From: Rafael C. <Raf...@li...> - 2001-04-20 09:41:56
|
You should be able to get your entries without requesting ["*"] for the attributes.

I'm not really a specialist, but here are my comments:

1) I think you have problems with the authentication. Check your credentials. Are you sure you are using

       $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com"

   as your credentials? If you have an authentication failure, you will not see it (see point 2).

2) The bind method returns a Net::LDAP::Bind object, so unless the bind method returns "undefined" (I don't think it can do so), avoid writing:

       bind(...) or die(...);

   In other words, try binding with wrong credentials, and you will see the die() will not be called. I prefer to use:

       $mesg = bind(....);
       die($mesg->error) if $mesg->code;

3) I think that using normal settings, the DC=company, DC=com tree and DC=Users, DC=company, DC=com tree are protected in ADS. You must bind with a valid user to get something; they are not accessible anonymously. I think that if you do not see anything it's because you have an authentication failure.

4) Use protocol version 3. It's better since version 2 doesn't know about referrals. To do that, use "version => 3" as one of the parameters in the bind() call.

5) I'm disappointed regarding MS LDP.... Using the Microsoft "Active Directory Administration Tool", I only get the base DN when connected without calling bind (and referrals too). Are you sure that MS LDAP doesn't connect using "transparent" login, forwarding your credentials to ADS? (Using Kerberos or NTLM.)

6) This is an example that works for me. I hope it will do so for you:

=========================================
=== Example starts here ===
=========================================

    #!/usr/bin/perl -w

    use Net::LDAP;
    use strict;

    # Comment the following line to log on anonymously
    my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';

    # Comment one of the following two lines (Base DN)
    my $base = 'CN=Users, DC=linkvest, DC=com';
    #my $base = 'DC=linkvest, DC=com';

    my $ldapserver = 'ads.linkvest.com';
    my $password   = 'XXXXXXXX';
    my $version    = 3;

    my $filter = "(objectclass=*)";
    my $scope  = '1';

    my $mesg;

    # CONNECTION
    my $ldap = Net::LDAP->new($ldapserver) or die "$@";

    # BIND
    if (defined $admin) {
        $mesg = $ldap->bind ( dn       => $admin,
                              password => $password,
                              version  => $version);
    } else {
        $mesg = $ldap->bind ( noauth  => 1,
                              version => $version);
    }

    die($mesg->error) if $mesg->code;

    # SEARCH
    $mesg = $ldap->search( scope  => $scope,
                           base   => $base,
                           filter => $filter);
    die($mesg->error) if $mesg->code;

    # RESULTS
    foreach my $entry ($mesg->entries) { $entry->dump; }
    printf("====\nFound %d entries\n", $mesg->count);

=======================================
=== Example ends here ===
=======================================

Hope it helps.

Rafael

________________________________________________________
Rafael Corvalan
Systems & Networks Competence Center Manager
Linkvest SA
Av des Baumettes 19, 1020 Renens Switzerland
Tel: +41 21 632 90 00 Fax: +41 21 632 90 90
http://www.linkvest.com Raf...@li...
________________________________________________________

-----Original Message-----
From: Clif Harden [mailto:cl...@di...]
Sent: Thursday, 19 April 2001 23:24
To: ri...@ed...
Cc: per...@li...
Subject: Re: Active directory and Perl-ldap

> I am trying to access Active directory using Perl-ldap and I'm having a
> problem. Here is sample code:
>
> my $base = 'DC=edinboro,DC=edu';
> my $filter = "(objectclass=*)";
> my $attrs = (); # request all available attributes
> my $scope = '0';
>
> my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";
>
> # bind to a directory with dn and password - makes no difference whether
> # authenticated or not
> $ldap->bind (dn => $admin,password => $password) or die "$@";
>
> $mesg = $ldap->search(
>     scope  => $scope,
>     base   => $base,
>     filter => $filter,
>     attrs  => $attrs,
> );
>
> If I do a search, all I can manage to find is the base DN. If I change the
> scope to 1, I retrieve nothing. If I change the scope to 'subtree', all I
> retrieve are root entries. I see no cn or ou entries. Nor do I retrieve
> anything if I set my base to cn=users,dn=edinboro,dn=edu. I've run the same
> search against ldap.itd.umich.edu and I can retrieve anything I request.
> Also if I use MS LDP (even if not authenticated), the search pulls the
> entries, as it is supposed to. I've checked permissions on the server but I
> am at a loss. Is there anything special I need to make Active Directory work
> correctly with LDAP?
>
> Thanks in advance,
>
> William Richter
> Technology Specialist, Edinboro University of PA
> 814-732-2931

Try requesting a return attribute(s) in your request.

    attrs => ["*"],

If I do what you have done all I get is a DN but no data.

Regards,
Clif Harden
INTERNET: c-h...@ti...
From: William R. <ri...@ed...> - 2001-04-20 16:58:22
|
I tried your example:

    die($mesg->error) if $mesg->code;

and found an 'AcceptSecurityContext error' reported. I am assuming that MS clients are passing my authentication credentials and this is why they are working and perl-ldap is not. If so, any ideas on how to resolve this error under Active directory?

William Richter
Technology Specialist, Edinboro University of PA
814-732-2931

-----Original Message-----
From: Rafael Corvalan [mailto:Raf...@li...]
Sent: Friday, April 20, 2001 5:41 AM
To: 'c-h...@ti...'; ri...@ed...
Cc: per...@li...
Subject: RE: Active directory and Perl-ldap

- clipped -
From: Rafael C. <Raf...@li...> - 2001-04-20 18:52:31
|
Is your $admin variable correctly set? What's its value? Can you send it to me? And is the password in $password correct?

Rafael

-----Original Message-----
From: William Richter [mailto:ri...@ed...]
Sent: Friday, 20 April 2001 19:05
To: per...@li...
Subject: RE: Active directory and Perl-ldap

- clipped -
From: William R. <ri...@ed...> - 2001-04-23 17:10:07
|
I've added the line:

    die($mesg->error) if $mesg->code;

after the bind. A non-authenticated login works fine, except I can't see anything but root, but as soon as I hit the server with an authenticated user, the error AcceptSecurityContext occurs. I then went back to LDP and found that by default, it connects using NTLM/Kerberos. I tried the alternate methods but they failed. My question is, what method does Perl-ldap use and if this is the problem, how do I change the authentication method? If, on the other hand, default authentication should work, any ideas why the server is denying my credentials? I've tried this on two AD servers on site and both fail.

William Richter
Technology Specialist
Edinboro University of PA
814-732-2931

-----Original Message-----
From: Rafael Corvalan [mailto:Raf...@li...]
Sent: Friday, April 20, 2001 5:41 AM
To: 'c-h...@ti...'; ri...@ed...
Cc: per...@li...
Subject: RE: Active directory and Perl-ldap

- clipped -
From: Dave M. <dm...@ju...> - 2001-04-23 19:10:50
|
We use only AD here for our LDAP server and haven't had any major issues. I think I can shed some light on the issues being discussed. Also, I would be more than happy to write an Active Directory and LDAP FAQ. If anyone's interested please drop me a note with topics that you'd like to see covered... See in-line for answers to questions posed in this thread....

> -----Original Message-----
> From: ma...@mj... [mailto:ma...@mj...]
> Sent: Monday, April 23, 2001 10:50 AM
> To: per...@li...
> Subject: RE: Active directory and Perl-ldap
>
> Aha, just as I expected.
>
> One of the right things MS did with W2K is to realize that LDAP is
> not an authentication protocol, however mightily we try to make it
> one (and keep in mind that I've written *a lot* of LDAP
> authentication code in my time).
>
> No, AD uses Kerberos for its authentication protocol.

This is correct and incorrect at the same time. By default the LDP tool will use Kerberos (and fall back to NTLM if necessary) to authenticate to AD. Active Directory accepts a really wide variety of auth methods (including simple bind). To use a simple bind to AD with LDP, specify the full DN of the user and the password, uncheck the "Domain" box, then click "Advanced" and set the method to SIMPLE.

> As per the LDAP specs, out of the box, Net::LDAP authenticates
> using simple bind (dn and password). Which AD doesn't support.

See above, it does support simple bind.

> The solution is to use the SASL module (but you'll probably have to
> code in your own Kerberos module for it) if AD supports SASL.

Yup, it supports SASL as well...

> If not, then we'll have to devise some other way.
>
> Mark
>
> On 23 Apr 01, at 13:17, William Richter wrote:
>
> > - clipped -
> >
> > -----Original Message-----
> > From: Rafael Corvalan [mailto:Raf...@li...]
> > Sent: Friday, April 20, 2001 5:41 AM
> > To: 'c-h...@ti...'; ri...@ed...
> > Cc: per...@li...
> > Subject: RE: Active directory and Perl-ldap
> >
> > - clipped -
> >
> > # BIND
> > if (defined $admin) {
> >     $mesg = $ldap->bind ( dn       => $admin,
> >                           password => $password,
> >                           version  => $version);

This should not have the "dn =>", so the correct code would be:

    $mesg = $ldap->bind ( $admin,
                          password => $password,
                          version  => $version);

The first sample in the man page for Net::LDAP is incorrect:

---- begin incorrect portion ----
    $ldap->bind ( # bind to a directory with dn and password
                  dn       => 'cn=root, o=University of Michigan, c=us',
                  password => 'secret'
                );
---- end incorrect portion ----

A correct sample can be found later in the man page:

---- begin correct portion ----
    $ldap->bind( $DN, password => $password);
---- end correct portion ----

And here's the code I use:

---- begin my code ----
    use Net::LDAP;

    # try the first domain controller, fall back to the second
    my $ldap;
    $ldap = Net::LDAP->new('dcjnprmrc1.jnpr.net', port => 389, debug => 0, timeout => 2)
      or $ldap = Net::LDAP->new('dcjnprmrc2.jnpr.net', port => 389, debug => 0, timeout => 5)
      or die $@;

    my %bindargs;
    $bindargs{password} = '**************';
    $bindargs{version}  = 3;

    my $result = $ldap->bind('cn=Web Guest,ou=Users,ou=Common,dc=jnpr,dc=net', %bindargs);
    if ($result->code != 0) {
        if ($result->code == 49) {
            printf "Password incorrect\n";
            die "\n";
        } else {
            printf "Error %i occurred while binding - aborting.\n", $result->code;
            die "\n";
        }
    }
---- end of my code ----

- clipped -

Dave Mills
Juniper Networks, Inc.
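Pulling together Rafael's advice (check $mesg->code rather than `or die`, bind with version 3, expect nothing below the rootDSE anonymously) and Dave's correction (the DN goes as the first positional argument), here is an added example of my own; it is not code from the thread or from the perl-ldap project, and it uses the current Net::LDAP API rather than the 2001 one. It assumes a domain controller at dc1.example.com, a service account CN=svc-ldap,CN=Users,DC=example,DC=com, the password in the LDAP_PASSWORD environment variable, and a CA bundle at /etc/ssl/certs/ca-certificates.crt. The table of "data" subcodes is the set Microsoft appends to the AcceptSecurityContext diagnostic that William saw; it comes from Windows logon status values, not from anything stated in the thread.

```perl
#!/usr/bin/perl
# Added example (not from the thread): simple bind to Active Directory with
# Net::LDAP, result checking on $mesg->code, and a decoder for the
# "AcceptSecurityContext error, data <hex>" text AD attaches to error 49.
# Host, DN, base, CA file and environment variable are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);
use Net::LDAP::Util qw(ldap_error_name);

my $server   = 'dc1.example.com';                          # assumed DC FQDN
my $bind_dn  = 'CN=svc-ldap,CN=Users,DC=example,DC=com';   # assumed account
my $base     = 'CN=Users,DC=example,DC=com';
my $cafile   = '/etc/ssl/certs/ca-certificates.crt';       # assumed CA bundle
my $password = $ENV{LDAP_PASSWORD} // die "set LDAP_PASSWORD in the environment\n";

# AD returns the real reason for an invalidCredentials (49) result only in
# the diagnostic text, as "data <hex>". These are Windows logon status
# subcodes (not from the thread); 52e is the plain wrong-password case.
my %ad_data = (
    '525' => 'user not found',
    '52e' => 'invalid credentials (wrong password)',
    '530' => 'not permitted to logon at this time',
    '531' => 'not permitted to logon at this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
);

# Turn a failed bind result into a one-line explanation.
sub explain_bind_failure {
    my ($mesg) = @_;
    my $text = sprintf 'bind failed: %s (%d)', ldap_error_name($mesg->code), $mesg->code;
    if ($mesg->code == LDAP_INVALID_CREDENTIALS
        && $mesg->error =~ /AcceptSecurityContext.*?data\s+([0-9a-f]+)/i) {
        $text .= sprintf ': AD data %s = %s', $1, $ad_data{lc $1} // 'unknown subcode';
    }
    return $text;
}

# 1. Connect. A simple bind sends the password in the clear, so upgrade the
#    session with StartTLS first (or connect with 'ldaps://...' on 636).
my $ldap = Net::LDAP->new($server, version => 3, timeout => 10)
    or die "connect to $server failed: $@\n";
my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
die 'StartTLS failed: ' . $tls->error . "\n" if $tls->code;

# 2. Bind. The DN is the first positional argument, never "dn => ...".
#    AD also accepts a userPrincipalName such as 'svc-ldap@example.com' here.
my $mesg = $ldap->bind($bind_dn, password => $password);
die explain_bind_failure($mesg) . "\n" if $mesg->code != LDAP_SUCCESS;

# 3. Search one level below the base and ask for named attributes; with the
#    bind checked above, an empty result now means ACLs, not a silent failure.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'one',
    filter => '(&(objectClass=user)(sAMAccountName=*))',
    attrs  => [qw(sAMAccountName userPrincipalName userAccountControl)],
);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code;

for my $entry ($mesg->entries) {
    printf "%s\t%s\n", $entry->get_value('sAMAccountName') // '', $entry->dn;
}
printf "Found %d entries\n", $mesg->count;
$ldap->unbind;
```

Run it with LDAP_PASSWORD exported. The StartTLS step is the security-relevant part: as Rafael notes later in the thread, AD happily accepts a simple bind in clear text, and without TLS the account password crosses the network readable to anyone on the path. Domain controllers configured to require LDAP signing reject an unprotected simple bind outright, which is another reason to have TLS (or a SASL bind) in place before blaming credentials.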
From: Booker C. B. <bb...@ne...> - 2001-04-24 21:40:14
|
On Mon, 23 Apr 2001, Dave Mills wrote:

> We use only AD here for our LDAP server and haven't had any major issues. I
> think I can shed some light on the issues being discussed. Also, I would be
> more than happy to write an Active Directory and LDAP FAQ. If anyone's
> interested please drop me a note with topics that you'd like to see
> covered... See in-line for answers to questions posed in this thread....
>
> > -----Original Message-----
> > From: ma...@mj... [mailto:ma...@mj...]
> > Sent: Monday, April 23, 2001 10:50 AM
> > To: per...@li...
> > Subject: RE: Active directory and Perl-ldap
> >
> > Aha, just as I expected.
> >
> > One of the right things MS did with W2K is to realize that LDAP is
> > not an authentication protocol, however mightily we try to make it
> > one (and keep in mind that I've written *a lot* of LDAP
> > authentication code in my time).
> >
> > No, AD uses Kerberos for its authentication protocol.

- Sorry to be pedantic, but AD supports SASL/GSSAPI using Kerberos V. You need a K5-based GSSAPI to talk to it. To talk to it using perl-ldap, you'd need a SASL and a Kerberos V GSSAPI module.

- Microsoft distributes some example code and libraries that will allow you to use the Netscape C SDK (version 3.1) to talk to AD. Unfortunately, you can't use the SASL framework in the Netscape SDK[1] to talk to AD. The MS stuff adds an extra bind call that does the LDAP SASL GSSAPI bind.

- I <think> it should be possible to use OpenLDAP 2.0 to talk to AD using SASL/GSSAPI, but I haven't had a chance to actually try it yet.

- Booker C. Bense

[1] Netscape has some very strange ideas about how to do SASL.
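Booker's route, a SASL/GSSAPI bind with Kerberos V, is the one that never puts a password on the wire at all. Here is an added example of that bind with Net::LDAP and Authen::SASL; it is my code, not Booker's and not the perl-ldap project's, and it uses the current modules rather than what existed in 2001. It assumes the GSSAPI CPAN module is installed (Authen::SASL's Perl GSSAPI mechanism is built on it), that the client can reach the domain's KDC, that a ticket is already in the credential cache (`kinit user@EXAMPLE.COM` beforehand), and it uses the placeholder DC name dc1.example.com and base DC=example,DC=com. The Who Am I extended operation it calls afterwards is supported by current AD versions.

```perl
#!/usr/bin/perl
# Added example (not from the thread): SASL/GSSAPI (Kerberos V) bind to
# Active Directory with Net::LDAP and Authen::SASL. Assumes the GSSAPI CPAN
# module is installed and a Kerberos ticket is already in the cache.
# Host and base DN are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SIZELIMIT_EXCEEDED);
use Net::LDAP::Extension::WhoAmI;
use Authen::SASL;

# Connect by the DC's DNS name, never its IP address: the GSSAPI mechanism
# requests a service ticket for ldap/<host>, and that name must match the
# servicePrincipalName registered for the domain controller.
my $server = 'dc1.example.com';      # assumed DC FQDN
my $base   = 'DC=example,DC=com';    # assumed naming context

my $ldap = Net::LDAP->new($server, version => 3, timeout => 10)
    or die "connect to $server failed: $@\n";

# GSSAPI negotiates a Kerberos context inside the LDAP bind. No password
# leaves the client; AD authenticates the principal whose ticket is cached.
# The eval catches the case where no GSSAPI mechanism can be loaded at all.
my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
my $mesg = eval { $ldap->bind(sasl => $sasl) }
    or die "SASL bind could not start (GSSAPI module missing or no ticket?): $@\n";
die sprintf("GSSAPI bind failed: %s (%d)\n", $mesg->error, $mesg->code)
    if $mesg->code;

# Ask the server which identity it actually authenticated (RFC 4532 Who Am I);
# this is the quickest way to confirm the ticket mapped to the expected account.
my $who = $ldap->who_am_i;
printf "authenticated as: %s\n", $who->response // '' unless $who->code;

# The search is the same as after a simple bind; AD applies the ACLs of the
# Kerberos principal. A size limit keeps a test run from walking the domain.
$mesg = $ldap->search(
    base      => $base,
    scope     => 'sub',
    filter    => '(&(objectCategory=person)(objectClass=user))',
    attrs     => [qw(sAMAccountName)],
    sizelimit => 50,
);
# sizeLimitExceeded still delivers the first 50 entries, so treat it as success.
die 'search failed: ' . $mesg->error . "\n"
    if $mesg->code && $mesg->code != LDAP_SIZELIMIT_EXCEEDED;

printf "%s\n", $_->get_value('sAMAccountName') // '' for $mesg->entries;
printf "Found %d entries\n", $mesg->count;
$ldap->unbind;
```

If the bind fails with a Kerberos error rather than an LDAP result code, the usual causes are a ticket for the wrong realm, clock skew beyond the domain's tolerance, or connecting by an alias or IP address for which no ldap/ SPN exists; `klist` and a connection by the DC's canonical hostname settle all three before touching Perl.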
From: <ma...@mj...> - 2001-04-23 21:26:06
|
I'm happy to eat crow if I'm wrong. Information on AD is hard to come by, in particular if you don't have one to play with.

Ok, you said:

On 23 Apr 01, at 12:10, Dave Mills wrote:

> To use a simple bind to AD with LDP specify the
> full DN of the user and the password, unchecking the "Domain" box, and
> then clicking "Advanced" and set the method to SIMPLE.

Where does one set this? And does this have to be on a per-user basis?

thanks,
Mark

Mark Wilcox
ma...@mj...
Got LDAP?
From: Rafael C. <Raf...@li...> - 2001-04-24 08:44:26
|
Sorry, I can connect to my ADS in clear text.... So Kerberos is not the only authentication protocol supported by ADS... rafael -----Original Message----- From: ma...@mj... [mailto:ma...@mj...] Sent: lundi, 23. avril 2001 19:50 To: per...@li... Subject: RE: Active directory and Perl-ldap Aha, just as I expected. One of the right things MS did with W2K is to realize that LDAP is not an authentication protocol, however, mightily we try to make it one (and keep in mind that I've written *alot* of LDAP authentication code in my time). No, AD uses Kerberos for its authentication protocol. As per, the LDAP specs, out of the box, Net::LDAP authenticates using simple bind (dn and password). Which AD doesn't support. The solution is to use the SASL module (but you'll probably have to code in your own Kerberos module for it) if AD supports SASL. If not, then we'll have to devise some other way. Mark On 23 Apr 01, at 13:17, William Richter wrote: > I've added the line: > die($mesg->error) if $mesg->code; > > after the bind. A non-authenticated login works fine, except I can't > see anything but root, but as soon as I hit the server with an > authenticated user, the error: AcceptSecurityContext occurs. I then > went back to LDP and found that by default, it connects using > NTML/Kerberos. I tried the alternate methods but they failed. My > question is, what method does Perl-ldap use and if this is the > problem, how do I change the authentication method? If on the other > hand, default authentication should work, any ideas why the server is > denying my credentials? I've tried this on two AD servers on site and > both fail. > > William Richter > Technology Specialist > Edinboro University of PA > 814-732-2931 > > -----Original Message----- > From: Rafael Corvalan [mailto:Raf...@li...] > Sent: Friday, April 20, 2001 5:41 AM > To: 'c-h...@ti...'; ri...@ed... > Cc: per...@li... 
> Subject: RE: Active directory and Perl-ldap
>
> [...]
>
> -----Original Message-----
> From: Clif Harden [mailto:cl...@di...]
> Sent: Thursday, 19 April 2001 23:24
> To: ri...@ed...
> Cc: per...@li...
> Subject: Re: Active directory and Perl-ldap
>
> > I am trying to access Active directory using Perl-ldap and I'm
> > having a problem.
> > Here is sample code:
> >
> > my $base = 'DC=edinboro,DC=edu';
> > my $filter = "(objectclass=*)";
> > my $attrs = (); # request all available attributes
> > my $scope = '0';
> >
> > my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";
> >
> > # bind to a directory with dn and password - makes no difference
> > # whether authenticated or not
> > $ldap->bind (dn => $admin,password => $password) or die "$@";
> >
> > $mesg = $ldap->search(
> >           scope => $scope,
> >           base => $base,
> >           filter => $filter,
> >           attrs => $attrs,
> >         );
> >
> > If I do a search, all I can manage to find is the base DN. If I change the
> > scope to 1, I retrieve nothing. If I change the scope to 'subtree',
> > all I retrieve are root entries. I see no cn or ou entries. Nor do I
> > retrieve anything if I set my base to cn=users,dn=edinboro,dn=edu.
> > I've run the same
> > search against ldap.itd.umich.edu and I can retrieve anything I
> > request. Also if I use MS LDP (even if not authenticated), the
> > search pulls the entries, as it is supposed to. I've checked
> > permissions on the server but I am at a loss. Is there anything
> > special I need to make Active Directory work
> > correctly with LDAP?
> >
> > Thanks in advance,
> >
> > William Richter
> > Technology Specialist, Edinboro University of PA 814-732-2931
>
> Try requesting a return attribute(s) in your request.
>
> attrs => ["*"],
>
> If I do what you have done all I get is a DN but no data.
>
> Regards,
>
> Clif Harden INTERNET: c-h...@ti...

Mark Wilcox
ma...@mj...
Got LDAP?
From: Dave M. <dm...@ju...> - 2001-04-25 17:15:27
> I'm happy to eat crow if I'm wrong. Information on AD is hard to
> come by in particular if you don't have one to play with.
>
> Ok, you said:
>
> On 23 Apr 01, at 12:10, Dave Mills wrote:
>
> > To use a simple bind to AD with LDP specify the
> > full DN of the user and the password, unchecking the "Domain" box, and
> > then clicking "Advanced" and set the method to SIMPLE.
> >
>
> Where does one set this?
> And does this have to be on a per user basis?
>

I'm referring to the LDP tool (which is Microsoft's LDAP tool) that comes with the Win2k support tools. The options are available by clicking the Advanced button after selecting "Bind". This has to be set each time you bind...

- Dave
From: Robbie A. <ra...@ci...> - 2001-04-26 15:26:36
I second the motion. You absolutely can connect to AD with a simple bind.

Robbie Allen

> -----Original Message-----
> From: Rafael Corvalan [mailto:Raf...@li...]
> Sent: Tuesday, April 24, 2001 1:44 AM
> To: per...@li...
> Subject: RE: Active directory and Perl-ldap
>
>
> Sorry, I can connect to my ADS in clear text....
> So Kerberos is not the only authentication protocol supported
> by ADS...
>
> rafael
>
> -----Original Message-----
> From: ma...@mj... [mailto:ma...@mj...]
> Sent: Monday, 23 April 2001 19:50
> To: per...@li...
> Subject: RE: Active directory and Perl-ldap
>
>
> Aha, just as I expected.
>
> One of the right things MS did with W2K is to realize that LDAP is
> not an authentication protocol, however mightily we try to make it
> one (and keep in mind that I've written *a lot* of LDAP
> authentication code in my time).
>
> No, AD uses Kerberos for its authentication protocol.
>
> As per the LDAP specs, out of the box, Net::LDAP authenticates
> using simple bind (dn and password). Which AD doesn't support.
>
> The solution is to use the SASL module (but you'll probably have to
> code in your own Kerberos module for it) if AD supports SASL.
>
> If not, then we'll have to devise some other way.
>
> Mark
>
> On 23 Apr 01, at 13:17, William Richter wrote:
>
> > I've added the line:
> > die($mesg->error) if $mesg->code;
> >
> > after the bind. A non-authenticated login works fine, except I can't
> > see anything but root, but as soon as I hit the server with an
> > authenticated user, the error: AcceptSecurityContext occurs. I then
> > went back to LDP and found that by default, it connects using
> > NTLM/Kerberos. I tried the alternate methods but they failed. My
> > question is, what method does Perl-ldap use and if this is the
> > problem, how do I change the authentication method? If on the other
> > hand, default authentication should work, any ideas why the server is
> > denying my credentials?
> > I've tried this on two AD servers on site and
> > both fail.
> >
> > William Richter
> > Technology Specialist
> > Edinboro University of PA
> > 814-732-2931
>
> [...]
From: Fox <ld...@cd...> - 2001-04-26 17:30:34
Here is how I connect to a brand spanking new Active Directory server I set up, authenticating clear text with rights to add users (I added 12,000). The tricky part is getting the whole user dn correct. Just substitute your domain for mckee.com and you should have a winner.

Fox
ld...@cd...

#!/usr/bin/perl

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Entry;

# ------> Declare leconte ldap server
my $ldap = Net::LDAP->new('ranier.mckee.com') or die "$@";

# You must bind with write rights to add an entry.
# bind() returns a Net::LDAP::Message; its error() text reads "Success"
# when the credentials were accepted, otherwise the server's diagnostic.
my $mesg = $ldap->bind('cn=Administrator,cn=Users,dc=McKee,dc=com',
                       password => 'mypassword');
print "Connecting to ldap server... " . $mesg->error . "\n";

----- Original Message -----
From: "Robbie Allen" <ra...@ci...>
To: <per...@li...>
Sent: Thursday, April 26, 2001 11:26 AM
Subject: RE: Active directory and Perl-ldap

> I second the motion. You absolutely can connect to AD with a simple bind.
>
> Robbie Allen
>
> > -----Original Message-----
> > From: Rafael Corvalan [mailto:Raf...@li...]
> > Sent: Tuesday, April 24, 2001 1:44 AM
> > To: per...@li...
> > Subject: RE: Active directory and Perl-ldap
> >
> >
> > Sorry, I can connect to my ADS in clear text....
> > So Kerberos is not the only authentication protocol supported
> > by ADS...
> >
> > rafael
> >
> > -----Original Message-----
> > From: ma...@mj... [mailto:ma...@mj...]
> > Sent: Monday, 23 April 2001 19:50
> > To: per...@li...
> > Subject: RE: Active directory and Perl-ldap
> >
> >
> > Aha, just as I expected.
> >
> > One of the right things MS did with W2K is to realize that LDAP is
> > not an authentication protocol, however mightily we try to make it
> > one (and keep in mind that I've written *a lot* of LDAP
> > authentication code in my time).
> >
> > No, AD uses Kerberos for its authentication protocol.
> >
> > As per the LDAP specs, out of the box, Net::LDAP authenticates
> > using simple bind (dn and password). Which AD doesn't support.
> > [...]
From: Robbie A. <ra...@ci...> - 2001-04-26 17:52:38
As far as the user dn, you can use the UPN (User Principal Name) instead. Just change:

> $ldap->bind('cn=Administrator,cn=Users,dc=McKee,dc=com', password =>

to:

> $ldap->bind('Adm...@Mc...', password =>

Makes for a portable AD app, just not a portable LDAP app ;-)

Robbie Allen

> -----Original Message-----
> From: Fox [mailto:ld...@cd...]
> Sent: Thursday, April 26, 2001 10:30 AM
> To: per...@li...
> Subject: Re: Active directory and Perl-ldap
>
>
> Here is how I connect to a brand spanking new Active
> Directory server I set
> up authenticating clear text with rights to add users (I
> added 12,000). The
> tricky part is getting the whole user dn correct. Just
> substitute your
> domain for mckee.com and you should have a winner.
>
> Fox
> ld...@cd...
>
> #!/usr/bin/perl
>
> use Net::LDAP;
> use Net::LDAP::Entry;
>
> # ------> Declare leconte ldap server
> $ldap = Net::LDAP->new('ranier.mckee.com') or die "$@";
> # You must bind with write rights to add an entry
> $mesg =
> $ldap->bind('cn=Administrator,cn=Users,dc=McKee,dc=com', password =>
> 'mypassword');
> print "Connecting to ldap server... " . $mesg->error . "\n";
>
>
>
> ----- Original Message -----
> From: "Robbie Allen" <ra...@ci...>
> To: <per...@li...>
> Sent: Thursday, April 26, 2001 11:26 AM
> Subject: RE: Active directory and Perl-ldap
>
>
> > I second the motion. You absolutely can connect to AD with
> a simple bind.
> >
> > Robbie Allen
> >
> > > -----Original Message-----
> > > From: Rafael Corvalan [mailto:Raf...@li...]
> > > Sent: Tuesday, April 24, 2001 1:44 AM
> > > To: per...@li...
> > > Subject: RE: Active directory and Perl-ldap
> > >
> > >
> > > Sorry, I can connect to my ADS in clear text....
> > > So Kerberos is not the only authentication protocol supported
> > > by ADS...
> > >
> > > rafael
> > >
> > > [...]
From: <ma...@mj...> - 2001-04-23 18:06:19
Aha, just as I expected. One of the right things MS did with W2K is to realize that LDAP is not an authentication protocol, however mightily we try to make it one (and keep in mind that I've written *a lot* of LDAP authentication code in my time). No, AD uses Kerberos for its authentication protocol. As per the LDAP specs, out of the box, Net::LDAP authenticates using simple bind (dn and password). Which AD doesn't support. The solution is to use the SASL module (but you'll probably have to code in your own Kerberos module for it) if AD supports SASL. If not, then we'll have to devise some other way.

Mark

On 23 Apr 01, at 13:17, William Richter wrote:

> I've added the line:
>   die($mesg->error) if $mesg->code;
>
> after the bind. A non-authenticated login works fine, except I can't
> see anything but root, but as soon as I hit the server with an
> authenticated user, the error: AcceptSecurityContext occurs. I then
> went back to LDP and found that by default, it connects using
> NTLM/Kerberos. I tried the alternate methods but they failed. My
> question is, what method does Perl-ldap use and if this is the
> problem, how do I change the authentication method? If on the other
> hand, default authentication should work, any ideas why the server is
> denying my credentials? I've tried this on two AD servers on site and
> both fail.
>
> William Richter
> Technology Specialist
> Edinboro University of PA
> 814-732-2931
>
> -----Original Message-----
> From: Rafael Corvalan [mailto:Raf...@li...]
> Sent: Friday, April 20, 2001 5:41 AM
> To: 'c-h...@ti...'; ri...@ed...
> Cc: per...@li...
> Subject: RE: Active directory and Perl-ldap
>
> You should be able to get your entries without requesting ["*"] for
> the attributes.
>
> I'm not really a specialist, but here are my comments:
>
> 1) I think you have problems with the authentication. Check your
> credentials. Are you sure you are using
>   $admin = "CN=XXXX, CN=Users, DC=edinboro, DC=com"
> as your credentials?
> If you have authentication failure, you will not see it (see
> point 2).
>
> 2) The bind method returns a Net::LDAP::Bind object, so unless the
> bind method returns "undefined" (I don't think it can do so),
> avoid writing:
>   bind(...) or die(...);
> In other words, try binding with wrong credentials, and you will
> see, the die() will not be called. I prefer to use:
>
>   $mesg = bind(....);
>   die($mesg->error) if $mesg->code;
>
> 3) I think that using normal settings, the DC=company, DC=com tree
> and DC=Users, DC=company, DC=com tree are protected in ADS. You
> must bind with a valid user to get something, they are not
> accessible anonymously. I think that if you do not see anything
> it's because you have authentication failure.
>
> 4) Use protocol version 3. It's better since version 2 doesn't know
> about referrals. To do that, use "version => 3" as one of the
> parameters in the bind() call.
>
> 5) I'm disappointed regarding MS LDP.... Using the Microsoft
> "Active Directory Administration Tool", I only get the base DN when
> connected without calling bind (and referrals too). Are you sure
> that MS LDAP doesn't connect using "transparent" login, forwarding
> your credentials to ADS? (Using Kerberos or NTLM).
>
> 6) This is an example that works for me. I hope it will do so
> for you:
>
> =========================================
> === Example starts here ===
> =========================================
>
> #!/usr/bin/perl -w
>
> use Net::LDAP;
> use strict;
>
> # Comment the following line to log on anonymously
> my $admin = 'cn=testrco, cn=Users, dc=linkvest, dc=com';
>
> # Comment one of the following two lines (Base DN)
> my $base = 'CN=Users, DC=linkvest, DC=com';
> #my $base = 'DC=linkvest, DC=com';
>
> my $ldapserver = 'ads.linkvest.com';
> my $password = 'XXXXXXXX';
> my $version = 3;
>
> my $filter = "(objectclass=*)";
> my $scope = '1';
>
> my $mesg;
>
> # CONNECTION
> my $ldap = Net::LDAP->new($ldapserver) or die "$@";
>
> # BIND
> if (defined $admin) {
>     $mesg = $ldap->bind ( dn => $admin,
>                           password => $password,
>                           version => $version);
> } else {
>     $mesg = $ldap->bind ( noauth => 1,
>                           version => $version);
> }
>
> die($mesg->error) if $mesg->code;
>
> # SEARCH
> $mesg = $ldap->search( scope => $scope,
>                        base => $base,
>                        filter => $filter);
> die($mesg->error) if $mesg->code;
>
> # RESULTS
> foreach my $entry ($mesg->entries) { $entry->dump; }
> printf("====\nFound %d entries\n", $mesg->count);
>
> =======================================
> === Example ends here ===
> =======================================
>
> Hope it helps.
>
> Rafael
>
> ________________________________________________________
> Rafael Corvalan
> Systems & Networks Competence Center Manager
> Linkvest SA
> Av des Baumettes 19, 1020 Renens Switzerland
> Tel: +41 21 632 90 00 Fax: +41 21 632 90 90
> http://www.linkvest.com Raf...@li...
> ________________________________________________________
>
> -----Original Message-----
> From: Clif Harden [mailto:cl...@di...]
> Sent: Thursday, 19. April 2001 23:24
> To: ri...@ed...
> Cc: per...@li...
> Subject: Re: Active directory and Perl-ldap
>
> > I am trying to access Active directory using Perl-ldap and I'm
> > having a problem. Here is sample code:
> >
> > my $base = 'DC=edinboro,DC=edu';
> > my $filter = "(objectclass=*)";
> > my $attrs = (); # request all available attributes
> > my $scope = '0';
> >
> > my $ldap = Net::LDAP->new($ldapserver,debug=>$DEBUG) or die "$@";
> >
> > # bind to a directory with dn and password - makes no difference
> > # whether authenticated or not
> > $ldap->bind (dn => $admin,password => $password) or die "$@";
> >
> > $mesg = $ldap->search(
> >         scope => $scope,
> >         base => $base,
> >         filter => $filter,
> >         attrs => $attrs,
> > );
> >
> > If I do a search, all I can manage to find is the base DN. If I
> > change the scope to 1, I retrieve nothing. If I change the scope to
> > 'subtree', all I retrieve are root entries. I see no cn or ou
> > entries. Nor do I retrieve anything if I set my base to
> > cn=users,dn=edinboro,dn=edu. I've run the same search against
> > ldap.itd.umich.edu and I can retrieve anything I request. Also if I
> > use MS LDP (even if not authenticated), the search pulls the
> > entries, as it is supposed to. I've checked permissions on the
> > server but I am at a loss. Is there anything special I need to make
> > Active Directory work correctly with LDAP?
> >
> > Thanks in advance,
> >
> > William Richter
> > Technology Specialist, Edinboro University of PA 814-732-2931
>
> Try requesting a return attribute(s) in your request.
>
> attrs => ["*"],
>
> If I do what you have done all I get is a DN but no data.
>
> Regards,
>
> Clif Harden INTERNET: c-h...@ti...

Mark Wilcox
ma...@mj...
Got LDAP?
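The thread above turns on two points: a `bind(...) or die` never fires because `bind` always returns a message object (Rafael's point 2), so a failed authentication silently degrades into an anonymous session that cannot read the `CN=Users` container; and AD answers a bad simple bind with result code 49 and an "AcceptSecurityContext" diagnostic, which is the error William sees. The script below is an added example, not code from any message in the thread, that puts those points together in a fail-closed form: version 3 at connect time, `start_tls` so the simple-bind password does not cross the wire in clear text, every result code checked, and an optional SASL/GSSAPI branch for the Kerberos route Mark describes. The host name, bind DN, base DN, CA bundle path, the `LDAP_PASSWORD` environment variable and the `check` helper are all assumptions for illustration, not values from the thread.

```perl
#!/usr/bin/perl
# Added example (not from the thread): query AD with every LDAP result checked.
# Host, DNs, CA path and the LDAP_PASSWORD variable are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name);

my $ldapserver = 'dc1.example.test';                           # placeholder host
my $admin      = 'CN=ldapreader,CN=Users,DC=example,DC=test';  # placeholder DN
my $base       = 'CN=Users,DC=example,DC=test';                # placeholder base
my $cafile     = '/etc/ssl/certs/ca-bundle.crt';               # placeholder CA bundle
my $password   = $ENV{LDAP_PASSWORD};                          # never hard-code it
my $use_gssapi = 0;   # 1 = Kerberos via SASL, 0 = simple bind over TLS

# RFC 4513 treats a DN with an empty password as an *unauthenticated* bind and
# AD accepts it as anonymous, so refuse to continue rather than silently
# downgrade.
die "set LDAP_PASSWORD in the environment\n"
    unless $use_gssapi or (defined $password and length $password);

# Protocol version 3 at connect time (point 4 in the thread); version 2
# does not understand the referrals AD returns for some sub-trees.
my $ldap = Net::LDAP->new($ldapserver, version => 3)
    or die "connect to $ldapserver failed: $@\n";

# A simple bind sends the password in clear text; upgrade to TLS first and
# require a server certificate that chains to our CA bundle.
check($ldap->start_tls(verify => 'require', cafile => $cafile), 'start_tls');

# Bind: inspect the result code, not the return value. bind() always returns
# a Net::LDAP::Message, so "bind(...) or die" never fires (point 2).
my $mesg;
if ($use_gssapi) {
    require Authen::SASL;                                  # Kerberos route
    $mesg = $ldap->bind(sasl => Authen::SASL->new(mechanism => 'GSSAPI'));
} else {
    $mesg = $ldap->bind($admin, password => $password);    # simple bind
}
check($mesg, 'bind');

# Explicit scope and attribute list; an empty result here after a bind that
# was never checked is the symptom described in the thread.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'one',
    filter => '(objectClass=user)',
    attrs  => [ 'cn', 'sAMAccountName', 'userPrincipalName' ],
);
check($mesg, 'search');

for my $entry ($mesg->entries) {
    printf "%s\t%s\n", $entry->dn, $entry->get_value('sAMAccountName') // '';
}
printf "==== %d entries\n", $mesg->count;
$ldap->unbind;

# Die with the symbolic LDAP result name and the server's diagnostic text.
# Code 49 (invalidCredentials) with "AcceptSecurityContext" in the text is
# AD's reply to a rejected simple bind.
sub check {
    my ($m, $what) = @_;
    return unless $m->code;
    die sprintf("%s failed: %s (%d): %s\n",
        $what, ldap_error_name($m->code), $m->code, $m->error);
}
```

Run it with `LDAP_PASSWORD='...' perl ad-query.pl` (the file name is arbitrary); with a wrong password it stops at the bind with the code-49 message instead of printing "0 entries", which is the difference between a diagnosable failure and the silent one the thread spent three messages chasing.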