perl-ldap-dev

Re: Using Net::LDAP to retrieve X509 certificates from a directory

[Chris R. <chr...@me...>]

Thierry Van Doninck <Thi...@de...> wrote:
> Hi,
> 
> Has anyone ever tried (and succeeded) to retrieve X509 certificates from
> a directory using Net::LDAP ?
> 
> I tried doing this and get back a string saying : 
> 
> usercertificate:{ASN1}.....
> 
> How could I exploit this ?
> 
> I would greatly appreciate any help / examples / advice.
> 
> Thanx.
> 
> Thierry
> 

Yes, I have.

Have you looked in the Net::LDAP::FAQ? It tells you about storing them,
which might give enough clues to work out how to read them back.

-----------
Using X.509 certificates.
       How do I store X.509 certificates in the directory?

       The first problem here is that there are many different
       formats to hold certificates in, for example PEM, DER,
       PKCS#7 and PKCS#12. The directory *only* uses the DER
       format (more correctly, it only uses the BER format) which
       is a binary format.
       Your first job is to ensure that your certificates are
       therefore in DER/BER format. You could use OpenSSL to
       convert from PEM like this:

               openssl x509 -inform PEM -in cert.pem -outform DER -out
cert.der

       Consult the OpenSSL documentation to find out how to
       perform other conversions.

       To add a certificate to the directory, just slurp in the
       DER/BER certificate into a scalar variable, and add it to
       the entry's userCertificate attribute. How you do that
       will depend on which version of LDAP you are using.

       To slurp in the certificate try something like this:

               my $cert;
               {
                       local $/ = undef; # Slurp mode
                       open CERT, "cert.der" or die;
                       $cert = <CERT>;
                       close CERT;
               }
               # The certificate is now in $cert

       For LDAPv2, because most directory vendors ignore the
       string representation of certificates defined in RFC 1778,
       you should add this value to the directory like this:

               $res = $ldap->modify("cn=My User, o=My Company,c=XY",
                               add => [
                                       'userCertificate' => [ $cert ]
                               ]);
               die "Modify failed (" . ldap_error_name($res->code) . ")\n"
                       if $res->code;

       For LDAPv3, you must do this instead:

               $res = $ldap->modify("cn=My User, o=My Company, c=XY",
                               add => [
                                       'userCertificate;binary' => [ $cert ]
                               ]);
               die "Modify failed (" . ldap_error_name($res->code) . ")\n"
                       if $res->code;

       Of course, the entry you are trying to add the certificate
       to must use object classes that permit the userCertificate
       attribute, otherwise the modify will fail with an object
       class violation error. The inetOrgPerson structural object
       class permits userCertificates, as does the
       strongAuthenticationUser auxiliary object class. Others
       might also.
-----------

Cheers,

Chris

Re: NEW: chasing referrals

[Chris R. <chr...@me...>]

Roland Stigge <rol...@ep...> wrote:
> Hi all,
> 
> I've got a problem understanding the information posted earlier on this
> mailing list:
> 
> ----- begin
>      FROM: Graham Barr
>      DATE: 10/17/2000 22:20:47
>      SUBJECT: RE:  chasing referrals
>       
>      On Tue, Oct 17, 2000 at 05:27:49PM -0700, Robbie Allen wrote:
>      > Can Net::LDAP automatically chase referrals?  Sample code?
> 
>      Not yet. Currently you have to follow them yourself. You can
>      get them with
> 
>        $mesg = $ldap->search( ... );
>        @referrals = $mesg->referrals;
> 
>      Graham.
> ----- end
> 
> (We are using Net::LDAP 0.22 and OpenLDAP 1.2.11)
> 
> It seems that my configuration doesn't return any referrals. I have
> configured two servers, one holding o=epigenomics, the other on
> c=us,o=epigenomics. Via PHP and ldapsearch tools, the inserted referrals
> even seem to transparently redirect the client to the second server when
> accessing/searching the c=us,epigenomics substructure. But with my
> Net::LDAP code:
> 
> --- begin
> $ldap = Net::LDAP->new("wilson"); # connect to root server
> $ldap->bind;
> $mesg = $ldap->search( base => "o=epigenomics",
>                        filter => '(&(cn=*)(objectclass=*))',
>                        deref => 3,
>                        );
> @referrals = $mesg->referrals;
> foreach $ref (@referrals) {
>   print "Referral: ",$ref,"\n";
> }
> 
> print "Return code: ",$mesg->code,"\n";
> print "Error message: \"",$mesg->error,"\"\n";
> $n = $mesg->all_entries;
> print "Number of Entries: ".$n."\n";
> 
> foreach $entry ($mesg->entries) {
>   print "dn: ",$entry->dn,"\n";
> }
> --- end
>  
> I don't get any referrals (the response is:)
> 
> --- begin
> Return code: 9
> Error message: "Referral:
> ldap://deledda/c=us,o=epigenomics"
> Number of Entries: 2
> dn: cn=admin,o=epigenomics
> dn: cn=updated,o=epigenomics
> --- end
> 
> (There should be more users. ldapsearch and PHP functions are able to
> provide them.)
> 
> Thanks for your ideas!
> 
> bye,
>   Roland
> -- 
> Roland Stigge
>  
> Epigenomics AG                              Kastanienallee 24
> www.epigenomics.com                              10435 Berlin
> 
> 

You are binding using LDAPv2. LDAPv2 did not have referrals.

