From: Robbie A. <ra...@ci...> - 2001-04-26 17:52:38

As far as the user dn, you can use the UPN (User Principal Name) instead. Just change:

> $ldap->bind('cn=Administrator,cn=Users,dc=McKee,dc=com', password =>

to:

> $ldap->bind('Adm...@Mc...', password =>

Makes for a portable AD app, just not a portable LDAP app ;-)

Robbie Allen

> -----Original Message-----
> From: Fox [mailto:ld...@cd...]
> Sent: Thursday, April 26, 2001 10:30 AM
> To: per...@li...
> Subject: Re: Active directory and Perl-ldap
>
> Here is how I connect to a brand spanking new Active Directory server I set
> up authenticating clear text with rights to add users (I added 12,000). The
> tricky part is getting the whole user dn correct. Just substitute your
> domain for mckee.com and you should have a winner.
>
> Fox
> ld...@cd...
>
> #!/usr/bin/perl
>
> use Net::LDAP;
> use Net::LDAP::Entry;
>
> # ------> Declare leconte ldap server
> $ldap = Net::LDAP->new('ranier.mckee.com') or die "$@";
> # You must bind with write rights to add an entry
> $mesg = $ldap->bind('cn=Administrator,cn=Users,dc=McKee,dc=com',
>                     password => 'mypassword');
> print "Connecting to ldap server... " . $mesg->error . "\n";
>
> [rest of the quoted thread snipped; it is quoted in full in the 15:26:36 message from Robbie Allen below]
From: Fox <ld...@cd...> - 2001-04-26 17:30:34

Here is how I connect to a brand spanking new Active Directory server I set
up authenticating clear text with rights to add users (I added 12,000). The
tricky part is getting the whole user dn correct. Just substitute your
domain for mckee.com and you should have a winner.

Fox
ld...@cd...

    #!/usr/bin/perl

    use strict;
    use warnings;
    use Net::LDAP;
    use Net::LDAP::Entry;

    # ------> Declare leconte ldap server
    my $ldap = Net::LDAP->new('ranier.mckee.com') or die "$@";

    # You must bind with write rights to add an entry.
    # This is a simple bind: the password crosses the wire in clear text
    # unless the connection is LDAPS or upgraded with StartTLS first.
    my $mesg = $ldap->bind('cn=Administrator,cn=Users,dc=McKee,dc=com',
                           password => 'mypassword');
    print "Connecting to ldap server... " . $mesg->error . "\n";

    # bind() always returns a message object, so "or die" never fires;
    # check the result code instead.
    die "bind failed: " . $mesg->error . "\n" if $mesg->code;

----- Original Message -----
From: "Robbie Allen" <ra...@ci...>
To: <per...@li...>
Sent: Thursday, April 26, 2001 11:26 AM
Subject: RE: Active directory and Perl-ldap

> I second the motion. You absolutely can connect to AD with a simple bind.
>
> Robbie Allen
>
> [rest of the quoted thread snipped; it is quoted in full in the 15:26:36 message from Robbie Allen below]
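Robbie Allen's UPN suggestion and Fox's script, combined into one script with the error checking Rafael Corvalan recommends further down this thread. This is an added example, not code posted to the list; the hostname, CA bundle path, account and password are placeholders. It goes beyond the thread in two ways: it upgrades the session with StartTLS before the simple bind, because a simple bind otherwise sends the password in clear text, and it decodes the sub-code AD appends to the "AcceptSecurityContext" error William Richter ran into. The sub-code table is Microsoft's documented set of logon failure codes, not something from the thread.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): bind to Active Directory with
# Net::LDAP over StartTLS, using either a UPN or a DN, with real error checking.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_INVALID_CREDENTIALS);

# Assumed placeholders: host, CA bundle, account and password.
my $host   = 'dc1.example.com';
my $cafile = '/etc/ssl/certs/example-ca.pem';
my $user   = 'svc-ldap@example.com';   # UPN; a full DN such as
                                       # 'cn=svc-ldap,cn=Users,dc=example,dc=com' works too
my $pass   = $ENV{LDAP_PASSWORD} // die "set LDAP_PASSWORD in the environment\n";

# Hex sub-codes AD appends to "AcceptSecurityContext error, data NNN"
# (documented by Microsoft), mapped to the cause of the failure.
my %ad_subcode = (
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
);

# LDAPv3 is required; v2 understands neither referrals nor StartTLS.
my $ldap = Net::LDAP->new($host, version => 3, timeout => 10)
    or die "connect to $host failed: $@\n";

# A simple bind sends the password in clear text, so upgrade the session
# first and insist on a verified server certificate.
my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
die "StartTLS failed: " . $tls->error . "\n" if $tls->code;

# bind() always returns a Net::LDAP::Message; "or die" never fires, so
# inspect the result code instead.
my $mesg = $ldap->bind($user, password => $pass);
if ($mesg->code) {
    my $why = $mesg->error;
    if ($mesg->code == LDAP_INVALID_CREDENTIALS
        && $why =~ /AcceptSecurityContext error, data ([0-9a-f]+)/i) {
        $why .= ' (' . ($ad_subcode{lc $1} // 'unknown AD sub-code') . ')';
    }
    die "bind as $user failed: $why\n";
}

# AD exposes only the rootDSE to unauthenticated callers, which is why an
# anonymous search sees nothing below the base. Read the naming context
# from the rootDSE instead of hard-coding it.
my $dse  = $ldap->root_dse(attrs => ['defaultNamingContext']);
my $base = $dse->get_value('defaultNamingContext');

my $search = $ldap->search(
    base   => "cn=Users,$base",
    scope  => 'one',
    filter => '(&(objectClass=user)(!(objectClass=computer)))',
    attrs  => ['sAMAccountName', 'userPrincipalName'],
);
die "search failed: " . $search->error . "\n" if $search->code;

printf "%d user objects under cn=Users,%s\n", $search->count, $base;
for my $entry ($search->entries) {
    printf "%-20s %s\n",
        $entry->get_value('sAMAccountName')   // '-',
        $entry->get_value('userPrincipalName') // '-';
}

$ldap->unbind;
```

The UPN form only works against Active Directory (other servers expect a DN in a simple bind), which is the portability trade-off Robbie Allen points out. If the domain controller does not offer StartTLS, connect with `Net::LDAP->new("ldaps://$host", ...)` and the same `verify`/`cafile` options instead of binding in clear text.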
From: Roland S. <rol...@ep...> - 2001-04-26 16:53:05

Hi,

> > $ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
> >               control => {type => "2.16.16.840.1.113730.3.4.2"});
> > It is the right OID, right? ;)
>
> Yes.

No!

> See http://search.ietf.org/internet-drafts/draft-zeilenga-ldap-namedref-03.txt

Thanks for the reference, I got the right OID: 2.16.840.1.113730.3.4.2 :-)
The wrong one I got from an article searched via OpenLDAP Website Search and
didn't verify it.

So sorry, and thanks everybody for the help! Have a nice day...

bye,
--
Roland Stigge
Epigenomics AG
Kastanienallee 24
10435 Berlin
www.epigenomics.com
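What the thread converges on, worked through end to end: the ManageDsaIT control with its correct OID (2.16.840.1.113730.3.4.2, no value), which tells the server to operate on the referral object itself instead of returning the referral. This is an added example, not code from the thread; host, bind DN, password and CA bundle path are placeholders, and the referral DN is the one from the thread. It goes a step beyond the thread by also adding a referral object back and listing referral objects, both of which need the same control.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): manage a named subordinate
# referral (objectClass referral, attribute ref) with the ManageDsaIT control.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control;
use Net::LDAP::Entry;
use Net::LDAP::Constant qw(LDAP_REFERRAL);

# Correct OID of the ManageDsaIT control. The 2.16.16.840... form from the
# thread has an extra arc and is not a registered OID. The control has no value.
my $MANAGE_DSA_IT = '2.16.840.1.113730.3.4.2';

# Assumed placeholders: host, bind identity, password and CA bundle.
my $host   = 'ldap.example.com';
my $cafile = '/etc/ssl/certs/example-ca.pem';
my $binddn = 'cn=Manager,o=epigenomics';
my $pass   = $ENV{LDAP_PASSWORD} // die "set LDAP_PASSWORD in the environment\n";
# Referral DN from the thread: RDN attribute "ref", value is the referral URL.
my $ref_dn = 'ref="ldap://asser/c=us,o=epigenomics",o=epigenomics';

my $ldap = Net::LDAP->new($host, version => 3) or die "connect failed: $@\n";
my $tls  = $ldap->start_tls(verify => 'require', cafile => $cafile);
die "StartTLS failed: " . $tls->error . "\n" if $tls->code;
my $mesg = $ldap->bind($binddn, password => $pass);
die "bind failed: " . $mesg->error . "\n" if $mesg->code;

# Critical, so a server that does not support the control refuses the
# operation instead of silently handing back a referral.
my $manage = Net::LDAP::Control->new(type => $MANAGE_DSA_IT, critical => 1);

# 1. Without the control the server treats the entry as knowledge information
#    and answers with a referral (result code 10) instead of touching it.
$mesg = $ldap->delete($ref_dn);
if ($mesg->code == LDAP_REFERRAL) {
    print "without ManageDsaIT: ", $mesg->error, "\n";
    print "  referred to: $_\n" for $mesg->referrals;
}

# 2. With the control, the referral object itself is the target.
$mesg = $ldap->delete($ref_dn, control => [$manage]);
die "delete with ManageDsaIT failed: " . $mesg->error . "\n" if $mesg->code;
print "deleted referral object $ref_dn\n";

# 3. Adding a referral object and searching for referral objects need the
#    same control. Add the entry back, then list every referral under the suffix.
my $entry = Net::LDAP::Entry->new;
$entry->dn($ref_dn);
$entry->add(
    objectClass => [qw(referral extensibleObject)],
    ref         => 'ldap://asser/c=us,o=epigenomics',
);
$mesg = $ldap->add($entry, control => [$manage]);
die "add failed: " . $mesg->error . "\n" if $mesg->code;

$mesg = $ldap->search(
    base    => 'o=epigenomics',
    scope   => 'sub',
    filter  => '(objectClass=referral)',
    attrs   => ['ref'],
    control => [$manage],
);
die "search failed: " . $mesg->error . "\n" if $mesg->code;
for my $e ($mesg->entries) {
    printf "%s -> %s\n", $e->dn, join(', ', $e->get_value('ref'));
}

$ldap->unbind;
```

This is the Net::LDAP equivalent of `ldapdelete -MM` that Kurt Zeilenga suggests: `-M` sends the control, `-MM` marks it critical. The `extensibleObject` class is what OpenLDAP needs so that the `ref` attribute can also serve as the RDN; other servers may differ.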
From: Kurt D. Z. <Ku...@Op...> - 2001-04-26 16:39:38

At 09:11 AM 4/26/01, Roland Stigge wrote:
> "Kurt D. Zeilenga" wrote:
> >
> > At 08:31 AM 4/26/01, Graham Barr wrote:
> > > On Thu, Apr 26, 2001 at 05:20:08PM +0200, Roland Stigge wrote:
> > > >
> > > > Using OpenLDAP 2.0.7 now, I know that the client tools ldapmodify and
> > > > ldapdelete use the Control "ManageDsaIT". I tried this one, but didn't
> > > > succeed:
> > > > -----
> > > > $ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
> > > >               control => {type => "ManageDsaIT", value => 1} );
> > >
> > > type needs to be an OID
> >
> > and no value.
>
> -----
> $mesg =
> $ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
>               control => {type => "2.16.16.840.1.113730.3.4.2"});
> -----
> (perl-ldap 0.23)
> produces:
>
> code: 10, message: Referral received
>
> It is the right OID, right? ;)

Yes. See
http://search.ietf.org/internet-drafts/draft-zeilenga-ldap-namedref-03.txt
for details on Named Subordinate Referrals in LDAP. (OpenLDAP 2.0.7
implements an earlier draft, but it should be close enough in regards to
this usage.)

I also suggest you use the OpenLDAP-provided ldapdelete(1) with -MM to
determine the behavior of OpenLDAP. If you have an issue with this behavior,
start a thread on the OpenLDAP-software mailing list
<http://www.openldap.org/lists/>.

Kurt
From: Roland S. <rol...@ep...> - 2001-04-26 16:11:56

"Kurt D. Zeilenga" wrote:
>
> At 08:31 AM 4/26/01, Graham Barr wrote:
> > On Thu, Apr 26, 2001 at 05:20:08PM +0200, Roland Stigge wrote:
> > >
> > > Using OpenLDAP 2.0.7 now, I know that the client tools ldapmodify and
> > > ldapdelete use the Control "ManageDsaIT". I tried this one, but didn't
> > > succeed:
> > > -----
> > > $ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
> > >               control => {type => "ManageDsaIT", value => 1} );
> >
> > type needs to be an OID
>
> and no value.

-----
$mesg =
$ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
              control => {type => "2.16.16.840.1.113730.3.4.2"});
-----
(perl-ldap 0.23)
produces:

code: 10, message: Referral received

It is the right OID, right? ;)

bye,
--
Roland Stigge
Epigenomics AG
Kastanienallee 24
10435 Berlin
www.epigenomics.com
From: Kurt D. Z. <Ku...@Op...> - 2001-04-26 16:04:41

At 08:31 AM 4/26/01, Graham Barr wrote:
> On Thu, Apr 26, 2001 at 05:20:08PM +0200, Roland Stigge wrote:
> >
> > Using OpenLDAP 2.0.7 now, I know that the client tools ldapmodify and
> > ldapdelete use the Control "ManageDsaIT". I tried this one, but didn't
> > succeed:
> > -----
> > $ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
> >               control => {type => "ManageDsaIT", value => 1} );
>
> type needs to be an OID

and no value.
From: Roland S. <rol...@ep...> - 2001-04-26 15:50:31

Graham Barr wrote:
>
> On Thu, Apr 26, 2001 at 05:20:08PM +0200, Roland Stigge wrote:
> >
> > Using OpenLDAP 2.0.7 now, I know that the client tools ldapmodify and
> > ldapdelete use the Control "ManageDsaIT". I tried this one, but didn't
> > succeed:
> > -----
> > $ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
> >               control => {type => "ManageDsaIT", value => 1} );
>
> type needs to be an OID

Tried:

$mesg =
$ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
              control => {type => "2.16.16.840.1.113730.3.4.2", value => 1} );

But same error. Could you please give me any hint to a solution or
documentation? Thanks.

bye,
--
Roland Stigge
Epigenomics AG
Kastanienallee 24
10435 Berlin
www.epigenomics.com
From: Graham B. <gb...@po...> - 2001-04-26 15:32:48

On Thu, Apr 26, 2001 at 05:20:08PM +0200, Roland Stigge wrote:
>
> Using OpenLDAP 2.0.7 now, I know that the client tools ldapmodify and
> ldapdelete use the Control "ManageDsaIT". I tried this one, but didn't
> succeed:
> -----
> $ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
>               control => {type => "ManageDsaIT", value => 1} );

type needs to be an OID

Graham.
From: Robbie A. <ra...@ci...> - 2001-04-26 15:26:36

I second the motion. You absolutely can connect to AD with a simple bind.

Robbie Allen

> -----Original Message-----
> From: Rafael Corvalan [mailto:Raf...@li...]
> Sent: Tuesday, April 24, 2001 1:44 AM
> To: per...@li...
> Subject: RE: Active directory and Perl-ldap
>
> Sorry, I can connect to my ADS in clear text....
> So Kerberos is not the only authentication protocol supported by ADS...
>
> rafael
>
> -----Original Message-----
> From: ma...@mj... [mailto:ma...@mj...]
> Sent: Monday, 23 April 2001 19:50
> To: per...@li...
> Subject: RE: Active directory and Perl-ldap
>
> Aha, just as I expected.
>
> One of the right things MS did with W2K is to realize that LDAP is
> not an authentication protocol, however mightily we try to make it
> one (and keep in mind that I've written *a lot* of LDAP
> authentication code in my time).
>
> No, AD uses Kerberos for its authentication protocol.
>
> As per the LDAP specs, out of the box, Net::LDAP authenticates
> using simple bind (dn and password). Which AD doesn't support.
>
> The solution is to use the SASL module (but you'll probably have to
> code in your own Kerberos module for it) if AD supports SASL.
>
> If not, then we'll have to devise some other way.
>
> Mark
>
> On 23 Apr 01, at 13:17, William Richter wrote:
>
> > I've added the line:
> >     die($mesg->error) if $mesg->code;
> >
> > after the bind. A non-authenticated login works fine, except I can't
> > see anything but root, but as soon as I hit the server with an
> > authenticated user, the error: AcceptSecurityContext occurs. I then
> > went back to LDP and found that by default, it connects using
> > NTLM/Kerberos. I tried the alternate methods but they failed. My
> > question is, what method does Perl-ldap use and if this is the
> > problem, how do I change the authentication method? If on the other
> > hand, default authentication should work, any ideas why the server is
> > denying my credentials? I've tried this on two AD servers on site and
> > both fail.
> >
> > William Richter
> > Technology Specialist
> > Edinboro University of PA
> > 814-732-2931
> >
> > -----Original Message-----
> > From: Rafael Corvalan [mailto:Raf...@li...]
> > Sent: Friday, April 20, 2001 5:41 AM
> > To: 'c-h...@ti...'; ri...@ed...
> > Cc: per...@li...
> > Subject: RE: Active directory and Perl-ldap
> >
> > You should be able to get your entries without requesting ["*"] for
> > the attributes.
> >
> > I'm not really a specialist, but here are my comments:
> >
> > 1) I think you have problems with the authentication. Check your
> >    credentials. Are you sure you are using
> >        $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com"
> >    as your credentials?
> >    If you have an authentication failure, you will not see it (see
> >    point 2).
> >
> > 2) The bind method returns a Net::LDAP::Bind object, so unless the
> >    bind method returns "undefined" (I don't think it can do so),
> >    avoid writing:
> >        bind(...) or die(...);
> >    In other words, try binding with wrong credentials, and you will
> >    see, the die() will not be called. I prefer to use:
> >
> >        $mesg = bind(....);
> >        die($mesg->error) if $mesg->code;
> >
> > 3) I think that using normal settings, the DC=company, DC=com tree
> >    and DC=Users, DC=company, DC=com tree are protected in ADS. You
> >    must bind with a valid user to get something; they are not
> >    accessible anonymously. I think that if you do not see anything
> >    it's because you have an authentication failure.
> >
> > 4) Use protocol version 3. It's better since version 2 doesn't know
> >    about referrals. To do that, use "version => 3" as one of the
> >    parameters in the bind() call.
> >
> > 5) I'm disappointed regarding MS LDP.... Using the Microsoft
> >    "Active Directory Administration Tool", I only get the base DN when
> >    connected without calling bind (and referrals too). Are you sure
> >    that MS LDAP doesn't connect using "transparent" login, forwarding
> >    your credentials to ADS? (Using Kerberos or NTLM.)
> >
> > 6) This is an example that works for me. I hope it will do so
> >    for you:
> >
> > =========================================
> > === Example starts here ===
> > =========================================
> >
> > #!/usr/bin/perl -w
> >
> > use Net::LDAP;
> > use strict;
> >
> > # Comment the following line to log on anonymously
> > my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';
> >
> > # Comment one of the following two lines (Base DN)
> > my $base = 'CN=Users, DC=linkvest, DC=com';
> > #my $base = 'DC=linkvest, DC=com';
> >
> > my $ldapserver = 'ads.linkvest.com';
> > my $password   = 'XXXXXXXX';
> > my $version    = 3;
> >
> > my $filter = "(objectclass=*)";
> > my $scope  = '1';
> >
> > my $mesg;
> >
> > # CONNECTION
> > my $ldap = Net::LDAP->new($ldapserver) or die "$@";
> >
> > # BIND
> > if (defined $admin) {
> >     $mesg = $ldap->bind( dn       => $admin,
> >                          password => $password,
> >                          version  => $version);
> > } else {
> >     $mesg = $ldap->bind( noauth  => 1,
> >                          version => $version);
> > }
> >
> > die($mesg->error) if $mesg->code;
> >
> > # SEARCH
> > $mesg = $ldap->search( scope  => $scope,
> >                        base   => $base,
> >                        filter => $filter);
> > die($mesg->error) if $mesg->code;
> >
> > # RESULTS
> > foreach my $entry ($mesg->entries) { $entry->dump; }
> > printf("====\nFound %d entries\n", $mesg->count);
> >
> > =======================================
> > === Example ends here ===
> > =======================================
> >
> > Hope it helps.
> >
> > Rafael
> >
> > ________________________________________________________
> > Rafael Corvalan
> > Systems & Networks Competence Center Manager
> > Linkvest SA
> > Av des Baumettes 19, 1020 Renens Switzerland
> > Tel: +41 21 632 90 00 Fax: +41 21 632 90 90
> > http://www.linkvest.com Raf...@li...
> > ________________________________________________________
> >
> > -----Original Message-----
> > From: Clif Harden [mailto:cl...@di...]
> > Sent: Thursday, 19 April 2001 23:24
> > To: ri...@ed...
> > Cc: per...@li...
> > Subject: Re: Active directory and Perl-ldap
> >
> > > I am trying to access Active directory using Perl-ldap and I'm
> > > having a problem. Here is sample code:
> > >
> > > my $base   = 'DC=edinboro,DC=edu';
> > > my $filter = "(objectclass=*)";
> > > my $attrs  = (); # request all available attributes
> > > my $scope  = '0';
> > >
> > > my $ldap = Net::LDAP->new($ldapserver, debug => $DEBUG) or die "$@";
> > >
> > > # bind to a directory with dn and password - makes no difference
> > > # whether authenticated or not
> > > $ldap->bind(dn => $admin, password => $password) or die "$@";
> > >
> > > $mesg = $ldap->search(
> > >     scope  => $scope,
> > >     base   => $base,
> > >     filter => $filter,
> > >     attrs  => $attrs,
> > > );
> > >
> > > If I do a search, all I can manage to find is the base DN. If I
> > > change the scope to 1, I retrieve nothing. If I change the scope to
> > > 'subtree', all I retrieve are root entries. I see no cn or ou
> > > entries. Nor do I retrieve anything if I set my base to
> > > cn=users,dn=edinboro,dn=edu. I've run the same search against
> > > ldap.itd.umich.edu and I can retrieve anything I request. Also if I
> > > use MS LDP (even if not authenticated), the search pulls the
> > > entries, as it is supposed to. I've checked permissions on the
> > > server but I am at a loss. Is there anything special I need to make
> > > Active Directory work correctly with LDAP?
> > >
> > > Thanks in advance,
> > >
> > > William Richter
> > > Technology Specialist, Edinboro University of PA 814-732-2931
> >
> > Try requesting a return attribute(s) in your request.
> >
> >     attrs => ["*"],
> >
> > If I do what you have done all I get is a DN but no data.
> >
> > Regards,
> >
> > Clif Harden INTERNET: c-h...@ti...
>
> Mark Wilcox
> ma...@mj...
> Got LDAP?
From: Roland S. <rol...@ep...> - 2001-04-26 15:20:16
|
Hi,

Chris Ridd wrote:
> > how can I delete a referral from an LDAP tree?
> >
> > I'm preparing an $entry and update:
> > -----
> > $entry = Net::LDAP::Entry->new;
> > $entry->dn("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics");
> > $entry->changetype("delete");
> > $entry->update($ldap);
> > -----
> >
> > The result is:
> > return code: 10, message: Referral received
>
> :-)
>
> I don't know if the representation of knowledge (which is used when
> returning a referral/continuation reference) over LDAP is standardized or
> not. (It doesn't seem to be.)
>
> As it is therefore a proprietary feature, you will have to check your
> server's documentation. You might find that you need to use a control. If
> there is a control called something like managedsait, that's the one you
> should probably use.

Using OpenLDAP 2.0.7 now, I know that the client tools ldapmodify and
ldapdelete use the Control "ManageDsaIT". I tried this one, but didn't
succeed:

-----
$ldap->delete("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics",
              control => {type => "ManageDsaIT", value => 1} );
-----

Any hint?

Thanks in advance!

bye,
--
Roland Stigge          Epigenomics AG
Kastanienallee 24      www.epigenomics.com
10435 Berlin |
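An added example (not Roland's code, nor anything from the perl-ldap project) of the control Chris suggested, passed the way Net::LDAP expects it: a Net::LDAP::Control object carrying the ManageDsaIT OID 2.16.840.1.113730.3.4.2 (RFC 3296), handed to delete() in a list under the "control" option rather than as a hash. The server name, bind DN and referral DN are placeholders; later perl-ldap releases also ship a Net::LDAP::Control::ManageDsaIT class that builds the same control.

```perl
#!/usr/bin/perl -w
# Added example (not code from the list thread): delete a referral (ref=...)
# entry by attaching the ManageDsaIT control to the delete request, so the
# server treats the referral object as an ordinary entry instead of
# answering "Referral received" (result code 10).
#
# Assumptions: $server, $bind_dn and $ref_dn are placeholders, and the server
# honours ManageDsaIT (OpenLDAP 2.0 does). The password is read from the
# environment rather than written into the script.
use strict;
use Net::LDAP;
use Net::LDAP::Control;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_REFERRAL);

my $server   = 'ldap.example.com';                       # assumption
my $bind_dn  = 'cn=Manager,o=example';                   # assumption
my $password = $ENV{LDAP_PASSWORD} or die "set LDAP_PASSWORD\n";
my $ref_dn   = 'ref="ldap://other.example.com/o=example",o=example';  # assumption

my $ldap = Net::LDAP->new($server) or die "connect to $server: $@\n";

my $mesg = $ldap->bind($bind_dn, password => $password, version => 3);
die sprintf "bind failed (%d): %s\n", $mesg->code, $mesg->error
    if $mesg->code != LDAP_SUCCESS;

# Controls travel as a list of Net::LDAP::Control objects. ManageDsaIT has
# no value; it is marked critical so a server that does not understand it
# refuses the operation outright rather than silently ignoring the control
# and chasing the referral anyway.
my $manage_dsa_it = Net::LDAP::Control->new(
    type     => '2.16.840.1.113730.3.4.2',   # ManageDsaIT, RFC 3296
    critical => 1,
);

$mesg = $ldap->delete($ref_dn, control => [ $manage_dsa_it ]);

if ($mesg->code == LDAP_SUCCESS) {
    print "deleted referral object $ref_dn\n";
}
elsif ($mesg->code == LDAP_REFERRAL) {
    # The control was not applied: the server still returned the referral.
    printf "still got a referral (%s); check that the server supports "
         . "ManageDsaIT and that %s may delete %s\n",
         join(', ', $mesg->referrals), $bind_dn, $ref_dn;
}
else {
    die sprintf "delete failed (%d): %s\n", $mesg->code, $mesg->error;
}

$ldap->unbind;
```

Run it with LDAP_PASSWORD set in the environment. The same control list can be attached to modify() or search() when a referral entry has to be read or changed in place instead of followed.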
From: Chris R. <chr...@me...> - 2001-04-26 14:47:33
|
Roland Stigge <rol...@ep...> wrote:
> Hi,
>
> how can I delete a referral from an LDAP tree?
>
> I'm preparing an $entry and update:
> -----
> $entry = Net::LDAP::Entry->new;
> $entry->dn("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics");
> $entry->changetype("delete");
> $entry->update($ldap);
> -----
>
> The result is:
> return code: 10, message: Referral received

:-)

I don't know if the representation of knowledge (which is used when
returning a referral/continuation reference) over LDAP is standardized or
not. (It doesn't seem to be.)

As it is therefore a proprietary feature, you will have to check your
server's documentation. You might find that you need to use a control. If
there is a control called something like managedsait, that's the one you
should probably use.

Cheers,

Chris |
From: Dean B. <be...@ho...> - 2001-04-26 14:45:46
|
I know that the "Manager" account is secured via passwd, but can anyone
tell me how to force clients to use password authentication? Example, if
I have Outlook and Netscape mail clients, how can I enforce authentication
as opposed to anonymous transactions? I want the LDAP directory to be
available to affiliates via the internet and don't want everyone's
information available to the greater public of the planet :)

Dean |
From: Roland S. <rol...@ep...> - 2001-04-26 13:45:54
|
Hi,

how can I delete a referral from an LDAP tree?

I'm preparing an $entry and update:
-----
$entry = Net::LDAP::Entry->new;
$entry->dn("ref=\"ldap://asser/c=us,o=epigenomics\",o=epigenomics");
$entry->changetype("delete");
$entry->update($ldap);
-----

The result is:
return code: 10, message: Referral received

Thank you!

bye,
--
Roland Stigge          Epigenomics AG
Kastanienallee 24      www.epigenomics.com
10435 Berlin |
From: Graham B. <gb...@po...> - 2001-04-26 05:51:17
|
This is due to using syntax that was added in 5.005. Try the attached
patch. It turns off bigint testing for 5.004 because Math::BigInt outputs
a lot of warnings, but Net::LDAP does not need bigint.

Graham.

On Wed, Apr 25, 2001 at 04:01:02PM -0700, Bill Corley wrote:
> I have been using Net::LDAP for a long time. In fact so long that
> I am still on 0.10. (Yes, I am ashamed. But when it is not broken ...)
> At any rate it is time that I came up to something more mainstream. So
> I was about to install the newest software and have run into a problem
> with the make test on Convert::ASN1 version 0.10.
>
> I am on Solaris 2.6 and 2.7 running perl 5.00404. The make test
> results are below. I am sure I am just overlooking something. Anyone
> know what it is? |
From: Bill C. <Bil...@ns...> - 2001-04-25 23:04:42
|
I have been using Net::LDAP for a long time. In fact so long that
I am still on 0.10. (Yes, I am ashamed. But when it is not broken ...)
At any rate it is time that I came up to something more mainstream. So
I was about to install the newest software and have run into a problem
with the make test on Convert::ASN1 version 0.10.

I am on Solaris 2.6 and 2.7 running perl 5.00404. The make test
results are below. I am sure I am just overlooking something. Anyone
know what it is?

Thanks,
Bill

4 drillbit > make test
PERL_DL_NONLAZY=1 /usr/bin/perl -I./blib/arch -I./blib/lib -I/usr/local/lib/perl5/sun4-solaris/5.00404 -I/usr/local/lib/perl5 -e 'use Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
t/00prim............Missing $ on loop variable at blib/lib/Convert/ASN1.pm line 288.
BEGIN failed--compilation aborted at t/00prim.t line 7.
dubious
        Test returned status 2 (wstat 512, 0x200)
Number found where operator expected at (eval 13) line 1, near ")0"
        (Missing operator before 0?)
t/01tag.............Missing $ on loop variable at blib/lib/Convert/ASN1.pm line 288.
BEGIN failed--compilation aborted at t/01tag.t line 7.
dubious
        Test returned status 2 (wstat 512, 0x200)
t/02seq.............Missing $ on loop variable at blib/lib/Convert/ASN1.pm line 288.
BEGIN failed--compilation aborted at t/02seq.t line 7.
dubious
        Test returned status 2 (wstat 512, 0x200)
t/03seqof...........Missing $ on loop variable at blib/lib/Convert/ASN1.pm line 288.
BEGIN failed--compilation aborted at t/03seqof.t line 9.
dubious
        Test returned status 2 (wstat 512, 0x200)
t/04opt.............Missing $ on loop variable at blib/lib/Convert/ASN1.pm line 288.
BEGIN failed--compilation aborted at t/04opt.t line 7.
dubious
        Test returned status 2 (wstat 512, 0x200)
t/06bigint..........Missing $ on loop variable at blib/lib/Convert/ASN1.pm line 288.
BEGIN failed--compilation aborted at t/06bigint.t line 7.
dubious
        Test returned status 2 (wstat 512, 0x200)
t/07io..............Missing $ on loop variable at blib/lib/Convert/ASN1.pm line 288.
BEGIN failed--compilation aborted at t/07io.t line 3.
dubious
        Test returned status 2 (wstat 512, 0x200)
FAILED--7 test scripts could be run, alas--no output ever seen |
From: Dave M. <dm...@ju...> - 2001-04-25 17:15:27
|
> I'm happy to eat crow if I'm wrong. Information on AD is hard to
> come by in particular if you don't have one to play with.
>
> Ok, you said:
>
> On 23 Apr 01, at 12:10, Dave Mills wrote:
>
> > To use a simple bind to AD with LDP specify the
> > full DN of the user and the password, unchecking the "Domain" box, and
> > then clicking "Advanced" and set the method to SIMPLE.
> >
>
> Where does one set this?
> And does this have to be on a per user basis?
>

I'm referring to the LDP tool (which is Microsoft's LDAP tool) that comes
with the Win2k support tools. The options are available by clicking the
Advanced button after selecting "Bind". This has to be set each time you
bind...

- Dave |
From: Booker C. B. <bb...@ne...> - 2001-04-24 21:40:14
|
On Mon, 23 Apr 2001, Dave Mills wrote:

> We use only AD here for our LDAP server and haven't had any major issues. I
> think I can shed some light on the issues being discussed. Also, I would be
> more than happy to write an Active Directory and LDAP FAQ. If anyone's
> interested please drop me a note with topics that you'd like to see
> covered... See in-line for answers to questions posed in this thread....
>
> > -----Original Message-----
> > From: ma...@mj... [mailto:ma...@mj...]
> > Sent: Monday, April 23, 2001 10:50 AM
> > To: per...@li...
> > Subject: RE: Active directory and Perl-ldap
> >
> >
> > Aha, just as I expected.
> >
> > One of the right things MS did with W2K is to realize that LDAP is
> > not an authentication protocol, however mightily we try to make it
> > one (and keep in mind that I've written *a lot* of LDAP
> > authentication code in my time).
> >
> > No, AD uses Kerberos for its authentication protocol.
> >

- Sorry to be pedantic, but AD supports SASL/GSSAPI using kerberos V.
You need a K5 based gssapi to talk to it. To talk to it using perl-ldap,
you'd need a SASL and a kerberos V GSSAPI module.

- Microsoft distributes some example code and libraries that will allow
you to use Netscape C SDK ( version 3.1) to talk to AD. Unfortunately,
you can't use the SASL framework in the netscape SDK[1] to talk to AD.
The MS stuff adds an extra bind call that does the ldap sasl gssapi bind.

- I <think> it should be possible to use OpenLDAP 2.0 to talk to AD using
SASL/GSSAPI, but I haven't had a chance to actually try it yet.

- Booker C. Bense

[1]- Netscape has some very strange ideas about how to do SASL. |
From: Rafael C. <Raf...@li...> - 2001-04-24 08:44:26
|
Sorry, I can connect to my ADS in clear text.... So Kerberos is not the only authentication protocol supported by ADS... rafael -----Original Message----- From: ma...@mj... [mailto:ma...@mj...] Sent: lundi, 23. avril 2001 19:50 To: per...@li... Subject: RE: Active directory and Perl-ldap Aha, just as I expected. One of the right things MS did with W2K is to realize that LDAP is not an authentication protocol, however, mightily we try to make it one (and keep in mind that I've written *alot* of LDAP authentication code in my time). No, AD uses Kerberos for its authentication protocol. As per, the LDAP specs, out of the box, Net::LDAP authenticates using simple bind (dn and password). Which AD doesn't support. The solution is to use the SASL module (but you'll probably have to code in your own Kerberos module for it) if AD supports SASL. If not, then we'll have to devise some other way. Mark On 23 Apr 01, at 13:17, William Richter wrote: > I've added the line: > die($mesg->error) if $mesg->code; > > after the bind. A non-authenticated login works fine, except I can't > see anything but root, but as soon as I hit the server with an > authenticated user, the error: AcceptSecurityContext occurs. I then > went back to LDP and found that by default, it connects using > NTML/Kerberos. I tried the alternate methods but they failed. My > question is, what method does Perl-ldap use and if this is the > problem, how do I change the authentication method? If on the other > hand, default authentication should work, any ideas why the server is > denying my credentials? I've tried this on two AD servers on site and > both fail. > > William Richter > Technology Specialist > Edinboro University of PA > 814-732-2931 > > -----Original Message----- > From: Rafael Corvalan [mailto:Raf...@li...] > Sent: Friday, April 20, 2001 5:41 AM > To: 'c-h...@ti...'; ri...@ed... > Cc: per...@li... 
> Subject: RE: Active directory and Perl-ldap > > You should be able to get your entries without requesting ["**] for > the attributes. > > I'm not a really specialist, but here arte my comments: > > > 1) I think you have problems with the authentication. Check your > credentials. Are you sure you are using > $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com" > as your credentials? > If you have authentication failure, you will not see it (see the > point 2) > > 2) The bind method returns a Net::LDAP::Bind object, so unless the > bind method returns "undefined" (I don't think it can do so), > avoid writing: > bind(...) or die(...); > In other words, try binding with wrong credentials, and you will > see, the die() will not be called. I prefer to use: > > $mesg = bind(....); > die($mesg->error) if $mesg->code; > > 3) I think that using normal settings, the DC=company, DC=com tree > and DC=Users, DC=company, DC=com tree are protected in ADS. You > must bind with a valid user to get someting, they are not > accessible anonymously. I think that if you do not see anything > it's because you have authentication failure. > > 4) Use protocol version 3. I'ts better since version 2 doesn't knows > about referrals. To do that, use "version => 3" as one of the > parameters in the bind() call. > > 5) I'm disappointed regarding MS LDP.... Using the Microsoft > "Active Directory Administration Tool", I only get the base DN when > connected without calling bind (and referrals too). Are you sure > that MS LDAP doesn't connect using "transperent" login, forwarding > your credentials to ADS? (Using Kerberos or NTLM). > > 6) This is an example that works for me. 
I hope it will do so > for you: > > > ========================================= > === Example starts here === > ========================================= > > #!/usr/bin/perl -w > > use Net::LDAP; > use strict; > > > # Comment the following line to log on anonymously > my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com'; > > > # Comment one of the following two lines (Base DN) > my $base = 'CN=Users, DC=linkvest, DC=com'; > #my $base = 'DC=linkvest, DC=com'; > > > my $ldapserver = 'ads.linkvest.com'; > my $password = 'XXXXXXXX'; > my $version = 3; > > my $filter = "(objectclass=*)"; > my $scope = '1'; > > > my $mesg; > > # CONNECTION > my $ldap = Net::LDAP->new($ldapserver) or die "$@"; > > # BIND > if (defined $admin) { > $mesg = $ldap->bind ( dn => $admin, > password => $password, > version => $version); > } else { > $mesg = $ldap->bind ( noauth => 1, > version => $version); > } > > die($mesg->error) if $mesg->code; > > # SEARCH > $mesg = $ldap->search( scope => $scope, > base => $base, > filter => $filter); > die($mesg->error) if $mesg->code; > > > # RESULTS > foreach my $entry ($mesg->entries) { $entry->dump; } > printf("====\nFound %d entries\n", $mesg->count); > > > ======================================= > === Example ends here === > ======================================= > > > > Hope it helps. > > Rafael > > ________________________________________________________ > Rafael Corvalan > Systems & Networks Competence Center Manager > Linkvest SA > Av des Baumettes 19, 1020 Renens Switzerland > Tel: +41 21 632 90 00 Fax: +41 21 632 90 90 > http://www.linkvest.com Raf...@li... > ________________________________________________________ > > > -----Original Message----- > From: Clif Harden [mailto:cl...@di...] > Sent: jeudi, 19. avril 2001 23:24 > To: ri...@ed... > Cc: per...@li... > Subject: Re: Active directory and Perl-ldap > > > > > > I am trying to access Active directory using Perl-ldap and I'm > > having a problem. 
Here is sample code: > > > > my $base = 'DC=edinboro,DC=edu'; > > my $filter = "(objectclass=*)"; > > my $attrs = (); # request all available attributes > > my $scope = '0'; > > > > my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@"; > > > > # bind to a directory with dn and password - makes no difference > > # whether > > authenticated or not > > $ldap->bind (dn => $admin,password => $password) or die "$@"; > > > > $mesg = $ldap->search( > > scope => $scope, > > base => $base, > > filter => $filter, > > attrs => $attrs, > > ); > > > > If I do a search, all I can manage to find is the base DN. If I > > change > the > > scope to 1, I retrieve nothing. If I change the scope to 'subtree', > > all I retrieve are root entries. I see no cn or ou entries. Nor do I > > retrieve anything if I set my base to cn=users,dn=edinboro,dn=edu. > > I've run the > same > > search against ldap.itd.umich.edu and I can retrieve anything I > > request. Also if I use MS LDP (even if not authenticated), the > > search pulls the entries, as it is suppose to. I've checked > > permissions on the server but I am at a loss. Is there anything > > special I need to make Active Directory > work > > correctly with LDAP? > > > > Thanks in advance, > > > > William Richter > > Technology Specialist, Edinboro University of PA 814-732-2931 > > > > Try requesting a return attribute(s) in your request. > > attrs => ["*"], > > If I do what you have done all I get is a DN but no data. > > Regards, > > Clif Harden INTERNET: c-h...@ti... > > > > Mark Wilcox ma...@mj... Got LDAP? |
From: Clif H. <ch...@po...> - 2001-04-24 01:55:44
|
I have updated the perl-ldap faq. It is available on the WEB at URL:

http://www.utdallas.edu/~charden/FAQ.html

It is also available in CVS on sourceforge.

Changes.

I added paragraphs warning about Microsoft systems renaming files
ending in *.gz.

I added a section explaining the difference between a ldap referral
and a ldap reference.

I added a section explaining how to set the version number of a ldap
connection.

I added a new book reference; Solaris and LDAP Naming Services:
Deploying LDAP in the Enterprise.

--
Regards,

Clif Harden ch...@po... |
From: David B. <d.b...@ma...> - 2001-04-24 00:04:50
|
Cliff,

That's actually a quite common problem in Netscape, it has to do with the
fact that Windows filenames use the extension of the filename as the key
indicator to determining the type of the file rather than "magic numbers"
and the like (which unix does better), and when downloading files, netscape
tries to determine the type of the file (so that it can open it/run
it/action it automatically) by parsing the filename for a recognised (up to
three letter) extension following a fullstop. I'm guessing that they parse
from the beginning of the filename rather than the end, and the double
extension confuses it.

To avoid this, rather than clicking on a link to download the file that it
points to, right-click and choose 'save link as', and it skips over the bit
where it tries to figure out what its extension means.

David.

At 07:02 AM 4/23/01 -0500, you wrote:
>
>It appears that my Win98 and NT systems strip the .gz off the
>end of the file name. On my Linux and Solaris systems it pulls
>the file down with the proper file name. In the past I guess
>I pulled down the files with linux and then moved them to
>the Windows systems.
>
>Something for the faq I guess.
>
>Regards,
>
>Clif Harden INTERNET: c-h...@ti...
>
>
>
>>
>> That's odd, I just looked in the CPAN mirror directory on search.cpan.org
>> and the file there is compressed with a tar.gz extension.
>>
>> Did your browser remove the .gz on download ? I have had that problem
>> before.
>>
>> Graham.
>>
>> On Sat, Apr 21, 2001 at 09:13:17PM -0500, Clif Harden wrote:
>> > >
>> > > Where did you get these files ? CPAN or SourceForge ?
>> > >
>> > > They had .tar.gz what I uploaded, but I must confess I was using
>> > > IE on windows and the files were on a samba server at the time
>> > > so anything is possible I guess.
>> > >
>> > > Graham.
>> > >
>> > > On Fri, Apr 20, 2001 at 11:08:59PM -0500, Clif Harden wrote:
>> > > >
>> > > > Graham,
>> > > >
>> > > > I believe there is a minor problem with the cpan
>> > > > ASN 10 and Perl ldap .23 modules.
>> > > >
>> > > > They end with a *.tar, but they are not tar files. They
>> > > > are gzip`ped files and should have *.gz or *.tgz on the
>> > > > end of them.
>> > > >
>> > > > I just move the *_tar.tar to *_tar.gz and unzipped and untar`ed
>> > > > them as usual. Everything went fine from that
>> > > > point on.
>> > > >
>> > > > Regards,
>> > > >
>> > > > Clif Harden ch...@po...
>> > > >
>> > > >
>> > >
>> > >
>> >
>> > CPAN.
>> >
>> >
>> > Regards,
>> >
>> > Clif Harden INTERNET: c-h...@ti...
>> > Texas Instruments
>> > Directory Services
>> > 6500 Chase Oaks Blvd, M/S 8412
>> > Plano, TX 75023
>> > Voice: 972-575-0855
>> > FAX: 972-575-2418
>> >
>>
>>
>
>--
>
>

--------------------------------------------------------------------
David Bussenschutt Email: D.B...@ma...
Senior Computing Support Officer & Systems Administrator/Programmer
Location: Griffith University. Information Technology Services
Brisbane Qld. Aust. (TEN bldg. rm 1.33) Ph: (07)38757079
-------------------------------------------------------------------- |
From: Eric N. <eni...@cp...> - 2001-04-23 22:04:09
|
Sure, I'll volunteer. I'd like to give something back to the perl-ldap
effort.

Graham Barr wrote:

> In the hope that a recent subscriber might help.
>
> The perl-ldap website at http://perl-ldap.sourceforge.net is in desperate
> need of a maintainer/redesign
>
> Any volunteers ?
>
> Graham |
From: <ma...@mj...> - 2001-04-23 21:26:06
|
I'm happy to eat crow if I'm wrong. Information on AD is hard to
come by in particular if you don't have one to play with.

Ok, you said:

On 23 Apr 01, at 12:10, Dave Mills wrote:

> To use a simple bind to AD with LDP specify the
> full DN of the user and the password, unchecking the "Domain" box, and
> then clicking "Advanced" and set the method to SIMPLE.
>

Where does one set this?
And does this have to be on a per user basis?

thanks,
Mark

Mark Wilcox
ma...@mj...
Got LDAP? |
From: Graham B. <gb...@po...> - 2001-04-23 19:46:34
|
OK, as add is different. Anyone want to write a patch that clarifies
the docs ?

Graham.

On Mon, Apr 23, 2001 at 09:36:02PM +0200, Roland Stigge wrote:
>
> Hi,
>
> OK, thanks. But I don't understand, why $ldap->add($entry) works just right, not only
> with dn, but with complete attributes of $entry. "add" is documented the same way as
> "modify".
>
> ---- Original Message ----
> From: Graham Barr
> Date: Mon 4/23/01 20:08
> To: Roland Stigge
> Cc: per...@li...
> Subject: Re: Net::LDAP->modify
>
> On Mon, Apr 23, 2001 at 12:01:22PM +0200, Roland Stigge wrote:
> > Hi,
> >
> > another one:
> >
> > I'm trying to modify:
> >
> > this works:
> > -----
> > $mesg = $ldap->modify("cn=onemore,o=epigenomics",
> >                       replace => {'sn' => 'Jackson'});
> > print "code: ",$mesg->code,"\nerror: ",$mesg->error,"\n";
> > -----
> >
> > but this way (another documented way for performing that):
> > -----
> > # ... binding ...
> >
> > $entry = Net::LDAP::Entry->new;
> > $entry->dn("cn=onemore,o=epigenomics");
> > $entry->replace("sn" => "Jackson");
> > $mesg=$ldap->modify($entry);
> > print "code: ",$mesg->code,"\nerror: ",$mesg->error,"\n";
> > -----
>
> Actually the docs are a bit ambiguous here. But I would say that this
> is not documented to work as you expect here.
>
> Although what should work, and is documented is
>
>   $entry->update($ldap);
>
> The docs should clarify that if an Entry is passed as the DN only the DN is
> extracted from it. This is the same for any Net::LDAP method.
>
> Graham.
>
> |
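An added example, not code from Roland's or Graham's messages, showing the two documented ways to replace an attribute and a read-back check that the change really reached the server. Server, DN and bind account are placeholders; the password comes from the environment.

```perl
#!/usr/bin/perl -w
# Added example (not code from the list thread): replace an attribute with
# Net::LDAP in the two documented ways, then read the entry back.
# Assumptions: $server, $bind_dn and $dn are placeholders; the bound account
# may modify $dn.
use strict;
use Net::LDAP;
use Net::LDAP::Entry;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $server   = 'ldap.example.com';        # assumption
my $bind_dn  = 'cn=Manager,o=example';    # assumption
my $password = $ENV{LDAP_PASSWORD} or die "set LDAP_PASSWORD\n";
my $dn       = 'cn=onemore,o=example';    # assumption

# Die with the server's error text unless the operation succeeded; every
# Net::LDAP operation returns a message object, so "or die" never fires.
sub check {
    my ($what, $mesg) = @_;
    die sprintf "%s failed (%d): %s\n", $what, $mesg->code, $mesg->error
        if $mesg->code != LDAP_SUCCESS;
    return $mesg;
}

my $ldap = Net::LDAP->new($server) or die "connect to $server: $@\n";
check('bind', $ldap->bind($bind_dn, password => $password, version => 3));

# Way 1: give modify() the DN and the change list directly.
check('modify', $ldap->modify($dn, replace => { sn => 'Jackson' }));

# Way 2: record the change on a Net::LDAP::Entry and let the entry send it.
# A freshly constructed Entry defaults to changetype 'add', so update()
# would try to create a new object; set the changetype to 'modify' first.
my $entry = Net::LDAP::Entry->new;
$entry->dn($dn);
$entry->changetype('modify');
$entry->replace(sn => 'Jackson');
check('update', $entry->update($ldap));

# NOT a third way: when an Entry is passed where a DN is expected, Net::LDAP
# takes only its DN, so the replace() recorded on the entry is never sent:
#   $ldap->modify($entry);

# Read the attribute back and confirm the new value is what the server holds.
my $search = check('search', $ldap->search(
    base   => $dn,
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => ['sn'],
));
my ($got) = $search->entries;
printf "sn is now: %s\n", $got ? $got->get_value('sn') : '(entry not found)';

$ldap->unbind;
```

Run it with LDAP_PASSWORD set. The check() helper is the habit Rafael recommends elsewhere in this thread: test the result code of the message object rather than the truth of the return value.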
From: Roland S. <rol...@ep...> - 2001-04-23 19:36:12
|
Hi,

OK, thanks. But I don't understand, why $ldap->add($entry) works just right, not only
with dn, but with complete attributes of $entry. "add" is documented the same way as
"modify".

---- Original Message ----
From: Graham Barr
Date: Mon 4/23/01 20:08
To: Roland Stigge
Cc: per...@li...
Subject: Re: Net::LDAP->modify

On Mon, Apr 23, 2001 at 12:01:22PM +0200, Roland Stigge wrote:
> Hi,
>
> another one:
>
> I'm trying to modify:
>
> this works:
> -----
> $mesg = $ldap->modify("cn=onemore,o=epigenomics",
>                       replace => {'sn' => 'Jackson'});
> print "code: ",$mesg->code,"\nerror: ",$mesg->error,"\n";
> -----
>
> but this way (another documented way for performing that):
> -----
> # ... binding ...
>
> $entry = Net::LDAP::Entry->new;
> $entry->dn("cn=onemore,o=epigenomics");
> $entry->replace("sn" => "Jackson");
> $mesg=$ldap->modify($entry);
> print "code: ",$mesg->code,"\nerror: ",$mesg->error,"\n";
> -----

Actually the docs are a bit ambiguous here. But I would say that this
is not documented to work as you expect here.

Although what should work, and is documented is

  $entry->update($ldap);

The docs should clarify that if an Entry is passed as the DN only the DN is
extracted from it. This is the same for any Net::LDAP method.

Graham. |
From: Dave M. <dm...@ju...> - 2001-04-23 19:10:50
|
We use only AD here for our LDAP server and haven't had any major issues. I
think I can shed some light on the issues being discussed. Also, I would be
more than happy to write an Active Directory and LDAP FAQ. If anyone's
interested please drop me a note with topics that you'd like to see
covered... See in-line for answers to questions posed in this thread....

> -----Original Message-----
> From: ma...@mj... [mailto:ma...@mj...]
> Sent: Monday, April 23, 2001 10:50 AM
> To: per...@li...
> Subject: RE: Active directory and Perl-ldap
>
>
> Aha, just as I expected.
>
> One of the right things MS did with W2K is to realize that LDAP is
> not an authentication protocol, however mightily we try to make it
> one (and keep in mind that I've written *a lot* of LDAP
> authentication code in my time).
>
> No, AD uses Kerberos for its authentication protocol.
>

This is correct and incorrect at the same time. By default the LDP tool
will use Kerberos (and fallback to NTLM if necessary) to authenticate to
AD. Active directory accepts a really wide variety of auth methods
(including simple bind). To use a simple bind to AD with LDP specify the
full DN of the user and the password, unchecking the "Domain" box, and
then clicking "Advanced" and set the method to SIMPLE.

> As per the LDAP specs, out of the box, Net::LDAP authenticates
> using simple bind (dn and password). Which AD doesn't support.
>

See above, it does support simple bind.

> The solution is to use the SASL module (but you'll probably have to
> code in your own Kerberos module for it) if AD supports SASL.

Yup, it supports SASL as well...

>
> If not, then we'll have to devise some other way.
>
> Mark
>
> On 23 Apr 01, at 13:17, William Richter wrote:
>
> > I've added the line:
> > die($mesg->error) if $mesg->code;
> >
> > after the bind. A non-authenticated login works fine, except I can't
> > see anything but root, but as soon as I hit the server with an
> > authenticated user, the error: AcceptSecurityContext occurs. I then
> > went back to LDP and found that by default, it connects using
> > NTLM/Kerberos. I tried the alternate methods but they failed. My
> > question is, what method does Perl-ldap use and if this is the
> > problem, how do I change the authentication method? If on the other
> > hand, default authentication should work, any ideas why the server is
> > denying my credentials? I've tried this on two AD servers on site and
> > both fail.
> >
> > William Richter
> > Technology Specialist
> > Edinboro University of PA
> > 814-732-2931
> >
> > -----Original Message-----
> > From: Rafael Corvalan [mailto:Raf...@li...]
> > Sent: Friday, April 20, 2001 5:41 AM
> > To: 'c-h...@ti...'; ri...@ed...
> > Cc: per...@li...
> > Subject: RE: Active directory and Perl-ldap
> >
> > You should be able to get your entries without requesting ["*"] for
> > the attributes.
> >
> > I'm not really a specialist, but here are my comments:
> >
> >
> > 1) I think you have problems with the authentication. Check your
> >    credentials. Are you sure you are using
> >       $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com"
> >    as your credentials?
> >    If you have authentication failure, you will not see it (see the
> >    point 2)
> >
> > 2) The bind method returns a Net::LDAP::Bind object, so unless the
> >    bind method returns "undefined" (I don't think it can do so),
> >    avoid writing:
> >       bind(...) or die(...);
> >    In other words, try binding with wrong credentials, and you will
> >    see, the die() will not be called. I prefer to use:
> >
> >       $mesg = bind(....);
> >       die($mesg->error) if $mesg->code;
> >
> > 3) I think that using normal settings, the DC=company, DC=com tree
> >    and DC=Users, DC=company, DC=com tree are protected in ADS. You
> >    must bind with a valid user to get something, they are not
> >    accessible anonymously. I think that if you do not see anything
> >    it's because you have authentication failure.
> >
> > 4) Use protocol version 3. It's better since version 2 doesn't know
> >    about referrals. To do that, use "version => 3" as one of the
> >    parameters in the bind() call.
> >
> > 5) I'm disappointed regarding MS LDP.... Using the Microsoft
> >    "Active Directory Administration Tool", I only get the base DN when
> >    connected without calling bind (and referrals too). Are you sure
> >    that MS LDAP doesn't connect using "transparent" login, forwarding
> >    your credentials to ADS? (Using Kerberos or NTLM).
> >
> > 6) This is an example that works for me. I hope it will do so
> >    for you:
> >
> >
> > =========================================
> > === Example starts here ===
> > =========================================
> >
> > #!/usr/bin/perl -w
> >
> > use Net::LDAP;
> > use strict;
> >
> >
> > # Comment the following line to log on anonymously
> > my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';
> >
> >
> > # Comment one of the following two lines (Base DN)
> > my $base = 'CN=Users, DC=linkvest, DC=com';
> > #my $base = 'DC=linkvest, DC=com';
> >
> >
> > my $ldapserver = 'ads.linkvest.com';
> > my $password = 'XXXXXXXX';
> > my $version = 3;
> >
> > my $filter = "(objectclass=*)";
> > my $scope = '1';
> >
> >
> > my $mesg;
> >
> > # CONNECTION
> > my $ldap = Net::LDAP->new($ldapserver) or die "$@";
> >
> > # BIND
> > if (defined $admin) {
> >     $mesg = $ldap->bind ( dn => $admin,
> >                           password => $password,
> >                           version => $version);

This should not have the "dn =>", so the correct code would be:

    $mesg = $ldap->bind ( $admin,
                          password => $password,
                          version => $version);

The first sample in the man page for Net::LDAP is incorrect:

---- begin incorrect portion ----
    $ldap->bind ( # bind to a directory with dn and password
                  dn => 'cn=root, o=University of Michigan, c=us',
                  password => 'secret'
                );
---- end incorrect portion ----

A correct sample can be found later in the man page:

---- begin correct portion ----
    $ldap->bind( $DN, password => $password);
---- end correct portion ----

And here's the code I use:

---- begin my code ----
$ldap = Net::LDAP->new('dcjnprmrc1.jnpr.net', port => 389, debug => 0, timeout => 2 )
  or $ldap = Net::LDAP->new('dcjnprmrc2.jnpr.net', port => 389, debug => 0, timeout => 5 )
  or die $@;
$bindargs{password} = '**************';
$bindargs{version} = 3;
my $result = $ldap->bind('cn=Web Guest,ou=Users,ou=Common,dc=jnpr,dc=net', %bindargs);
if ($result->code != 0) {
  if ($result->code == 49) {
    printf "Password incorrect\n";
    die "\n";
  } else {
    printf "Error %i occurred while binding - aborting.\n",($result->code);
    die "\n";
  }
}
---- end of my code ----

> >     } else {
> >     $mesg = $ldap->bind ( noauth => 1,
> >                           version => $version);
> >     }
> >
> > die($mesg->error) if $mesg->code;
> >
> > # SEARCH
> > $mesg = $ldap->search( scope => $scope,
> >                        base => $base,
> >                        filter => $filter);
> > die($mesg->error) if $mesg->code;
> >
> >
> > # RESULTS
> > foreach my $entry ($mesg->entries) { $entry->dump; }
> > printf("====\nFound %d entries\n", $mesg->count);
> >
> >
> > =======================================
> > === Example ends here ===
> > =======================================

- clipped -

Dave Mills
Juniper Networks, Inc. |
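An added example, not code from Dave's, Rafael's or Clif's posts, pulling together the points made in this thread: bind to Active Directory with a simple bind over LDAPv3, test the bind result instead of writing "bind(...) or die", treat result code 49 separately from other failures, and request attributes explicitly so the server returns more than the DN. The domain controller name, bind DN, search base and attribute names are assumptions (placeholders), and the password is read from the environment.

```perl
#!/usr/bin/perl -w
# Added example (not code from the list thread): simple bind to an AD domain
# controller with proper result checking, followed by a search that names
# the attributes it wants.
#
# Assumptions (placeholders, not real systems):
#   $server   - an AD domain controller reachable on port 389
#   $bind_dn  - full DN of a domain account with read rights
#   $base     - the domain's default naming context
# The simple bind sends the password in the clear; on anything but a
# trusted network wrap the connection first (Net::LDAP's start_tls, or
# LDAPS on port 636) before calling bind.
use strict;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

my $server   = 'dc1.example.com';                         # assumption
my $bind_dn  = 'cn=Web Guest,ou=Users,dc=example,dc=com'; # assumption
my $base     = 'dc=example,dc=com';                       # assumption
my $password = $ENV{LDAP_PASSWORD}
    or die "set LDAP_PASSWORD in the environment\n";

my $ldap = Net::LDAP->new($server, port => 389, timeout => 5)
    or die "cannot connect to $server: $@\n";

# WRONG (fail-open): bind() always returns a message object, so "or die"
# never fires and a rejected password goes unnoticed:
#   $ldap->bind($bind_dn, password => $password) or die "$@";
#
# RIGHT: look at the result code carried by the returned message.
my $mesg = $ldap->bind($bind_dn, password => $password, version => 3);
if ($mesg->code == LDAP_INVALID_CREDENTIALS) {     # result code 49
    die "bind rejected for $bind_dn: wrong password or unknown DN\n";
}
elsif ($mesg->code != LDAP_SUCCESS) {
    die sprintf "bind failed (%d): %s\n", $mesg->code, $mesg->error;
}

# Name the attributes wanted; as reported in this thread, a search that
# leaves attrs out can come back with the DN and nothing else.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(&(objectCategory=person)(objectClass=user))',
    attrs  => ['sAMAccountName', 'displayName', 'userPrincipalName'],
);
die sprintf "search failed (%d): %s\n", $mesg->code, $mesg->error
    if $mesg->code != LDAP_SUCCESS;

foreach my $entry ($mesg->entries) {
    printf "%-20s %-30s %s\n",
        $entry->get_value('sAMAccountName')    || '-',
        $entry->get_value('displayName')       || '-',
        $entry->get_value('userPrincipalName') || '-';
}
printf "====\nFound %d entries\n", $mesg->count;

$ldap->unbind;
```

Run it with LDAP_PASSWORD set in the environment. Because the script distinguishes code 49 from every other bind failure, a wrong password and an unreachable or misconfigured server produce different messages, which is the distinction William was missing when all he saw was AcceptSecurityContext.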