Menu
▾
▴
perl-ldap-dev
You can subscribe to this list here.
| 2000 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(200) |
Jun
(129) |
Jul
(184) |
Aug
(204) |
Sep
(106) |
Oct
(79) |
Nov
(72) |
Dec
(54) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2001 |
Jan
(83) |
Feb
(123) |
Mar
(84) |
Apr
(184) |
May
(106) |
Jun
(111) |
Jul
(104) |
Aug
(91) |
Sep
(59) |
Oct
(99) |
Nov
(100) |
Dec
(37) |
| 2002 |
Jan
(148) |
Feb
(88) |
Mar
(85) |
Apr
(151) |
May
(80) |
Jun
(110) |
Jul
(85) |
Aug
(43) |
Sep
(64) |
Oct
(89) |
Nov
(59) |
Dec
(42) |
| 2003 |
Jan
(129) |
Feb
(104) |
Mar
(162) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Graham B. <gb...@po...> - 2001-08-10 19:07:10
|
I suspect your problem is the missing EQUALITY. RFC2256 show uniqueMember
to be defined as
5.51. uniqueMember
( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
Graham.
On Fri, Aug 10, 2001 at 02:51:03PM -0400, Diffenderfer, Randy wrote:
> Folks,
>
> Have run into this and haven't found a "good" way out. I have a workaround
> (grab a complete group entry, edit it, and replace the entire entry), but it
> is potentially dangerous, so I'd rather find the "right" answer!
>
> Background:
>
> Using objectClass 'groupOfUniqueNames' to provide network "group"
> credentials for network-based privilege requests, e.g. authentication for
> Netscape groups and firewall proxy server boxes. A schema dump of the
> directory shows that this class is subtly different from 'groupOfNames'.
> The 'owner' attribute is identical, but the 'members' attributes ( 'member'
> in 'groupOfNames' and 'uniqueMember' in 'groupOfUniqueNames' ) definitions
> are different, one lacking the "EQUALITY" clause:
>
> attributeTypes: ( 2.5.4.31 NAME 'member' EQUALITY distinguishedNameMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE directoryOperation )
> attributeTypes: ( 2.5.4.50 NAME 'uniqueMember' SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.12{32767} USAGE directoryOperation )
>
> Problem:
>
> The values of the 'uniqueMember' attribute in the groups are true DN's. I
> can 'add' with no problem, but 'delete' of a single value is a problem,
> yielding this message:
>
> $result = $ldap->modify( $dn, 'delete' => { 'uniqueMember' => $user_dn } );
>
> Return code: 18
> Message: LDAP_INAPPROPRIATE_MATCHING: An extensible matching rule in the
> given filter does not apply to the specified attribute
>
> If I try to 'delete' an owner (substitute "owner" for "uniqueMember" in the
> above code snippet), things are fine.
>
> Any ideas?
>
> Thanks,
> Randy Diffenderfer
>
|
|
From: Diffenderfer, R. <ran...@ed...> - 2001-08-10 18:51:26
|
Folks,
Have run into this and haven't found a "good" way out. I have a workaround
(grab a complete group entry, edit it, and replace the entire entry), but it
is potentially dangerous, so I'd rather find the "right" answer!
Background:
Using objectClass 'groupOfUniqueNames' to provide network "group"
credentials for network-based privilege requests, e.g. authentication for
Netscape groups and firewall proxy server boxes. A schema dump of the
directory shows that this class is subtly different from 'groupOfNames'.
The 'owner' attribute is identical, but the 'members' attributes ( 'member'
in 'groupOfNames' and 'uniqueMember' in 'groupOfUniqueNames' ) definitions
are different, one lacking the "EQUALITY" clause:
attributeTypes: ( 2.5.4.31 NAME 'member' EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE directoryOperation )
attributeTypes: ( 2.5.4.50 NAME 'uniqueMember' SYNTAX
1.3.6.1.4.1.1466.115.121.1.12{32767} USAGE directoryOperation )
Problem:
The values of the 'uniqueMember' attribute in the groups are true DN's. I
can 'add' with no problem, but 'delete' of a single value is a problem,
yielding this message:
$result = $ldap->modify( $dn, 'delete' => { 'uniqueMember' => $user_dn } );
Return code: 18
Message: LDAP_INAPPROPRIATE_MATCHING: An extensible matching rule in the
given filter does not apply to the specified attribute
If I try to 'delete' an owner (substitute "owner" for "uniqueMember" in the
above code snippet), things are fine.
Any ideas?