Some vendors have 'patched in' some support for referrals in LDAPv2, but
this is completely non-standard and not supported by Net::LDAP.

Try binding with LDAPv3 instead and see what you get. Hint: pass version =>
3 in the bind call.

Cheers,

Chris

NEW: chasing referrals

[Roland S. <rol...@ep...>]

Hi all,

I've got a problem understanding the information posted earlier on this
mailing list:

----- begin
     FROM: Graham Barr
     DATE: 10/17/2000 22:20:47
     SUBJECT: RE:  chasing referrals
      
     On Tue, Oct 17, 2000 at 05:27:49PM -0700, Robbie Allen wrote:
     > Can Net::LDAP automatically chase referrals?  Sample code?

     Not yet. Currently you have to follow them yourself. You can
     get them with

       $mesg = $ldap->search( ... );
       @referrals = $mesg->referrals;

     Graham.
----- end

(We are using Net::LDAP 0.22 and OpenLDAP 1.2.11)

It seems that my configuration doesn't return any referrals. I have
configured two servers, one holding o=epigenomics, the other on
c=us,o=epigenomics. Via PHP and ldapsearch tools, the inserted referrals
even seem to transparently redirect the client to the second server when
accessing/searching the c=us,epigenomics substructure. But with my
Net::LDAP code:

--- begin
$ldap = Net::LDAP->new("wilson"); # connect to root server
$ldap->bind;
$mesg = $ldap->search( base => "o=epigenomics",
                       filter => '(&(cn=*)(objectclass=*))',
                       deref => 3,
                       );
@referrals = $mesg->referrals;
foreach $ref (@referrals) {
  print "Referral: ",$ref,"\n";
}

print "Return code: ",$mesg->code,"\n";
print "Error message: \"",$mesg->error,"\"\n";
$n = $mesg->all_entries;
print "Number of Entries: ".$n."\n";

foreach $entry ($mesg->entries) {
  print "dn: ",$entry->dn,"\n";
}
--- end
 
I don't get any referrals (the response is:)

--- begin
Return code: 9
Error message: "Referral:
ldap://deledda/c=us,o=epigenomics"
Number of Entries: 2
dn: cn=admin,o=epigenomics
dn: cn=updated,o=epigenomics
--- end

(There should be more users. ldapsearch and PHP functions are able to
provide them.)

Thanks for your ideas!

bye,
  Roland
-- 
Roland Stigge
 
Epigenomics AG                              Kastanienallee 24
www.epigenomics.com                              10435 Berlin

Re: looking towards 0.23]

[Graham B. <gb...@po...>]

OK, Well I have heard of no problems, so I will make a release either tonight
or tomorrow.

Graham.

On Tue, Apr 17, 2001 at 09:38:11PM -0500, Clif Harden wrote:
> 
> It does work on 5.004.
> 
> Regards,
> 
> Clif
> 
> 
> 
> 1> 
> > OK, I finally got 5.00404 compiled.
> > 
> >   http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_04.tar.gz
> > 
> > should work with 5.00404
> > 
> > Graham.
> > 
> 

Using Net::LDAP to retrieve X509 certificates from a directory

[Thierry V. D. <Thi...@de...>]

Hi,

Has anyone ever tried (and succeeded) to retrieve X509 certificates from a directory using Net::LDAP ?

I tried doing this and get back a string saying : 

usercertificate:{ASN1}.....

How could I exploit this ?

I would greatly appreciate any help / examples / advice.

Thanx.

Thierry

Re: Net::LDAP questions

[Jim H. <ha...@us...>]

For your specific application, I found that it is best to keep a .dbm of
used or unused uid numbers and select one based on that after verifying
against the directory to make sure that the 2 are in sync.  We have about
8000 uids with a turnover of about 2000 / year.  My first thought was to
do something similar to what you have shown below, but decided that it was
too inefficient.
  --Jim Harle


On Wed, 18 Apr 2001 mur...@po... wrote:

> Hi,
> I find the Net::LDAP very helpful in my work, I have a couple of questions
> though-
>
> Q1. the structure returned by as_struct a bit cumbersome for my normal use-
> use of the DN as a key, hashref to data in array even when only one value is
> present.  I understand why it is that way, it is just over the top for the
> data I am working with and I find myself looping over the results of a
> search and dropping the returned values into a hash using the UID as a key
> (I know this will be unique as it is an employee ID string)-
>
> # this is what I am doing now-
> sub get_ldap_data {
> 	my @attrs = @_;
> 	my $mesg = $ldap_obj->search (
> 		attrs => [@attrs],
> 		base   => "ou=people,dc=domain,dc=com,dc=au",
> 		filter => "(uid=*)",
> 	);
> 	$mesg->code && die $mesg->error;
> 	foreach my $entry ($mesg->all_entries) {
> 		$uid = $entry->get_value('uid');
> 		# etc.
> 		$highest_uid = $uidnumber if ($uidnumber > $highest_uid);
> 		@{$ldap{$uid}}    = ($uidnumber, .....);
> 	}
> 	return %ldap;
> }
>
> Is there any way to process the search results as they are found, this would
> let me create my own structure on the fly and also enable me to look for
> other conditions such as highest used uidnumber as I go, something like
> 	foreach my $entry ($ldap_obj->search()){
> 		....
> 	}
> Or is there a better way to approach the problem?
>
> Q2. is there a way to get a search to halt as soon as an item matching the
> search criteria is found?
>
> Thanks for the help,
> regards
> Murray
>
> --
> Murray Barton
> Unix Systems Administrator
> Western Australian Police Service
> Tel:  (08) 9222 1900
> Fax: (08) 9222 1698
>
>
> ************************************************************************************************
> This email message and any attached files may contain information that is
> confidential and subject of legal privilege intended only for use by the individual
> or entity to whom they are addressed. If you are not the intended recipient or the
> person responsible for delivering the message to the intended recipient be
> advised that you have received this message in error and that any use, copying,
> circulation, forwarding, printing or publication of this message or attached files is
> strictly forbidden, as is the disclosure of the information contained therein.
> If you have received this message in error, please notify the sender immediately
> and delete it from your Inbox.
> ************************************************************************************************
>
>

