From: Kartik S. <sub...@co...> - 2003-02-14 14:08:32

Graham Barr wrote:
> On Thu, Feb 13, 2003 at 01:22:27PM -0500, FALTERMIER,DAVID (HP-PaloAlto,ex1) wrote:
>>
>> Hello Graham,
>>
>> What do you think of the idea of adding a clone() method to
>> Net::LDAP::Entry?
>
> Seems a reasonable idea to me.
>
> Graham.

Cool. Confession time -- Dave and I work on the same team (HP's Directory
Services team). Dave's written many internal scripts that heavily use
Net::LDAP, and he's got some interesting ideas for enhancements. I
encouraged him to post to the list and see what you thought.

Given that you approve of the clone() function, I was thinking it might be
convenient for me to check in the clone code into CVS. Let me know if
there's a specific process I should follow when doing this.

Regards,
-Kartik
From: Hirmke M. <Mic...@ar...> - 2003-02-14 12:39:45

Hi,

I try to get all smtp addresses from an Exchange 5.5 directory using
Perl::LDAP 0.2701. The search, though, either hangs around forever or
returns after about ten minutes without giving any results (I suspect this
is the idle disconnect time configured in Exchange).

System is SuSE Linux 8.1 with kernel 2.4.19 and Perl::LDAP 0.2701.

Btw. the same query with ldapsearch from the OpenLDAP package works as
expected. The maximum result limit in the Exchange LDAP protocol is
configured to 250000 and we have about 150000 entries in our directory.

Here is the according code snippet:

---------------------------< schnipp schnapp >--------------------------
#!/usr/bin/perl -w
use strict;
use Net::LDAP 0.27;
use Net::LDAP::Util qw(ldap_error_text);   # ldap_error_text() is not exported by Net::LDAP itself
use LibUtil;                               # local module providing Latin1UTF8()

my( $ret_val );
my( $LDAPSRV )  = "my.exchange.machine";
my( $LDAPPORT ) = 389;
my( $LDAPVER )  = 3;
my( $LDAPDBG )  = 0;
my( $AUTHDN )   = "cn=myaccount,cn=mydomain,cn=Admin";
my( $AUTHPASS ) = "mypasswd";
my( $sBase )    = "o=myexchangeorg";
my( $sFilter )  = '(objectClass=*)';
my( @lAttrs, %hSearch, $oLDAP, $lohEntries );

$sFilter = &Latin1UTF8( $sFilter ) if( $sFilter && $LDAPVER >= 3 );
@lAttrs  = ( "rfc822Mailbox", "otherMailbox", "Hide-From-Address-Book", "Is-Deleted" );

$oLDAP = Net::LDAP->new( $LDAPSRV,
                         version => $LDAPVER,
                         port    => $LDAPPORT,
                         debug   => $LDAPDBG,
                       ) or die $@;
print "new ok\n";

$ret_val = $oLDAP->bind( $AUTHDN, version => $LDAPVER, password => $AUTHPASS );
die ldap_error_text( $ret_val->code ) if( $ret_val->code );
print "bind ok\n";

%hSearch = ( scope => "sub", base => $sBase, );
$hSearch{ "filter" } = $sFilter if( $sFilter );
$hSearch{ "attrs" }  = [ @lAttrs ] if( @lAttrs );

# search() always returns a Net::LDAP::Search object, so the result code
# has to be checked on the object rather than on its truth value
$lohEntries = $oLDAP->search( %hSearch );
die ldap_error_text( $lohEntries->code ) if( $lohEntries->code );
print "search ok\n";
print "hits: ", $lohEntries->count, "\n";

$oLDAP->unbind;
---------------------------< schnipp schnapp >--------------------------

I can see in the Exchange Server's log that the client has connected and
it even tells me what attributes the script had requested. But that is
the last log file entry before disconnecting.

Any idea?

TIA.
Bye.
Michael.
From: Graham B. <gb...@po...> - 2003-02-13 22:56:59

On Thu, Feb 13, 2003 at 01:43:28PM -0800, FALTERMIER,DAVID (HP-PaloAlto,ex1) wrote:
>
> Hello Graham,
>
> Let me see if I can push my luck with another feature suggestion...
>
> There seems to be no clear way to get at the LDIF representation of an
> Net::LDAP::Entry object. I looked at the Net::LDAP::LDIF package but it
> seems to fall short a bit in this regard:
>
> Am I pushing my luck, yet?

Yes :)

LDIF generation belongs in the LDIF module, not Entry. If you want
something to generate ldif into a string then we should reorg the code in
::LDIF so that is available. eg

  $ldif = Net::LDAP::LDIF->entry2ldif($entry);

As that's a bit ugly we could have ::LDIF or ::Util export ldap_entry2ldif

Graham.
From: FALTERMIER,DAVID (HP-PaloAlto,ex1) <dav...@hp...> - 2003-02-13 21:43:33

Hello Graham,

Let me see if I can push my luck with another feature suggestion...

There seems to be no clear way to get at the LDIF representation of an
Net::LDAP::Entry object. I looked at the Net::LDAP::LDIF package but it
seems to fall short a bit in this regard:

1. It contains a few methods for returning [raw] lines read from an LDIF
   file (current_lines(), next_lines()), but it does not provide a method
   for just converting an entry that I'm already holding in my hand to an
   LDIF string.

2. The only way to get at the LDIF form of an entry is to write_entry() to
   a file [handle] and then read its contents; a round-about way at best.

What do you think of adding a method to Net::LDAP::Entry that would allow
an entry to convert itself into an appropriate LDIF string? The following
code snippet is one such example but I'm sure the internals could be
streamlined so as to not depend on IO::String (see below).

  package Net::LDAP::Entry;

  use IO::String;
  use Net::LDAP::LDIF;

  # Returns a reference to an LDIF string representation of itself.
  sub get_LDIF {
      # The Net::LDAP::LDIF package converts an entry to LDIF
      # form by printing to a filehandle. Since we want to
      # slurp the LDIF into a scalar variable, we'll have to
      # use something like IO::String to capture the output.
      my $self = shift;
      my $fh   = IO::String->new;
      my $ldif = Net::LDAP::LDIF->new($fh, "w");
      $ldif->write_entry($self);
      return $fh->string_ref();
  }

The alternative would be to add a class method to Net::LDAP::LDIF that
performs the same conversion given any entry.

Am I pushing my luck, yet?

David Faltermier
From: Graham B. <gb...@po...> - 2003-02-13 18:30:50

On Thu, Feb 13, 2003 at 01:22:27PM -0500, FALTERMIER,DAVID (HP-PaloAlto,ex1) wrote:
>
> Hello Graham,
>
> What do you think of the idea of adding a clone() method to
> Net::LDAP::Entry?

Seems a reasonable idea to me.

Graham.

> On occasion, I need to duplicate a working copy of an entry (e.g.: creating
> a new entry based on attributes in another, etc..). I wonder if enough
> folks would benefit if this feature were added to Net::LDAP::Entry(?)
>
> I was thinking of something along the lines of:
>
>   package Net::LDAP::Entry;
>
>   sub clone
>   {
>       my $self  = shift;
>       my $clone = $self->new();
>
>       $clone->dn($self->dn());
>       foreach ($self->attributes()) {
>           $clone->add($_ => [$self->get_value($_)]);
>       }
>       return $clone;
>   }
>
> Your thoughts?
>
> David Faltermier
From: FALTERMIER,DAVID (HP-PaloAlto,ex1) <dav...@hp...> - 2003-02-13 18:22:47

Hello Graham,

What do you think of the idea of adding a clone() method to
Net::LDAP::Entry?

On occasion, I need to duplicate a working copy of an entry (e.g.: creating
a new entry based on attributes in another, etc..). I wonder if enough
folks would benefit if this feature were added to Net::LDAP::Entry(?)

I was thinking of something along the lines of:

  package Net::LDAP::Entry;

  sub clone
  {
      my $self  = shift;
      my $clone = $self->new();

      $clone->dn($self->dn());
      foreach ($self->attributes()) {
          $clone->add($_ => [$self->get_value($_)]);
      }
      return $clone;
  }

Your thoughts?

David Faltermier
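The two feature requests in this thread, a clone() for Net::LDAP::Entry and a way to get an entry's LDIF form as a string, can both be done with the public Net::LDAP API. The script below is an added example written for this archive page; it is neither code from the posts nor from Net::LDAP itself. It assumes Net::LDAP is installed and that perl is 5.8 or newer (for in-memory filehandles); the entry contents and the example.com DNs are constructed sample data.

```perl
#!/usr/bin/perl
# Added example, not code from the list or from Net::LDAP itself: copy a
# Net::LDAP::Entry and render it as an LDIF string in memory. Assumes
# Net::LDAP is installed; the entry below is constructed sample data.
use strict;
use warnings;
use Net::LDAP::Entry;
use Net::LDAP::LDIF;
use Scalar::Util qw(openhandle);

# Copy the dn and every attribute value of $entry into a fresh
# Net::LDAP::Entry. get_value() is called in list context so multi-valued
# attributes are copied whole, and the values go into a new array ref so
# later edits of the copy cannot reach back into the original.
sub clone_entry {
    my ($entry) = @_;
    my $clone = Net::LDAP::Entry->new;
    $clone->dn($entry->dn);
    for my $attr ($entry->attributes) {
        my @values = $entry->get_value($attr);
        $clone->add($attr => [ @values ]);
    }
    return $clone;
}

# Render an entry as LDIF text by pointing Net::LDAP::LDIF at an in-memory
# filehandle (a perl 5.8 feature), so neither a temporary file nor
# IO::String is needed.
sub entry_to_ldif {
    my ($entry) = @_;
    my $buf = '';
    open(my $fh, '>', \$buf) or die "cannot open in-memory handle: $!";
    my $ldif = Net::LDAP::LDIF->new($fh, 'w', onerror => 'die');
    $ldif->write_entry($entry);
    $ldif->done;
    close($fh) if openhandle($fh);   # flush whatever done() left buffered
    return $buf;
}

# --- constructed sample entry; example.com is a placeholder domain ------
my $orig = Net::LDAP::Entry->new;
$orig->dn('uid=jdoe,ou=people,dc=example,dc=com');
$orig->add(
    objectClass => [ 'inetOrgPerson' ],
    uid         => 'jdoe',
    cn          => 'Jane Doe',
    mail        => [ 'jdoe@example.com', 'jane.doe@example.com' ],
);

my $copy = clone_entry($orig);
$copy->dn('uid=jdoe2,ou=people,dc=example,dc=com');
$copy->replace(cn => 'Jane Doe (copy)');

# Edits to the copy do not affect the original.
my @mail = $copy->get_value('mail');
printf "original cn: %s\n", scalar $orig->get_value('cn');   # Jane Doe
printf "copy cn    : %s\n", scalar $copy->get_value('cn');   # Jane Doe (copy)
printf "copy mail  : %d values\n", scalar @mail;             # 2

print "\n", entry_to_ldif($copy);
```

The copy is built with add() on a brand-new entry, so its changetype stays "add" and it can be handed straight to $ldap->add; the original keeps whatever pending changes it had. Values that came from a live directory may be binary (certificates, GUIDs), which is why the LDIF writer, not a hand-rolled join, is used to produce the text: it base64-encodes such values itself.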
From: Peter M. <pet...@ma...> - 2003-02-10 12:58:51

Hi,

On Monday 10 February 2003 13:17, Sean Lee (eRexi) wrote:
> My first question is - what is the correct way to bind as cn=Manager (or
> whatever) to OpenLDAP if your password is in slapd.conf (not in LDAP
> database itself)?
> This below produces "Invalid credentials" on RH 8.0 and stock OpenLDAP.
> my $ldap_msg = $ldap->bind( dn => $bind_dn, password => $bind_password);

Try:

  my $ldap_msg = $ldap->bind($bind_dn, password => $bind_password);

The bind_dn should match the one in slapd.conf (please note that slapd
wants it normalized [i.e. no spaces after commas between DN parts]).
The bind_password should be the cleartext equivalent of the one in
slapd.conf. I.e. even if the rootpw is crypted in slapd.conf, you have to
give it in cleartext here.

> My second question is regarding update example in FAQs (code below);
> what exactly is %$whatToChange here? If someone can share a real-life
> example with OpenLDAP (or, for example for above setup, if I wanted to
> modify attribute "mail" in ou=mail, from a...@so... to
> b...@so...?) that would be great.
> my $result = $ldap->modify($dn,
> replace => { %$whatToChange }

No way to do it this way.
replace expects the same type of arguments as the add() method:
a reference to a list of key value pairs.
I.e. it wants a reference to a list (also called an ARRAY ref).

So:

  my $result = $ldap->modify($dn, replace => [ %$whatToChange ]);

should work, because a hash is nothing more than a list with an even
number of elements where the even numbered ones [starting with 0] are
keys and the odd numbered ones are the values. So you get a perfect list
of key-value pairs ;-)

Yours
Peter

-- 
Peter Marschall   | eMail: pet...@ma...
Scheffelstraße 15 |        pet...@ad...
D-97072 Würzburg  | Tel: +49 931 14721
PGP: 0BB1 04A3 0FB0 E27F 8018 52BA A286 7B23 9C22 2C83
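A complete script that puts Peter's two answers together, the rootdn bind with the DN as first positional argument and a replace built from a hash, with the result of every operation checked. It is an added example for this archive page, not code from the thread or from the Net::LDAP project. The host, the DNs, the CA bundle path and the LDAP_ROOTPW environment variable are placeholders; it needs a reachable OpenLDAP server to do anything.

```perl
#!/usr/bin/perl
# Added example (not from the list post or the Net::LDAP project): bind as
# the rootdn from slapd.conf and replace one attribute, checking every
# result code. Host, DNs, CA path and env var are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_text);

my $host    = 'ldap.example.com';                    # placeholder
my $bind_dn = 'cn=Manager,dc=example,dc=com';        # must match rootdn in slapd.conf, normalized
my $target  = 'uid=jdoe,ou=mail,dc=example,dc=com';  # placeholder entry to modify
my $cafile  = '/etc/ssl/certs/ca-certificates.crt';  # placeholder CA bundle

# Keep the rootpw out of the script and out of the process list.
my $bind_pw = $ENV{LDAP_ROOTPW};
die "set LDAP_ROOTPW in the environment\n" unless defined $bind_pw;

# Die with the server's own error text if a Net::LDAP::Message carries an error.
sub check {
    my ($mesg, $what) = @_;
    die sprintf("%s failed: %s (code %d)\n",
                $what, ldap_error_text($mesg->code), $mesg->code) if $mesg->code;
    return $mesg;
}

# Replace attributes from a hash. Flattening the hash into an array ref
# gives modify() the list of key/value pairs it expects for replace.
sub replace_attrs {
    my ($ldap, $dn, $changes) = @_;
    return check($ldap->modify($dn, replace => [ %$changes ]), "modify $dn");
}

my $ldap = Net::LDAP->new($host, port => 389, version => 3)
    or die "cannot connect to $host: $@\n";

# Upgrade to TLS before the rootdn password goes on the wire; 'require'
# refuses to continue if the server certificate does not verify against $cafile.
check($ldap->start_tls(verify => 'require', cafile => $cafile), 'start_tls');

# Simple bind: DN first, password as an option.
check($ldap->bind($bind_dn, password => $bind_pw), 'bind');

replace_attrs($ldap, $target, { mail => 'b@example.com' });

# Read the entry back to confirm what the server now holds.
my $srch = check($ldap->search(base => $target, scope => 'base',
                               filter => '(objectClass=*)', attrs => ['mail']), 'search');
for my $entry ($srch->entries) {
    printf "%s: mail = %s\n", $entry->dn, join(', ', $entry->get_value('mail'));
}

$ldap->unbind;
```

Binding as the rootdn over port 389 without start_tls sends the slapd.conf password in cleartext, which is why the TLS upgrade comes before the bind here; for day-to-day changes a less privileged DN with an ACL limited to the attributes it needs is the better choice, and the rootdn is kept for administration.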
From: Sean L. (eRexi) <se...@er...> - 2003-02-10 12:17:54

Hi

My first question is - what is the correct way to bind as cn=Manager (or
whatever) to OpenLDAP if your password is in slapd.conf (not in LDAP
database itself)?
This below produces "Invalid credentials" on RH 8.0 and stock OpenLDAP.

  use Net::LDAP;

  my $host = '127.0.0.1';
  my $port = 389;
  my $base = 'ou=mail,dc=someweb,dc=com,dc=tw';
  my $bind_dn = 'cn=manager,dc=someweb,dc=com,dc=tw';
  my $bind_password = 'secret';

  my $ldap = Net::LDAP->new( $host, port => $port );
  die "Cannot make LDAP connection\n" unless ( $ldap );

  my $ldap_msg = $ldap->bind( dn => $bind_dn, password => $bind_password );
  if ( my $code = $ldap_msg->code ) {
      die "Error during bind (Code: $code)\n", $ldap_msg->error, "\n";
  }
  print "Connect/bind ok.";

I tried several other ways, I get different errors every time. I wrote
several other scripts, some use CGI-bash, and Perl anonymous bind all work
fine on that server; it's only authenticated bind that I can't get to work.
I use Digest::SHA (I'm not sure if I need it) and I tried using both SHA
and clear password in the password field.

My second question is regarding update example in FAQs (code below); what
exactly is %$whatToChange here? If someone can share a real-life example
with OpenLDAP (or, for example for above setup, if I wanted to modify
attribute "mail" in ou=mail, from a...@so... to b...@so...?) that would be
great. Currently I write bash/shell scripts to do this but I'd like to move
everything to Perl

Thanks.
Sean

  #######################################
  #
  # MODIFY using a HASH
  #
  my %ReplaceHash = ( keyword => "x", proxy => "x" );
  my $result = LDAPmodifyUsingHash($ldap, $dn, \%ReplaceHash );

  sub LDAPmodifyUsingHash {
      my ($ldap, $dn, $whatToChange ) = @_ ;
      my $result = $ldap->modify($dn, replace => { %$whatToChange } );
      return ($result );
  }
From: Maurice M. <rm...@IT...> - 2003-02-07 00:37:44

hi,

> > but this explains why you can make ldap searches and the like
> > with an unmodified Authen-SASL-Cyrus *g*.
>
> Hi Maurice,
>
> Very odd... I've applied your patches to security.pm and cyrus.pm, and I
> still do not get an ssf=56. libdes425 exists locally on my machine, so I'm
> not sure why it isn't doing the encryption.
>

hmm.. when I think more about it, I believe that my patch is only
necessary to make it work with perl 5.8.0.... this thing with ssf=56/0 is
probably more something related to the openldap/libsasl/libkrb you or I
are using....

cu
Maurice
From: Quanah Gibson-M. <qu...@st...> - 2003-02-06 23:35:30

--On Thursday, February 06, 2003 11:52 PM +0100 Maurice Massar <rm...@IT...> wrote:

>> Follow up on this ->
>>
>> The Authen::SASL::Cyrus is missing the routines to set the minssf and
>> maxssf bits when creating a connection, therefore it will never
>> negotiate any encryption (ssf=0).
>>
>
> hmm.... I can't verify that. In fact, I've got ssf=56 per default
>
> [slapd -d 5 output]
> ==> sasl_bind: dn="" mech=<continuing> datalen=65
> SASL Authorize [conn=3]: authcid="rm/ldapadm" authzid="<empty>"
> SASL Authorize [conn=3]: "rm/ldapadm" as "u:rm/ldapadm"
> slap_sasl_bind: username="u:rm/ldapadm" realm="" ssf=56
> <== slap_sasl_bind: authzdn: "uid=rm/ldapadm"
>
> I'm using perl-ldap 0.27 (from cvs Feb 4 21:36 GMT),
> Authen-SASL-Cyrus-0.07 with the patch I posted earlier,
> and the following debian packages:
>
> ||/ Name                  Version
> +++-=====================-============
> ii  perl                  5.8.0-13
> ii  slapd                 2.0.27-3
> ii  libsasl7              1.5.27-3.3
> ii  libsasl-dev           1.5.27-3.3
> ii  libsasl-gssapi-mit    1.5.24-15
> ii  libkrb53              1.2.7-2
>
> but this explains why you can make ldap searches and the like
> with an unmodified Authen-SASL-Cyrus *g*.

Hi Maurice,

Very odd... I've applied your patches to security.pm and cyrus.pm, and I
still do not get an ssf=56. libdes425 exists locally on my machine, so I'm
not sure why it isn't doing the encryption.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Maurice M. <rm...@IT...> - 2003-02-06 22:52:46

> Follow up on this ->
>
> The Authen::SASL::Cyrus is missing the routines to set the minssf and
> maxssf bits when creating a connection, therefore it will never negotiate
> any encryption (ssf=0).
>

hmm.... I can't verify that. In fact, I've got ssf=56 per default

[slapd -d 5 output]
==> sasl_bind: dn="" mech=<continuing> datalen=65
SASL Authorize [conn=3]: authcid="rm/ldapadm" authzid="<empty>"
SASL Authorize [conn=3]: "rm/ldapadm" as "u:rm/ldapadm"
slap_sasl_bind: username="u:rm/ldapadm" realm="" ssf=56
<== slap_sasl_bind: authzdn: "uid=rm/ldapadm"

I'm using perl-ldap 0.27 (from cvs Feb 4 21:36 GMT),
Authen-SASL-Cyrus-0.07 with the patch I posted earlier,
and the following debian packages:

||/ Name                  Version
+++-=====================-============
ii  perl                  5.8.0-13
ii  slapd                 2.0.27-3
ii  libsasl7              1.5.27-3.3
ii  libsasl-dev           1.5.27-3.3
ii  libsasl-gssapi-mit    1.5.24-15
ii  libkrb53              1.2.7-2

but this explains why you can make ldap searches and the like
with an unmodified Authen-SASL-Cyrus *g*.

cu
Maurice
From: Quanah Gibson-M. <qu...@st...> - 2003-02-06 22:23:35

Follow up on this ->

The Authen::SASL::Cyrus is missing the routines to set the minssf and
maxssf bits when creating a connection, therefore it will never negotiate
any encryption (ssf=0).

--Quanah

--On Wednesday, February 05, 2003 2:52 PM -0800 Quanah Gibson-Mount <qu...@St...> wrote:

> Hello,
>
> I'm trying to force Authen::SASL::Cyrus to use an ssf=56, however, in my
> code, when I put in:
>
>   my $sasl = Authen::SASL->new(
>       mechanism => 'GSSAPI',
>       property  => {
>           'ssf' => '56',
>       },
>   );
>
> the property piece is apparently ignored. Anyone have any hints on what
> I can do to remedy this?
>
> Thanks,
> Quanah
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: A K S. <ksh...@ds...> - 2003-02-06 21:58:27

Can I obtain an E-mail address list for members of the American Society of
Interior Designers (ASID)? Thank you.

Kelly Shelton==kshelton@dslextreme
From: Csigas <nu...@sc...> - 2003-02-06 10:03:07

Hi!

> $name = encode('utf8',decode('iso-8859-2',"blablaáéáú"));
> $entry = Net::LDAP::Entry->new;
> $entry->dn($name);
>
> The $entry->dn function doesn't convert its parameter to base64
> (and use dn:: NOT dn:) like $entry->add does.

We made the mistake. In this line, we used the word encoding instead of
encode.

  Net::LDAP::LDIF->new("win.ldif","w", encode => "base64");

Sorry for the false report.

bye,
Nandor Toth
From: Csigas <nu...@sc...> - 2003-02-06 00:03:39

Hi!

  $name = encode('utf8',decode('iso-8859-2',"blablaáéáú"));
  $entry = Net::LDAP::Entry->new;
  $entry->dn($name);

The $entry->dn function doesn't convert its parameter to base64
(and use dn:: NOT dn:) like $entry->add does.
So we can not use any special character in the dn field.

bye,
Nandor Toth
From: Quanah Gibson-M. <qu...@st...> - 2003-02-05 22:53:10

Hello,

I'm trying to force Authen::SASL::Cyrus to use an ssf=56, however, in my
code, when I put in:

  my $sasl = Authen::SASL->new(
      mechanism => 'GSSAPI',
      property  => {
          'ssf' => '56',
      },
  );

the property piece is apparently ignored. Anyone have any hints on what I
can do to remedy this?

Thanks,
Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Christopher A B. <ca...@tc...> - 2003-02-05 21:11:27

As Keith A. Clay once put it so eloquently:
> Here is what I think I know about Net::LDAP and Active Directory:
>
> 1) I can create accounts in ADS through LDAP and these are domain accounts
>
> 2) I can reset passwords and manipulate other setting
>
>
> Here is what I am not sure about:
>
> 1) what secure mechanism/transport can I use to make password changes in
> ADS coming from a solaris box
>
> 2) any other limitations.

We use Net::LDAP running on Solaris to update Active Directory, including
creating objects and making changes. The biggest gotchas relate to
password changes.

(1) You MUST use LDAP over SSL (i.e. Net::LDAPS) to make password changes.

(2) You have to specially format the password in order for it to be
accepted. Below is the snippet of code we use to do the formatting ($entry
is an LDAP::Entry representing the changes to be made, in our case read in
using Net::LDAP::LDIF::read_cmd). &change_changes must be used because
normally Net::LDAP "adds" changes rather than changing existing changes, so
AD would see both the "before" and "after" versions of the password, and
the "before" version makes it choke.

  {
      # done; now, if there's still a unicodePwd, then UTF-16(?) it
      # and base64 encode it and make sure it gets sent that way.
      my $opw = $entry->get_value('unicodePwd');
      if (defined $opw) {
          my $upw = pack "v*", unpack "C*", qq("$opw");
          &change_changes($entry, 'replace', 'unicodePwd', $upw);
      }
  }

  sub change_changes {
      my ($entry, $op, $attr, @values) = @_;

      # add/delete entry operations don't have this problem
      # so just use the regular method to update them
      unless ($entry->changetype eq 'modify') {
          $entry->$op($attr, \@values);
          return;
      }

      # ok, this is a modify, do it the hard way
      $attr = lc $attr;
      my $changes = $entry->{changes};
      for (my $i = 0; $i < @$changes; $i += 2) {
          my ($oldop, $oldargs) = @{$changes}[$i, $i+1];
          my ($oldattr, $oldvals) = @$oldargs;
          if ($oldattr eq $attr) {
              $changes->[$i] = $op;
              $oldargs->[1]  = \@values;
              last;
          }
      }
  }

And just for kicks, here's how to use Net::DNS to look up the primary
domain controller (i.e. the system you should connect to to make changes)
for a given domain:

  use Net::DNS;

  sub lookup_pdc {
      my ($domain) = @_;
      my $res   = Net::DNS::Resolver->new;
      my $query = $res->send("_ldap._tcp.pdc._msdcs.$domain", "SRV");
      if ($query) {
          foreach my $rr ($query->answer) {
              next unless $rr->type eq 'SRV';
              # return first found; find ldaps port from services file since
              # there's no _ldaps SRV record
              return $rr->target, scalar getservbyname('ldaps', 'tcp');
          }
      } else {
          &note("SRV RR lookup failed: " . $res->errorstring);
      }
      return;
  }

%% Christopher A. Bongaarts   %% ca...@tc...          %%
%% Internet Services          %% http://umn.edu/~cab    %%
%% University of Minnesota    %% +1 (612) 625-1809      %%
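The pack/unpack line in Christopher's snippet widens each byte of the quoted password to a 16-bit little-endian unit, which is exactly UTF-16LE as long as the password is pure ASCII. The script below is an added example for this archive page (not code from the post) that builds the unicodePwd value with Encode's UTF-16LE encoder, and runs the post's byte-widening method next to it so the difference on a non-ASCII password is visible. It runs offline; the two passwords are constructed sample values.

```perl
#!/usr/bin/perl
# Added example, not the list post's own code: build the value Active
# Directory expects in unicodePwd and show where the byte-widening trick
# from the post stops matching. Runs offline; the passwords are
# constructed sample values.
use strict;
use warnings;
use Encode qw(encode);
binmode STDOUT, ':encoding(UTF-8)';

# AD takes the new password wrapped in double quotes and encoded as
# UTF-16LE, with no byte-order mark and no trailing NUL.
sub ad_unicode_pwd {
    my ($password) = @_;
    return encode('UTF-16LE', qq("$password"));
}

# The post's approach: widen every byte to a little-endian 16-bit unit.
# Equivalent to UTF-16LE only while all characters are ASCII.
sub ad_unicode_pwd_pack {
    my ($bytes) = @_;
    return pack 'v*', unpack 'C*', qq("$bytes");
}

sub hexdump { join ' ', map { sprintf '%02x', $_ } unpack 'C*', $_[0] }

for my $pw ('Pa55w.rd', "P\x{e4}ss") {   # the second one contains a non-ASCII character
    my $utf16 = ad_unicode_pwd($pw);
    my $wide  = ad_unicode_pwd_pack(encode('UTF-8', $pw));   # bytes as a UTF-8 script would hold them
    printf "%-9s UTF-16LE: %s\n", $pw, hexdump($utf16);
    printf "%-9s pack v* : %s %s\n", '', hexdump($wide),
        $utf16 eq $wide ? '(same)' : '(differs: each UTF-8 byte was widened separately)';
}
```

For "Pa55w.rd" both encodings print the same bytes; for "Päss" the pack version turns the two UTF-8 bytes of ä into two separate 16-bit units, so AD would store a different password from the one the user typed. Whichever encoder is used, the value still has to go out with replace over LDAPS or a TLS-protected connection, as the post says, since a domain controller rejects a unicodePwd modification over a cleartext connection.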
From: Peter M. <pet...@ma...> - 2003-02-05 19:24:14

Hi,

On Tuesday 04 February 2003 23:38, Spidle, Mark wrote:
> I have been through the archives and found the SetPassword.pm I can not
> however get this to work with our company's Active Directory.
>
> Here is my code and the result
>
>   #from search
>   $dn = $entries[0]->dn;
>   $mesg = $ldap->set_password(user => $dn, oldpasswd => $passwd,
>                               newpasswd => $newpass) || die "failed to set password";
>   if ( $mesg->code ) {
>       LDAPerror("Binding",$mesg);
>       #print "Error code: $errstr\n";
>   }
>
> resulting in
> -----------------------
> CN=DESMOINES\, Test,OU=Users,OU=DesMoines,DC=us,DC=ad,DC=gannett,DC=com
> Return code: 84
> Message: LDAP_DECODING_ERROR :C<Net::LDAP> encountered an error while
> decoding a response packet from the server.
> MessageID: 3 DN:
>
> What am I doing wrong. Something is obviously missing.

IIRC the set_password() extension is only supported by the OpenLDAP server.

Peter

-- 
Peter Marschall   | eMail: pet...@ma...
Scheffelstraße 15 |        pet...@ad...
D-97072 Würzburg  | Tel: +49 931 14721
PGP: 0BB1 04A3 0FB0 E27F 8018 52BA A286 7B23 9C22 2C83
From: Ken C. <Ken...@ki...> - 2003-02-05 15:40:35

Some of the timestamps used by AD objects are in Microsoft's VT_FILETIME
which is the number of 100 ns intervals since 1601 or some such.

-----Original Message-----
From: Keith A. Clay [mailto:cl...@ac...]
Sent: Wednesday, February 05, 2003 10:14 AM
To: per...@li...
Subject: ADS Questions

Folks,

Here is what I think I know about Net::LDAP and Active Directory:

1) I can create accounts in ADS through LDAP and these are domain accounts

2) I can reset passwords and manipulate other setting

Here is what I am not sure about:

1) what secure mechanism/transport can I use to make password changes in
ADS coming from a solaris box

2) any other limitations.

Please respond to let me know if I am off base on what I think I know,
and how to implement the other items.

keith

-- 
-------------------------------------------------
Keith Clay, Kei...@ac...
Lead Programmer, Web Integration and Programming
286 Adams Center for Teaching Excellence
Abilene Christian University
Abilene, TX 79699
(915) 674-2187
(915) 674-2834
-------------------------------------------------
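Ken's remark about FILETIME values is exactly what trips up scripts that read pwdLastSet, lastLogonTimestamp or accountExpires from AD and try to treat them as epoch seconds. The following is an added example for this archive page, not code from the post: it converts FILETIME (100 ns ticks since 1601-01-01) to and from Unix epoch seconds and handles the two sentinel values AD uses, 0 for "not set" and 0x7FFFFFFFFFFFFFFF for "never". It runs offline on constructed sample values and uses Math::BigInt so it also works on a 32-bit perl.

```perl
#!/usr/bin/perl
# Added example (not from the list): convert the 64-bit FILETIME values AD
# stores in attributes such as pwdLastSet, lastLogonTimestamp and
# accountExpires to Unix epoch seconds, and back. Runs offline on
# constructed sample values.
use strict;
use warnings;
use Math::BigInt;
use POSIX qw(strftime);

# Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
use constant EPOCH_DIFF    => '11644473600';
use constant TICKS_PER_SEC => '10000000';            # FILETIME counts 100 ns intervals
use constant NEVER         => '9223372036854775807'; # 0x7FFFFFFFFFFFFFFF, "never" in accountExpires

# Returns ($epoch_seconds, $note). 0 and the maximum value are sentinels in
# AD ("not set" / "never"), so they are reported instead of converted.
sub filetime_to_epoch {
    my ($filetime) = @_;
    my $ft = Math::BigInt->new($filetime);
    return (undef, 'not set') if $ft->is_zero;
    return (undef, 'never')   if $ft->bstr eq NEVER;
    my $secs = $ft->copy->bdiv(TICKS_PER_SEC)->bsub(EPOCH_DIFF);
    return ($secs->numify, undef);
}

sub epoch_to_filetime {
    my ($epoch) = @_;
    return Math::BigInt->new($epoch)->badd(EPOCH_DIFF)->bmul(TICKS_PER_SEC)->bstr;
}

sub show {
    my ($attr, $value) = @_;
    my ($epoch, $note) = filetime_to_epoch($value);
    printf "%-18s %-20s -> %s\n", $attr, $value,
        defined $epoch ? strftime('%Y-%m-%dT%H:%M:%SZ', gmtime $epoch) : $note;
}

# constructed sample values
show('pwdLastSet',         '132539328000000000');   # 2021-01-01T00:00:00Z
show('accountExpires',     NEVER);
show('lastLogonTimestamp', '0');
printf "round trip: %s\n",
    epoch_to_filetime(0) eq '116444736000000000' ? 'ok' : 'mismatch';
```

A pwdLastSet of 0 is also the value AD sets when an account is flagged "user must change password at next logon", so a script that computes password age has to treat it as a state, not as a date in 1601.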
From: Keith A. C. <cl...@ac...> - 2003-02-05 15:15:49

Folks,

Here is what I think I know about Net::LDAP and Active Directory:

1) I can create accounts in ADS through LDAP and these are domain accounts

2) I can reset passwords and manipulate other setting

Here is what I am not sure about:

1) what secure mechanism/transport can I use to make password changes in
ADS coming from a solaris box

2) any other limitations.

Please respond to let me know if I am off base on what I think I know, and
how to implement the other items.

keith

-- 
-------------------------------------------------
Keith Clay, Kei...@ac...
Lead Programmer, Web Integration and Programming
286 Adams Center for Teaching Excellence
Abilene Christian University
Abilene, TX 79699
(915) 674-2187
(915) 674-2834
-------------------------------------------------
From: Quanah Gibson-M. <qu...@st...> - 2003-02-05 03:14:58

--On Wednesday, February 05, 2003 3:32 AM +0100 Maurice Massar <rm...@IT...> wrote:

> hi,
>
>> Followup on this:
>>
>> Thanks to help from Maurice, I can now bind & search my openldap-2.1.12
>> server. The problem is that Authen::SASL::Cyrus is not sending an empty
>> AuthZID by default, which is bad behaviour. Changing my sasl piece in
>> my script to:
>>
>>   my $sasl = Authen::SASL->new(
>>       mechanism => 'GSSAPI',
>>       callback  => {
>>           'user'     => sub {''},
>>           'password' => sub {''},
>>       },
>>   );
>>
>> Fixes the problem. Thank you again, Maurice!!
>
> interesting... I first had to rewrite the Authen::SASL::Cyrus::Security
> module to do things a bit more like IO::Socket::SSL before I got it
> working (with perl v5.8.0) (patch (or hack? *g*) attached).
>
> As posted earlier I got this messages:
> Use of uninitialized value in print at ./ldap-test1 line 18.
> syswrite() on unopened filehandle GLOB at /usr/share/perl5/Net/LDAP.pm line 627.
> [line 18 of ./ldap-test1 is: print "FD: ",fileno($ldap->socket()),"\n";]

Maurice,

I wonder if the major difference here is that I'm using perl 5.6.1.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Maurice M. <rm...@IT...> - 2003-02-05 02:33:26

hi,

> Followup on this:
>
> Thanks to help from Maurice, I can now bind & search my openldap-2.1.12
> server. The problem is that Authen::SASL::Cyrus is not sending an empty
> AuthZID by default, which is bad behaviour. Changing my sasl piece in my
> script to:
>
>   my $sasl = Authen::SASL->new(
>       mechanism => 'GSSAPI',
>       callback  => {
>           'user'     => sub {''},
>           'password' => sub {''},
>       },
>   );
>
> Fixes the problem. Thank you again, Maurice!!

interesting... I first had to rewrite the Authen::SASL::Cyrus::Security
module to do things a bit more like IO::Socket::SSL before I got it
working (with perl v5.8.0) (patch (or hack? *g*) attached).

As posted earlier I got this messages:
Use of uninitialized value in print at ./ldap-test1 line 18.
syswrite() on unopened filehandle GLOB at /usr/share/perl5/Net/LDAP.pm line 627.
[line 18 of ./ldap-test1 is: print "FD: ",fileno($ldap->socket()),"\n";]

cu
Maurice Massar
From: Quanah Gibson-M. <qu...@st...> - 2003-02-04 23:13:12

Followup on this:

Thanks to help from Maurice, I can now bind & search my openldap-2.1.12
server. The problem is that Authen::SASL::Cyrus is not sending an empty
AuthZID by default, which is bad behaviour. Changing my sasl piece in my
script to:

  my $sasl = Authen::SASL->new(
      mechanism => 'GSSAPI',
      callback  => {
          'user'     => sub {''},
          'password' => sub {''},
      },
  );

Fixes the problem. Thank you again, Maurice!!

--Quanah

--On Tuesday, February 04, 2003 11:27 AM -0800 Quanah Gibson-Mount <qu...@St...> wrote:

> Hello,
>
> I am curious if anyone on this list has been able to make K5 GSSAPI binds
> to a server using SASL. I've yet to have this be successful, but do not
> know if I am doing something wrong. I can do K5 GSSAPI binds via SASL
> with ldapsearch, so I have a valid K5 ticket, etc. Any help much
> appreciated.
>
> My script looks like:
>
>   #!/usr/local/bin/perl
>   use Net::LDAP;
>   use Authen::SASL;
>
>   my $ldap = Net::LDAP->new('ldap3.stanford.edu') or die "$@";
>
>   my $sasl = Authen::SASL->new(
>       mechanism => 'GSSAPI',
>   );
>
>   $ldap->bind(sasl => $sasl, version => 3);
>
> The output on the server from this search is:
>
> Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 848112 local4.debug] conn=52 fd=11 ACCEPT from IP=171.64.19.55:36091 (IP=0.0.0.0:389)
> Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 347666 local4.debug] conn=52 op=0 BIND dn="" method=163
> Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 668004 local4.debug] SASL [conn=52] Failure: not authorized
> Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 217296 local4.debug] conn=52 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: not authorized
> Feb 4 11:15:45 ldap3.Stanford.EDU slapd[6671]: [ID 850449 local4.debug] conn=52 fd=11 closed
>
>
> Here is the output from an ldapsearch:
>
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 848112 local4.debug] conn=51 fd=11 ACCEPT from IP=171.64.19.55:36088 (IP=0.0.0.0:389)
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 902418 local4.debug] conn=51 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 706578 local4.debug] conn=51 op=0 SRCH attr=supportedSASLMechanisms
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 217296 local4.debug] conn=51 op=0 RESULT tag=101 err=0 text=
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 347666 local4.debug] conn=51 op=1 BIND dn="" method=163
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 951063 local4.debug] conn=51 op=3 BIND authcid="qu...@st..."
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 988814 local4.debug] conn=51 op=3 AUTHZ dn="suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu" mech=GSSAPI ssf=56
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 902418 local4.debug] conn=51 op=4 SRCH base="cn=accounts,dc=stanford,dc=edu" scope=2 filter="(suSeasSunetID=quanah)"
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 706578 local4.debug] conn=51 op=4 SRCH attr=sumaildrop
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 362707 local4.debug] conn=51 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 338319 local4.debug] conn=51 op=5 UNBIND
> Feb 4 11:10:43 ldap3.Stanford.EDU slapd[6671]: [ID 850449 local4.debug] conn=51 fd=11 closed
>
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
From: Spidle, M. <ms...@de...> - 2003-02-04 22:41:05

I have been through the archives and found the SetPassword.pm I can not
however get this to work with our company's Active Directory.

Here is my code and the result

  use Net::LDAP::Extension::SetPassword;   # provides $ldap->set_password

  #from search
  $dn = $entries[0]->dn;

  $mesg = $ldap->set_password(user => $dn, oldpasswd => $passwd,
                              newpasswd => $newpass) || die "failed to set password";
  if ( $mesg->code )
  {
      LDAPerror("Binding",$mesg);
      #print "Error code: $errstr\n";
  }

resulting in
-----------------------
CN=DESMOINES\, Test,OU=Users,OU=DesMoines,DC=us,DC=ad,DC=gannett,DC=com
Return code: 84
Message: LDAP_DECODING_ERROR :C<Net::LDAP> encountered an error while
decoding a response packet from the server.
MessageID: 3 DN:

What am I doing wrong. Something is obviously missing.

Any help is appreciated.

I would really like to look at someone's code that has this working with
Active Directory.

Thanks in advance.
Mark
From: Jim H. <ha...@us...> - 2003-02-04 19:42:38

Yes, That is fine. What is generally done is that an anonymous bind is
used to look up a DN based on a uid (if your directory tree keeps them
unique), then does a bind like you have indicated below.

--Jim Harle

On Tue, 4 Feb 2003 pll...@la... wrote:

>
> In a message dated: Tue, 04 Feb 2003 14:17:15 EST
> Jim Harle said:
>
> >In fact, userPassword may not exist on your server or may not allow compare.
> >A bind with DN and password is appropriate. Many servers do not let you do
> >password compares or reads to help cut down on password cracking attempts.
>
> Okay, that makes sense. Can someone show me what a bind with a DN/
> password would look like?
>
> Is it something like this:
>
>   $dn = 'uid=12345, ou=people,ou=corporate,ou=intranet,o=foo.com';
>   $r  = $ldap->bind ($dn, password => 'F00B4r');
>
> ?
>
> Then I would test that $r->code == 0?
>
> It seems to work, I just want to make sure I'm not missing something.
>
> Thanks,
> --
>
> Seeya,
> Paul
> --
> Key fingerprint = 1660 FECC 5D21 D286 F853 E808 BB07 9239 53F1 28EE
>
> It may look like I'm just sitting here doing nothing,
> but I'm really actively waiting for all my problems to go away.
>
> If you're not having fun, you're not doing it right!
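The search-then-bind pattern Jim describes is the usual way to check a user's password against a directory, and it has two failure modes that Paul's "$r->code == 0" test alone does not cover: a uid that is not unique, and an empty password, which the LDAP bind operation treats as an unauthenticated (anonymous-equivalent) bind that some servers accept with a success code. The script below is an added example for this archive page, not code from the thread or from Net::LDAP, showing the lookup and bind with those checks, a filter built with escape_filter_value so the user-supplied uid cannot change the filter structure, and TLS before the password is sent. It needs a reachable LDAP server; the host, base DN, CA bundle path and the LDAP_TEST_UID / LDAP_TEST_PW environment variables are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the list post): the search-then-bind pattern
# with the checks an application verifying passwords should make. Needs
# a reachable LDAP server; host, base DN, CA path and env vars are
# placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_text);

my $host   = 'ldap.example.com';                                 # placeholder
my $base   = 'ou=people,ou=corporate,ou=intranet,o=example.com'; # placeholder, modelled on the post
my $cafile = '/etc/ssl/certs/ca-certificates.crt';               # placeholder CA bundle

# Returns ($dn, undef) on success or (undef, $reason) on failure.
sub authenticate_user {
    my ($ldap, $base, $uid, $password) = @_;

    # Reject an empty password before it reaches bind(): a DN with an empty
    # password is an *unauthenticated* bind (RFC 4513), and a server that
    # permits those returns success for any user.
    return (undef, 'empty password') unless defined $password && length $password;

    # Escape the user-supplied uid so characters such as "*" or ")(" cannot
    # alter the filter.
    my $filter = sprintf '(uid=%s)', escape_filter_value($uid);

    # Anonymous bind, then map uid -> DN. attrs '1.1' asks for no attributes.
    my $mesg = $ldap->bind;
    return (undef, 'anonymous bind: ' . ldap_error_text($mesg->code)) if $mesg->code;

    my $srch = $ldap->search(base => $base, scope => 'sub',
                             filter => $filter, attrs => ['1.1']);
    return (undef, 'search: ' . ldap_error_text($srch->code)) if $srch->code;
    return (undef, 'no such user')   if $srch->count == 0;
    return (undef, 'uid not unique') if $srch->count > 1;   # never bind to an ambiguous match

    my $dn = $srch->entry(0)->dn;

    # Simple bind as the user; a zero result code means the password matched.
    $mesg = $ldap->bind($dn, password => $password);
    return (undef, 'invalid credentials') if $mesg->code;
    return ($dn, undef);
}

my ($uid, $pw) = @ENV{qw(LDAP_TEST_UID LDAP_TEST_PW)};
die "set LDAP_TEST_UID and LDAP_TEST_PW in the environment\n"
    unless defined $uid && defined $pw;

my $ldap = Net::LDAP->new($host, version => 3) or die "connect: $@\n";

# The password travels in the clear inside a simple bind, so start TLS first
# and insist that the server certificate verifies.
my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
die 'start_tls: ' . ldap_error_text($tls->code) . "\n" if $tls->code;

my ($dn, $why) = authenticate_user($ldap, $base, $uid, $pw);
print defined $dn ? "authenticated as $dn\n" : "login failed: $why\n";
$ldap->unbind;
```

After a successful bind the connection is bound as the user, so anything the application does next on that handle runs with the user's rights, not anonymous ones; rebind (or open a separate connection) before doing privileged lookups.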