Thanks,
Randy Diffenderfer
|
|
From: Chris R. <chr...@me...> - 2001-08-09 14:51:01
|
Edd Dawson <E.J...@de...> wrote:
> Hello,
>
> I am trying to Bind to LDAP with the following code :
>
> #!/usr/bin/perl
>
> use Net::LDAP;
>
> use Net::LDAP::Util qw(ldap_error_text);
>
> my($ldap) = Net::LDAP->new('ldapserver') or die "Can't bind to ldap:
> $!\n";
>
> $mesg = $ldap->bind(
> dn => "cn=username, ou=blah, ou=blah, ou=blah, o=blah",
> password => "password",
> );
>
>
>
>
>
> die ldap_error_text($mesg->code)
> if $mesg->code;
>
> print "success\n";
>
>
>
>
> But I always get the following output :
>
> This result code is returned when confidentiality is required to perform
> a given operation
You might want to use ldap_error_name as well, which should print out
LDAP_CONFIDENTIALITY_REQUIRED (this is easier to look up :-)
>
> It is an NDS system behind the scenes. Is this the cause of my
> problem.
> All I need to do is authenticate a username and password.
>
> Can anyone help me out ?
>
> Thanks very much
>
> Edd
>
>
It would appear that your server has been configured not to allow simple
binds over plaintext connections. You need to use either LDAPS (Net::LDAPS)
or call $ldap->start_tls() before doing the bind. Both of these techniques
require additional configuration, so you will need to read the
documentation. The start_tls() method only exists in the latest perl-ldap.
Or reconfigure NDS to permit plaintext authentication...
Cheers,
Chris
|
|
From: Graham B. <gb...@po...> - 2001-08-09 14:46:12
|
This is because the server is refusing to except a password passed in the clear
when the connection is not secure. You have several options
1) If the server suppoers SASL, you may be able to use sasl authentication.
2) If the server supports start_tls, you could call $ldap->start_tls before
calling bind
3) If the server listens on a second port and accepts SSL connections, then you
could use Net::LDAPS
Graham.
On Thu, Aug 09, 2001 at 03:21:07PM +0100, Edd Dawson wrote:
> Hello,
>
> I am trying to Bind to LDAP with the following code :
>
> #!/usr/bin/perl
>
> use Net::LDAP;
>
> use Net::LDAP::Util qw(ldap_error_text);
>
> my($ldap) = Net::LDAP->new('ldapserver') or die "Can't bind to ldap: $!\n";
>
> $mesg = $ldap->bind(
> dn => "cn=username, ou=blah, ou=blah, ou=blah, o=blah",
> password => "password",
> );
>
>
>
>
>
> die ldap_error_text($mesg->code)
> if $mesg->code;
>
> print "success\n";
>
>
>
>
> But I always get the following output :
>
> This result code is returned when confidentiality is required to perform
> a given operation
>
>
> It is an NDS system behind the scenes. Is this the cause of my
> problem.
> All I need to do is authenticate a username and password.
>
> Can anyone help me out ?
>
> Thanks very much
>
> Edd
>
>
|
|
From: Edd D. <E.J...@de...> - 2001-08-09 14:21:42
|
Hello,
I am trying to Bind to LDAP with the following code :
#!/usr/bin/perl
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_text);
my($ldap) = Net::LDAP->new('ldapserver') or die "Can't bind to ldap: $!\n";
$mesg = $ldap->bind(
dn => "cn=username, ou=blah, ou=blah, ou=blah, o=blah",
password => "password",
);
die ldap_error_text($mesg->code)
if $mesg->code;
print "success\n";
But I always get the following output :
This result code is returned when confidentiality is required to perform
a given operation
It is an NDS system behind the scenes. Is this the cause of my
problem.
All I need to do is authenticate a username and password.
Can anyone help me out ?
Thanks very much
Edd
|
|
From: Graham B. <gb...@po...> - 2001-08-08 20:51:20
|
No, but it would not be difficult to modify new so that the hostname passed could instead be a filehandle. We could also add support for the MultiHomed option to be passed to IO::Socket::INET Graham. On Wed, Aug 08, 2001 at 02:38:01PM -0600, Chris Fedde wrote: > I have an ldap 'multiserver' defined as two DNS A records with the > same name (a DNS round robin) > > Is there a way to pass the MultiHomed option forward from Net::LDAP > to IO::Socket::INET, or a way to tell Net::LDAP to use an IO::Socket::INET > that I have created on my own? > > chris > > -- > Chris Fedde > |
|
From: Chris F. <cf...@vi...> - 2001-08-08 20:37:41
|
I have an ldap 'multiserver' defined as two DNS A records with the
same name (a DNS round robin)
Is there a way to pass the MultiHomed option forward from Net::LDAP
to IO::Socket::INET, or a way to tell Net::LDAP to use an IO::Socket::INET
that I have created on my own?