Net::LDAP questions

[<mur...@po...>]

Hi,
I find the Net::LDAP very helpful in my work, I have a couple of questions
though-

Q1. the structure returned by as_struct a bit cumbersome for my normal use-
use of the DN as a key, hashref to data in array even when only one value is
present.  I understand why it is that way, it is just over the top for the
data I am working with and I find myself looping over the results of a
search and dropping the returned values into a hash using the UID as a key
(I know this will be unique as it is an employee ID string)-

# this is what I am doing now-
sub get_ldap_data {
	my @attrs = @_;
	my $mesg = $ldap_obj->search ( 
		attrs => [@attrs],
		base   => "ou=people,dc=domain,dc=com,dc=au",
		filter => "(uid=*)",
	);
	$mesg->code && die $mesg->error;
	foreach my $entry ($mesg->all_entries) {
		$uid = $entry->get_value('uid');
		# etc.
		$highest_uid = $uidnumber if ($uidnumber > $highest_uid);
		@{$ldap{$uid}}    = ($uidnumber, .....);
	}
	return %ldap;
}

Is there any way to process the search results as they are found, this would
let me create my own structure on the fly and also enable me to look for
other conditions such as highest used uidnumber as I go, something like
	foreach my $entry ($ldap_obj->search()){
		....
	} 
Or is there a better way to approach the problem?

Q2. is there a way to get a search to halt as soon as an item matching the
search criteria is found?

Thanks for the help,
regards
Murray

--
Murray Barton
Unix Systems Administrator
Western Australian Police Service
Tel:  (08) 9222 1900
Fax: (08) 9222 1698


************************************************************************************************
This email message and any attached files may contain information that is 
confidential and subject of legal privilege intended only for use by the individual 
or entity to whom they are addressed. If you are not the intended recipient or the 
person responsible for delivering the message to the intended recipient be 
advised that you have received this message in error and that any use, copying, 
circulation, forwarding, printing or publication of this message or attached files is 
strictly forbidden, as is the disclosure of the information contained therein.
If you have received this message in error, please notify the sender immediately 
and delete it from your Inbox.
************************************************************************************************

Re: looking towards 0.23]

[Clif H. <cl...@di...>]

It does work on 5.004.

Regards,

Clif



1> 
> OK, I finally got 5.00404 compiled.
> 
>   http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_04.tar.gz
> 
> should work with 5.00404
> 
> Graham.
> 

RE: How to avoid connecting to LDAP at each Perl CGI-CALL

[<ma...@mj...>]

Glad I was able to help and glad you enjoyed the book.

Mark

On 9 Apr 01, at 8:54, Behruz Rushenas wrote:

> Hi Mark,
> Thanks for your response, i will have a look to www.modperl.com . By
> the way, I found your book very interesting about different solutions
> to implement an LDAP directory.
> 
> Thanks.
> Behruz.
> 
> 
> 
> -----Original Message-----
> From: ma...@mj... [mailto:ma...@mj...]
> Sent: Sunday, April 08, 2001 9:50 AM
> To: Behruz Rushenas
> Cc: per...@li...
> Subject: Re: How to avoid connecting to LDAP at each Perl CGI-CALL
> 
> 
> The only way to do this is to use mod_perl instead of traditional CGI.
> mod_perl allows you to write to the Apache api instead of executing a
> seperate process. And once a mod_perl module is loaded it stays
> loaded.
> 
> See www.modperl.com for more info.
> 
> Mark
> 
> On 4 Apr 01, at 8:24, Behruz Rushenas wrote:
> 
> > Hi,
> >
> > I would like to know if there is way to avoid Binding to LDAP at
> > each time I Call a Perl CGI script? Right now, I have to bind every
> > time I call a script.
> >
> > I would like to keep my ldap instance created at the first begining
> > time and keep using it. Sorry if the question seems stupid to some
> > of you, but i am a novice in Perl and CGI programming.
> >
> > Thanks all of you for your help.
> >
> > Behruz.
> >
> >
> >
> >
> 
> 
> Mark Wilcox
> ma...@mj...
> Got LDAP?
> 
> 
> 
> 


Mark Wilcox
ma...@mj...
Got LDAP?

Re: Anyone used perl-ldap with Perl 5 for Netware?

[<ma...@mj...>]

I'm pretty sure I got this to work once. As long as it's Perl 5.00503 
compliant you should be cool because Net::LDAP is pure Perl it's 
not dependent upon any C libraries except for MD5 (only used for 
SASL & if necessary there's a pure Perl MD5 module out there that 
would be easy to substitute in), XML::Parser (used for DSML) and 
SSL (only for Net::LDAPS). These are extension to the core 
Net::LDAP library, so most likely you won't have any problems.

