From: Graham B. <gb...@po...> - 2003-03-21 13:29:42

----- Forwarded message from "Bergstrom, Dennis" <den...@cg...> -----

Date: Fri, 21 Mar 2003 10:53:43 +0100
To: "'gb...@po...'" <gb...@po...>
From: "Bergstrom, Dennis" <den...@cg...>
Subject: Bug in Perl LDAP?

Hi Graham,

My name is Dennis Bergström and I work for Cap Gemini Ernst & Young in Stockholm, Sweden. I have recently written a Perl script W2kdad.pl (http://www.geocities.com/real_wiseman/) that enumerates users and passwords in a Windows 2000 AD, which utilizes your LDAP modules, and I have - I think anyway! - stumbled on a bug.

I try to bind as a user with a dot in the username (test.user) and the bind returns an error every time. (When I bind as a user *without* a dot in the name everything works as intended.)

    $mesg = $ldap->bind( $base_dn, password => $password, version => 3 );
    $foundflag = ($mesg->code);

I have tried the same with LDP.exe and it works OK. (I have checked the FAQ and the examples and as far as I can see I do everything correctly...)

Do you have any idea what the error might be?

Thank you in advance!

Best Regards,
Dennis Bergström
Cap Gemini Ernst & Young
Stockholm
Sweden

This message contains information that may be privileged or confidential and is the property of the Cap Gemini Ernst & Young Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

----- End forwarded message -----
From: Christopher A B. <ca...@tc...> - 2003-03-20 18:23:10

> ----- Forwarded message from Douglas Gray Stephens <gr...@ca...> -----
> Can you consider if Net::LDAP should adopt the same user friendly
> approach of removing duplicate wild cards (may be the parse subroutine
> in Filter.pm so also do
>     $filter =~ s/\*+/\*/go;
> after
>     $filter =~ s/^\s*//;
> ).

If this is a concern for your code (i.e. you are allowing arbitrary searches from user input), why not do it yourself before calling Net::LDAP's search? It seems like a waste of processing time in the case where the person writing the code is specifying a static filter.

%% Christopher A. Bongaarts   %% ca...@tc...          %%
%% Internet Services          %% http://umn.edu/~cab  %%
%% University of Minnesota    %% +1 (612) 625-1809    %%
From: Graham B. <gb...@po...> - 2003-03-20 15:09:04

----- Forwarded message from Douglas Gray Stephens <gr...@ca...> -----

Date: Thu, 20 Mar 2003 11:19:22 +0000
To: gb...@po...
Cc: Thomas Stripling <tst...@ho...>
From: Douglas Gray Stephens <gr...@ca...>
Subject: Potential bug in Net::LDAP

Graham,

I think that I may have hit a bug in Net::LDAP, in that it is behaving differently to the other LDAP Perl modules, or the ldapsearch command line clients from iPlanet, openldap and Innosoft (of course all of these use a variant of the C SDK). It appears that the C SDK reduces multiple wild cards to a single wild card. From the server logs, and looking at the OpenLDAP ldapsearch client with debugging enabled, I believe that this is done in the client.

The attached file has 3 perl programs for Net::LDAPapi, Net::LDAP, and Mozilla's perldap, extracts from iPlanet LDAP server log, and the command line output from running the perl code, and the openldap ldapsearch command.

The Net::LDAP version details are

    DB<6> p $Net::LDAP::VERSION
    0.2701
    DB<7> p $Net::LDAP::Util::VERSION
    0.09
    DB<8> p $Net::LDAP::Filter::VERSION
    0.14

Can you consider if Net::LDAP should adopt the same user friendly approach of removing duplicate wild cards (may be the parse subroutine in Filter.pm so also do

    $filter =~ s/\*+/\*/go;

after

    $filter =~ s/^\s*//;

).

Thanks,
Douglas.

--
================================
Douglas GRAY STEPHENS
Technical Architect (Directories)
Schlumberger Cambridge Research
High Cross, Madingley Road, Cambridge. CB3 0EL ENGLAND
Phone +44 1223 325295  Mobile +44 773 0051628  Fax +44 1223 311830
Email DGr...@sl...
================================

----- End forwarded message -----
From: Graham B. <gb...@po...> - 2003-03-19 13:25:14

----- Forwarded message from "Cornily, Jacques" <jac...@ic...> -----

Date: Wed, 19 Mar 2003 13:51:09 +0100
To: "'gb...@po...'" <gb...@po...>
From: "Cornily, Jacques" <jac...@ic...>
Subject: Callback method

Hi

I was wondering if you could help. I am currently setting up a callback for a search page result. This works fine. The problem is that in the callback function I want to get access to $self of the calling object. Unfortunately, once inside the callback function the context is lost. I have tried to pass the context of the calling method and this works, but I am losing the Net::LDAP search context. Here is the code:

    my @searchPageResultArguments = (
        'base'    => $self->{"ctxNds"}->{namingContext},
        scope     => 'subtree',
        filter    => $scenarios{$test_scenario}{filter},
        attrs     => [ "objectClass" ],
        sizelimit => $self->{'validDn'}{sizelimit},
        control   => [ $page ],
        callback  => \&processValidDN($self),   # here i tried ($self) ()
    );

    while(1) {
        $r = $self->{ "ctxNdsConnectionDescriptor" }->search(@searchPageResultArguments);
        $r->code and last;
        $ctrl = $mesg->control( LDAP_CONTROL_PAGED ) or last;
        $cookie = $ctrl->cookie or last;
        $page->cookie($cookie);
        print "After a Page :" . $r->error . "\n";
        processValidDNs($r);
    }

    sub processValidDNs {
        use Net::LDAP;
        use Net::LDAP::Entry;
        use Net::LDAP::Control::Paged;
        use Net::LDAP::Constant qw( LDAP_CONTROL_PAGED );
        use ScMap;

        my $self = shift;
        my @keys;
        if (@_ == 0 ) {
            @keys = sort keys(%$self);
        } else {
            @keys = @_;
        }
        my($r) = @keys;
        print "SELF is " . $self . "\n";
        print ":::" . $r->dn;
    }

Thanks in advance
Jacques

----- End forwarded message -----
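The paged-search loop above, rewritten as an added example (this is the editor's code, not Jacques's or the perl-ldap project's). The host, bind DN, base DN and the `Scanner` class are placeholders; `Scanner` only stands in for the poster's `$self`. The two points it shows are how a closure keeps the calling object reachable inside the callback, and that the paging cookie must be read from the message the search just returned rather than from a stale one.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Host, bind DN, password and the
# Scanner class are placeholders standing in for the poster's $self.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED LDAP_SUCCESS);

# Hypothetical object that wants to see every entry and count them.
package Scanner;
sub new { my ($class) = @_; return bless { seen => 0 }, $class; }
sub handle_entry {
    my ($self, $entry) = @_;
    $self->{seen}++;
    print "found: ", $entry->dn, "\n";
}
package main;

# Run a paged search; every entry is handed to $self->handle_entry.
# Returns the number of entries delivered, dies on a protocol error.
sub paged_search {
    my ($ldap, $self, %search) = @_;
    my $page = Net::LDAP::Control::Paged->new(size => 100);

    # A closure keeps $self in scope. Net::LDAP calls it as ($mesg, $obj),
    # where $obj is an entry, a reference, or undef once a page is complete.
    # Writing callback => \&f($self) would call f immediately and pass its
    # return value instead, which is the mistake in the original post.
    my $callback = sub {
        my ($mesg, $obj) = @_;
        if (defined $obj && $obj->isa('Net::LDAP::Entry')) {
            $self->handle_entry($obj);
            $mesg->pop_entry;   # drop the stored copy so memory stays flat
        }
    };

    while (1) {
        my $mesg = $ldap->search(%search, control => [$page], callback => $callback);
        die "search failed: " . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

        # Take the cookie from the message just returned, not from an older one.
        my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
        my $cookie = $resp->cookie;
        last unless defined $cookie && length $cookie;   # empty cookie: last page
        $page->cookie($cookie);
    }
    return $self->{seen};
}

my $pw = $ENV{LDAP_PW};
die "set LDAP_PW; an empty password would be an unauthenticated bind\n"
    unless defined $pw && length $pw;
my $ldap = Net::LDAP->new('ldap.example.internal', version => 3)   # placeholder host
    or die "connect failed: $@\n";
my $bind = $ldap->bind('cn=reader,dc=example,dc=internal', password => $pw);
die "bind failed: " . $bind->error . "\n" if $bind->code;

my $scanner = Scanner->new;
my $n = paged_search($ldap, $scanner,
    base   => 'dc=example,dc=internal',
    scope  => 'sub',
    filter => '(objectClass=person)',
    attrs  => ['objectClass'],
);
print "entries delivered: $n\n";
$ldap->unbind;
```

The `pop_entry` call inside the callback is what makes paging worthwhile on a large tree: without it Net::LDAP keeps every entry on the message object and the process grows with the result set regardless of page size.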
From: Brad D. <brad@DiggsFamily.net> - 2003-03-18 21:08:20

I have written a simple script to load a bunch of users from an input file (comma separated data) into my directory service. This perl script uses Net::LDAP to add the entries. However, the load hangs on adding the first entry. From the server side, I never see an add request. So, it seems like the perl-ldap code is hanging for some reason. Have you seen this before?

Here is an excerpt from the perl script:

    #
    # Establish LDAP connection to directory service
    #
    $ldap = new Net::LDAP ($opt_h, port=> $opt_p);

    #
    # will bind as specific user if specified else will be binded anonymously
    #
    $ldap->bind( $opt_D, password => $opt_w) || die "failed to bind as $opt_D";

    ...

    #
    # Add each entry to the directory
    #
    $mycn = "$first_name $last_name";
    $dn = "cn=$mycn, $base_suffix";
    $result = $ldap->add( $dn,
        attrs => [
            'cn'          => $mycn,
            'sn'          => $last_name,
            'objectclass' => [ 'top', 'person', 'organizationalPerson', 'inetOrgPerson' ]
        ]
    );

Environment:
    OS: Red Hat Linux v8.0
    Kernel: 2.4.18-14
    Perl Version: v5.8.0 built for i386-linux-thread-multi
    perl-ldap version: perl-ldap-0.2701
    Module Versions:
        Authen-SASL-2.03
        Convert-ASN1-0.16
        Net_SSLeay.pm-1.22
        IO-Socket-SSL-0.92

Results from perl Makefile.PL

    Checking for OPTIONAL modules
    URI ..........................ok
    URI::ldap ....................ok
    Digest::MD5 ..................ok
    IO::Socket::SSL ..............ok
    XML::Parser ..................ok
    MIME::Base64 .................ok
    Authen::SASL .................ok

Thanks in advance,
Brad
From: Jim H. <ha...@us...> - 2003-03-18 14:59:26

On Tue, 18 Mar 2003, Graham Barr wrote:

> > need to use LDIF if you only want to display the results. There are lots of
> > better ways.
>
> Can you give examples ? Most people I know of use LDIF to display results,
> certainly when in a debugging situation.

$entry->dump is quick and easy.

> Graham.
From: Graham B. <gb...@po...> - 2003-03-18 14:52:38

On Mon, Mar 17, 2003 at 11:07:08AM -0500, Jim Harle wrote:
> The problem is in the LDIF code. The following works:
>     if ($searchobj){
>         $ldif = new Net::LDAP::LDIF("XX","a");
>         $ldif->write_entry($searchobj->entries());
>         $ldif->done();
>     }
>
> but it puts the results in file XX. Substituting - for XX doesn't send it to
> stdout. There is nothing in the docs to say that it should. You shouldn't

Maybe not, but as "-", "w" will send to stdout I don't see it as unreasonable to expect "-","a" to also go to stdout.

> need to use LDIF if you only want to display the results. There are lots of
> better ways.

Can you give examples ? Most people I know of use LDIF to display results, certainly when in a debugging situation.

Graham.
From: Bing Du <du...@mo...> - 2003-03-17 23:20:20

    attributeTypes: ( 1.3.6.1.4.1.4391.0.101 NAME 'officeTelephonenumber' SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )

========

    &connect ldap
    $dn = "uid=111, ou=People, dc=tamu, dc=edu";
    $localmesg = $ld->compare($dn,attr => 'officeTelephonenumber',value => '9798453602');
    print "ret code is ",$localmesg->code,"\n";

=======

Result is 'ret code is 18'. This person's phone number is indeed 9798453602. Appreciate any help.

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix
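An added example (editor's code, not Bing's or the project's) of how to read the result of a compare operation, since the raw code alone is easy to misread. Result codes 6 (compareTrue) and 5 (compareFalse) are the two normal outcomes; 0 never comes back from a compare, and anything else is an error. Code 18 is inappropriateMatching, which RFC 4511 defines as the server being asked to match with a rule it cannot apply to that attribute; the schema line quoted above declares a SYNTAX but no EQUALITY rule. Host, bind DN, entry DN and phone values are placeholders.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Host, DNs and values are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_COMPARE_TRUE LDAP_COMPARE_FALSE);
use Net::LDAP::Util qw(ldap_error_name ldap_error_text);

# A compare never answers with 0 (LDAP_SUCCESS): 6 means the value matched,
# 5 means it did not, and anything else is an error to be reported by name.
# Treating "code != 0" as failure therefore misclassifies every match.
sub classify_compare {
    my ($code) = @_;
    return 'match'    if $code == LDAP_COMPARE_TRUE;
    return 'no-match' if $code == LDAP_COMPARE_FALSE;
    return sprintf('error %d %s: %s', $code, ldap_error_name($code), ldap_error_text($code));
}

# Returns 'match', 'no-match' or an 'error ...' string for one attribute.
sub attribute_matches {
    my ($ldap, $dn, $attr, $value) = @_;
    my $mesg = $ldap->compare($dn, attr => $attr, value => $value);
    return classify_compare($mesg->code);
}

my $pw = $ENV{LDAP_PW};
die "set LDAP_PW (an empty password binds unauthenticated)\n"
    unless defined $pw && length $pw;
my $ldap = Net::LDAP->new('ldap.example.internal')   # placeholder host
    or die "connect failed: $@\n";
my $bind = $ldap->bind('cn=reader,dc=example,dc=internal', password => $pw);
die "bind failed: " . $bind->error . "\n" if $bind->code;

my $dn = 'uid=111,ou=People,dc=example,dc=internal';   # placeholder entry
# The standard attribute carries an EQUALITY rule (telephoneNumberMatch);
# a locally defined one with only a SYNTAX gives the server nothing to match with.
for my $attr ('telephoneNumber', 'officeTelephonenumber') {
    print "$attr: ", attribute_matches($ldap, $dn, $attr, '555-0100'), "\n";
}
$ldap->unbind;
```

`classify_compare` can be exercised without a server (`classify_compare(18)` yields the error string with the name `LDAP_INAPPROPRIATE_MATCHING`), which makes it easy to unit-test the branch logic separately from directory access.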
From: Jim H. <ha...@us...> - 2003-03-17 16:07:44

The problem is in the LDIF code. The following works:

    if ($searchobj){
        $ldif = new Net::LDAP::LDIF("XX","a");
        $ldif->write_entry($searchobj->entries());
        $ldif->done();
    }

but it puts the results in file XX. Substituting - for XX doesn't send it to stdout. There is nothing in the docs to say that it should. You shouldn't need to use LDIF if you only want to display the results. There are lots of better ways.

--Jim Harle

On Mon, 17 Mar 2003, Chris Ridd wrote:

> On 17/3/03 2:25 pm, Sheahan, John (PCLN-NW) <Joh...@pr...> wrote:
>
> > I am using basic code (straight out of the O'Reilly book) to do a bind and
> > search on my LDAP directory. I get no error messages and it always returns
> > successfully but always shows 0 entries found. I am able to successfully
> > search the LDAP structure from a browser and also able to successfully
> > search it using the ldapsearch commands as follows:
> >
> > ##### This works fine
> > /usr/local/bin/ldapsearch -x -b 'dc=Priceline,dc=com' '(uid=jsheahan)'
> >
> > ##### So does this, from a browser
> > ldap://172.21.81.101:389/o=People,dc=priceline,dc=com?cn,homephone,title,employeetype,mail,telephonenumber?sub?
> >
> > ##### Here is my basic code
> >
> > use Net::LDAP;
> > use Net::LDAP::LDIF;
> >
> > $server = "172.21.81.101";
> > $port = "389";
> > $basedn = "o=People,dc=priceline,dc=com";
> > $scope = "sub";
> > $passwd = "secret";
> > $binddn = "cn=Manager,dc=priceline,dc=com";
> >
> > $c = new Net::LDAP($server, port=>$port) or die "Unable to connect to $server: $@\n";
> >
> > #$c->bind() or die "Unable to bind: $@\n";
> >
> > $c->bind($binddn, password => $passwd) or die "Unable to bind: $@\n";
> > $searchobj = $c->search(base => $basedn, scope => $scope, filter => "uid=jsheahan");
>
> Firstly these are three different search operations, so it is unreasonable
> to expect them to behave identically.
>
> Your "ldapsearch" search is like this (also make sure ldapsearch is talking
> to the same server!):
>
>     $c->search(base   => 'dc=Priceline,dc=com',
>                scope  => 'sub',
>                filter => '(uid=jsheahan)');
>
> Your "ldap://" search is like this:
>
>     $c->search(base   => 'o=People,dc=priceline,dc=com',
>                scope  => 'sub',
>                filter => '(objectclass=*)',
>                attrs  => [qw(cn homephone title employeetype mail telephonenumber)]);
>
> > die "Bad Search, errorcode #".$searchobj->code() if $searchobj->code();
> >
> > #process the return values from search()
> > if ($searchobj){
> >     $ldif = new Net::LDAP::LDIF("-");
> >     $ldif->write($searchobj->entries());
>
> $ldif->write is deprecated; use $ldif->write_entry instead.
>
> What does $searchobj->count() return?
>
> >     $ldif->done();
> > }
>
> Cheers,
>
> Chris
From: Chris R. <chr...@ma...> - 2003-03-17 15:39:47

On 17/3/03 2:25 pm, Sheahan, John (PCLN-NW) <Joh...@pr...> wrote:

> I am using basic code (straight out of the O'Reilly book) to do a bind and
> search on my LDAP directory. I get no error messages and it always returns
> successfully but always shows 0 entries found. I am able to successfully
> search the LDAP structure from a browser and also able to successfully
> search it using the ldapsearch commands as follows:
>
> ##### This works fine
> /usr/local/bin/ldapsearch -x -b 'dc=Priceline,dc=com' '(uid=jsheahan)'
>
> ##### So does this, from a browser
> ldap://172.21.81.101:389/o=People,dc=priceline,dc=com?cn,homephone,title,employeetype,mail,telephonenumber?sub?
>
> ##### Here is my basic code
>
> use Net::LDAP;
> use Net::LDAP::LDIF;
>
> $server = "172.21.81.101";
> $port = "389";
> $basedn = "o=People,dc=priceline,dc=com";
> $scope = "sub";
> $passwd = "secret";
> $binddn = "cn=Manager,dc=priceline,dc=com";
>
> $c = new Net::LDAP($server, port=>$port) or die "Unable to connect to $server: $@\n";
>
> #$c->bind() or die "Unable to bind: $@\n";
>
> $c->bind($binddn, password => $passwd) or die "Unable to bind: $@\n";
> $searchobj = $c->search(base => $basedn, scope => $scope, filter => "uid=jsheahan");

Firstly these are three different search operations, so it is unreasonable to expect them to behave identically.

Your "ldapsearch" search is like this (also make sure ldapsearch is talking to the same server!):

    $c->search(base   => 'dc=Priceline,dc=com',
               scope  => 'sub',
               filter => '(uid=jsheahan)');

Your "ldap://" search is like this:

    $c->search(base   => 'o=People,dc=priceline,dc=com',
               scope  => 'sub',
               filter => '(objectclass=*)',
               attrs  => [qw(cn homephone title employeetype mail telephonenumber)]);

> die "Bad Search, errorcode #".$searchobj->code() if $searchobj->code();
>
> #process the return values from search()
> if ($searchobj){
>     $ldif = new Net::LDAP::LDIF("-");
>     $ldif->write($searchobj->entries());

$ldif->write is deprecated; use $ldif->write_entry instead.

What does $searchobj->count() return?

>     $ldif->done();
> }

Cheers,

Chris
From: Jason J. <jas...@ho...> - 2003-03-17 15:05:44

John,

I'm using the code below (minus variables, etc)......... the checkBindLDAP subroutine is where I found problems with my binding, etc.

thnx,

~j

=================================
== BEGIN Code

    use Net::LDAP qw(:all);
    use Net::LDAP::Util qw(ldap_error_name ldap_error_text ldap_error_desc);
    use CGI;
    use CGI::Session qw/-ip-match/;

    my $cgi = new CGI;

    sub connectLDAP {
        local ($_IP_ADDRESS) = @_;
        $ldap = Net::LDAP->new("$_IP_ADDRESS") || die "$@\n";
    }

    sub bindLDAP {
        local ($_DN, $_PASSWORD) = @_;
        local $msg = $ldap->bind(dn=>"$_DN", password=>"$_PASSWORD") || die "No Auth: " . "$@\n";
        &checkBindLDAP ($msg);
    }

    sub searchLDAP {
        local ($_BASE, $_BASE_SUFFIX, $_USERID, $_PASSWORD) = @_;
        $RS = $ldap->search (
            base   => "dc=$_BASE,dc=$_BASE_SUFFIX",
            filter => "sAMAccountName=$_USERID"
        );
        if (1 == &checkSearchLDAP ($RS, $_PASSWORD)) {
            return 1;
        }else{
            return 0;
        }
    }

    sub checkBindLDAP {
        local ($_MSG) = @_;
        if ( $_MSG->code ) {
            ############################################################
            ## DEBUG INFORMATION
            print ("Message Error Code => " . $_MSG->code . "\n");
            print ("Message Error Name => " . ldap_error_name($_MSG->code) . "\n");
            print ("Message Error Text => " . ldap_error_text($_MSG->code) . "\n");
            print ("Message Error Desc => " . ldap_error_desc($_MSG->code) . "\n");
            return 1;
        } else {
            return 0;
        }
    }

    sub unbindLDAP {
        $ldap->unbind();
    }

    &connectLDAP($LDAP_IP);
    &bindLDAP($LDAP_DN,$LDAP_PASS);
    &unbindLDAP();

----- Original Message -----
From: "Sheahan, John (PCLN-NW)" <Joh...@pr...>
To: <per...@li...>
Sent: Monday, March 17, 2003 8:25 AM
Subject: Basic search always returning 0 entries

> I am using basic code (straight out of the O'Reilly book) to do a bind and
> search on my LDAP directory. I get no error messages and it always returns
> successfully but always shows 0 entries found. I am able to successfully
> search the LDAP structure from a browser and also able to successfully
> search it using the ldapsearch commands as follows:
>
> ##### This works fine
> /usr/local/bin/ldapsearch -x -b 'dc=Priceline,dc=com' '(uid=jsheahan)'
>
> ##### So does this, from a browser
> ldap://172.21.81.101:389/o=People,dc=priceline,dc=com?cn,homephone,title,employeetype,mail,telephonenumber?sub?
>
> ##### Here is my basic code
>
> use Net::LDAP;
> use Net::LDAP::LDIF;
>
> $server = "172.21.81.101";
> $port = "389";
> $basedn = "o=People,dc=priceline,dc=com";
> $scope = "sub";
> $passwd = "secret";
> $binddn = "cn=Manager,dc=priceline,dc=com";
>
> $c = new Net::LDAP($server, port=>$port) or die "Unable to connect to $server: $@\n";
>
> #$c->bind() or die "Unable to bind: $@\n";
>
> $c->bind($binddn, password => $passwd) or die "Unable to bind: $@\n";
> $searchobj = $c->search(base => $basedn, scope => $scope, filter => "uid=jsheahan");
> die "Bad Search, errorcode #".$searchobj->code() if $searchobj->code();
>
> #process the return values from search()
> if ($searchobj){
>     $ldif = new Net::LDAP::LDIF("-");
>     $ldif->write($searchobj->entries());
>     $ldif->done();
> }
From: Sheahan, J. (PCLN-NW) <Joh...@pr...> - 2003-03-17 14:25:48

I am using basic code (straight out of the O'Reilly book) to do a bind and search on my LDAP directory. I get no error messages and it always returns successfully but always shows 0 entries found. I am able to successfully search the LDAP structure from a browser and also able to successfully search it using the ldapsearch commands as follows:

    ##### This works fine
    /usr/local/bin/ldapsearch -x -b 'dc=Priceline,dc=com' '(uid=jsheahan)'

    ##### So does this, from a browser
    ldap://172.21.81.101:389/o=People,dc=priceline,dc=com?cn,homephone,title,employeetype,mail,telephonenumber?sub?

##### Here is my basic code

    use Net::LDAP;
    use Net::LDAP::LDIF;

    $server = "172.21.81.101";
    $port = "389";
    $basedn = "o=People,dc=priceline,dc=com";
    $scope = "sub";
    $passwd = "secret";
    $binddn = "cn=Manager,dc=priceline,dc=com";

    $c = new Net::LDAP($server, port=>$port) or die "Unable to connect to $server: $@\n";

    #$c->bind() or die "Unable to bind: $@\n";

    $c->bind($binddn, password => $passwd) or die "Unable to bind: $@\n";
    $searchobj = $c->search(base => $basedn, scope => $scope, filter => "uid=jsheahan");
    die "Bad Search, errorcode #".$searchobj->code() if $searchobj->code();

    #process the return values from search()
    if ($searchobj){
        $ldif = new Net::LDAP::LDIF("-");
        $ldif->write($searchobj->entries());
        $ldif->done();
    }
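An added example (editor's code, not John's, Chris's or the project's) that pulls together the debugging advice in this thread: check the search result code, print the count, and write the entries as LDIF to STDOUT by handing `Net::LDAP::LDIF` a filehandle instead of a file name, using `write_entry` rather than the deprecated `write`. Running the same filter under two bases, the wide one `ldapsearch` used and the narrower one the script used, shows whether the entry lives outside the subtree being searched, which is one common reason for "0 entries". Host, bind DN, base DNs and uid are placeholders.

```perl
#!/usr/bin/perl
# Added example, not the poster's code. Host, bind DN, bases and uid are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::LDIF;

# Search, fail loudly on a non-zero result code, report the count on STDERR,
# and write whatever came back as LDIF on STDOUT. Returns the entry count.
sub search_to_ldif {
    my ($ldap, %opt) = @_;
    my $mesg = $ldap->search(
        base   => $opt{base},
        scope  => $opt{scope} || 'sub',
        filter => $opt{filter},
        attrs  => $opt{attrs} || [],
    );
    die "search failed (" . $mesg->code . "): " . $mesg->error . "\n" if $mesg->code;

    my $n = $mesg->count;
    print STDERR "base=$opt{base} filter=$opt{filter}: $n entries\n";

    # A filehandle rather than a file name, so output goes to STDOUT whatever
    # the mode string says; write_entry is the current API (write is deprecated).
    my $ldif = Net::LDAP::LDIF->new(\*STDOUT, 'w', onerror => 'die');
    $ldif->write_entry($mesg->entries);
    $ldif->done;
    return $n;
}

my $pw = $ENV{LDAP_PW};
die "set LDAP_PW; an empty password would bind unauthenticated\n"
    unless defined $pw && length $pw;
my $ldap = Net::LDAP->new('ldap.example.internal', port => 389)   # placeholder host
    or die "connect failed: $@\n";
my $bind = $ldap->bind('cn=Manager,dc=example,dc=internal', password => $pw);
die "bind failed (" . $bind->code . "): " . $bind->error . "\n" if $bind->code;

# Same filter, wide base first, then the narrow one the script was using.
# Hits under the first and none under the second mean the entry is outside
# the narrower subtree, not that the filter or the bind is wrong.
for my $base ('dc=example,dc=internal', 'ou=People,dc=example,dc=internal') {
    search_to_ldif($ldap, base => $base, filter => '(uid=jdoe)');
}
$ldap->unbind;
```

Note that `bind` and `search` always return a message object, so `or die` after them never fires; the result code on the returned object is the only thing that tells you whether the operation succeeded.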
From: Peter M. <pe...@ad...> - 2003-03-14 11:39:45

Hi Jacques,

On Friday 14 March 2003 12:04, Graham Barr wrote:
> If i change the filter and this is my case i am getting
>     $correct_filter->parse("(telephonenumber=(0711) 17-20350)");
>
> In this case the filter hash has no assertionValue and so on
> thus the search fails

You have to quote the brace inside the filter according to the RFCs. One possible way is to apply the following expression to all the values used in the filter before constructing a filter:

    $val =~ s/([\x00-\x1F\*\(\)\\])/"\\".unpack("H2",$1)/oge;

So, your filter could then be constructed like

    $correct_filter->parse("(telephonenumber=$val)");

Peter

--
Peter Marschall
eMail: pe...@ad...
From: Chris R. <chr...@ma...> - 2003-03-14 11:25:59

On 14/3/03 11:04 am, Graham Barr <gb...@po...> wrote:

> ----- Forwarded message from "Cornily, Jacques" <jac...@ic...> -----
>
> Date: Fri, 14 Mar 2003 11:54:01 +0100
> To: "'gb...@po...'" <gb...@po...>
> From: "Cornily, Jacques" <jac...@ic...>
> Subject: Filter/Bug ?
>
> Bonjour
> I am currently using NEt:LDAP.
> I am getting stuck in the following case
> i am trying to match a phone number
> with
> ...
>     $correct_filter->parse("(telephonenumber=0711 17-20350)");
>     my $parsed_filter = $correct_filter;
>
> when i print the content of $correct_filter hash i get this
> which is i think normal
>     equalityMatch for HASH(0x2089f94)
>     assertionValue >0711 17-20350<
>     attributeDesc >telephonenumber<
>
> If i change the filter and this is my case i am getting
>     $correct_filter->parse("(telephonenumber=(0711) 17-20350)");
>
> In this case the filter hash has no assertionValue and so on
> thus the search fails
>
> Can you help ?
>
> Merci
> Jacques Cornily

Hi Jacques,

Since ( and ) are special in the string representation of search filters, you will probably have to hex-escape them (ie "\28" for "(" and "\29" for ")") when they're inside an assertion value. See RFC 2254 section 4.

NB the telephone number matching rule ignores spaces and "-"s.

Cheers,

Chris
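An added example (editor's code, not Peter's, Chris's, Douglas's or the project's) that turns the two filter-handling points in these threads into functions: Peter's and Chris's escaping of `(`, `)`, `*`, `\` and control bytes inside an assertion value per RFC 2254 section 4 (now RFC 4515), and the collapsing of repeated wildcards that Douglas observed in the C-SDK clients and Christopher suggested doing in the caller. Escaping every value that comes from outside the program is also what keeps user input from changing the structure of the filter. It runs offline; only `Net::LDAP::Filter` is needed, to confirm each result parses. (Current releases of `Net::LDAP::Util` also ship an `escape_filter_value` function; the hand-written one here shows what it does.)

```perl
#!/usr/bin/perl
# Added example, not from the thread. Runs offline; inputs are constructed.
use strict;
use warnings;
use Net::LDAP::Filter;

# Escape one assertion value per RFC 2254 section 4 / RFC 4515: NUL and other
# control bytes, '(', ')', '*' and '\' become a backslash and two hex digits.
sub escape_filter {
    my ($val) = @_;
    $val =~ s/([\x00-\x1F\*\(\)\\])/sprintf('\\%02x', ord $1)/ge;
    return $val;
}

# Equality filter from an attribute name and an untrusted value: the value
# can never open or close a component of the filter.
sub eq_filter {
    my ($attr, $val) = @_;
    return "($attr=" . escape_filter($val) . ")";
}

# Substring filter where the caller may use '*' as a wildcard: runs of '*'
# collapse to one (what the C-SDK clients in the thread do client-side) and
# every other special character in the literal parts is escaped.
sub substring_filter {
    my ($attr, $pattern) = @_;
    my @parts = map { escape_filter($_) } split /\*+/, $pattern, -1;
    return "($attr=" . join('*', @parts) . ")";
}

# Parse each filter string with Net::LDAP::Filter to see whether it is well formed.
sub check {
    my ($label, $f) = @_;
    my $parsed = Net::LDAP::Filter->new($f);
    printf "%-10s %-48s %s\n", $label, $f, $parsed ? 'parses' : 'DOES NOT PARSE';
    return defined $parsed;
}

# Constructed inputs; the phone number is the one from Jacques's message.
check('naive',    '(telephonenumber=(0711) 17-20350)');            # raw parentheses
check('escaped',  eq_filter('telephonenumber', '(0711) 17-20350')); # \28 ... \29
check('literal*', eq_filter('cn', 'a*b'));                          # '*' meant literally
check('wildcard', substring_filter('cn', 'jo**hn*'));               # collapses to jo*hn*
```

`eq_filter` is the one to use for any value that arrives from a form, an argument or a file, since it never lets the value change the shape of the filter; `substring_filter` is for the case where the caller is deliberately allowed to wildcard.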
From: Graham B. <gb...@po...> - 2003-03-14 11:04:34

----- Forwarded message from "Cornily, Jacques" <jac...@ic...> -----

Date: Fri, 14 Mar 2003 11:54:01 +0100
To: "'gb...@po...'" <gb...@po...>
From: "Cornily, Jacques" <jac...@ic...>
Subject: Filter/Bug ?

Bonjour

I am currently using NEt:LDAP. I am getting stuck in the following case: i am trying to match a phone number with

    ...
    $correct_filter->parse("(telephonenumber=0711 17-20350)");
    my $parsed_filter = $correct_filter;

when i print the content of $correct_filter hash i get this, which is i think normal

    equalityMatch for HASH(0x2089f94)
    assertionValue >0711 17-20350<
    attributeDesc >telephonenumber<

If i change the filter and this is my case i am getting

    $correct_filter->parse("(telephonenumber=(0711) 17-20350)");

In this case the filter hash has no assertionValue and so on, thus the search fails.

Can you help ?

Merci
Jacques Cornily

----- End forwarded message -----
From: Johnson, B. K <bri...@lm...> - 2003-03-14 03:00:29

Constructing a DN can be somewhat problematical in AD as users MAY be distributed among multiple domains and OU's in an AD forest. I take the tack in my code of using the NT domain and username as search keys to find the user's DN and then authenticate. The combination of NT domain and username is unique in AD. In order for this simple code to work as it is, anonymous queries must be enabled in AD. Here is some example code:

    ($domain,$user,$pass,$execnode)=@ARGV;
    use Net::LDAP;

    # Build Search filter
    $filter="(\&(userPrincipalName=*$domain*)(sAMAccountName=$user))";
    $port=3268;
    print "NODE:$execnode PORT: $port\n";

    # Get the users DN via anonymous bind to Active Directory
    # set the DN to null
    $dn="";
    # For performance reasons limit the data returned to the sAMAccountName
    @attr=("sAMAccountName");
    if ($ldap = new Net::LDAP("$execnode",port => $port,debug => 0,version =>3)){
        if ($result=$ldap->ldapbind()){
            $result=$mesg = $ldap->search(filter => $filter,scope => "sub",attrs =>[@attr]);
            foreach $entry ($mesg->all_entries) {
                $dn=$entry->dn;
            }
            $ldap->unbind;
        } else {
            print "Anonymous Bind Failed to $execnode\n";
        }
    } else {
        print "Initial connect to $execnode failed\n";
    }
    print "DN: $dn\n";

    # Do an authenticated bind to a domain controller if we have a DN. Use port 3268
    # so that the controller responds as a Global Catalog Server. IF you have no network firewalls
    # ANY domain controller will authenticate any user in any domain in the forest.
    if ($dn){
        if ($ldap = new Net::LDAP("$execnode",port => $port,debug => 0,version =>3)){
            if ($result=$ldap->ldapbind('dn' => "$dn",'password' => "$pass" )){
                $err=$result->code;
                if ($err){
                    if ($err==49){
                        print "Incorrect username and/or password (49)";
                    } else {
                        print "ERROR:$err\n";
                    }
                } else {
                    print "Authenticated!";
                }
            } else {
                print "Authenticated Bind Failed to $execnode\n";
            }
        } else {
            print "Initial connect to $execnode failed\n";
        }
    } else {
        print "No user found that corresponds to $user\n";
    }

-----Original Message-----
From: Rick Tatem [mailto:Ric...@sa...]
Sent: Thursday, March 13, 2003 2:31 PM
To: per...@li...
Subject: RE: Active Directory authentication via UNIX

Your dn syntax is probably wrong... backwards, actually. Try "cn=MY_USER_ID,dc=MY_DOMAIN_SUFFIX,dc=MY_DOMAIN" instead (like "cn=Joe User,dc=company,dc=com")

I've actually been working on a proxy to handle this very thing (i.e. take an anonymous bind to Active Directory and use a general use account instead). It also proxies to the Global Catalog port, instead of the general LDAP port since, in AD, port 389 only gives access to the domain level, not the entire forest. I'll tidy it up and share it soon, if there's interest.

Rick

---
Rick Tatem
Messaging and Directory Resources

-----Original Message-----
From: Jason Jolly [mailto:jas...@ho...]
Sent: Thursday, March 13, 2003 5:14 PM
To: Ken Cornetet
Cc: per...@li...
Subject: Re: Active Directory authentication via UNIX

Thanks Ken. I wasn't aware of that.......

You don't, by chance, happen to know how to determine what dc / cn information should be used for the connection:

    $ldap->bind(dn=>"dc=MY_DOMAIN,dc=MY_DOMAIN_SUFFIX,cn=MY_USER_ID", password=>"MY_PASSWORD")

on the Active Directory side (AD browser, etc)?

I've talked to my NT administrator and he states this is correct, but this syntax always fails and I get this sinking feeling that I'm doing something wrong that is *VERY* easy....

thnx,

~j
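An added example (editor's code, not Johnson's, Rick's, Jim's or the project's) of the two-step pattern this thread converges on: find the user's DN with a dedicated read-only service account, since AD refuses anonymous searches, then bind as that DN with the supplied password, over the Global Catalog port so any domain in the forest resolves. It adds three checks a production authenticator needs that the thread's code omits: it refuses an empty password up front, because a simple bind with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) and reports success on many servers; it escapes the account name before putting it in the filter; and it rejects a lookup that matches more than one entry instead of silently taking the last. The host, CA file, service account and base DN are placeholders, and the StartTLS call assumes the domain controller offers it on port 3268.

```perl
#!/usr/bin/perl
# Added example, not the poster's code. Host, CA file, service account and
# base DN are placeholders; assumes a forest reachable on the GC port (3268)
# that accepts StartTLS there.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# RFC 4515 escaping for the user-supplied account name inside the filter.
sub escape_filter {
    my ($val) = @_;
    $val =~ s/([\x00-\x1F\*\(\)\\])/sprintf('\\%02x', ord $1)/ge;
    return $val;
}

# Returns (1, $dn) on success or (0, $reason) on failure.
sub authenticate_ad_user {
    my (%a) = @_;

    # An empty password turns a simple bind into an unauthenticated bind,
    # which many servers answer with success. Refuse it before touching the network.
    return (0, 'empty password') unless defined $a{password} && length $a{password};

    my $ldap = Net::LDAP->new($a{host}, port => 3268, version => 3)
        or return (0, "connect failed: $@");
    if ($a{cafile}) {
        my $tls = $ldap->start_tls(verify => 'require', cafile => $a{cafile});
        return (0, 'StartTLS failed: ' . $tls->error) if $tls->code;
    }

    # Step 1: resolve the DN with a dedicated read-only service account.
    my $m = $ldap->bind($a{svc_dn}, password => $a{svc_pw});
    return (0, 'service bind failed: ' . $m->error) if $m->code;

    $m = $ldap->search(
        base   => $a{base},
        scope  => 'sub',
        filter => '(&(objectClass=user)(sAMAccountName=' . escape_filter($a{user}) . '))',
        attrs  => ['1.1'],   # "1.1" asks for no attributes, only DNs
    );
    return (0, 'search failed: ' . $m->error) if $m->code;
    return (0, 'no such user')   if $m->count == 0;
    return (0, 'ambiguous user') if $m->count > 1;   # never pick one of two accounts
    my $dn = $m->entry(0)->dn;

    # Step 2: bind as the user with the supplied password on the same connection.
    $m = $ldap->bind($dn, password => $a{password});
    $ldap->unbind;
    return (1, $dn)                   if $m->code == LDAP_SUCCESS;
    return (0, 'invalid credentials') if $m->code == LDAP_INVALID_CREDENTIALS;   # 49
    return (0, 'bind error ' . $m->code . ': ' . $m->error);
}

my $user = shift @ARGV or die "usage: $0 USERNAME   (password read from stdin)\n";
chomp(my $password = <STDIN> // '');   # stdin, so it never shows up in the process list
my ($ok, $detail) = authenticate_ad_user(
    host     => 'gc.corp.example',                           # placeholder
    cafile   => '/etc/ssl/certs/corp-ca.pem',                # placeholder
    svc_dn   => 'CN=ldap-reader,OU=Service,DC=corp,DC=example',
    svc_pw   => $ENV{LDAP_SVC_PW},
    base     => 'DC=corp,DC=example',
    user     => $user,
    password => $password,
);
print $ok ? "authenticated as $detail\n" : "rejected: $detail\n";
exit($ok ? 0 : 1);
```

The service account only needs read access to the attributes used in the lookup; keeping it separate from any administrative identity limits what a leaked `LDAP_SVC_PW` is worth.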
From: Diffenderfer, R. <ran...@ed...> - 2003-03-13 23:37:51

Jason --

    my $msg = $ldap->bind(dn=>"dc=MY_DOMAIN,dc=net,cn=MY_USER_ID", password=>"MY_PASSWORD") || die "No Auth: " . "$@\n";

May be a little dyslexia on the dn-- try flipping things around. AD dn's tend to look like:

    dn= "cn=xxx, ou=xxx, dc=xxx, dc=xxx, dc=xxx"

but only your AD admin knows for sure... :-)

HTH
From: Rick T. <Ric...@sa...> - 2003-03-13 22:40:33

Your dn syntax is probably wrong... backwards, actually. Try "cn=MY_USER_ID,dc=MY_DOMAIN_SUFFIX,dc=MY_DOMAIN" instead (like "cn=Joe User,dc=company,dc=com")

I've actually been working on a proxy to handle this very thing (i.e. take an anonymous bind to Active Directory and use a general use account instead). It also proxies to the Global Catalog port, instead of the general LDAP port since, in AD, port 389 only gives access to the domain level, not the entire forest. I'll tidy it up and share it soon, if there's interest.

Rick

---
Rick Tatem
Messaging and Directory Resources

-----Original Message-----
From: Jason Jolly [mailto:jas...@ho...]
Sent: Thursday, March 13, 2003 5:14 PM
To: Ken Cornetet
Cc: per...@li...
Subject: Re: Active Directory authentication via UNIX

Thanks Ken. I wasn't aware of that.......

You don't, by chance, happen to know how to determine what dc / cn information should be used for the connection:

    $ldap->bind(dn=>"dc=MY_DOMAIN,dc=MY_DOMAIN_SUFFIX,cn=MY_USER_ID", password=>"MY_PASSWORD")

on the Active Directory side (AD browser, etc)?

I've talked to my NT administrator and he states this is correct, but this syntax always fails and I get this sinking feeling that I'm doing something wrong that is *VERY* easy....

thnx,

~j
From: Jason J. <jas...@ho...> - 2003-03-13 22:22:01

Thanks Jim,

My bind now works.......I'm off to figure out why my search won't return any items.....*sigh*

thnx,

~j

----- Original Message -----
From: "Jim Harle" <ha...@us...>
To: "Jason Jolly" <jas...@ho...>
Cc: <per...@li...>
Sent: Thursday, March 13, 2003 4:13 PM
Subject: Re: Active Directory authentication via UNIX

> Jason,
>
> One of the rules of Active Directory is no Anonymous bind. One way to get
> around that is to build an account that is only used for 'anonymous' LDAP
> searches and use that account's DN and password in the initial bind.
>
> AD meets the letter of the law on this, but not the spirit. Sigh.
>
> --Jim harle
>
> On Thu, 13 Mar 2003, Jason Jolly wrote:
>
> > I'm currently having a problem while trying to authenticate an NT userid
> > (Active Directory) from UNIX over LDAP.
> >
> > I'm using the following code snippet to perform the search/authentication:
> >
> > ===========================
> > == BEGIN
> >
> > #!/bin/perl -w
> >
> > use Net::LDAP qw(:all);
> > use Net::LDAP::Util qw(ldap_error_name ldap_error_text ldap_error_desc);
> >
> > $ldap = Net::LDAP->new("XX.XX.X.XXX") || die "$@\n";
> > my $msg = $ldap->bind(anonymous => 1, version => 3);
> >
> > if ( $msg->code ) {
> >     print ("Message Error Code => " . $msg->code . "\n");
> >     print ("Message Error Name => " . ldap_error_name($msg->code) . "\n");
> >     print ("Message Error Text => " . ldap_error_text($msg->code) . "\n");
> >     print ("Message Error Desc => " . ldap_error_desc($msg->code) . "\n");
> > }
> >
> > $RS = $ldap->search (
> >     base   => "MY_DOMAIN.net",
> >     scope  => "sub",       # still doesn't work with or w/out this.....
> >     filter => "(uid=*)"    # also tried "mail=*", etc.
> > );
> >
> > print ( "RS Count => " . $RS->count . "\n");
> >
> > $ldap->unbind();
> >
> > == END
> > ===========================
> >
> > Now,
> >
> > This always returns the output:
> >
> > RS Count => 0
> >
> > I can only assume that the bind is working...when I try to bind using the following command:
> >
> > my $msg = $ldap->bind(dn=>"dc=MY_DOMAIN,dc=net,cn=MY_USER_ID", password=>"MY_PASSWORD") || die "No Auth: " . "$@\n";
> >
> > I receive the output:
> >
> > Message Error Code => 49
> > Message Error Name => LDAP_INVALID_CREDENTIALS
> > Message Error Text => The wrong password was supplied or the SASL credentials could not be processed
> > Message Error Desc => Invalid credentials
> >
> > which is strange since I know that the credentials being sent are correct, nevertheless.....
> >
> > In talking with my NT admin, he sees no log of either binding attempt?
> >
> > Any suggestions -- I'm hoping that I just can't see the forest for the trees on this one.
> >
> > thnx,
> >
> > ~j
From: Jason J. <jas...@ho...> - 2003-03-13 22:13:59

Thanks Ken. I wasn't aware of that.......

You don't, by chance, happen to know how to determine what dc / cn information should be used for the connection:

    $ldap->bind(dn=>"dc=MY_DOMAIN,dc=MY_DOMAIN_SUFFIX,cn=MY_USER_ID", password=>"MY_PASSWORD")

on the Active Directory side (AD browser, etc)?

I've talked to my NT administrator and he states this is correct, but this syntax always fails and I get this sinking feeling that I'm doing something wrong that is *VERY* easy....

thnx,

~j

AD does not allow anonymous binds to do sub-level searches. You will have to bind with an explicit user id/password, or configure your AD to allow anonymous searches.

-----Original Message-----
From: Jason Jolly
Sent: Thursday, March 13, 2003 4:32 PM
To: per...@li...
Subject: Active Directory authentication via UNIX

I'm currently having a problem while trying to authenticate an NT userid (Active Directory) from UNIX over LDAP.

I'm using the following code snippet to perform the search/authentication:

===========================
== BEGIN

    #!/bin/perl -w

    use Net::LDAP qw(:all);
    use Net::LDAP::Util qw(ldap_error_name ldap_error_text ldap_error_desc);

    $ldap = Net::LDAP->new("XX.XX.X.XXX") || die "$@\n";
    my $msg = $ldap->bind(anonymous => 1, version => 3);

    if ( $msg->code ) {
        print ("Message Error Code => " . $msg->code . "\n");
        print ("Message Error Name => " . ldap_error_name($msg->code) . "\n");
        print ("Message Error Text => " . ldap_error_text($msg->code) . "\n");
        print ("Message Error Desc => " . ldap_error_desc($msg->code) . "\n");
    }

    $RS = $ldap->search (
        base   => "MY_DOMAIN.net",
        scope  => "sub",       # still doesn't work with or w/out this.....
        filter => "(uid=*)"    # also tried "mail=*", etc.
    );

    print ( "RS Count => " . $RS->count . "\n");

    $ldap->unbind();

== END
===========================

Now,

This always returns the output:

    RS Count => 0

I can only assume that the bind is working...when I try to bind using the following command:

    my $msg = $ldap->bind(dn=>"dc=MY_DOMAIN,dc=net,cn=MY_USER_ID", password=>"MY_PASSWORD") || die "No Auth: " . "$@\n";

I receive the output:

    Message Error Code => 49
    Message Error Name => LDAP_INVALID_CREDENTIALS
    Message Error Text => The wrong password was supplied or the SASL credentials could not be processed
    Message Error Desc => Invalid credentials

which is strange since I know that the credentials being sent are correct, nevertheless.....

In talking with my NT admin, he sees no log of either binding attempt?

Any suggestions -- I'm hoping that I just can't see the forest for the trees on this one.

thnx,

~j
From: Jim H. <ha...@us...> - 2003-03-13 22:13:28
Jason,
One of the rules of Active Directory is no Anonymous bind. One way to get around that is to build an account that is only used for 'anonymous' LDAP searches and use that account's DN and password in the initial bind. AD meets the letter of the law on this, but not the spirit. Sigh.
--Jim harle

On Thu, 13 Mar 2003, Jason Jolly wrote:

> I'm currently having a problem while trying to authenticate an NT userid
> (Active Directory) from UNIX over LDAP.
>
> I'm using the following code snippet to perform the search/authentication:
>
> ===========================
> == BEGIN
>
> #!/bin/perl -w
>
> use Net::LDAP qw(:all);
> use Net::LDAP::Util qw(ldap_error_name ldap_error_text ldap_error_desc);
>
> $ldap = Net::LDAP->new("XX.XX.X.XXX") || die "$@\n";
> my $msg = $ldap->bind(anonymous => 1, version => 3);
>
> if ( $msg->code ) {
>     print ("Message Error Code => " . $msg->code . "\n");
>     print ("Message Error Name => " . ldap_error_name($msg->code) . "\n");
>     print ("Message Error Text => " . ldap_error_text($msg->code) . "\n");
>     print ("Message Error Desc => " . ldap_error_desc($msg->code) . "\n");
> }
>
> $RS = $ldap->search (
>     base => "MY_DOMAIN.net",
>     scope => "sub",       # still doesn't work with or w/out this.....
>     filter => "(uid=*)"   # also tried "mail=*", etc.
> );
>
> print ( "RS Count => " . $RS->count . "\n");
>
> $ldap->unbind();
>
> == END
> ===========================
>
> Now,
>
> This always returns the output:
>
> RS Count => 0
>
> I can only assume that the bind is working...when I try to bind using the following command:
>
> my $msg = $ldap->bind(dn=>"dc=MY_DOMAIN,dc=net,cn=MY_USER_ID", password=>"MY_PASSWORD") || die "No Auth: " . "$@\n";
>
> I receive the output:
>
> Message Error Code => 49
> Message Error Name => LDAP_INVALID_CREDENTIALS
> Message Error Text => The wrong password was supplied or the SASL credentials could not be processed
> Message Error Desc => Invalid credentials
>
> which is strange since I know that the credentials being sent are correct, nevertheless.....
>
> In talking with my NT admin, he sees no log of either binding attempt?
>
> Any suggestions -- I'm hoping that I just can't see the forest for the trees on this one.
>
> thnx,
>
> ~j
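What Ken and Jim describe, as an added example written for this archive page (it is not code from the thread or from the perl-ldap project): bind with a dedicated low-privilege lookup account, resolve the Windows login name to the user's DN, then verify the user's password with a second, separate bind. The host name, account names, base DN and password placeholders are assumptions; the login name is looked up in AD's sAMAccountName attribute rather than uid, and the lookup account's DN is written leaf first (cn=...,cn=Users,dc=...,dc=net), which is the order LDAP expects.

```perl
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name ldap_error_text escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Assumed values (placeholders, not from the thread): the AD host, a
# dedicated read-only lookup account and its password, and the base DN.
# A DN is written leaf first, so the account sits under
# "cn=Users,dc=MY_DOMAIN,dc=net", not "dc=MY_DOMAIN,dc=net,cn=...".
my $host   = 'ad.example.net';
my $base   = 'dc=MY_DOMAIN,dc=net';
my $svc_dn = 'cn=ldap-lookup,cn=Users,dc=MY_DOMAIN,dc=net';
my $svc_pw = 'LOOKUP_ACCOUNT_PASSWORD';

# Step 1: bind as the lookup account.  AD refuses subtree searches on an
# anonymous bind, which is why an anonymous search returns a count of 0.
my $ldap = Net::LDAP->new($host, version => 3) or die "connect: $@\n";
my $mesg = $ldap->bind($svc_dn, password => $svc_pw);
die sprintf("lookup bind failed: %s (%s)\n", ldap_error_name($mesg->code),
            ldap_error_text($mesg->code)) if $mesg->code;

# Step 2: map the login name to a DN.  AD keeps the Windows login name in
# sAMAccountName; the value is escaped so a login name containing filter
# metacharacters cannot change the meaning of the filter.
sub dn_for_login {
    my ($login) = @_;
    my $res = $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                          escape_filter_value($login)),
        attrs  => ['1.1'],   # "1.1" asks for no attributes, only the DN
    );
    return undef if $res->code || $res->count != 1;
    return $res->entry(0)->dn;
}

# Step 3: check the password with a fresh connection.  Rebinding on the
# lookup connection would swap its identity for the user's, so keep them
# apart.  An empty password must be rejected up front: a bind with a DN
# and no password is treated as an anonymous bind and succeeds.
sub authenticate {
    my ($login, $password) = @_;
    return 0 if !defined $password || $password eq '';
    my $dn = dn_for_login($login) or return 0;
    my $conn = Net::LDAP->new($host, version => 3) or return 0;
    my $r = $conn->bind($dn, password => $password);
    $conn->unbind;
    # code 49 (LDAP_INVALID_CREDENTIALS) means the password was wrong
    return $r->code == LDAP_SUCCESS ? 1 : 0;
}

print authenticate('jjolly', 'secret') ? "authenticated\n" : "rejected\n";
$ldap->unbind;
```

The lookup account needs no rights beyond reading the user objects, so it should be a plain domain account with a long password, not an administrator. The DN-then-password lookup is the usual UNIX-side pattern; AD additionally accepts the user principal name (user@MY_DOMAIN.net) as the name argument of a simple bind, which avoids the search for callers that already know the domain suffix, but the empty-password check above applies just the same.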
From: Jason J. <jas...@ho...> - 2003-03-13 21:31:59
I'm currently having a problem while trying to authenticate an NT userid (Active Directory) from UNIX over LDAP.

I'm using the following code snippet to perform the search/authentication:

===========================
== BEGIN

#!/bin/perl -w

use Net::LDAP qw(:all);
use Net::LDAP::Util qw(ldap_error_name ldap_error_text ldap_error_desc);

$ldap = Net::LDAP->new("XX.XX.X.XXX") || die "$@\n";
my $msg = $ldap->bind(anonymous => 1, version => 3);

if ( $msg->code ) {
    print ("Message Error Code => " . $msg->code . "\n");
    print ("Message Error Name => " . ldap_error_name($msg->code) . "\n");
    print ("Message Error Text => " . ldap_error_text($msg->code) . "\n");
    print ("Message Error Desc => " . ldap_error_desc($msg->code) . "\n");
}

$RS = $ldap->search (
    base => "MY_DOMAIN.net",
    scope => "sub",       # still doesn't work with or w/out this.....
    filter => "(uid=*)"   # also tried "mail=*", etc.
);

print ( "RS Count => " . $RS->count . "\n");

$ldap->unbind();

== END
===========================

Now,

This always returns the output:

RS Count => 0

I can only assume that the bind is working...when I try to bind using the following command:

my $msg = $ldap->bind(dn=>"dc=MY_DOMAIN,dc=net,cn=MY_USER_ID", password=>"MY_PASSWORD") || die "No Auth: " . "$@\n";

I receive the output:

Message Error Code => 49
Message Error Name => LDAP_INVALID_CREDENTIALS
Message Error Text => The wrong password was supplied or the SASL credentials could not be processed
Message Error Desc => Invalid credentials

which is strange since I know that the credentials being sent are correct, nevertheless.....

In talking with my NT admin, he sees no log of either binding attempt?

Any suggestions -- I'm hoping that I just can't see the forest for the trees on this one.

thnx,

~j
From: Chris R. <chr...@ma...> - 2003-03-13 20:30:11
On 13/3/03 7:56 pm, Susan Aurand <sa...@ha...> wrote:

> When I enter $ldap->search(sizelimit => 0)
>
> I am receiving the following error message:
>
> syntax error at phsmodify.pl line 97, near ")

I think you misunderstood Ian's suggestion. You need to *add* the arguments sizelimit => 0 to the list of arguments you are already passing to search. For instance,

$res = $ldap->search(base => 'o=My School,c=US', scope => 'subtree', filter => '(uid=*)', sizelimit => 0);

> Execution of phsmodify.pl aborted due to compilation errors. I have typed
> actually what is shown
> above. I don't see anything wrong with it. What version of perl-ldap are you

Missing semi-colon after the close parenthesis, I'd suspect.

> running? The server
> limit seems fine. If I go into my GQ Ldap Client on the desk top, I can do a
> search uid=* and all
> 1055 entries show. Anyways, any suggestions on the error?

Maybe GQ is using a mechanism like paged results or VLV to do this.

Directories weren't originally designed to let you grab *everything* from them at once, in fact they were designed to prevent you from doing that using the sizelimit mechanism. (The idea being to stop spammers simply asking for all the email addresses in a directory.)

However certain cases do require the directory to return lots of results, but not all at once. Instead, some directories support being asked for lots of stuff back, but in chunks at a time. That's called paged results, and there's something similar called virtual list views. Not all directory servers support these.

Perl-ldap is capable of requesting paged results and VLV; see the manual pages for Net::LDAP::Control::Paged and Net::LDAP::Control::VLV.

Cheers,

Chris
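The paged-results mechanism Chris points at, as an added example for this archive page (not code from Chris's message or from the perl-ldap project): the same uid=* search as above, fetched 100 entries per page with Net::LDAP::Control::Paged so that the directory's sizelimit never has to be lifted for a single huge reply. The host name, the reader account and its password placeholder are assumptions; the base DN is the one from Chris's example.

```perl
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);

# Assumed values (placeholders): a directory host and a read-only account.
my $ldap = Net::LDAP->new('ldap.example.edu', version => 3) or die "$@\n";
my $mesg = $ldap->bind('cn=reader,o=My School,c=US',
                       password => 'READER_PASSWORD');
die "bind: " . $mesg->error . "\n" if $mesg->code;

# Ask for 100 entries per page.  The server answers every page with its
# own paged-results control carrying a cookie; sending that cookie back
# fetches the next page, and an empty cookie means the last page was sent.
my $page = Net::LDAP::Control::Paged->new(size => 100);
my @search = (
    base    => 'o=My School,c=US',
    scope   => 'subtree',
    filter  => '(uid=*)',
    attrs   => ['uid', 'mail'],
    control => [$page],
);

my $total = 0;
my $cookie;
while (1) {
    my $res = $ldap->search(@search);
    if ($res->code) {
        # A server without paged-results support, or one whose per-page
        # cap is smaller than what we asked for, reports the problem here.
        warn "search: " . $res->error . "\n";
        last;
    }
    foreach my $entry ($res->entries) {
        $total++;
        printf "%s\t%s\n", $entry->get_value('uid') || '',
                           $entry->get_value('mail') || '';
    }
    my ($resp) = $res->control(LDAP_CONTROL_PAGED) or last;
    $cookie = $resp->cookie or last;   # empty cookie: we have everything
    $page->cookie($cookie);            # otherwise request the next page
}

# If the loop was left early the server still holds state for this
# search; returning the cookie with a page size of zero tells it to
# drop that state instead of waiting for a timeout.
if ($cookie) {
    $page->cookie($cookie);
    $page->size(0);
    $ldap->search(@search);
}

print "total entries: $total\n";
$ldap->unbind;
```

The page size is a request, not a guarantee: servers that support the control usually enforce their own maximum page size, so keep the value modest and let the loop, not the number, decide when the walk is complete. The same loop shape works unchanged against Active Directory, which supports the paged-results control while still refusing an unpaged request for more entries than its limit allows.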
From: Jim H. <ha...@us...> - 2003-03-13 20:22:29
Chris,
In general, things look great. Here are a few Nits:

The Introduction says 'LDAP will be an integral part of .. Netscape ONE and ... Exchange 5.0'. This is outdated. Netscape hardly exists and ONE is a Sun product. Exchange is currently 5.5. That statement should be replaced by something like: LDAP interfaces exist for a growing number of major software products.

The 'LDAP Web Resources' and 'Other' should be made consistent with the equivalent sections in the FAQ.
--Jim Harle

On Thu, 13 Mar 2003, Chris Ridd wrote:

> I've been doing some updating of the web site :
>
> <http://perl-ldap.sourceforge.net/>
>
> (eg the documentation link now points to CPAN, and is thus always up to
> date) but if there's anything not there that folks think should be there,
> please say!
>
> Cheers,
>
> Chris
From: Chris R. <chr...@ma...> - 2003-03-13 20:14:38
On 13/3/03 7:55 pm, Jim Harle <ha...@us...> wrote:

> Chris,
> In general, things look great. Here are a few Nits:
>
> The Introduction says 'LDAP will be an integral part of .. Netscape ONE and
> ... Exchange 5.0'. This is outdated. Netscape hardly exists and ONE is a Sun
> product. Exchange is currently 5.5. That statement should be replaced by
> something like: LDAP interfaces exist for a growing number of major software
> products.

Good point, I've reworded it somewhat.

> The 'LDAP Web Resources' and 'Other' should be made consistent with the
> equivalent sections in the FAQ.

Yes, but I don't really want to just duplicate things. (The FAQ's on the web site too.) I'll review that bit of the FAQ and that section of the home page when I've got a moment.

> --Jim Harle

Cheers,

Chris