chris
--
Chris Fedde
|
|
From: Chris R. <chr...@me...> - 2001-08-08 07:26:42
|
Graham Barr <gb...@po...> wrote: > After reading through the project documentation and mailing list archives > for perl-ldap, i see that automatic referral chasing is not yet > supported. However, i did not see a recommended technique for manually > chasing referrals. There are some good reasons *not* to support automatic following of referrals, mostly to do with how to authenticate to the referred-to servers. (You don't necessarily want to offer credentials valid on one server to another.) > Would you suggest that i use URI::ldap to pull out the various parts of > the referral URI and then restart the query process with the parsed data? > > Or is there perhaps a part of the API that i missed which takes an ldap > URI and initiates a search? There isn't, but if you take a look at the bin/ldapsearch.PL program it will automatically follow referrals and continuation references by calling the URI object's port, host and dn methods. I think this is pretty much what you'd guessed you'd have to do :-) Cheers, Chris |
|
From: Bing D. <Bi...@ci...> - 2001-08-07 19:45:11
|
The following roughly shows how my entry looks like in the OpenLDAP
directory (2.0.11). The real password is stored in Kerberos. 'bing-du'
is my logon username.
dn:uid=c24b18d4bb4afdf052330678a0000000, ou=People, dc=tamu, dc=edu
objectClass: top
person
organizationalPerson
inetOrgPerson
tamuPerson
tamuEmployee
cn: Du Bing
sn: Du
uid: c24b18d4bb4afdf052330678a0000000
userPassword: {KERBEROS}bing-du
mail: bi...@ta...
searchMailbox: bing-du
deliverMailbox: bi...@ci...
My question is if the following code snippet shows the correct way to
perform authentication?
Right now, no matter what password I give, I can always get 'You've
passwd auth'. I expected to get 'Error: couldn't bind!!!' in the case
of wrong or none password. But I did not. Did I do anything wrong?
====================
#!/usr/local/bin/perl
use Net::LDAP;
$ldap_server = "ds.tamu.edu";
$ldap_port = "389";
$mydn = "uid=c24b18d4bb4afdf052330678af9a601d, ou=People, dc=tamu,
dc=edu";
$mypw = "secret";
if (! ($ld = new Net::LDAP($ldap_server,port => $ldap_port)))
{
die "Can not connect to the directory server!!!\n";
}
if (! ($ld->bind(dn => $mydn,password =>$mypw)))
{
die "Error: couldn't bind!!!\n";
}
print "You've passed auth\n";
=============================
thanks,
Bing
Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix
|
|
From: Graham B. <gb...@po...> - 2001-08-07 18:41:18
|
----- Forwarded message from Mike Schiraldi <ra...@re...> ----- Date: Tue, 7 Aug 2001 14:37:19 -0400 To: gb...@po... From: Mike Schiraldi <ra...@re...> Subject: perl-ldap URLs After reading through the project documentation and mailing list archives for perl-ldap, i see that automatic referral chasing is not yet supported. However, i did not see a recommended technique for manually chasing referrals. Would you suggest that i use URI::ldap to pull out the various parts of the referral URI and then restart the query process with the parsed data? Or is there perhaps a part of the API that i missed which takes an ldap URI and initiates a search? Thanks ----- End forwarded message ----- |
|
From: Bob G. <go...@at...> - 2001-08-06 12:12:30
|
Randy --
You might take a look at the latest code release for Net::LDAP (0.24,
out a couple of weeks ago.). The README talks about getting the Virtual
List facility to work corectly, so that may make the paging work better.
Another other solution is to filter on something like surname, and
programatically segment your request --
for my $i (A-Z) {
my $filter = "surname=$i*";
my $rc = $ldap->search(
base => $tree_root,
filter => $filter,
callback => \my_process_routine,
)
}
This also runs a Looong time against a 100K+ Directory, but due to to
smaller number of objects that need to be marshalled before the
call-back is invoked for the first time, it appears to run faster. I am
running against a Syntegra LDAP server, ao ymmv.
Bob Goolsby
per...@li... wrote:
>
> Send perl-ldap-dev mailing list submissions to
> per...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.sourceforge.net/lists/listinfo/perl-ldap-dev
> or, via email, send a message with subject or body 'help' to
> per...@li...
>
> You can reach the person managing the list at
> per...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of perl-ldap-dev digest..."
>
> Today's Topics:
>
> 1. fastest way to "walk" a directory tree (Diffenderfer, Randy)
>
> --__--__--
>
> Message: 1
> From: "Diffenderfer, Randy" <ran...@ed...>
> To: "'per...@li...'"
> <per...@li...>
> Subject: fastest way to "walk" a directory tree
> Date: Sun, 5 Aug 2001 10:34:20 -0400
>
> Folks:
>
> Any suggestions as to what would be the fastest technique to generate
> entries from an entire directory tree, or a sizable chunk of it? The tree
> in question has over 100,000 entries...
>
> My "default" approach:
> $ldap->search( base=>$base_dn_of_tree, filter="(objectclass=*)" )
> ...deal with entry list returned...