Mark

On 10 Apr 01, at 13:20, Gary Flynn wrote:

> I've got someone that wants to authenticate against an
> external LDAP server. They're running Perl 5 for Netware
> for CGI scripts on the Netscape web server. Anyone have
> any experiences with perl-ldap on this platform?
> 
> thanks,
> -- 
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
> 
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
> 
> 
> 


Mark Wilcox
ma...@mj...
Got LDAP?

RE: Question about comparing perl variables to LDAP values...

[Cruz d. <cru...@ya...>]

Tom & Jim,  

Many thanks for all your assistance on this!  With your help, I've got the
change-password page working smoothly.  Much appreciated!!

-Cruz deWilde

> -----Original Message-----
> From: Tom Jordan [mailto:tj...@do...]
> Sent: Friday, April 13, 2001 11:05 AM
> To: Cruz deWilde
> Cc: per...@li...
> Subject: RE: Question about comparing perl variables to LDAP values...
> 
>  
> Sure,
> Just assign the return from #ldap->modify to something:
> $mesg = $ldap->modify( dn => $dn, replace => $dataref);
> You can then get the return code with:
> $result = $msg->code();
> If $result is 0, things worked. If not, $result will hold the 
> LDAP error
> code describing what happened.
> 
> 	--Tom
> 

> -----Original Message-----
> From: Jim Harle [mailto:ha...@us...]
> Sent: Friday, April 13, 2001 11:26 AM
> To: Cruz deWilde
> Cc: tj...@do...; per...@li...
> Subject: RE: Question about comparing perl variables to LDAP values...
> 
> Cruz,
>   The short answer to your question is to just check the code() values
> from the return.  E.g.,
>    $refs = $ldap->modify ($dn,
>    if ($refs->code ) {
>      process the return - it didn't work
> 
> The log answer is that at least on Novell eDirectory, the changing of
> passwords can be tricky.  In version 8.3, I could bind with 
> the user's old
> password, then do a modify like:
>     $refs = $ldap->modify ($dn,
>                   delete => {userPassword => $pass0} ,
>                   add => {userPassword => $pass1} );
> replace didn't work.  In version 8.5, I needed to bind with 
> an admin dn
> and password then do separate deletes and adds.  Ugly!!
> 
>   --Jim Harle


__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. 
http://personal.mail.yahoo.com/

RE: Question about comparing perl variables to LDAP values...

[Jim H. <ha...@us...>]

Cruz,
  The short answer to your question is to just check the code() values
from the return.  E.g.,
   $refs = $ldap->modify ($dn,
   if ($refs->code ) {
     process the return - it didn't work

The log answer is that at least on Novell eDirectory, the changing of
passwords can be tricky.  In version 8.3, I could bind with the user's old
password, then do a modify like:
    $refs = $ldap->modify ($dn,
                  delete => {userPassword => $pass0} ,
                  add => {userPassword => $pass1} );
replace didn't work.  In version 8.5, I needed to bind with an admin dn
and password then do separate deletes and adds.  Ugly!!

  --Jim Harle


On Fri, 13 Apr 2001, Cruz deWilde wrote:

> Thanks for your quick and very helpful response, Tom!
>
> That is unquestionably the best way to do this.  One last question, though --
> is there any way to get a return value from $ldap->modify (so I can tell the
> user whether the password change was successful)?  Thanks again -- I truly
> appreciate your help.
>
> -Cruz deWilde

RE: Question about comparing perl variables to LDAP values...

[Tom J. <tj...@do...>]

Sure,

Just assign the return from #ldap->modify to something:

$mesg = $ldap->modify( dn => $dn, replace => $dataref);

You can then get the return code with:

$result = $msg->code();

If $result is 0, things worked. If not, $result will hold the LDAP error
code describing what happened.

	--Tom

On Fri, 13 Apr 2001, Cruz deWilde wrote:

> Thanks for your quick and very helpful response, Tom!
>
> That is unquestionably the best way to do this.  One last question, though --
> is there any way to get a return value from $ldap->modify (so I can tell the
> user whether the password change was successful)?  Thanks again -- I truly
> appreciate your help.
>
> -Cruz deWilde
>
> > -----Original Message-----
> > From: Tom Jordan [mailto:tj...@do...]
> > Sent: Friday, April 13, 2001 7:07 AM
> > To: Cruz deWilde
> > Cc: per...@li...
> > Subject: Re: Question about comparing perl variables to LDAP values...
> >
> >
> >
> > Rather than comparing the attributes (which would require
> > your script to
> > have 'compare' access to the userpassword attribute, why not
> > attempt to
> > bind to the directory as the user? That way you don't have to
> > give your
> > script as much access (and don't need to worry as much about hashing
> > algorithms).
> >
> > 	--Tom
> >
> > On Thu, 12 Apr 2001, Cruz deWilde wrote:
> >
> > > Hi all,
> > >
> > > I'm more or less a neophyte when it comes to working with
> > LDAP, and I'm hoping
> > > someone out there might help me with something.  I'm trying
> > to build a
> > > web-based "Change Password" form for our new iPlanet LDAP
> > implementation, and
> > > I've been having trouble figuring out how to compare the
> > user's old password to
> > > their existing LDAP password for verification.  The web
> > form I built encrypts
> > > their passwords (old and new) using MD5, and then passes
> > them to the perl cgi
> > > form-processor, which is supposed to first figure out if
> > their old password
> > > matches their existing one, and then update the password
> > entry with the new
> > > encrypted one...
> > >
> > > I'm connecting to the LDAP server without any trouble, but
> > I really don't
> > > understand the usage of Net::LDAP's $ldap->compare
> > function.  In short, the
> > > function doesn't seem to return anything which indicates
> > whether or not the
> > > passwords match.  I'm pretty sure that it comes down to the
> > fact that I don't
> > > really know what I'm doing here, but if anyone out there
> > could provide some
> > > example of this function in action, it would ease my
> > suffering greatly  :)  I'm
> > > quite sure that building a web-based, perl-driven password
> > update form for LDAP
> > > has been done a thousand times before, so any sample code
> > would be tremendously
> > > appreciated.  Thanks!!
> > >
> > > -Cruz deWilde
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Get email at your own domain with Yahoo! Mail.
> > > http://personal.mail.yahoo.com/
> > >
> >
>
> __________________________________________________
> Do You Yahoo!?
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/
>

