From: Clif H. <ch...@po...> - 2001-04-21 04:05:43

Graham,

I believe there is a minor problem with the cpan ASN 10 and Perl ldap .23 modules. They end with a *.tar, but they are not tar files. They are gzip'ped files and should have *.gz or *.tgz on the end of them.

I just moved the *_tar.tar to *_tar.gz and unzipped and untar'ed them as usual. Everything went fine from that point on.

Regards,

Clif Harden ch...@po...

From: Bing D. <Bi...@ci...> - 2001-04-20 22:14:52

Hrmm...can OpenLDAP 2.0.7 automatically chase referrals? Say, we have two separate databases for ou=dept,dc=tamu,dc=edu and dc=tamu,dc=edu respectively, I have to use the option -C (automatically chase referrals) of ldapsearch to let it look into ou=dept,dc=tamu,dc=edu without returning the referral to me if ldapsearch can not find the entry in the upper level dc=tamu,dc=edu. How should I do the similar thing in Net::LDAP?

Thanks,
Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix

From: Rafael C. <Raf...@li...> - 2001-04-20 18:52:31

Is your $admin variable correctly set? What's its value? Can you send it to me? And the password in $password is correct?

Rafael

-----Original Message-----
From: William Richter [mailto:ri...@ed...]
Sent: vendredi, 20. avril 2001 19:05
To: per...@li...
Subject: RE: Active directory and Perl-ldap

I tried your example:

die($mesg->error) if $mesg->code;

and found an 'AcceptSecurityContext error' reported. I am assuming that MS clients are passing my authentication credentials and this is why they are working and perl-ldap is not. If so, any ideas on how to resolve this error under Active directory.

William Richter
Technology Specialist, Edinboro University of PA 814-732-2931

-----Original Message-----
From: Rafael Corvalan [mailto:Raf...@li...]
Sent: Friday, April 20, 2001 5:41 AM
To: 'c-h...@ti...'; ri...@ed...
Cc: per...@li...
Subject: RE: Active directory and Perl-ldap

You should be able to get your entries without requesting ["*"] for the attributes. I'm not really a specialist, but here are my comments:

1) I think you have problems with the authentication. Check your credentials. Are you sure you are using $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com" as your credentials? If you have authentication failure, you will not see it (see the point 2)

2) The bind method returns a Net::LDAP::Bind object, so unless the bind method returns "undefined" (I don't think it can do so), avoid writing:

bind(...) or die(...);

In other words, try binding with wrong credentials, and you will see, the die() will not be called. I prefer to use:

$mesg = bind(....);
die($mesg->error) if $mesg->code;

3) I think that using normal settings, the DC=company, DC=com tree and DC=Users, DC=company, DC=com tree are protected in ADS. You must bind with a valid user to get something, they are not accessible anonymously. I think that if you do not see anything it's because you have authentication failure.

4) Use protocol version 3. It's better since version 2 doesn't know about referrals. To do that, use "version => 3" as one of the parameters in the bind() call.

5) I'm disappointed regarding MS LDP.... Using the Microsoft "Active Directory Administration Tool", I only get the base DN when connected without calling bind (and referrals too). Are you sure that MS LDAP doesn't connect using "transparent" login, forwarding your credentials to ADS? (Using Kerberos or NTLM).

6) This is an example that works for me. I hope it will do so for you:

=========================================
=== Example starts here ===
=========================================
#!/usr/bin/perl -w
use Net::LDAP;
use strict;

# Comment the following line to log on anonymously
my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';

# Comment one of the following two lines (Base DN)
my $base = 'CN=Users, DC=linkvest, DC=com';
#my $base = 'DC=linkvest, DC=com';

my $ldapserver = 'ads.linkvest.com';
my $password = 'XXXXXXXX';
my $version = 3;
my $filter = "(objectclass=*)";
my $scope = '1';
my $mesg;

# CONNECTION
my $ldap = Net::LDAP->new($ldapserver) or die "$@";

# BIND
if (defined $admin) {
    $mesg = $ldap->bind ( dn => $admin, password => $password, version => $version);
} else {
    $mesg = $ldap->bind ( noauth => 1, version => $version);
}
die($mesg->error) if $mesg->code;

# SEARCH
$mesg = $ldap->search( scope => $scope, base => $base, filter => $filter);
die($mesg->error) if $mesg->code;

# RESULTS
foreach my $entry ($mesg->entries) { $entry->dump; }
printf("====\nFound %d entries\n", $mesg->count);
=======================================
=== Example ends here ===
=======================================

Hope it helps.

Rafael
________________________________________________________
Rafael Corvalan
Systems & Networks Competence Center Manager
Linkvest SA
Av des Baumettes 19, 1020 Renens Switzerland
Tel: +41 21 632 90 00
Fax: +41 21 632 90 90
http://www.linkvest.com
Raf...@li...
________________________________________________________

-----Original Message-----
From: Clif Harden [mailto:cl...@di...]
Sent: jeudi, 19. avril 2001 23:24
To: ri...@ed...
Cc: per...@li...
Subject: Re: Active directory and Perl-ldap

>
> I am trying to access Active directory using Perl-ldap and I'm having a
> problem. Here is sample code:
>
> my $base = 'DC=edinboro,DC=edu';
> my $filter = "(objectclass=*)";
> my $attrs = (); # request all available attributes
> my $scope = '0';
>
> my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";
>
> # bind to a directory with dn and password - makes no difference whether authenticated or not
> $ldap->bind (dn => $admin,password => $password) or die "$@";
>
> $mesg = $ldap->search(
>     scope => $scope,
>     base => $base,
>     filter => $filter,
>     attrs => $attrs,
> );
>
> If I do a search, all I can manage to find is the base DN. If I change the
> scope to 1, I retrieve nothing. If I change the scope to 'subtree', all I
> retrieve are root entries. I see no cn or ou entries. Nor do I retrieve
> anything if I set my base to cn=users,dn=edinboro,dn=edu. I've run the same
> search against ldap.itd.umich.edu and I can retrieve anything I request.
> Also if I use MS LDP (even if not authenticated), the search pulls the
> entries, as it is supposed to. I've checked permissions on the server but I
> am at a loss. Is there anything special I need to make Active Directory work
> correctly with LDAP?
>
> Thanks in advance,
>
> William Richter
> Technology Specialist, Edinboro University of PA 814-732-2931
>

Try requesting a return attribute(s) in your request.

attrs => ["*"],

If I do what you have done all I get is a DN but no data.

Regards,

Clif Harden INTERNET: c-h...@ti...

From: William R. <ri...@ed...> - 2001-04-20 16:58:22

I tried your example:

die($mesg->error) if $mesg->code;

and found an 'AcceptSecurityContext error' reported. I am assuming that MS clients are passing my authentication credentials and this is why they are working and perl-ldap is not. If so, any ideas on how to resolve this error under Active directory.

William Richter
Technology Specialist, Edinboro University of PA 814-732-2931

-----Original Message-----
From: Rafael Corvalan [mailto:Raf...@li...]
Sent: Friday, April 20, 2001 5:41 AM
To: 'c-h...@ti...'; ri...@ed...
Cc: per...@li...
Subject: RE: Active directory and Perl-ldap

You should be able to get your entries without requesting ["*"] for the attributes. I'm not really a specialist, but here are my comments:

1) I think you have problems with the authentication. Check your credentials. Are you sure you are using $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com" as your credentials? If you have authentication failure, you will not see it (see the point 2)

2) The bind method returns a Net::LDAP::Bind object, so unless the bind method returns "undefined" (I don't think it can do so), avoid writing:

bind(...) or die(...);

In other words, try binding with wrong credentials, and you will see, the die() will not be called. I prefer to use:

$mesg = bind(....);
die($mesg->error) if $mesg->code;

3) I think that using normal settings, the DC=company, DC=com tree and DC=Users, DC=company, DC=com tree are protected in ADS. You must bind with a valid user to get something, they are not accessible anonymously. I think that if you do not see anything it's because you have authentication failure.

4) Use protocol version 3. It's better since version 2 doesn't know about referrals. To do that, use "version => 3" as one of the parameters in the bind() call.

5) I'm disappointed regarding MS LDP.... Using the Microsoft "Active Directory Administration Tool", I only get the base DN when connected without calling bind (and referrals too). Are you sure that MS LDAP doesn't connect using "transparent" login, forwarding your credentials to ADS? (Using Kerberos or NTLM).

6) This is an example that works for me. I hope it will do so for you:

=========================================
=== Example starts here ===
=========================================
#!/usr/bin/perl -w
use Net::LDAP;
use strict;

# Comment the following line to log on anonymously
my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';

# Comment one of the following two lines (Base DN)
my $base = 'CN=Users, DC=linkvest, DC=com';
#my $base = 'DC=linkvest, DC=com';

my $ldapserver = 'ads.linkvest.com';
my $password = 'XXXXXXXX';
my $version = 3;
my $filter = "(objectclass=*)";
my $scope = '1';
my $mesg;

# CONNECTION
my $ldap = Net::LDAP->new($ldapserver) or die "$@";

# BIND
if (defined $admin) {
    $mesg = $ldap->bind ( dn => $admin, password => $password, version => $version);
} else {
    $mesg = $ldap->bind ( noauth => 1, version => $version);
}
die($mesg->error) if $mesg->code;

# SEARCH
$mesg = $ldap->search( scope => $scope, base => $base, filter => $filter);
die($mesg->error) if $mesg->code;

# RESULTS
foreach my $entry ($mesg->entries) { $entry->dump; }
printf("====\nFound %d entries\n", $mesg->count);
=======================================
=== Example ends here ===
=======================================

Hope it helps.

Rafael
________________________________________________________
Rafael Corvalan
Systems & Networks Competence Center Manager
Linkvest SA
Av des Baumettes 19, 1020 Renens Switzerland
Tel: +41 21 632 90 00
Fax: +41 21 632 90 90
http://www.linkvest.com
Raf...@li...
________________________________________________________

-----Original Message-----
From: Clif Harden [mailto:cl...@di...]
Sent: jeudi, 19. avril 2001 23:24
To: ri...@ed...
Cc: per...@li...
Subject: Re: Active directory and Perl-ldap

>
> I am trying to access Active directory using Perl-ldap and I'm having a
> problem. Here is sample code:
>
> my $base = 'DC=edinboro,DC=edu';
> my $filter = "(objectclass=*)";
> my $attrs = (); # request all available attributes
> my $scope = '0';
>
> my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";
>
> # bind to a directory with dn and password - makes no difference whether authenticated or not
> $ldap->bind (dn => $admin,password => $password) or die "$@";
>
> $mesg = $ldap->search(
>     scope => $scope,
>     base => $base,
>     filter => $filter,
>     attrs => $attrs,
> );
>
> If I do a search, all I can manage to find is the base DN. If I change the
> scope to 1, I retrieve nothing. If I change the scope to 'subtree', all I
> retrieve are root entries. I see no cn or ou entries. Nor do I retrieve
> anything if I set my base to cn=users,dn=edinboro,dn=edu. I've run the same
> search against ldap.itd.umich.edu and I can retrieve anything I request.
> Also if I use MS LDP (even if not authenticated), the search pulls the
> entries, as it is supposed to. I've checked permissions on the server but I
> am at a loss. Is there anything special I need to make Active Directory work
> correctly with LDAP?
>
> Thanks in advance,
>
> William Richter
> Technology Specialist, Edinboro University of PA 814-732-2931
>

Try requesting a return attribute(s) in your request.

attrs => ["*"],

If I do what you have done all I get is a DN but no data.

Regards,

Clif Harden INTERNET: c-h...@ti...

From: Graham B. <gb...@po...> - 2001-04-20 16:53:53

A debug trace is the only way we are going to be able to help you

Graham

On Fri, Apr 20, 2001 at 06:43:43PM +0200, Roland Stigge wrote:
> Hi all,
>
> Clif Harden wrote:
> > > Is it the old (stable) version of OpenLDAP? (1.2.11)
> > > Do you suggest updating to 2.0.7?
> > If you are going to use version 3 ldap you must upgrade
> > to 2.0.7. 1.2.11 is version 2 only.
>
> I upgraded to the new version, now using perl-ldap 0.22, OpenLDAP 2.0.7.
> Still I don't get the referrals:
>
> -----
> $ldap = Net::LDAP->new("eigen");
> $bindresult = $ldap->bind(version => 3, anonymous => 1);
> print "Bind result: ",$bindresult->code,", Message: ",$bindresult->error,"\n";
> print "LDAP Version: ",$ldap->version,"\n";
> print "Search: ";
>
> $mesg = $ldap->search( base => "o=epigenomics",
>                        filter => '(cn=*)',
>                        deref => 3,
>                      );
> @referrals = $mesg->referrals;
>
> foreach $ref (@referrals) {
>     print "Referral: ",$ref,"\n";
> }
>
> print "Return code: ",$mesg->code,"\n";
> print "Error message: \"",$mesg->error,"\"\n";
>
> $n = $mesg->all_entries;
> print "Number of Entries: ".$n."\n";
>
> foreach $entry ($mesg->entries) {
>     print "dn: ",$entry->dn,"\n";
> }
> -----
>
> output:
> -----
> Bind result: 0, Message: Success
> LDAP Version: 3
> Search: Return code: 0
> Error message: "Success"
> Number of Entries: 2
> dn: cn=admin,o=epigenomics
> dn: cn=updated,o=epigenomics
> -----
>
> Where is the referral? Do I use the array in the right way?
>
> ldapsearch finds it:
> -----
> # search reference
> ref: ldap://deledda/c=us,o=epigenomics
> -----
>
> Thank you in advance!
>
> bye,
> --
> Roland Stigge
>
> Epigenomics AG Kastanienallee 24
> www.epigenomics.com 10435 Berlin
>

From: Roland S. <rol...@ep...> - 2001-04-20 16:43:50

Hi all,

Clif Harden wrote:
> > Is it the old (stable) version of OpenLDAP? (1.2.11)
> > Do you suggest updating to 2.0.7?
> If you are going to use version 3 ldap you must upgrade
> to 2.0.7. 1.2.11 is version 2 only.

I upgraded to the new version, now using perl-ldap 0.22, OpenLDAP 2.0.7. Still I don't get the referrals:

-----
$ldap = Net::LDAP->new("eigen");
$bindresult = $ldap->bind(version => 3, anonymous => 1);
print "Bind result: ",$bindresult->code,", Message: ",$bindresult->error,"\n";
print "LDAP Version: ",$ldap->version,"\n";
print "Search: ";

$mesg = $ldap->search( base => "o=epigenomics",
                       filter => '(cn=*)',
                       deref => 3,
                     );
@referrals = $mesg->referrals;

foreach $ref (@referrals) {
    print "Referral: ",$ref,"\n";
}

print "Return code: ",$mesg->code,"\n";
print "Error message: \"",$mesg->error,"\"\n";

$n = $mesg->all_entries;
print "Number of Entries: ".$n."\n";

foreach $entry ($mesg->entries) {
    print "dn: ",$entry->dn,"\n";
}
-----

output:
-----
Bind result: 0, Message: Success
LDAP Version: 3
Search: Return code: 0
Error message: "Success"
Number of Entries: 2
dn: cn=admin,o=epigenomics
dn: cn=updated,o=epigenomics
-----

Where is the referral? Do I use the array in the right way?

ldapsearch finds it:
-----
# search reference
ref: ldap://deledda/c=us,o=epigenomics
-----

Thank you in advance!

bye,
--
Roland Stigge

Epigenomics AG Kastanienallee 24
www.epigenomics.com 10435 Berlin

From: Kurt D. Z. <Ku...@Op...> - 2001-04-20 14:24:24

At 05:40 AM 4/20/01, Graham Barr wrote:
>However, this does mean that no bind request is sent.
>
>With version 2 a bind was required, but with version 3 it is not.

No bind was required in LDAPv2+ (U-Mich based) servers.

>The server should assume a version3 anonymous bind if it has not received
>a bind request.

That's an LDAPv3 requirement. But LDAPv2+ servers were designed and implemented prior to LDAPv3.

Kurt

From: Graham B. <gb...@po...> - 2001-04-20 13:28:48

This release had a few reported problems with bigint support.

I have now uploaded Convert-ASN1-0.10.tar.gz

Which is also available from sourceforge

Graham.

On Fri, Apr 20, 2001 at 12:05:24AM +0100, Graham Barr wrote:
> I have just uploaded a new Convert::ASN to CPAN.
>
> This contains fixes for decoding times and also it can now encode and
> decode bigint's
>
> Graham.
>
> ----- Forwarded message from PAUSE <up...@p1...> -----
>
> Date: Fri, 20 Apr 2001 01:07:25 +0200
> To: "Graham Barr" <GB...@cp...>, cpa...@pe...
> From: PAUSE <up...@p1...>
> Subject: CPAN Upload: G/GB/GBARR/Convert-ASN1-0.09.tar.gz
>
> The uploaded file
>
> Convert-ASN1-0.09.tar.gz
>
> has entered CPAN as
>
> file: $CPAN/authors/id/G/GB/GBARR/Convert-ASN1-0.09.tar.gz
> size: 36907 bytes
> md5: 1105743792469af21fcbe6d226b494b1
>
> No action is required on your part
> Request entered by: GBARR (Graham Barr)
> Request entered on: Thu, 19 Apr 2001 23:07:00 GMT
> Request completed: Thu, 19 Apr 2001 23:07:25 GMT
>
> Virtually Yours,
> Id: paused,v 1.72 2000/12/26 15:12:53 k Exp k
>
>
> ----- End forwarded message -----
>

From: Clif H. <cl...@di...> - 2001-04-20 13:26:48

>
> Hi,
>
> Graham Barr wrote:
> > OK, I see the problem.
> >
> > You don't check the result of the bind.
>
> I think now it's clear:
>

part of message removed.

> -----
>
> Is it the old (stable) version of OpenLDAP? (1.2.11)
>
> Do you suggest updating to 2.0.7?

If you are going to use version 3 ldap you must upgrade to 2.0.7. 1.2.11 is version 2 only. I upgraded to 2.0.7 quite some time ago and I have had no problems with it.

>
> Thanks!
>
> bye,
>
> --
> Roland Stigge
>
> Epigenomics AG Kastanienallee 24
> www.epigenomics.com 10435 Berlin
>
>

Regards,

Clif Harden INTERNET: c-h...@ti...

From: Roland S. <rol...@ep...> - 2001-04-20 13:07:03

> Another option is to pass version => 3 into the constructor. Then
> calling $ldap->bind; will do the right thing.

Same problem.

--
Roland Stigge

Epigenomics AG Kastanienallee 24
www.epigenomics.com 10435 Berlin

From: Roland S. <rol...@ep...> - 2001-04-20 13:03:57

Hi,

Graham Barr wrote:
> OK, I see the problem.
>
> You don't check the result of the bind.

I think now it's clear:

withOUT version => 3 :
-----
Bind result: 0, Message: Success
LDAP Version: 2
Return code: 9
Error message: "Referral:
ldap://deledda/c=gdr,o=epigenomics
ldap://deledda/c=us,o=epigenomics"
Number of Entries: 2
dn: cn=admin,o=epigenomics
dn: cn=updated,o=epigenomics
-----

WITH version => 3 :
-----
Bind result: 2, Message: version not supported
LDAP Version: 3
Return code: 9
Error message: "Referral:
ldap://deledda/c=gdr,o=epigenomics
ldap://deledda/c=us,o=epigenomics"
Number of Entries: 2
dn: cn=admin,o=epigenomics
dn: cn=updated,o=epigenomics
-----

Is it the old (stable) version of OpenLDAP? (1.2.11)

Do you suggest updating to 2.0.7?

Thanks!

bye,

--
Roland Stigge

Epigenomics AG Kastanienallee 24
www.epigenomics.com 10435 Berlin

From: Graham B. <gb...@po...> - 2001-04-20 13:01:58

On Fri, Apr 20, 2001 at 01:40:24PM +0100, Graham Barr wrote:
> Anyway, changing your bind to
>
> $ldap->bind(version => 3, anonymous => 1);
>
> should do the trick.

Another option is to pass version => 3 into the constructor. Then calling $ldap->bind; will do the right thing.

Graham.

From: Graham B. <gb...@po...> - 2001-04-20 12:42:27

On Fri, Apr 20, 2001 at 02:27:19PM +0200, Roland Stigge wrote:
> Hi,
>
> Graham Barr wrote:
> > It would seem the server thinks you are a version 2 client. Error code 9 is
> >
> > LDAP_PARTIAL_RESULTS
> >
> > Returned to version 2 clients when a referral is returned. The response
> > will contain a list of URL's for other servers.
> >
> > It is then returning the referrals in the error message.
>
> Does this mean that I'll have to use this for manually chasing referrals
> or is there a way to make the server talk to me LDAPv3?
>
> > Can you turn on debug by adding debug => 15 into the arguments
> > of the constructor
>
> It's 7k, so I will only forward it to you personally.
>
> The others can request it, if needed. ;)

OK, I see the problem.

You don't check the result of the bind.

A few versions back a test was introduced to avoid accidental anonymous binds. This test was that if any arguments were passed to bind, then you must specify how you want to bind. So

$ldap->bind(version => 3);

will just fail with LDAP_INAPPROPRIATE_AUTH, "No AUTH supplied"

This probably needs to be fixed.

However, this does mean that no bind request is sent.

With version 2 a bind was required, but with version 3 it is not. The server should assume a version3 anonymous bind if it has not received a bind request.

Anyway, changing your bind to

$ldap->bind(version => 3, anonymous => 1);

should do the trick.

Graham.

From: Chris R. <chr...@me...> - 2001-04-20 12:29:30

Graham Barr <gb...@po...> wrote:
> It would seem the server thinks you are a version 2 client. Error code 9
> is
>
> LDAP_PARTIAL_RESULTS
>
> Returned to version 2 clients when a referral is returned. The response
> will contain a list of URL's for other servers.

Result code 9 is not defined in RFC 2251 (LDAPv3) or RFC 1777 (LDAPv2), so I'm not surprised Net::LDAP isn't doing anything with the contents of the error message.

(In fact, the RFCs say you MUST NOT rely on any values of the error message, so returning something apparently necessary in there seems wrong.)

Cheers,

Chris

From: Roland S. <rol...@ep...> - 2001-04-20 12:27:31

Hi,

Graham Barr wrote:
> It would seem the server thinks you are a version 2 client. Error code 9 is
>
> LDAP_PARTIAL_RESULTS
>
> Returned to version 2 clients when a referral is returned. The response
> will contain a list of URL's for other servers.
>
> It is then returning the referrals in the error message.

Does this mean that I'll have to use this for manually chasing referrals or is there a way to make the server talk to me LDAPv3?

> Can you turn on debug by adding debug => 15 into the arguments
> of the constructor

It's 7k, so I will only forward it to you personally.

The others can request it, if needed. ;)

bye,

--
Roland Stigge

Epigenomics AG Kastanienallee 24
www.epigenomics.com 10435 Berlin

From: Graham B. <gb...@po...> - 2001-04-20 12:09:53

It would seem the server thinks you are a version 2 client. Error code 9 is

LDAP_PARTIAL_RESULTS

Returned to version 2 clients when a referral is returned. The response will contain a list of URL's for other servers.

It is then returning the referrals in the error message.

Can you turn on debug by adding debug => 15 into the arguments of the constructor

Graham.

On Fri, Apr 20, 2001 at 01:23:43PM +0200, Roland Stigge wrote:
> Hi,
>
> Chris Ridd wrote:
> > > (We are using Net::LDAP 0.22 and OpenLDAP 1.2.11)
> > > It seems that my configuration doesn't return any referrals. I have
> > > configured two servers, one holding o=epigenomics, the other on
> > > c=us,o=epigenomics. Via PHP and ldapsearch tools, the inserted referrals
> > > even seem to transparently redirect the client to the second server when
> > > accessing/searching the c=us,epigenomics substructure. But with my
> > > Net::LDAP code:
>
> > You are binding using LDAPv2. LDAPv2 did not have referrals.
> >
> > Some vendors have 'patched in' some support for referrals in LDAPv2, but
> > this is completely non-standard and not supported by Net::LDAP.
> >
> > Try binding with LDAPv3 instead and see what you get. Hint: pass version =>
> > 3 in the bind call.
>
> I already tried that:
> -----
> $ldap = Net::LDAP->new("wilson");
> $ldap->bind(version => 3);
> print "LDAP Version: ",$ldap->version,"\n";
> $mesg = $ldap->search( base => "o=epigenomics",
>                        filter => '(cn=*)',
>                        deref => 3,
>                      );
>
> @referrals = $mesg->referrals;
> foreach $ref (@referrals) {
>     print "Referral: ",$ref,"\n";
> }
>
> print "Return code: ",$mesg->code,"\n";
> print "Error message: \"",$mesg->error,"\"\n";
>
> $n = $mesg->all_entries;
> print "Number of Entries: ".$n."\n";
>
> foreach $entry ($mesg->entries) {
>     print "dn: ",$entry->dn,"\n";
> }
> -----
>
> but got the same result:
> -----
> LDAP Version: 3
> Return code: 9
> Error message: "Referral:
> ldap://deledda/c=gdr,o=epigenomics
> ldap://deledda/c=us,o=epigenomics"
> Number of Entries: 2
> dn: cn=admin,o=epigenomics
> dn: cn=updated,o=epigenomics
> -----
>
> Even with LDAPv3, I get the same result. "Real" referrals seem to be
> suppressed (in the array). Instead, the error message (!) contains the
> referral. As you see, I added a referral. So even multiple referrals are
> displayed in the error message.
>
> Is this the desired behavior of Net::LDAP? I don't like the idea to
> parse error strings instead of being able to use the native referrals in
> $mesg->referrals.
>
> Thanks in advance.
>
> bye,
>
> --
> Roland Stigge
>
> Epigenomics AG Kastanienallee 24
> www.epigenomics.com 10435 Berlin
>

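Added example, not part of the original thread: the result-code-9 behaviour described in the message above puts the referral URLs in the error text, so a client that follows them should first parse each URL and check the host it names. The code below does that in plain Perl for the error text shown in Roland's output; the function names, the host allowlist and the `elsewhere.example` URL are assumptions made for illustration, and Chris Ridd's point in this thread that the RFCs do not let a client rely on error text still applies.

```perl
#!/usr/bin/perl
# Added example: vet referral URLs taken from a result-code-9 error text
# before any connection is made to the hosts they name.
use strict;
use warnings;

# Result code 9, named LDAP_PARTIAL_RESULTS in the thread.
use constant LDAP_PARTIAL_RESULTS => 9;

# Assumption: hosts this client may follow referrals to (lower case).
my %ALLOWED_HOST = (deledda => 1);

# Split an LDAP URL into scheme, host, port and base DN.
# Returns nothing for input that is not a plain ldap:// or ldaps:// URL
# (IPv6 literals and user-info parts are deliberately not accepted).
sub parse_ldap_url {
    my ($url) = @_;
    return unless defined $url;
    return unless $url =~
        m{\A(ldaps?)://([A-Za-z0-9.-]+)(?::([0-9]{1,5}))?(?:/([^?\s]*))?(?:\?\S*)?\z}i;
    my ($scheme, $host, $port, $dn) = (lc($1), lc($2), $3, $4);
    $port = ($scheme eq 'ldaps') ? 636 : 389 unless defined $port;
    return if $port < 1 || $port > 65535;
    $dn = '' unless defined $dn;
    $dn =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;    # undo percent-encoding
    return { scheme => $scheme, host => $host, port => $port, dn => $dn };
}

# Pull the URLs out of the error text sent with result code 9.
# The text has the shape "Referral:\nldap://host/dn\nldap://host/dn".
sub referrals_from_error_text {
    my ($code, $text) = @_;
    return () unless defined $code && $code == LDAP_PARTIAL_RESULTS;
    return () unless defined $text && $text =~ s/\AReferral:\s*//;
    return grep { length } split /\s+/, $text;
}

# Sort referral URLs into those that may be followed and those refused.
# Anything unparsable or naming a host outside the allowlist is refused,
# so bind credentials are never offered to a server the referral chose.
sub vet_referrals {
    my ($allowed, @urls) = @_;
    my (@follow, @refuse);
    for my $url (@urls) {
        my $u = parse_ldap_url($url);
        if ($u && $allowed->{ $u->{host} }) {
            push @follow, $u;
        } else {
            push @refuse, $url;
        }
    }
    return (\@follow, \@refuse);
}

# Error text as shown in Roland's output, plus one constructed URL
# (ldap://elsewhere.example/...) to exercise the refusal path.
my $error_text = "Referral:\n"
    . "ldap://deledda/c=gdr,o=epigenomics\n"
    . "ldap://deledda/c=us,o=epigenomics\n"
    . "ldap://elsewhere.example/o=epigenomics";

my @urls = referrals_from_error_text(9, $error_text);
my ($follow, $refuse) = vet_referrals(\%ALLOWED_HOST, @urls);

printf "follow: %s://%s:%d base=%s\n", @{$_}{qw(scheme host port dn)} for @$follow;
print  "refuse: $_\n" for @$refuse;
```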
From: Roland S. <rol...@ep...> - 2001-04-20 11:23:53

Hi,

Chris Ridd wrote:
> > (We are using Net::LDAP 0.22 and OpenLDAP 1.2.11)
> > It seems that my configuration doesn't return any referrals. I have
> > configured two servers, one holding o=epigenomics, the other on
> > c=us,o=epigenomics. Via PHP and ldapsearch tools, the inserted referrals
> > even seem to transparently redirect the client to the second server when
> > accessing/searching the c=us,epigenomics substructure. But with my
> > Net::LDAP code:

> You are binding using LDAPv2. LDAPv2 did not have referrals.
>
> Some vendors have 'patched in' some support for referrals in LDAPv2, but
> this is completely non-standard and not supported by Net::LDAP.
>
> Try binding with LDAPv3 instead and see what you get. Hint: pass version =>
> 3 in the bind call.

I already tried that:
-----
$ldap = Net::LDAP->new("wilson");
$ldap->bind(version => 3);
print "LDAP Version: ",$ldap->version,"\n";
$mesg = $ldap->search( base => "o=epigenomics",
                       filter => '(cn=*)',
                       deref => 3,
                     );

@referrals = $mesg->referrals;
foreach $ref (@referrals) {
    print "Referral: ",$ref,"\n";
}

print "Return code: ",$mesg->code,"\n";
print "Error message: \"",$mesg->error,"\"\n";

$n = $mesg->all_entries;
print "Number of Entries: ".$n."\n";

foreach $entry ($mesg->entries) {
    print "dn: ",$entry->dn,"\n";
}
-----

but got the same result:
-----
LDAP Version: 3
Return code: 9
Error message: "Referral:
ldap://deledda/c=gdr,o=epigenomics
ldap://deledda/c=us,o=epigenomics"
Number of Entries: 2
dn: cn=admin,o=epigenomics
dn: cn=updated,o=epigenomics
-----

Even with LDAPv3, I get the same result. "Real" referrals seem to be suppressed (in the array). Instead, the error message (!) contains the referral. As you see, I added a referral. So even multiple referrals are displayed in the error message.

Is this the desired behavior of Net::LDAP? I don't like the idea to parse error strings instead of being able to use the native referrals in $mesg->referrals.

Thanks in advance.

bye,

--
Roland Stigge

Epigenomics AG Kastanienallee 24
www.epigenomics.com 10435 Berlin

From: Rafael C. <Raf...@li...> - 2001-04-20 09:41:56

You should be able to get your entries without requesting ["*"] for the attributes. I'm not really a specialist, but here are my comments:

1) I think you have problems with the authentication. Check your credentials. Are you sure you are using $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com" as your credentials? If you have authentication failure, you will not see it (see the point 2)

2) The bind method returns a Net::LDAP::Bind object, so unless the bind method returns "undefined" (I don't think it can do so), avoid writing:

bind(...) or die(...);

In other words, try binding with wrong credentials, and you will see, the die() will not be called. I prefer to use:

$mesg = bind(....);
die($mesg->error) if $mesg->code;

3) I think that using normal settings, the DC=company, DC=com tree and DC=Users, DC=company, DC=com tree are protected in ADS. You must bind with a valid user to get something, they are not accessible anonymously. I think that if you do not see anything it's because you have authentication failure.

4) Use protocol version 3. It's better since version 2 doesn't know about referrals. To do that, use "version => 3" as one of the parameters in the bind() call.

5) I'm disappointed regarding MS LDP.... Using the Microsoft "Active Directory Administration Tool", I only get the base DN when connected without calling bind (and referrals too). Are you sure that MS LDAP doesn't connect using "transparent" login, forwarding your credentials to ADS? (Using Kerberos or NTLM).

6) This is an example that works for me. I hope it will do so for you:

=========================================
=== Example starts here ===
=========================================
#!/usr/bin/perl -w
use Net::LDAP;
use strict;

# Comment the following line to log on anonymously
my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';

# Comment one of the following two lines (Base DN)
my $base = 'CN=Users, DC=linkvest, DC=com';
#my $base = 'DC=linkvest, DC=com';

my $ldapserver = 'ads.linkvest.com';
my $password = 'XXXXXXXX';
my $version = 3;
my $filter = "(objectclass=*)";
my $scope = '1';
my $mesg;

# CONNECTION
my $ldap = Net::LDAP->new($ldapserver) or die "$@";

# BIND
if (defined $admin) {
    $mesg = $ldap->bind ( dn => $admin, password => $password, version => $version);
} else {
    $mesg = $ldap->bind ( noauth => 1, version => $version);
}
die($mesg->error) if $mesg->code;

# SEARCH
$mesg = $ldap->search( scope => $scope, base => $base, filter => $filter);
die($mesg->error) if $mesg->code;

# RESULTS
foreach my $entry ($mesg->entries) { $entry->dump; }
printf("====\nFound %d entries\n", $mesg->count);
=======================================
=== Example ends here ===
=======================================

Hope it helps.

Rafael
________________________________________________________
Rafael Corvalan
Systems & Networks Competence Center Manager
Linkvest SA
Av des Baumettes 19, 1020 Renens Switzerland
Tel: +41 21 632 90 00
Fax: +41 21 632 90 90
http://www.linkvest.com
Raf...@li...
________________________________________________________

-----Original Message-----
From: Clif Harden [mailto:cl...@di...]
Sent: jeudi, 19. avril 2001 23:24
To: ri...@ed...
Cc: per...@li...
Subject: Re: Active directory and Perl-ldap

>
> I am trying to access Active directory using Perl-ldap and I'm having a
> problem. Here is sample code:
>
> my $base = 'DC=edinboro,DC=edu';
> my $filter = "(objectclass=*)";
> my $attrs = (); # request all available attributes
> my $scope = '0';
>
> my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";
>
> # bind to a directory with dn and password - makes no difference whether authenticated or not
> $ldap->bind (dn => $admin,password => $password) or die "$@";
>
> $mesg = $ldap->search(
>     scope => $scope,
>     base => $base,
>     filter => $filter,
>     attrs => $attrs,
> );
>
> If I do a search, all I can manage to find is the base DN. If I change the
> scope to 1, I retrieve nothing. If I change the scope to 'subtree', all I
> retrieve are root entries. I see no cn or ou entries. Nor do I retrieve
> anything if I set my base to cn=users,dn=edinboro,dn=edu. I've run the same
> search against ldap.itd.umich.edu and I can retrieve anything I request.
> Also if I use MS LDP (even if not authenticated), the search pulls the
> entries, as it is supposed to. I've checked permissions on the server but I
> am at a loss. Is there anything special I need to make Active Directory work
> correctly with LDAP?
>
> Thanks in advance,
>
> William Richter
> Technology Specialist, Edinboro University of PA 814-732-2931
>

Try requesting a return attribute(s) in your request.

attrs => ["*"],

If I do what you have done all I get is a DN but no data.

Regards,

Clif Harden INTERNET: c-h...@ti...

From: Graham B. <gb...@po...> - 2001-04-19 23:39:48
|
I have just uploaded perl-ldap-0.23 to CPAN, it should be on mirrors soon.

It is also available on sourceforge at

    http://prdownloads.sourceforge.net/perl-ldap/perl-ldap-0.23.tar.gz

The RELEASE_NOTES are

perl-ldap 0.23 April 20 2001
============================

* Fixed bug in Net::LDAP::Filter when the filter contained an escaped *
* Fixed SASL bind to call challenge with serverSaslCreds
* Fixed some uninit errors in Net::LDAP::Entry
* Various documentation updates
* Added Net::LDAP::Util::canonical_dn
* Net::LDAP::LDIF will now call canonical_dn for any DN which contains
  non-printable characters
* Added support for matchingruleuse, ditstructurerules, ditcontentrules
  and nameForms into Net::LDAP::Schema
* The ->schema method in Net::LDAP has changed how it finds the schema
  to return. The new method is more correct, but there may be a
  possibility that this change has created an incompatibility.
* New control module Net::LDAP::Control::ProxyAuth from Olivier Dubois added
* Added support for moddn in Net::LDAP::LDIF.
* Minor fixes to the DSML output (fixing illegal XML.)

Many thanks to all those who have contributed to this release

Graham.
|
From: Graham B. <gb...@po...> - 2001-04-19 23:06:45
|
I have just uploaded a new Convert::ASN to CPAN. This contains fixes for decoding times and also it can now encode and decode bigint's

Graham.

----- Forwarded message from PAUSE <up...@p1...> -----

Date: Fri, 20 Apr 2001 01:07:25 +0200
To: "Graham Barr" <GB...@cp...>, cpa...@pe...
From: PAUSE <up...@p1...>
Subject: CPAN Upload: G/GB/GBARR/Convert-ASN1-0.09.tar.gz

The uploaded file

    Convert-ASN1-0.09.tar.gz

has entered CPAN as

    file: $CPAN/authors/id/G/GB/GBARR/Convert-ASN1-0.09.tar.gz
    size: 36907 bytes
    md5: 1105743792469af21fcbe6d226b494b1

No action is required on your part

Request entered by: GBARR (Graham Barr)
Request entered on: Thu, 19 Apr 2001 23:07:00 GMT
Request completed: Thu, 19 Apr 2001 23:07:25 GMT

Virtually Yours,
Id: paused,v 1.72 2000/12/26 15:12:53 k Exp k

----- End forwarded message -----
|
From: Clif H. <cl...@di...> - 2001-04-19 21:22:26
|
>
> I am trying to access Active directory using Perl-ldap and I'm having a
> problem. Here is sample code:
>
> my $base = 'DC=edinboro,DC=edu';
> my $filter = "(objectclass=*)";
> my $attrs = (); # request all available attributes
> my $scope = '0';
>
> my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";
>
> # bind to a directory with dn and password - makes no difference whether authenticated or not
> $ldap->bind (dn => $admin,password => $password) or die "$@";
>
> $mesg = $ldap->search(
>     scope => $scope,
>     base => $base,
>     filter => $filter,
>     attrs => $attrs,
> );
>
> If I do a search, all I can manage to find is the base DN. If I change the
> scope to 1, I retrieve nothing. If I change the scope to 'subtree', all I
> retrieve are root entries. I see no cn or ou entries. Nor do I retrieve
> anything if I set my base to cn=users,dn=edinboro,dn=edu. I've run the same
> search against ldap.itd.umich.edu and I can retrieve anything I request.
> Also if I use MS LDP (even if not authenticated), the search pulls the
> entries, as it is supposed to. I've checked permissions on the server but I
> am at a loss. Is there anything special I need to make Active Directory work
> correctly with LDAP?
>
> Thanks in advance,
>
> William Richter
> Technology Specialist, Edinboro University of PA 814-732-2931
>

Try requesting a return attribute(s) in your request.

    attrs => ["*"],

If I do what you have done all I get is a DN but no data.

Regards,

Clif Harden
INTERNET: c-h...@ti...
|
From: William R. <ri...@ed...> - 2001-04-19 20:17:34
|
I am trying to access Active directory using Perl-ldap and I'm having a problem. Here is sample code:

my $base = 'DC=edinboro,DC=edu';
my $filter = "(objectclass=*)";
my $attrs = (); # request all available attributes
my $scope = '0';

my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";

# bind to a directory with dn and password - makes no difference whether authenticated or not
$ldap->bind (dn => $admin,password => $password) or die "$@";

$mesg = $ldap->search(
    scope => $scope,
    base => $base,
    filter => $filter,
    attrs => $attrs,
);

If I do a search, all I can manage to find is the base DN. If I change the scope to 1, I retrieve nothing. If I change the scope to 'subtree', all I retrieve are root entries. I see no cn or ou entries. Nor do I retrieve anything if I set my base to cn=users,dn=edinboro,dn=edu. I've run the same search against ldap.itd.umich.edu and I can retrieve anything I request. Also if I use MS LDP (even if not authenticated), the search pulls the entries, as it is supposed to. I've checked permissions on the server but I am at a loss. Is there anything special I need to make Active Directory work correctly with LDAP?

Thanks in advance,

William Richter
Technology Specialist, Edinboro University of PA 814-732-2931
|
From: Graham B. <gb...@po...> - 2001-04-19 20:08:26
|
dn is not an attribute. So you need to pick an attribute that you know will be there. Try objectclass=*

Graham.

On Thu, Apr 19, 2001 at 08:50:21PM +0200, Dan G. Lunde wrote:
> I would like to quickly check if an entry exists in LDAP. I struggled to find
> a good solution. This is what I've come up with so far. It works for now, but
> I would like to hear if anyone has any suggestions on improvements.
>
> The idea is to start searching directly in the leafnode, and match any dn.
>
> # See if the dn exists
> $mesg = $ldap->search (
>     base => "$dn",
>     filter => "dn=*"
> );
>
> I tried the $entry->exists('dn') without any luck. Any examples of working
> code using exists?
>
> Dan
> --
> Dan G. Lunde - dan...@c2...
> http://home.world-online.no/~danglund/pgp/pgp...@c2...c
>
>
|
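The existence check discussed in this exchange, written out as an added example that is not part of the original posts or of perl-ldap itself. It goes slightly beyond the reply by using a base-scope search, requesting no attributes ("1.1"), and treating only noSuchObject as "absent"; `entry_exists`, `StubLDAP`, `StubMesg` and the example.com DNs are hypothetical names and constructed data.

```perl
use strict;
use warnings;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_NO_SUCH_OBJECT);

# entry_exists() is a hypothetical helper, not part of Net::LDAP.
# Returns 1 if $dn exists, 0 if the server reports noSuchObject, and dies on
# any other result (for example insufficientAccessRights), so a failed or
# unauthorised lookup is never mistaken for "entry absent".
sub entry_exists {
    my ($ldap, $dn) = @_;
    my $mesg = $ldap->search(
        base   => $dn,
        scope  => 'base',             # read only the named entry
        filter => '(objectClass=*)',  # matches any entry; "dn" is not an attribute
        attrs  => ['1.1'],            # "no attributes": return just the DN
    );
    return 0 if $mesg->code == LDAP_NO_SUCH_OBJECT;
    die "search on '$dn' failed: " . $mesg->error . "\n"
        if $mesg->code != LDAP_SUCCESS;
    return $mesg->count ? 1 : 0;
}

# Constructed stand-in for a Net::LDAP handle so the logic runs without a
# server; with a real connection pass the Net::LDAP object instead.
package StubLDAP {
    sub new    { my ($class, %codes) = @_; return bless {%codes}, $class }
    sub search {
        my ($self, %arg) = @_;
        return StubMesg->new($self->{ $arg{base} } // 32);   # 32 = noSuchObject
    }
}
package StubMesg {
    sub new   { my ($class, $code) = @_; return bless { code => $code }, $class }
    sub code  { $_[0]{code} }
    sub error { "result code $_[0]{code}" }
    sub count { $_[0]{code} == 0 ? 1 : 0 }
}

my $ldap = StubLDAP->new(
    'cn=alice,dc=example,dc=com'  => 0,     # success
    'cn=secret,dc=example,dc=com' => 50,    # insufficientAccessRights
);
for my $dn ('cn=alice,dc=example,dc=com', 'cn=nobody,dc=example,dc=com',
            'cn=secret,dc=example,dc=com') {
    my $found = eval { entry_exists($ldap, $dn) };
    print defined $found ? "$dn: " . ($found ? 'exists' : 'absent') . "\n"
                         : "$dn: error: $@";
}
```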
From: Dan G. L. <dan...@ta...> - 2001-04-19 18:51:06
|
I would like to quickly check if an entry exists in LDAP. I struggled to find a good solution. This is what I've come up with so far. It works for now, but I would like to hear if anyone has any suggestions on improvements.

The idea is to start searching directly in the leafnode, and match any dn.

# See if the dn exists
$mesg = $ldap->search (
    base => "$dn",
    filter => "dn=*"
);

I tried the $entry->exists('dn') without any luck. Any examples of working code using exists?

Dan
--
Dan G. Lunde - dan...@c2...
http://home.world-online.no/~danglund/pgp/pgp...@c2...c
|
From: Bing D. <Bi...@ci...> - 2001-04-19 18:17:25
|
I have a dumb question. For bulk modifications, does anybody have any comparison and comments on using ldapmodify vs. using Net::LDAP with regard to performance? One way, I can use the modify function of Net::LDAP to change every entry, and the other way, I can write all the changes to ldif first and then run ldapmodify against the ldif. Any big difference?

Thanks in advance for inputs.

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix
|