>
> This "sits" for a loooong time, then I get entries at a "respectable" pace
> of about 1,000 every 5 seconds. I have also tried using a callback routine,
> but similar results, a long initial wait, then a stream of entries. I
> haven't tried the "paging" control, but a co-worker suggested that his
> attempts to do the same didn't seem to produce any different results.
>
> So, what's the best I can do? Any tuning on "typical" server side
> parameters that might help?
>
> Thanks,
> Randy Diffenderfer
> EDS Messaging
>
> --__--__--
>
> _______________________________________________
> perl-ldap-dev mailing list
> per...@li...
> http://lists.sourceforge.net/lists/listinfo/perl-ldap-dev
>
> End of perl-ldap-dev Digest
--
Bob Goolsby
go...@at...
The only thing with more energy than a puppy with a bone is a puppy with
*two* bones.
|
|
From: Clif H. <ch...@po...> - 2001-08-06 02:48:11
|
"Diffenderfer, Randy" wrote: > > Folks: > > Any suggestions as to what would be the fastest technique to generate > entries from an entire directory tree, or a sizable chunk of it? The tree > in question has over 100,000 entries... > > My "default" approach: > $ldap->search( base=>$base_dn_of_tree, filter="(objectclass=*)" ) > ...deal with entry list returned... > > This "sits" for a loooong time, then I get entries at a "respectable" pace > of about 1,000 every 5 seconds. I have also tried using a callback routine, > but similar results, a long initial wait, then a stream of entries. I > haven't tried the "paging" control, but a co-worker suggested that his > attempts to do the same didn't seem to produce any different results. > > So, what's the best I can do? Any tuning on "typical" server side > parameters that might help? > > Thanks, > Randy Diffenderfer > EDS Messaging Randy, Most directory vendors provide tool(s) to dump a directory, something like ldbm2ldif or such. Most of the time these tools dump a directory very quickly. Dumping a directory thru ldap would be a very time consuming process. Regards, Clif Harden ch...@po... |
|
From: Diffenderfer, R. <ran...@ed...> - 2001-08-05 14:34:31
|
Folks: Any suggestions as to what would be the fastest technique to generate entries from an entire directory tree, or a sizable chunk of it? The tree in question has over 100,000 entries... My "default" approach: $ldap->search( base=>$base_dn_of_tree, filter="(objectclass=*)" ) ...deal with entry list returned... This "sits" for a loooong time, then I get entries at a "respectable" pace of about 1,000 every 5 seconds. I have also tried using a callback routine, but similar results, a long initial wait, then a stream of entries. I haven't tried the "paging" control, but a co-worker suggested that his attempts to do the same didn't seem to produce any different results. So, what's the best I can do? Any tuning on "typical" server side parameters that might help? Thanks, Randy Diffenderfer EDS Messaging |
|
From: Chris R. <chr...@me...> - 2001-08-03 08:04:16
|
Jim Dutton <ji...@du...> wrote: > Applied patches - still get failure with LDAP (LDAPS works, but it did > before, as well). FWIW - OpenSSL is at V0.9.6b on the "server" and at > V0.9.6a on the "client" machines. I guess that I should install > OpenSSL-0.9.6b on the "client" - sigh! Ah, I think I see what you're doing. There's no need to change versions of OpenSSL at all. The start_tls method in Net::LDAP doesn't just 'switch' the connection over to using TLS, it actually sends the server a special LDAP operation first to say that it wants to do so. It waits for the result, and then does the 'switch'. See RFC 2830 for the gory details. I don't think the openssl s_server program knows how to deal with this extra protocol from the client (at least 'man s_server' doesn't reveal any obvious way to do it), so I suspect you won't be able to test start_tls against 'openssl s_server'. I think you've got to test against a real LDAP server :-) Cheers, Chris |
|
From: dave h. <red...@ya...> - 2001-08-03 01:21:30
|
Sure. The error was occurring when our Net::LDAP wrapper (AMA::Ldap) called Net::LDAP::Entry::update(). The problem was that the dn wasn't being passed with the rest of the attributes. It simply needed to be added to the hash. Once it was added, the problem was solved. Let me know if you would like more details, --Dave --- Graham Barr <gb...@po...> wrote: > Could you explain what it was. It may help make the > error message > a bit better for the future > > Graham. > > On Thu, Aug 02, 2001 at 09:25:55AM -0700, dave > hoover wrote: > > Please disregard my call for help. I figured it > out. > > > > > > --- dave hoover <red...@ya...> > wrote: > > > Perl-LDAP gurus, I need some help. I receive > the > > > following error when I attempt to call a > homegrown > > > ldapadd Perl subroutine that calls other > homegrown > > > Perl wrappers that use the Net::LDAP modules. I > > > inherited this project from a consultant who > left > > > before our LDAP implementation was completed and > I'm > > > struggling under the girth of the code he left > > > behind. > > > > > > Here is the error: > > > > > > Could not add entry to LDAP server: objectName > at > > > > > > /apps/perl/5.6.0/lib/site_perl/5.6.0/Convert/ASN1/_encode.pm > > > line 47. > > > > > > Is there a standard reason that this error would > > > occur? Any suggestions? If you need to see > some > > > code, let me know how much would be appropriate. > > > > > > TIA, > > > > > > Dave Hoover > > > Internet Specialist > > > American Medical Association __________________________________________________ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ |
|
From: Graham B. <gb...@po...> - 2001-08-02 21:48:04
|
On Thu, Aug 02, 2001 at 04:43:30PM -0500, Jim Dutton wrote: > Hmmmmmm - now THAT'S interesting? Well, it WORKS, NOW, with both IP > addresses and IP hostnames (sheesh!). > > Please cancel my earlier request for a doc change. Ah, there must be a god. Thats at least twice in the last few days that a reported bug has fixed itself :) Graham. |
|
From: Jim D. <ji...@du...> - 2001-08-02 21:42:02
|
Hmmmmmm - now THAT'S interesting? Well, it WORKS, NOW, with both IP
addresses and IP hostnames (sheesh!).