RE: Question about comparing perl variables to LDAP values...

[Cruz d. <cru...@ya...>]

Thanks for your quick and very helpful response, Tom!

That is unquestionably the best way to do this.  One last question, though --
is there any way to get a return value from $ldap->modify (so I can tell the
user whether the password change was successful)?  Thanks again -- I truly
appreciate your help.

-Cruz deWilde

> -----Original Message-----
> From: Tom Jordan [mailto:tj...@do...]
> Sent: Friday, April 13, 2001 7:07 AM
> To: Cruz deWilde
> Cc: per...@li...
> Subject: Re: Question about comparing perl variables to LDAP values...
> 
> 
> 
> Rather than comparing the attributes (which would require 
> your script to
> have 'compare' access to the userpassword attribute, why not 
> attempt to
> bind to the directory as the user? That way you don't have to 
> give your
> script as much access (and don't need to worry as much about hashing
> algorithms).
> 
> 	--Tom
> 
> On Thu, 12 Apr 2001, Cruz deWilde wrote:
> 
> > Hi all,
> >
> > I'm more or less a neophyte when it comes to working with 
> LDAP, and I'm hoping
> > someone out there might help me with something.  I'm trying 
> to build a
> > web-based "Change Password" form for our new iPlanet LDAP 
> implementation, and
> > I've been having trouble figuring out how to compare the 
> user's old password to
> > their existing LDAP password for verification.  The web 
> form I built encrypts
> > their passwords (old and new) using MD5, and then passes 
> them to the perl cgi
> > form-processor, which is supposed to first figure out if 
> their old password
> > matches their existing one, and then update the password 
> entry with the new
> > encrypted one...
> >
> > I'm connecting to the LDAP server without any trouble, but 
> I really don't
> > understand the usage of Net::LDAP's $ldap->compare 
> function.  In short, the
> > function doesn't seem to return anything which indicates 
> whether or not the
> > passwords match.  I'm pretty sure that it comes down to the 
> fact that I don't
> > really know what I'm doing here, but if anyone out there 
> could provide some
> > example of this function in action, it would ease my 
> suffering greatly  :)  I'm
> > quite sure that building a web-based, perl-driven password 
> update form for LDAP
> > has been done a thousand times before, so any sample code 
> would be tremendously
> > appreciated.  Thanks!!
> >
> > -Cruz deWilde
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Get email at your own domain with Yahoo! Mail.
> > http://personal.mail.yahoo.com/
> >
> 

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. 
http://personal.mail.yahoo.com/

Re: Question about comparing perl variables to LDAP values...

[Tom J. <tj...@do...>]

Rather than comparing the attributes (which would require your script to
have 'compare' access to the userpassword attribute, why not attempt to
bind to the directory as the user? That way you don't have to give your
script as much access (and don't need to worry as much about hashing
algorithms).

	--Tom

On Thu, 12 Apr 2001, Cruz deWilde wrote:

> Hi all,
>
> I'm more or less a neophyte when it comes to working with LDAP, and I'm hoping
> someone out there might help me with something.  I'm trying to build a
> web-based "Change Password" form for our new iPlanet LDAP implementation, and
> I've been having trouble figuring out how to compare the user's old password to
> their existing LDAP password for verification.  The web form I built encrypts
> their passwords (old and new) using MD5, and then passes them to the perl cgi
> form-processor, which is supposed to first figure out if their old password
> matches their existing one, and then update the password entry with the new
> encrypted one...
>
> I'm connecting to the LDAP server without any trouble, but I really don't
> understand the usage of Net::LDAP's $ldap->compare function.  In short, the
> function doesn't seem to return anything which indicates whether or not the
> passwords match.  I'm pretty sure that it comes down to the fact that I don't
> really know what I'm doing here, but if anyone out there could provide some
> example of this function in action, it would ease my suffering greatly  :)  I'm
> quite sure that building a web-based, perl-driven password update form for LDAP
> has been done a thousand times before, so any sample code would be tremendously
> appreciated.  Thanks!!
>
> -Cruz deWilde
>
> __________________________________________________
> Do You Yahoo!?
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/
>

Question about comparing perl variables to LDAP values...

