctly encoded DN from RDN
> values.
>
> Mit freundlichen Grüßen / Best Regards
>
> Norbert Klasen
> Avinci - The Know-How Company
> http://www.avinci.biz

--
Peter Marschall | eMail: pet...@ma...
Scheffelstraße 15 | pet...@is...
97072 Würzburg | Tel: 0931/14721
PGP: D7 FF 20 FE E6 6B 31 74 D1 10 88 E0 3C FE 28 35
From: <Nor...@av...> - 2002-10-25 14:45:42
Hi Martin,

> i want to add an attribute to an entry. The attribute should
> be visible and encode the content like the given attribute userPassword.
> I've created an attribute called initpw with the same
> definition as the attribute userPassword. The syntax is 'binary octet'.

The Syntax of "userPassword" is "octet string".

> I try to add content to the attribute initpw with the code line:
>
>     $ldap->modify( $dnldap, add => { initpw => $ipw })
>
> When I take a look at the directory I always see the attribute
> encoded in cleartext, neither hashed nor in binary format. My questions are:
> How can I tell the modify method to give a binary attribute
> to the LDAP?

Some servers, e.g. Netscape, automatically apply a hash function when values of the "userPassword" attribute are added or modified. Strictly speaking this behavior does not conform to the X.500 information model. Normally a server returns the same data you store to it, whether it is a pure ASCII string or arbitrary data.

What you see as "binary" data is probably the Base64 encoding of the hashed password. For your custom attribute "initpw", you'll have to hash the password string yourself and then store the result to the LDAP server.

Mit freundlichen Grüßen / Best Regards

Norbert Klasen
Avinci - The Know-How Company
http://www.avinci.biz
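Norbert's advice to hash the value yourself, as an added example that is not code from the thread or from perl-ldap: it produces the {SSHA} form that directory servers write into userPassword (base64 of a salted SHA-1 digest followed by the salt), so a custom attribute such as initpw can hold the same encoding, and it verifies a password against such a value. The function names, the fixed test salt and the sample password are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# {SSHA}: base64( SHA-1(password || salt) || salt ).  The salt is appended
# in clear so that check_ssha can recompute the digest later.
sub make_ssha {
    my ($password, $salt) = @_;
    $salt = random_salt(8) unless defined $salt;
    return '{SSHA}' . encode_base64(sha1($password . $salt) . $salt, '');
}

# Verify a password against a stored {SSHA} value.  Returns 1 or 0.
sub check_ssha {
    my ($password, $stored) = @_;
    return 0 unless defined $stored && $stored =~ /^\{SSHA\}(\S+)$/;
    my $raw = decode_base64($1);
    return 0 if length($raw) <= 20;    # needs a 20-byte digest plus a salt
    my $digest = substr($raw, 0, 20);
    my $salt   = substr($raw, 20);
    return bytes_equal(sha1($password . $salt), $digest);
}

# Compare two byte strings without stopping at the first differing byte.
sub bytes_equal {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Salt from the kernel's random device; Perl's rand() is not suitable here.
sub random_salt {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!\n";
    read($fh, my $salt, $n) == $n or die "short read from /dev/urandom\n";
    close $fh;
    return $salt;
}

# Self-check with a fixed salt so the output is reproducible (constructed
# password and salt, not real credentials).
my $hashed = make_ssha('s3cret', 'saltsalt');
die "round trip failed"       unless check_ssha('s3cret', $hashed);
die "wrong password accepted" if     check_ssha('S3CRET', $hashed);
die "junk accepted"           if     check_ssha('s3cret', '{SSHA}AAAA');
print "$hashed\n";

# Storing the value is then an ordinary modify; the server sees an opaque
# string and applies no hashing of its own to a custom attribute:
#   $ldap->modify($dn, replace => { initpw => make_ssha($cleartext) });
# Salted SHA-1 is what the directory format defines, not a slow password
# hash, so read access to initpw should be restricted as tightly as
# read access to userPassword.
```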
From: <Nor...@av...> - 2002-10-25 14:18:04
Hi Peter,

> I was having the same problem a few months ago, so I wrote
> a module for my private use and use in my company.
>
> It provides 4 functions
> * quoteFilterValue(@)
> * unquoteFilterValue(@)
> * quoteDNValue(@)
> * unquoteDNValue(@)
>
> The functions with Filter in their names operate on strings
> that are going to be pattern parts of LDAP filters,
> while the functions with DN in their name operate
> on strings that are to become RDN values.

These functions for DNs are already part of Net::LDAP::Utils. E.g. canonical_dn can be used to construct a correctly encoded DN from RDN values.

Mit freundlichen Grüßen / Best Regards

Norbert Klasen
Avinci - The Know-How Company
http://www.avinci.biz
From: Peter M. <pet...@ma...> - 2002-10-24 15:18:51
Hi,

On Thursday 24 October 2002 14:51, Graham Barr wrote:
> > I was just wondering if there was a method in Net::LDAP::Filter to
> > do this, I take it the answer is no. (Note, remember to convert the
> > '\' first!)
>
> There is no method to do the escaping, but one might be useful to add.

I was having the same problem a few months ago, so I wrote a module for my private use and use in my company.

It provides 4 functions
* quoteFilterValue(@)
* unquoteFilterValue(@)
* quoteDNValue(@)
* unquoteDNValue(@)

The functions with Filter in their names operate on strings that are going to be pattern parts of LDAP filters, while the functions with DN in their name operate on strings that are to become RDN values.

I do not exactly know if they are correct, but in our company we use them regularly. Maybe they can become a part of a future Net::LDAP::Util ;-))

(the first version of Net::LDAP::extraTools contained routines to split DNs, but now that these are in Net::LDAP::Util, I cut them out. Maybe I can get rid of this extraTools module ;-)

Yours
Peter

--
Peter Marschall | eMail: pet...@ma...
Scheffelstraße 15 | pet...@is...
97072 Würzburg | Tel: 0931/14721
PGP: D7 FF 20 FE E6 6B 31 74 D1 10 88 E0 3C FE 28 35
From: Graham B. <gb...@po...> - 2002-10-24 12:58:22
Net::LDAP has not used Convert::BER for a long time, it changed to Convert::ASN1 a long time ago. The internal data-structure of the Filter object is the data structure expected by the ASN1 encode as described by the ASN1 definition in Net::LDAP::ASN

Graham.

On Tue, Oct 22, 2002 at 03:19:43PM -0700, Yary Hluchan wrote:
> Once upon a time my LDAP server used Net::LDAP::BER->read to get and
> parse binary data all at once. It then used the "tag" and "decode"
> methods to see what it had to do.
>
> Now I'm converting to an OpenLDAP server w/a perl backend. The filter
> is passed as a flat string. I see that Net::LDAP::Filter will parse
> the string for me- but after that, I'm lost. What do I do with the
> Filter object? I would like to turn it into a BER object so I can
> re-use my code, but if there was any other way to traverse the tree
> I can use that too.
>
> I could use the internal representation of the Filter object, looks
> pretty straightforward, but don't want to be doing something undocumented
> that could break.
>
> -y
>
> ~~~~~
> The Moon is Waning Gibbous (99% of Full)
From: Graham B. <gb...@po...> - 2002-10-24 12:55:19
On Tue, Oct 22, 2002 at 02:20:35PM -0400, ti...@uc... wrote:
> No, the dn of the user is not available. The dn in the cert is not the
> dn of user in the directory. In this case, I HAVE to use the cert in
> the filter, it is the only thing guaranteed to be unique that I have
> access to at this point.
>
> Since the usercertificate entry is indexed in the directory, a search
> works just fine, as long as the 5 characters ('*','(',')','\', and 'nul')
> mentioned in RFC 2254 are converted beforehand, as detailed in
> the RFC.
>
> I was just wondering if there was a method in Net::LDAP::Filter to
> do this, I take it the answer is no. (Note, remember to convert the
> '\' first!)

There is no method to do the escaping, but one might be useful to add.

It also used to be possible to build a filter without going via the string form, but that got dropped when we moved from Convert::BER to Convert::ASN1. As nobody screamed I assumed nobody was using it.

Graham.
From: Graham B. <gb...@po...> - 2002-10-24 12:50:44
On Thu, Oct 10, 2002 at 07:00:48PM +0200, Peter Marschall wrote:
> Hi,
>
> please forget my previous mail.
> Here is a more correct version of the patch

Thanks, applied.

> > PS: Graham, the current version of perl-ldap according to the
> > perl-ldap.sf.net home page is still 0.25.

Hm, I should fix that.

Graham.
From: Chris R. <chr...@ma...> - 2002-10-24 12:39:30
On 24/10/02 1:24 pm, pau...@cp... <pau...@cp...> wrote:
>> Typically it isn't possible to use a certificate in a search filter. Well
>> you might be able to on some servers, but as there aren't any real standards
>> in this area yet you'd be best off avoiding it for now.
>
> It is possible to perform a search on a binary attribute via LDAP by escaping
> the binary values of the cert in the filter appropriately. See

You could try that, however since there is no standardized equality matching rule defined for the userCertificate attribute there's no guarantee what the server's going to do, which was my point.

I'll raise your RFC with another ;-) - from RFC 2256:

-----
5.37. userCertificate

   This attribute is to be stored and requested in the binary form, as
   'userCertificate;binary'.

   ( 2.5.4.36 NAME 'userCertificate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
-----

I believe there's work going on in the PKIX groups to define certificate matching rules.

Cheers,

Chris
From: <pau...@cp...> - 2002-10-24 12:24:56
>-- Original Message --
>Subject: Re: Net::LDAP::Filter question
>From: Chris Ridd <chr...@ma...>
>To: <ti...@uc...>, <per...@li...>
>Date: Tue, 22 Oct 2002 12:32:24 +0100
>
>On 22/10/02 12:14 pm, ti...@uc... <ti...@uc...> wrote:
>
>> I am working on a script that starts with a server cert and proxies as a user.
>> To do this I need to determine which user presented his cert to the web server.
>> The web server puts the cert (MIME base 64 encoded) into the environment. It also
>> puts other things like the user's CN, but that is not unique. So I need to do a
>> search on the usercertificate;binary. I extract the cert from the env, then decode it.
>>
>> If I use regexs to replace the characters described by RFC 2254 with the
>> proper encoding, everything works. Since this is sample code for others, I would
>> like to use Net::LDAP::Filter, but so far I can't seem to get it to work.
>>
>> Is there an option to get Net::LDAP::Filter to do the encoding?
>>
>> I would like to do something like:
>>
>>     $filter = Net::LDAP::Filter->new("(usercertificate=$webcert)");
>>     $mesg = $ldap->search( base   => 'the base',
>>                            scope  => 'sub',
>>                            filter => $filter);
>>
>> Is this a change or is it possible now?
>
>Typically it isn't possible to use a certificate in a search filter. Well
>you might be able to on some servers, but as there aren't any real standards
>in this area yet you'd be best off avoiding it for now.

It is possible to perform a search on a binary attribute via LDAP by escaping the binary values of the cert in the filter appropriately. See http://www.ietf.org/rfc/rfc2254.txt for details.

e.g. (usercertificate=\01\00\03)

Make sure usercertificate is indexed appropriately.

>Does the entry containing the cert have a DN of the cert's subject name?
>
>I posted some snippets which decoded certs (including the subject and issuer
>DNs) to this list a while back. If you can't find them in the archives, I'll
>have a hunt to see if I've still got 'em.
>
>Cheers,
>
>Chris
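The escaping that this thread says Net::LDAP::Filter does not do for you, as an added example that is not code from the thread or from perl-ldap: RFC 2254 escaping of a text value and of a raw binary value such as a DER certificate, with the backslash handled in the same pass so it is never re-escaped (the ordering caveat raised above), and a check that the result parses as a single assertion. The sample bytes and the hostile input are constructed; `escape_filter_value` and `escape_filter_bytes` are this example's own names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Filter;

# RFC 2254 section 4: inside a filter assertion value the characters
# '*', '(', ')', '\' and NUL must be written as a backslash followed by
# two hex digits.  Doing all five in one substitution pass means the
# backslashes this inserts are never escaped again, which is the bug you
# get when '\' is converted after the other four.
sub escape_filter_value {
    my ($value) = @_;
    (my $escaped = $value) =~ s/([\\*()\x00])/sprintf('\\%02x', ord $1)/ge;
    return $escaped;
}

# For a raw binary value (e.g. DER for userCertificate;binary) every byte
# is escaped: RFC 2254 allows \xx for any byte, and bytes outside printable
# ASCII are not valid in a filter string otherwise.
sub escape_filter_bytes {
    my ($bytes) = @_;
    return join '', map { sprintf('\\%02x', $_) } unpack('C*', $bytes);
}

# Self-checks on constructed inputs.
die "text escaping wrong"
    unless escape_filter_value("a*b(c)\\d\x00") eq 'a\2ab\28c\29\5cd\00';
die "clean value must be unchanged"
    unless escape_filter_value('Huang Jeffery') eq 'Huang Jeffery';
die "binary escaping wrong"
    unless escape_filter_bytes("\x01\x00\x03") eq '\01\00\03';   # Paul's example

# An untrusted value dropped straight into a filter changes its meaning;
# escaped, it stays a literal cn value.
my $user = 'nobody)(cn=*';                    # constructed hostile input
my $bad  = "(cn=$user)";                       # becomes (cn=nobody)(cn=*)
my $good = '(cn=' . escape_filter_value($user) . ')';
print "unescaped: $bad\n";
print "escaped:   $good\n";

# Net::LDAP::Filter parses the escaped form as one equality assertion; the
# object (or the string) can be passed as the filter argument of search().
my $filter = Net::LDAP::Filter->new($good)
    or die "filter did not parse: $good\n";
print "parsed:    ", $filter->as_string, "\n";

# The certificate case from the thread.  Whether the server can match on
# userCertificate;binary at all is server-specific (see Chris's reply).
my $der = "\x30\x03\x02\x01\x05";              # constructed bytes, not a real cert
my $cert_filter = '(userCertificate;binary=' . escape_filter_bytes($der) . ')';
Net::LDAP::Filter->new($cert_filter) or die "certificate filter did not parse\n";
print "cert:      $cert_filter\n";
```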
From: Chris R. <chr...@ma...> - 2002-10-23 05:54:44
On 22/10/02 8:36 pm, Graham Barr <gb...@po...> wrote:
> ----- Forwarded message from Reena John <rp...@ho...> -----
>
> Date: Tue, 22 Oct 2002 14:19:36 -0500
> To: gb...@po...
> From: Reena John <rp...@ho...>
> Subject: Net::LDAP read/write pre-dn info?
>
> Graham,
>
> Is there a way using the Net::LDAP module to read/write pre-dn lines in
> Net::LDAP? The ldif would be like this (also attached: sample.ldif.txt):
>
>     replica: 163.185.18.246:392
>     time: 1028702892
>     dn: cn=Francois Leclerc 102494,ou=employee,o=slb,c=AN

The LDIF standard (RFC 2849) REQUIRES that the first line in each record be the DN, so your files aren't really LDIF :-)

Would subclassing Net::LDAP::LDIF get you your desired behaviour?

Cheers,

Chris