Please cancel my earlier request for a doc change.
> -----Original Message-----
> From: Chris Ridd [mailto:chr...@me...]
> Sent: Thursday, August 02, 2001 3:30 AM
> To: Perl-Ldap mailing list
> Subject: Re: LDAPS Documentation Correction
>
>
> Jim Dutton <ji...@du...> wrote:
>> The documentation for the LDAPS (Perl-Ldap V0.24) module uses an IP
>> hostname in its example of the HOST parameter. The underlying 'connect'
>> subroutine, however, calls for an IP address (PeerAddr) instead.
>>
>> The documentation for IO::Socket::SSL shows support for both "peeraddr"
>> and "peerhost".
>>
>> When using LDAPS with an IP hostname, the program fails. When using
>> LDAPS with an IP address, the program succeeds.
>>
>>
>
> That's curious. One of the changes in 0.24 is that some of the common code
> between Net::LDAP and Net::LDAPS has been centralised, so possibly
> something's gone AWOL during that cleanup, even though Graham and I both
> tested the code.
>
> So there's now a _connect routine in each module that does the dirty work
> of creting the socket. The _connect code looks pretty similar in both
> modules!
>
> # Net::LDAP:
> sub _connect {
> my ($ldap, $host, $arg) = @_; $ldap->{net_ldap_socket} =
> IO::Socket::INET->new(
> PeerAddr => $host,
> PeerPort => $arg->{port} || '389',
> Proto => 'tcp',
> Timeout => defined $arg->{timeout}
> ? $arg->{timeout}
> : 120
> );
> }
>
> # Net::LDAPS:
> sub _connect {
> my ($ldap, $host, $arg) = @_; $ldap->{'net_ldap_socket'} =
> IO::Socket::SSL->new(
> PeerAddr => $host,
> PeerPort => $arg->{'port'} || '636',
> Proto => 'tcp',
> Timeout => defined $arg->{'timeout'} ? $arg->{'timeout'} : 120,
> SSL_context_init_args($arg)
> );
> }
>
> Do you get the same connection problem with Net::LDAP? If so, could it be
> an problem with whatever name resolution you're using locally - DNS etc?
>
> Did you get the same problem before 0.24?
>
> Cheers,
>
> Chris
> This email message is for the sole use of the intended recipient(s) and may
> contain confidential and privileged information. Any unauthorized review,
> use, disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply email and destroy all copies
> of the original message.
|
|
From: Jim D. <ji...@du...> - 2001-08-02 20:54:39
|
Applied patches - still get failure with LDAP (LDAPS works, but it did
before, as well). FWIW - OpenSSL is at V0.9.6b on the "server" and at
V0.9.6a on the "client" machines. I guess that I should install
OpenSSL-0.9.6b on the "client" - sigh!
==================== "server" machine =========================
openssl s_server -cert slapd.ssl.certificate -key slapd.ssl.key
-CAfile /var/OpenSSL_CA/cacert.pem -debug -state -accept 637
Using default temp DH parameters
Enter PEM pass phrase:
ACCEPT
SSL_accept:before/accept initialization
read from 0015B270 [00165190] (11 bytes => 11 (0xB))
0000 - 30 1d 02 01 01 77 18 80-16 31 2e 0....w...1.
SSL_accept:error in SSLv2/v3 read client hello A
ERROR
12217:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:s23_srvr.c:565:
shutting down SSL
CONNECTION CLOSED
ACCEPT
openssl s_server -cert slapd.ssl.certificate
-key slapd.ssl.key -CAfile /var/OpenSSL_CA/cacert.pem -debug -state
-accept 637 -tls1
Using default temp DH parameters
Enter PEM pass phrase:
ACCEPT
SSL_accept:before/accept initialization
read from 0015B270 [00165190] (5 bytes => 5 (0x5))
0000 - 30 1d 02 01 01 0....