[Cruz d. <cru...@ya...>]

Hi all,

I'm more or less a neophyte when it comes to working with LDAP, and I'm hoping
someone out there might help me with something.  I'm trying to build a
web-based "Change Password" form for our new iPlanet LDAP implementation, and
I've been having trouble figuring out how to compare the user's old password to
their existing LDAP password for verification.  The web form I built encrypts
their passwords (old and new) using MD5, and then passes them to the perl cgi
form-processor, which is supposed to first figure out if their old password
matches their existing one, and then update the password entry with the new
encrypted one...

I'm connecting to the LDAP server without any trouble, but I really don't
understand the usage of Net::LDAP's $ldap->compare function.  In short, the
function doesn't seem to return anything which indicates whether or not the
passwords match.  I'm pretty sure that it comes down to the fact that I don't
really know what I'm doing here, but if anyone out there could provide some
example of this function in action, it would ease my suffering greatly  :)  I'm
quite sure that building a web-based, perl-driven password update form for LDAP
has been done a thousand times before, so any sample code would be tremendously
appreciated.  Thanks!!

-Cruz deWilde 

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. 
http://personal.mail.yahoo.com/

Perl version suggestion

[Clif H. <cl...@di...>]

I have a suggestion about supporting perl versions.

I would like to see us stop supporting perl version 5.004
with perl-ldap version .25.

This gives a 2 release notice (.23 and .24) that we will stop 
supporting perl 5.004.  We can publish this on the web page, 
put a notice in the module, and Graham can mention it during 
the Perl-Ldap class that he is teaching at TPC 5.

Regards,

Clif Harden           INTERNET:  c-h...@ti...

Re: looking towards 0.23]

[Graham B. <gb...@po...>]

OK, I finally got 5.00404 compiled.

  http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_04.tar.gz

should work with 5.00404

Graham.

On Thu, Apr 12, 2001 at 03:26:16PM +0100, Graham Barr wrote:
> OK, sounds good. Although I have only had a handful of people test things.
> 
> However I am unable to get perl5.00404 to compile here, so unless
> someone can send me some patches, 0.23 is unlikely to be 5.00404 compatable.
> 
> Graham.
> 
> On Wed, Apr 11, 2001 at 11:05:46PM -0500, Clif Harden wrote:
> > Graham Barr wrote:
> > > 
> > > For those who do not have CVS access there is now a fixed release at
> > > 
> > >   http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_03.tar.gz
> > > 
> > > This does not yet have any fixes for 5.004
> > > 
> > > Graham.
> > > 
> > 
> > Loaded and tested on my Linux Mandrake 6.2 system, perl version
> > 5.005_03 and OpenLdap 2.0.7.
> > 
> > I loaded and displayed a couple of jpegPhotos, pulled schema and records
> > using the tklkup script in the contrib section.
> > 
> > I did not have any problems. 
> >  
> > Regards,
> > 
> > Clif Harden          ch...@po...
> > 

Re: looking towards 0.23]

[Graham B. <gb...@po...>]

OK, sounds good. Although I have only had a handful of people test things.

However I am unable to get perl5.00404 to compile here, so unless
someone can send me some patches, 0.23 is unlikely to be 5.00404 compatable.

Graham.

On Wed, Apr 11, 2001 at 11:05:46PM -0500, Clif Harden wrote:
> Graham Barr wrote:
> > 
> > For those who do not have CVS access there is now a fixed release at
> > 
> >   http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_03.tar.gz
> > 
> > This does not yet have any fixes for 5.004
> > 
> > Graham.
> > 
> 
> Loaded and tested on my Linux Mandrake 6.2 system, perl version
> 5.005_03 and OpenLdap 2.0.7.
> 
> I loaded and displayed a couple of jpegPhotos, pulled schema and records
> using the tklkup script in the contrib section.
> 
> I did not have any problems. 
>  
> Regards,
> 
> Clif Harden          ch...@po...
> 

Re: Lost connection

[Graham B. <gb...@po...>]

On Thu, Apr 12, 2001 at 10:09:11AM -0400, Eric Nichols wrote:
> I'm doing some searches on a Netscape server which has poor
> communications.
> 
> These are the error codes I get back:
> 
> $sourcemsg->code  returns 1 (Operations Error)
> 
> $sourcemsg->error returns :
> I/O Error Unknown error
> 494f3a3a536f636b65743a3a494e45543d474c4f422830783165623734663429
> 
> Any ideas?

Convert::ASN1 had problems reading a packet from the socket.

The text "Unknown error" is what "$!" returns, so it is unclear
exactly what happend. The hex values are what asn_read has
already read og the PDU.

Does ths happen on a regular basis ?

Graham.

Lost connection

[Eric N. <eni...@cp...>]

I'm doing some searches on a Netscape server which has poor
communications.

These are the error codes I get back:

$sourcemsg->code  returns 1 (Operations Error)

$sourcemsg->error returns :
I/O Error Unknown error
494f3a3a536f636b65743a3a494e45543d474c4f422830783165623734663429

Any ideas?

Re: looking towards 0.23]

[Clif H. <ch...@po...>]

Graham Barr wrote:
> 
> For those who do not have CVS access there is now a fixed release at
> 
>   http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_03.tar.gz
> 
> This does not yet have any fixes for 5.004
> 
> Graham.
> 

Loaded and tested on my Linux Mandrake 6.2 system, perl version
5.005_03 and OpenLdap 2.0.7.