SSL_accept:error in SSLv3 read client hello B
ERROR
12218:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:290:
shutting down SSL
CONNECTION CLOSED
ACCEPT
============ Perl-Ldap script portion used for above ==============
#!/usr/local/bin/perl
use Net::LDAP qw(:all);
use Data::Dumper;
my $ldaphost = "<remote host>";
my $ldapconn = Net::LDAP->new($ldaphost,port=>637,version=>3,debug=>1) or die "$
@";
print Dumper($ldapconn);
my $cafile = "<remote host CA certificate>";
my $result = $ldapconn->start_tls(verify=>'require',cafile=>"$cafile");
print Dumper($result);
exit;
> Chris Ridd <chr...@me...> wrote:
>>
>> We may need to set SSL_version to 'tlsv1' in the start_tls method - TLS is
>> *not* exactly the same as SSL, after all. If you step through start_tls,
>> can you tweak that after the call to Net::LDAPS::SSL_context_init_args?
>>
>> Cheers,
>>
>> Chris
>>
>
> Does the attached patch help? It basically allows the SSL_version to be
> configured, but defaults it to sslv2/3 for LDAPS and to tlsv1 in
> LDAP::start_tls.
>
> Cheers,
>
> Chris
> --==========2282117794==========
> Content-type: text/x-patch; charset="iso-8859-1"; name="starttls.patch"
> Content-transfer-encoding: quoted-printable
> Content-Disposition: attachment; filename="starttls.patch"; size=1369
>
> Index: lib/Net/LDAP.pm
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> RCS file: /cvsroot/perl-ldap/ldap/lib/Net/LDAP.pm,v
> retrieving revision 1.23
> diff -b -c -r1.23 LDAP.pm
> *** lib/Net/LDAP.pm 2001/07/17 12:52:56 1.23
> --- lib/Net/LDAP.pm 2001/08/02 09:45:18
> ***************
> *** 788,793 ****
> --- 788,794 ----
> if $mesg->code;
> =
> require Net::LDAPS;
> + $arg->{sslversion} =3D 'tlsv1' unless defined $arg->{sslversion};
> IO::Socket::SSL::context_init( { =
> Net::LDAPS::SSL_context_init_args($arg) } );
> (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, =
> 'IO::Socket::SSL', $sock)
> ? $mesg
> Index: lib/Net/LDAPS.pm
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> RCS file: /cvsroot/perl-ldap/ldap/lib/Net/LDAPS.pm,v
> retrieving revision 1.8
> diff -b -c -r1.8 LDAPS.pm
> *** lib/Net/LDAPS.pm 2001/07/06 11:53:01 1.8
> --- lib/Net/LDAPS.pm 2001/08/02 09:45:18
> ***************
> *** 55,61 ****
> SSL_use_cert =3D> $clientcert ? 1 : 0,
> SSL_cert_file =3D> $clientcert,
> SSL_verify_mode =3D> $verify,
> ! SSL_version =3D> 'sslv2/3',
> );
> }
> =
> --- 55,62 ----
> SSL_use_cert =3D> $clientcert ? 1 : 0,
> SSL_cert_file =3D> $clientcert,
> SSL_verify_mode =3D> $verify,
> ! SSL_version =3D> defined $arg->{'sslversion'} ? =
> $arg->{'sslversion'} :
> ! 'sslv2/3',
> );
> }
> =
>
> --==========2282117794==========--
|
|
From: Graham B. <gb...@po...> - 2001-08-02 19:48:27
|
Could you explain what it was. It may help make the error message a bit better for the future Graham. On Thu, Aug 02, 2001 at 09:25:55AM -0700, dave hoover wrote: > Please disregard my call for help. I figured it out. > > > --- dave hoover <red...@ya...> wrote: > > Perl-LDAP gurus, I need some help. I receive the > > following error when I attempt to call a homegrown > > ldapadd Perl subroutine that calls other homegrown > > Perl wrappers that use the Net::LDAP modules. I > > inherited this project from a consultant who left > > before our LDAP implementation was completed and I'm > > struggling under the girth of the code he left > > behind. > > > > Here is the error: > > > > Could not add entry to LDAP server: objectName at > > > /apps/perl/5.6.0/lib/site_perl/5.6.0/Convert/ASN1/_encode.pm > > line 47. > > > > Is there a standard reason that this error would > > occur? Any suggestions? If you need to see some > > code, let me know how much would be appropriate. > > > > TIA, > > > > Dave Hoover > > Internet Specialist > > American Medical Association > > > > __________________________________________________ > > Do You Yahoo!? > > Make international calls for as low as $.04/minute > > with Yahoo! Messenger > > http://phonecard.yahoo.com/> sub ldapAdd { > > my $hash = parse_args(@_); > > > > my $config = AMA::Config->new( source => > > 'main', > > configFile => > > 'conf/main.conf', > > path => > > $hs->get_LDAPpath, > > ) || return 0; > > > > # DHH - Determining source based on amaMENumber > > contents > > # Associates => alphas & numbers > > # Physicians => numbers only > > > > my ($source, $convert); > > if ( $$hash{amaMENumber} =~ /^[a-zA-Z0-9]+$/ ) { > > > > $source = "Associates"; > > $convert = AMA::Converters::Associates->new( > > config => $config ) || return 0; > > > > } elsif ( $$hash{amaMENumber} =~ /^\d+$/ ) { > > > > $source = "Physicians"; > > $convert = AMA::Converters::Physicians->new( > > config => $config ) || return 0; > > > > } else { return 0; } > > > > while ( my($key,$raw) = each %$hash) { > > $$hash{$key} = $convert->$key($raw); # > > standardize the data > > } > > > > $convert->addNonDbAttrs; # add the attributes not > > found in the database > > $convert->flushCache; # clean up cache used by non > > database attributes > > > > my $ldap = AMA::Ldap->new( source => > > $source, > > config => > > $config, > > ) || return 0; > > $ldap->addEntry($hash) || return 0; > > > > return 1; > > } # end ldapAdd > > > > > __________________________________________________ > Do You Yahoo!? > Make international calls for as low as $.04/minute with Yahoo! Messenger > http://phonecard.yahoo.com/ > |
|
From: Cuthbert, L. (D. Bank)
<Lan...@De...> - 2001-08-02 17:41:46
|
I am trying to find a way to monitor the changelog for a Netscape 4.11 LDAP server. I would like to monitor what changes take place and then produce an LDIF file accordingly. Does anyone have any suggestions? Lance Cuthbert |
|
From: dave h. <red...@ya...> - 2001-08-02 16:28:36
|
Please disregard my call for help. I figured it out. --- dave hoover <red...@ya...> wrote: > Perl-LDAP gurus, I need some help. I receive the > following error when I attempt to call a homegrown > ldapadd Perl subroutine that calls other homegrown > Perl wrappers that use the Net::LDAP modules. I > inherited this project from a consultant who left > before our LDAP implementation was completed and I'm > struggling under the girth of the code he left > behind. > > Here is the error: > > Could not add entry to LDAP server: objectName at > /apps/perl/5.6.0/lib/site_perl/5.6.0/Convert/ASN1/_encode.pm > line 47. > > Is there a standard reason that this error would > occur? Any suggestions? If you need to see some > code, let me know how much would be appropriate. > > TIA, > > Dave Hoover > Internet Specialist > American Medical Association > > __________________________________________________ > Do You Yahoo!? > Make international calls for as low as $.04/minute > with Yahoo! Messenger > http://phonecard.yahoo.com/> sub ldapAdd { > my $hash = parse_args(@_); > > my $config = AMA::Config->new( source => > 'main', > configFile => > 'conf/main.conf', > path => > $hs->get_LDAPpath, > ) || return 0; > > # DHH - Determining source based on amaMENumber > contents > # Associates => alphas & numbers > # Physicians => numbers only > > my ($source, $convert); > if ( $$hash{amaMENumber} =~ /^[a-zA-Z0-9]+$/ ) { > > $source = "Associates"; > $convert = AMA::Converters::Associates->new( > config => $config ) || return 0; > > } elsif ( $$hash{amaMENumber} =~ /^\d+$/ ) { > > $source = "Physicians"; > $convert = AMA::Converters::Physicians->new( > config => $config ) || return 0; > > } else { return 0; } > > while ( my($key,$raw) = each %$hash) { > $$hash{$key} = $convert->$key($raw); # > standardize the data > } > > $convert->addNonDbAttrs; # add the attributes not > found in the database > $convert->flushCache; # clean up cache used by non > database attributes > > my $ldap = AMA::Ldap->new( source => > $source, > config => > $config, > ) || return 0; > $ldap->addEntry($hash) || return 0; > > return 1; > } # end ldapAdd > __________________________________________________ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ |
|
From: Samara M. <Sam...@sd...> - 2001-08-02 14:31:14
|
What's the latest version of perLDAP now?
-----Original Message-----
From: Chris Ridd [mailto:chr...@me...]
Sent: Thursday, August 02, 2001 3:30 AM
To: Perl-Ldap mailing list
Subject: Re: LDAPS Documentation Correction
Jim Dutton <ji...@du...> wrote:
> The documentation for the LDAPS (Perl-Ldap V0.24) module uses an IP
> hostname in its example of the HOST parameter. The underlying 'connect'
> subroutine, however, calls for an IP address (PeerAddr) instead.