I loaded and displayed a couple of jpegPhotos, pulled schema and records
using the tklkup script in the contrib section.

I did not have any problems. 
 
Regards,

Clif Harden          ch...@po...

Re: looking towards 0.23]

[Graham B. <gb...@po...>]

For those who do not have CVS access there is now a fixed release at

  http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_03.tar.gz

This does not yet have any fixes for 5.004

Graham.

On Wed, Apr 11, 2001 at 08:41:44AM -0700, Christoph Neumann wrote:
> 
> Test errors on:
> RedHat 6.2  2.2.18  i686
> 
> [enigma@perelandra perl-ldap-0.22_02]$ make test
> PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib
> -I/usr/lib/perl5/5.00503/i386-linux -I/usr/lib/perl5/5.00503 -e 'use
> Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
> t/00ldif-entry......ok
> t/01canon_dn........Name "main::reforig" used only once: possible typo at
> t/01canon_dn.t line 86.
> Use of uninitialized value at blib/lib/Net/LDAP/Util.pm line 318.
> FAILED tests 23-28
>         Failed 6/28 tests, 78.57% okay
> t/02filter..........ok
> t/50populate........skipping test on this platform
> t/51search..........skipping test on this platform
> t/52modify..........skipping test on this platform
> t/53schema..........ok
> Failed Test  Status Wstat Total Fail  Failed  List of failed
> -------------------------------------------------------------------------------
> t/01canon_dn.t               28    6  21.43%  23-28
> 3 tests skipped.
> Failed 1/7 test scripts, 85.71% okay. 6/194 subtests failed, 96.91% okay.
> make: *** [test_dynamic] Error 29
> 
> I just grabbed 
> http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_02.tar.gz
> and compiled
> 
> - Christoph
> 
> 
> On Wed, 11 Apr 2001, Graham Barr wrote:
> 
> > OK, I have fixed these error in CVS.
> > 
> > If a few people could test this release on some real scripts
> > I will make a .23 release.
> > 
> > Graham.
> > 
> > On Tue, Apr 10, 2001 at 09:12:00PM -0500, Clif Harden wrote:
> > > 
> > > 
> > > Looks like we have a problem on this release when
> > > you do a make test.  I get the following errors;
> > > 
> > > 
> > > 
> > > /apps/clif/perls/perl-ldap-0.22_02 15 : make test
> > > PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib
> > > -I/usr/lib/perl5/5.00503/i386-linux -I/usr/lib/perl5/5.00503 -e 'use
> > > Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
> > > t/00ldif-entry......ok
> > > t/01canon_dn........Name "main::reforig" used only once: possible typo
> > > at t/01canon_dn.t line 86.
> > > Use of uninitialized value at blib/lib/Net/LDAP/Util.pm line 318.
> > > FAILED tests 23-28
> > >         Failed 6/28 tests, 78.57% okay
> > > t/02filter..........ok
> > > t/50populate........skipping test on this platform
> > > t/51search..........skipping test on this platform
> > > t/52modify..........skipping test on this platform
> > > t/53schema..........ok
> > > Failed Test  Status Wstat Total Fail  Failed  List of failed
> > > -------------------------------------------------------------------------------
> > > t/01canon_dn.t               28    6  21.43%  23-28
> > > 3 tests skipped.
> > > Failed 1/7 test scripts, 85.71% okay. 6/194 subtests failed, 96.91%
> > > okay.
> > > make: *** [test_dynamic] Error
> > > 29                                               
> > > 
> > > 
> > > Once we fix these errors I think we should release .23.
> > > 
> > > Regards,
> > > 
> > > Clif Harden          ch...@po...
> > > 
> > > 
> > > 
> > > 
> > > Graham Barr wrote:
> > > > 
> > > > Whoops, sorry the file had the wrong permissions. It is there now
> > > > 
> > > > Graham.
> > > > 
> > > > On Tue, Apr 10, 2001 at 06:08:44PM +0100, Graham Barr wrote:
> > > > > I think it is about time we looked forward to a 0.23 release.
> > > > >
> > > > > I have put together a snapshot at http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_02.tar.gz
> > > > >
> > > > > The release notes are
> > > > >
> > > > >
> > > > > perl-ldap 0.23
> > > > > ================================
> > > > >
> > > > > * Fixed bug in Net::LDAP::Filter when the filter contained an escaped *
> > > > > * Fixed SASL bind to call challenge with serverSaslCreds
> > > > > * Fixed some uninit errors in Net::LDAP::Entry
> > > > > * Various documention updates
> > > > > * Added Net::LDAP::Util::canonical_dn
> > > > > * Net::LDAP::LDIF will now call canonical_dn for any DN which
> > > > >   contains non-printable characters
> > > > > * Added support for matchingruleuse, ditstructurerules, ditcontentrules
> > > > >   and nameForms into Net::LDAP::Schema
> > > > > * The ->schema method in Net::LDAP has changed how it finds the
> > > > >   schema to return. The new method is more correct, but there may
> > > > >   be a possibility that this change has created an incompatability.
> > > > > * New control module Net::LDAP::Control::ProxyAuth from
> > > > >   Olivier Dubois added
> > > > >
> > > > >
> > > > > If I have missed anything please let me know.
> > > > >
> > > > > Graham.
> > > > >
> > > 
> > > --
> > > 
> > > 
> > 
> > 
> 
> 

Re: looking towards 0.23]

[Christoph N. <en...@ap...>]

Test errors on:
RedHat 6.2  2.2.18  i686

[enigma@perelandra perl-ldap-0.22_02]$ make test
PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib
-I/usr/lib/perl5/5.00503/i386-linux -I/usr/lib/perl5/5.00503 -e 'use
Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
t/00ldif-entry......ok
t/01canon_dn........Name "main::reforig" used only once: possible typo at
t/01canon_dn.t line 86.
Use of uninitialized value at blib/lib/Net/LDAP/Util.pm line 318.
FAILED tests 23-28
        Failed 6/28 tests, 78.57% okay
t/02filter..........ok
t/50populate........skipping test on this platform
t/51search..........skipping test on this platform
t/52modify..........skipping test on this platform
t/53schema..........ok
Failed Test  Status Wstat Total Fail  Failed  List of failed
-------------------------------------------------------------------------------
t/01canon_dn.t               28    6  21.43%  23-28
3 tests skipped.
Failed 1/7 test scripts, 85.71% okay. 6/194 subtests failed, 96.91% okay.
make: *** [test_dynamic] Error 29

I just grabbed 
http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_02.tar.gz
and compiled

- Christoph


On Wed, 11 Apr 2001, Graham Barr wrote:

> OK, I have fixed these error in CVS.
> 
> If a few people could test this release on some real scripts
> I will make a .23 release.
> 
> Graham.
> 
> On Tue, Apr 10, 2001 at 09:12:00PM -0500, Clif Harden wrote:
> > 
> > 
> > Looks like we have a problem on this release when
> > you do a make test.  I get the following errors;
> > 
> > 
> > 
> > /apps/clif/perls/perl-ldap-0.22_02 15 : make test
> > PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib
> > -I/usr/lib/perl5/5.00503/i386-linux -I/usr/lib/perl5/5.00503 -e 'use
> > Test::Harness qw(&runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
> > t/00ldif-entry......ok
> > t/01canon_dn........Name "main::reforig" used only once: possible typo
> > at t/01canon_dn.t line 86.
> > Use of uninitialized value at blib/lib/Net/LDAP/Util.pm line 318.
> > FAILED tests 23-28
> >         Failed 6/28 tests, 78.57% okay
> > t/02filter..........ok
> > t/50populate........skipping test on this platform
> > t/51search..........skipping test on this platform
> > t/52modify..........skipping test on this platform
> > t/53schema..........ok
> > Failed Test  Status Wstat Total Fail  Failed  List of failed
> > -------------------------------------------------------------------------------
> > t/01canon_dn.t               28    6  21.43%  23-28
> > 3 tests skipped.
> > Failed 1/7 test scripts, 85.71% okay. 6/194 subtests failed, 96.91%
> > okay.
> > make: *** [test_dynamic] Error
> > 29                                               
> > 
> > 
> > Once we fix these errors I think we should release .23.
> > 
> > Regards,
> > 
> > Clif Harden          ch...@po...
> > 
> > 
> > 
> > 
> > Graham Barr wrote:
> > > 
> > > Whoops, sorry the file had the wrong permissions. It is there now
> > > 
> > > Graham.
> > > 
> > > On Tue, Apr 10, 2001 at 06:08:44PM +0100, Graham Barr wrote:
> > > > I think it is about time we looked forward to a 0.23 release.
> > > >
> > > > I have put together a snapshot at http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.22_02.tar.gz
> > > >
> > > > The release notes are
> > > >
> > > >
> > > > perl-ldap 0.23
> > > > ================================
> > > >
> > > > * Fixed bug in Net::LDAP::Filter when the filter contained an escaped *
> > > > * Fixed SASL bind to call challenge with serverSaslCreds
> > > > * Fixed some uninit errors in Net::LDAP::Entry
> > > > * Various documention updates
> > > > * Added Net::LDAP::Util::canonical_dn
> > > > * Net::LDAP::LDIF will now call canonical_dn for any DN which
> > > >   contains non-printable characters
> > > > * Added support for matchingruleuse, ditstructurerules, ditcontentrules
> > > >   and nameForms into Net::LDAP::Schema
> > > > * The ->schema method in Net::LDAP has changed how it finds the
> > > >   schema to return. The new method is more correct, but there may
> > > >   be a possibility that this change has created an incompatability.
> > > > * New control module Net::LDAP::Control::ProxyAuth from
> > > >   Olivier Dubois added
> > > >
> > > >
> > > > If I have missed anything please let me know.
> > > >
> > > > Graham.
> > > >
> > 
> > --
> > 
> > 
> 
> 

Re: looking towards 0.23]

[Graham B. <gb...@po...>]

> > What is the minimum version of perl that perl-ldap needs? We should test
> > for that in Makefile.PL.
> 
> In my opinion the lowest version should be 5.004.  
> 
> All previous perl-ldap verisons installed with no
> problem(s) on 5.004.  This is the first version that I 
> know of that has had problems on 5.004.
> 
> If we are going to set the mimimum version to 5.00503
> then I think we need to let users (list) know about this 
> well in advance of doing it.

Well that is fine. As I said "as some point" we need to drop support
for older versions.

I am happy to support them as long as supporting older versions
does not hold back new features.

Right now I don't think that is the case. The problem we currently
have are probably just oversights, in which case we should fix
them.

Graham.