>
> The documentation for IO::Socket::SSL shows support for both "peeraddr"
> and "peerhost".
>
> When using LDAPS with an IP hostname, the program fails. When using
> LDAPS with an IP address, the program succeeds.
>
>
That's curious. One of the changes in 0.24 is that some of the common code
between Net::LDAP and Net::LDAPS has been centralised, so possibly
something's gone AWOL during that cleanup, even though Graham and I both
tested the code.
So there's now a _connect routine in each module that does the dirty work
of creting the socket. The _connect code looks pretty similar in both
modules!
# Net::LDAP:
sub _connect {
my ($ldap, $host, $arg) = @_; $ldap->{net_ldap_socket} =
IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $arg->{port} || '389',
Proto => 'tcp',
Timeout => defined $arg->{timeout}
? $arg->{timeout}
: 120
);
}
# Net::LDAPS:
sub _connect {
my ($ldap, $host, $arg) = @_; $ldap->{'net_ldap_socket'} =
IO::Socket::SSL->new(
PeerAddr => $host,
PeerPort => $arg->{'port'} || '636',
Proto => 'tcp',
Timeout => defined $arg->{'timeout'} ? $arg->{'timeout'} : 120,
SSL_context_init_args($arg)
);
}
Do you get the same connection problem with Net::LDAP? If so, could it be
an problem with whatever name resolution you're using locally - DNS etc?
Did you get the same problem before 0.24?
Cheers,
Chris
This email message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all copies
of the original message.
|
|
From: Shanker B. <sh...@ex...> - 2001-08-02 12:15:00
|
|
From: Tony A. <ton...@ma...> - 2001-08-02 10:16:07
|
Marshall, > Hi. Could you possibly be more specific about which > version of "native perl for NT outside the CYGWIN environment" > you were referring to? (I'm guessing its from ActiveState.com, but > I'd like to confirm the version and build number before I download > their perl.) Sure, here is the output from perl -v when run from a Win2K command prompt window: This is perl, v5.6.0 built for MSWin32-x86-multi-thread (with 1 registered patch, see perl -V for more detail) Copyright 1987-2000, Larry Wall Binary build 618 provided by ActiveState Tool Corp. http://www.ActiveState.com Built 21:03:54 Sep 13 2000 And here is the output from my cygwin version of perl: This is perl, v5.6.1 built for cygwin (with 1 registered patch, see perl -V for more detail) Copyright 1987-2000, Larry Wall Here is the very simple perl script that I used to test it: #!/usr/bin/perl use Net::LDAP; $ldap = Net::LDAP->new('ldap.man.ac.uk') or die "$@"; $ldap->bind or die "$@"; print("\nGetting username ...\n\n"); print("Username: ");chop ($user=<STDIN>); print("Searching LDAP for username ...\n"); $mesg = $ldap->search(base=>"c=UK",filter=>"(uid=$user)"); sleep(1); $mesg->code && die $mesg->error; $y = $mesg->count(); printf "$y entries found.\n"; foreach $entry ($mesg->all_entries) { $dn=$entry->dn(); @mail=$entry->get('mail'); print("Distinguished name: $dn\nMail address: $mail[0]\n"); } Run with cygwin perl I get: [508]zzalsaca@ACA-VNT$ perl find.pl Getting username ... Username: zzalsaca Searching LDAP for username ... I/O Error Resource temporarily unavailable 494f3a3a536f636b65743a3a494e45543d474 c4f422830786130323265313829 at find.pl line 15, <STDIN> line 1. [509]zzalsaca@ACA-VNT$ and run with Active State Perl I get: C:\users\zzalsaca\Programming\ldap>perl find.pl Getting username ... Username: zzalsaca Searching LDAP for username ... 1 entries found. Distinguished name: uid=Zzalsaca,ou=mcc,o=ac,c=uk Mail address: Ton...@ma... C:\users\zzalsaca\Programming\ldap> I hope this is useful! Regards, Tony. -- Tony Arnold, Deputy to the Head of COS Division, Manchester Computing, University of Manchester, Oxford Road, Manchester M13 9PL. T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039 E-mail: ton...@ma..., Home: http://www.man.ac.uk/Tony.Arnold |
|
From: Chris R. <chr...@me...> - 2001-08-02 09:50:53
|
Chris Ridd <chr...@me...> wrote: > > We may need to set SSL_version to 'tlsv1' in the start_tls method - TLS is > *not* exactly the same as SSL, after all. If you step through start_tls, > can you tweak that after the call to Net::LDAPS::SSL_context_init_args? > > Cheers, > > Chris > Does the attached patch help? It basically allows the SSL_version to be configured, but defaults it to sslv2/3 for LDAPS and to tlsv1 in LDAP::start_tls. Cheers, Chris |
7902 messages has been excluded from this view by a project administrator.
