From: Chris R. <Chr...@me...> - 2000-05-04 10:46:19
On Thu, 04 May 2000 11:19:51 BST, tim fulcher wrote:
>
> Hi,
>
> I'm trying to write a class which registers and subsequently checks
> itself against a LDAP server.
>
> Firstly, I seem to be able to bind to the server OK when I supply a dn
> for an object that doesn't yet exist, which seems to be contradictory to
> trying, say a command line ldapsearch using the same dn as a bind
> argument. (that gives no such object).
>
> So once I've bound OK, I do a search based on the cn, and if just one
> entry comes back I do the compare on it as follows:
>
> $cr = $self->{ldap}->compare ( $self->{searchresult}->entry(0) ,
>        attr => 'port', value => $self->port(),
>        attr => 'ipaddress', value => $self->ipaddress(),
>        attr => 'seedfile', value =>$self->seedfile()
>      );
>
> print "compare returned code: ", $cr->code, " & error: ", $cr->error,
> "\n";
>
> Can you not supply multiple attributes to a compare operation ?

The protocol does not permit this. You would probably have to issue three
compare operations in your example, and AND together the results.

Alternatively, just issue a more complex search:

&((cn=whatever)(port=blah)(ipaddress=foo)(seedfile=bletch))

> When I run this I get compare true (code 6), even though as shown below,
> my object attributes differ. When I run compare with just one attribute
> it rightly gives a false result. Will I have to do the compare for each
> attribute separately?

Yes. Also the way Net::LDAP parses parameters to methods (it converts them
into a hash) will mean that only one of your attr settings is being used.
Dunno which one though, but if you created the Net::LDAP object with
debug => 3 this might help you work it out.

> The output fragment below prints out its attributes, does a search and
> if 1 entry returned, calls the code above.
>
>
> ldaptest.pl
>
> service foob
> port 8190
> ip 132.146.3.99
> seedfile /tmp/cdb
> mdn is cn='foob',dc='nip',dc='services'
> bind returned code: 0 & error:
>
> query = (cn=foob)
> search returned code: 0 & error:
>
> ------------------------------------------------------------------------
>
> dn:cn=foob, dc=nip, dc=services
>
> cn: foob
> port: 8192
> description: guinea pig
> seedfile: /tmp/cdb
> ipaddress: 132.146.3.78
> userpassword: {md5}0IcaK1PGLeXgRv7eQvP3qw==
> objectclass: AppServer
>
> search returned code: 0 & error:
> I found me
> compare returned code: 6 & error:
>
>
> btw, I'm using openldap 1.2.9. My db ACL is access * by self write by
> * read

I'm not sure what that ACL means, but you *may* have to grant access to
compare certain attributes as well. The only standard access control model
around at the moment can set different permissions for compare, searching,
and reading.

The other thought that springs to mind is, does comparing a password held
by the server in MD5 require that the compare operation send the plaintext
password, or something else?

> cheers
>
>
> Tim
>

Cheers,

Chris
From: Graham B. <gb...@po...> - 2000-05-04 13:09:36
----- Forwarded message from Graham Barr <gb...@po...> -----

Date: Thu, 4 May 2000 13:27:26 +0100
From: Graham Barr <gb...@po...>
To: tim fulcher <ful...@dr...>
Subject: Re: query on ldap->bind & ldap->compare
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <391...@dr...>

On Thu, May 04, 2000 at 01:09:34PM +0100, tim fulcher wrote:
> Graham Barr wrote:
>
> > On Thu, May 04, 2000 at 11:19:51AM +0100, tim fulcher wrote:
> > >
> > > Hi,
> > >
> > > I'm trying to write a class which registers and subsequently checks
> > > itself against a LDAP server.
> > >
> > > Firstly, I seem to be able to bind to the server OK when I supply a dn
> > > for an object that doesn't yet exist, which seems to be contradictory to
> > > trying, say a command line ldapsearch using the same dn as a bind
> > > argument. (that gives no such object).
> >
> > Can you post the code you use to bind and how you check that the bind
> > succeeded.
>
> $br = $self->{ldap}->bind( $self->{mydn}, passwd => $self->{service} );

passwd is not a valid option, you need password. This will result in
bind doing an anonymous bind.

We need to catch this, but I do not want to add option name verification
to all the methods as that will slow things down (too much IMO).

Maybe an anonymous bind should be explicitly specified. ie none, password or sasl
must be given and password => '' is illegal (it must be none)

Does anyone have any thoughts ?

> > > Can you not supply multiple attributes to a compare operation ?
> >
> > No, LDAP only supports the compare of a single attribute at a time.
>
> Yeah, OK, I've fixed that so the compare only does one attr at a time.

As suggested by Chris, it may be better to do a search using the given
dn as a base and a scope of 'one'

This would mean only one request would be sent to the server.

Graham.

----- End forwarded message -----
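An added example, not code from the thread or from Net::LDAP itself, that puts both suggestions above into Perl: Chris's "one compare per attribute, AND the results" and the single-search alternative with an AND filter that Graham also recommends. It first shows, in plain Perl, why the three attr/value pairs in the original compare call collapsed to one. Host, DN, password and attribute values are constructed placeholders; the search uses scope 'base' on the entry's own DN (this example's choice, since the aim is to read that entry itself), and escape_filter_value from Net::LDAP::Util is applied so that a configuration value containing filter metacharacters cannot change what the filter matches.

```perl
#!/usr/bin/perl
# Added example (not from the thread): checking several attributes of an
# entry with Net::LDAP.  Server, DN, password and values are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_COMPARE_TRUE);

# The pitfall from the thread, in plain Perl: assigning an argument list to
# a hash keeps only the *last* value for a repeated key, so of three
# attr/value pairs only one survives.  No server is needed to see this.
sub last_pair_wins {
    my %opts = @_;
    return ( $opts{attr}, $opts{value} );
}

# Build an AND filter that matches only when every expected value is
# present.  Values are escaped so '*', '(' or ')' coming from configuration
# cannot alter the meaning of the filter.
sub build_verify_filter {
    my (%expected) = @_;
    my $filter = '(&';
    for my $attr (sort keys %expected) {
        $filter .= sprintf '(%s=%s)', $attr, escape_filter_value($expected{$attr});
    }
    return $filter . ')';
}

# Option 1: one compare request per attribute, results ANDed.  Returns 1
# only if every compare came back LDAP_COMPARE_TRUE (code 6); any other
# code, including an access-control error, yields 0 so that "no answer"
# is never read as a match.
sub compare_each {
    my ($ldap, $dn, %expected) = @_;
    for my $attr (sort keys %expected) {
        my $mesg = $ldap->compare($dn, attr => $attr, value => $expected{$attr});
        return 0 unless $mesg->code == LDAP_COMPARE_TRUE;
    }
    return 1;
}

# Option 2: a single base-scope search on the entry's own DN with the AND
# filter.  Exactly one entry back means all values matched; attrs '1.1'
# asks the server to return no attribute values, only the match.
sub verify_by_search {
    my ($ldap, $dn, %expected) = @_;
    my $mesg = $ldap->search(
        base   => $dn,
        scope  => 'base',
        filter => build_verify_filter(%expected),
        attrs  => ['1.1'],
    );
    return 0 unless $mesg->code == LDAP_SUCCESS;
    return $mesg->count == 1 ? 1 : 0;
}

# Offline part: show which pair survives the list-to-hash conversion.
my ($attr, $val) = last_pair_wins(
    attr => 'port',      value => 8190,
    attr => 'ipaddress', value => '132.146.3.99',
    attr => 'seedfile',  value => '/tmp/cdb',
);
print "only attr '$attr' => '$val' reaches the server\n";
print 'filter: ', build_verify_filter(port => 8190, seedfile => '/tmp/cdb'), "\n";

# Against a real server: perl this.pl HOST DN PASSWORD (all placeholders).
if (@ARGV == 3) {
    my ($host, $dn, $password) = @ARGV;
    my $ldap = Net::LDAP->new($host) or die "cannot connect to $host: $@";
    my $bind = $ldap->bind($dn, password => $password);   # 'password', not 'passwd'
    die 'bind failed: ' . $bind->error . "\n" if $bind->code != LDAP_SUCCESS;

    my %expected = (port => 8190, ipaddress => '132.146.3.99', seedfile => '/tmp/cdb');
    printf "compare_each:     %s\n", compare_each($ldap, $dn, %expected) ? 'match' : 'mismatch';
    printf "verify_by_search: %s\n", verify_by_search($ldap, $dn, %expected) ? 'match' : 'mismatch';
    $ldap->unbind;
}
```

The two helpers deliberately return 0 on any non-success code rather than inspecting $mesg->error: as Chris notes, a server may grant read but not compare permission on some attributes, and that case must read as "not verified", not as a match.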
From: Chris R. <Chr...@me...> - 2000-05-04 13:51:26
On Thu, 04 May 2000 14:07:30 BST, Graham Barr wrote:
> ----- Forwarded message from Graham Barr <gb...@po...> -----
>
> Date: Thu, 4 May 2000 13:27:26 +0100
> From: Graham Barr <gb...@po...>
> To: tim fulcher <ful...@dr...>
> Subject: Re: query on ldap->bind & ldap->compare
> X-Mailer: Mutt 1.0pre3i
> In-Reply-To: <391...@dr...>
>
> On Thu, May 04, 2000 at 01:09:34PM +0100, tim fulcher wrote:
> > Graham Barr wrote:
> >
> > > On Thu, May 04, 2000 at 11:19:51AM +0100, tim fulcher wrote:
> > > >
> > > > Hi,
> > > >
> > > > I'm trying to write a class which registers and subsequently checks
> > > > itself against a LDAP server.
> > > >
> > > > Firstly, I seem to be able to bind to the server OK when I supply a dn
> > > > for an object that doesn't yet exist, which seems to be contradictory to
> > > > trying, say a command line ldapsearch using the same dn as a bind
> > > > argument. (that gives no such object).
> > >
> > > Can you post the code you use to bind and how you check that the bind
> > > succeeded.
> > >
> > $br = $self->{ldap}->bind( $self->{mydn}, passwd => $self->{service} );
>
> passwd is not a valid option, you need password. This will result in
> bind doing an anonymous bind.
>
> We need to catch this, but I do not want to add option name verification
> to all the methods as that will slow things down (too much IMO).
>
> Maybe an anonymous bind should be explicitly specified. ie none, password or sasl
> must be given and password => '' is illegal (it must be none)
>
> Does anyone have any thoughts ?

That makes sense. Something like a 'method' parameter, with values
'anonymous'/'none' (empty name + empty password), 'nameonly' (name +
empty password), 'simple' (name + password), or 'sasl' (erm, "stuff").

The current default of 'none' should be kept.

Cheers,

Chris
From: Graham B. <gb...@po...> - 2000-05-04 14:14:40
On Thu, May 04, 2000 at 02:49:22PM +0100, Chris Ridd wrote:
> > > > > $br = $self->{ldap}->bind( $self->{mydn}, passwd => $self->{service} );
> >
> > passwd is not a valid option, you need password. This will result in
> > bind doing an anonymous bind.
> >
> > We need to catch this, but I do not want to add option name verification
> > to all the methods as that will slow things down (too much IMO).
> >
> > Maybe an anonymous bind should be explicitly specified. ie none, password or sasl
> > must be given and password => '' is illegal (it must be none)
> >
> > Does anyone have any thoughts ?
>
> That makes sense. Something like a 'method' parameter, with values
> 'anonymous'/'none' (empty name + empty password), 'nameonly' (name +
> empty password), 'simple' (name + password), or 'sasl' (erm, "stuff").

Hm, you mean split the method and password into two like

  method => 'sasl', password => $sasl
  method => 'anonymous'
  method => 'simple', password => $pass

was just thinking of requiring one of sasl anon (none anonymous whatever) or
simple to be passed. This gives compatibility with the current syntax and
gives checking too. Also a password of '' should probably not be allowed
with simple.

> The current default of 'none' should be kept.

You mean anonymous bind if no method is given ? That would leave
us where we are now if someone misspells method. I would rather
require a method parameter.

Graham.
From: Chris R. <Chr...@me...> - 2000-05-04 14:45:40
On Thu, 04 May 2000 15:12:54 BST, Graham Barr wrote:
> On Thu, May 04, 2000 at 02:49:22PM +0100, Chris Ridd wrote:
> > That makes sense. Something like a 'method' parameter, with values
> > 'anonymous'/'none' (empty name + empty password), 'nameonly' (name +
> > empty password), 'simple' (name + password), or 'sasl' (erm, "stuff").
>
> Hm, you mean split the method and password into two like
>
>   method => 'sasl', password => $sasl
>   method => 'anonymous'
>   method => 'simple', password => $pass

Yes, but still including 'dn'.

> was just thinking of requiring one of sasl anon (none anonymous whatever) or
> simple to be passed. This gives compatibility with the current syntax and
> gives checking too. Also a password of '' should probably not be allowed
> with simple.

I think we're saying the same thing.

Examples:

  bind(method => 'none')
  bind(method => 'simple',
       dn => 'blah', password => 'blah')
  bind(method => 'nameonly',
       dn => 'blah')
  bind(method => 'sasl',
       dn => 'blah', ... more stuff for SASL ... )

Bind can look at method and do whatever checking it wants on the other
parameters, like checking for empty passwords in certain cases.

> > The current default of 'none' should be kept.
>
> You mean anonymous bind if no method is given ? That would leave
> us where we are now if someone misspells method. I would rather
> require a method parameter.

Oh yeah :-) Sorry I must have been thinking about something else...

> Graham.

Chris
From: Mark W. <mew...@un...> - 2000-05-04 14:57:10
On Thu, 4 May 2000, Chris Ridd wrote:
>
> > was just thinking of requiring one of sasl anon (none anonymous whatever) or
> > simple to be passed. This gives compatibility with the current syntax and
> > gives checking too. Also a password of '' should probably not be allowed
> > with simple.
>
> I think we're saying the same thing.
>
> Examples:
>
>   bind(method => 'none')
>   bind(method => 'simple',
>        dn => 'blah', password => 'blah')
>   bind(method => 'nameonly',
>        dn => 'blah')
>   bind(method => 'sasl',
>        dn => 'blah', ... more stuff for SASL ... )

+1 from me.

> Bind can look at method and do whatever checking it wants on the other
> parameters, like checking for empty passwords in certain cases.
>
> > > The current default of 'none' should be kept.
> >
> > You mean anonymous bind if no method is given ? That would leave
> > us where we are now if someone misspells method. I would rather
> > require a method parameter.
>
> Oh yeah :-) Sorry I must have been thinking about something else...
>

By not allowing us to use blank passwords (except for none) I think this
will eliminate one more critical LDAP programming mistake (wish other APIs
would follow this path).

Mark

> > Graham.
>
> Chris
>
>
From: Graham B. <gb...@po...> - 2000-05-04 16:05:45
On Thu, May 04, 2000 at 03:43:27PM +0100, Chris Ridd wrote:
> I think we're saying the same thing.
>
> Examples:
>
>   bind(method => 'none')
>   bind(method => 'simple',
>        dn => 'blah', password => 'blah')
>   bind(method => 'nameonly',
>        dn => 'blah')
>   bind(method => 'sasl',
>        dn => 'blah', ... more stuff for SASL ... )
>
> Bind can look at method and do whatever checking it wants on the other
> parameters, like checking for empty passwords in certain cases.

Yes. And for now if method does not exist we can be compatible and give
a warning.

Anyone want to submit a patch

Graham.
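An added example, not code from the thread or from Net::LDAP itself: a wrapper in Perl that implements the explicit method interface Chris lists above on top of the existing Net::LDAP bind, with the checks Graham and Mark ask for. It requires method, rejects any option name that is not valid for that method (so the passwd typo from earlier in the thread becomes an error instead of a silent anonymous bind), rejects an empty password for simple, and refuses nameonly outright because a name with an empty password is an unauthenticated bind; refusing it is this example's choice, not the thread's. Only Net::LDAP's new and bind (with the password or sasl option) are used; DN and password values are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a bind wrapper with an explicit,
# validated 'method' parameter.  DN and password values are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Option names allowed for each method.  Anything else (for example the
# 'passwd' typo) is rejected rather than silently ignored.
my %ALLOWED = (
    none   => {},
    simple => { dn => 1, password => 1 },
    sasl   => { dn => 1, sasl => 1 },
);

# Pure validation, no network traffic.  Returns undef when the arguments
# are acceptable, otherwise a string describing the problem.
sub check_bind_args {
    my (%args) = @_;
    my $method = delete $args{method};
    return 'method parameter is required (none, simple or sasl)' unless defined $method;
    return 'nameonly (unauthenticated) bind is refused by this wrapper' if $method eq 'nameonly';
    return "unknown bind method '$method'" unless exists $ALLOWED{$method};
    for my $opt (sort keys %args) {
        return "option '$opt' is not valid for method '$method'"
            unless $ALLOWED{$method}{$opt};
    }
    if ($method eq 'simple') {
        return 'simple bind requires a dn'
            unless defined $args{dn} && length $args{dn};
        return 'simple bind requires a non-empty password'
            unless defined $args{password} && length $args{password};
    }
    if ($method eq 'sasl') {
        return 'sasl bind requires a sasl object' unless ref $args{sasl};
    }
    return;
}

# Perform the bind.  Dies on bad arguments so a mistake can never turn into
# an anonymous bind, and dies on a non-success result code so the caller
# cannot continue as if authenticated.
sub safe_bind {
    my ($ldap, %args) = @_;
    my $problem = check_bind_args(%args);
    die "safe_bind: $problem\n" if defined $problem;

    my $mesg;
    if ($args{method} eq 'none') {
        $mesg = $ldap->bind;                                        # anonymous
    } elsif ($args{method} eq 'simple') {
        $mesg = $ldap->bind($args{dn}, password => $args{password});
    } else {
        $mesg = $ldap->bind($args{dn}, sasl => $args{sasl});
    }
    die 'bind failed: ' . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;
    return $mesg;
}

# Offline demonstration of the checks (placeholder DN and passwords).
my $dn = 'cn=foob,dc=nip,dc=services';
for my $args (
    { method => 'simple', dn => $dn, password => 'secret' },   # accepted
    { method => 'simple', dn => $dn, password => '' },         # empty password
    { method => 'simple', dn => $dn, passwd   => 'secret' },   # the passwd typo
    { dn => $dn, password => 'secret' },                       # method missing
    { method => 'nameonly', dn => $dn },                       # refused
    { method => 'none' },                                      # accepted
) {
    my $problem = check_bind_args(%$args);
    print defined $problem ? "rejected: $problem\n" : "accepted\n";
}

# Against a real server (placeholder host and credentials):
#   my $ldap = Net::LDAP->new('ldap.example.com') or die $@;
#   safe_bind($ldap, method => 'simple', dn => $dn, password => 'secret');
```

Both failure paths die rather than return a false value: a caller that checks only $mesg->code, as the scripts in this thread do, would otherwise see the success code of an anonymous bind and carry on.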
From: Jim H. <ha...@us...> - 2000-05-04 17:26:35
> Yes. And for now if method does not exist we can be compatible and give
> a warning.

This seems that it would eventually break every currently existing script,
since method isn't used. Arghh!!

--Jim Harle

On Thu, 4 May 2000, Graham Barr wrote:
> On Thu, May 04, 2000 at 03:43:27PM +0100, Chris Ridd wrote:
> > I think we're saying the same thing.
> >
> > Examples:
> >
> >   bind(method => 'none')
> >   bind(method => 'simple',
> >        dn => 'blah', password => 'blah')
> >   bind(method => 'nameonly',
> >        dn => 'blah')
> >   bind(method => 'sasl',
> >        dn => 'blah', ... more stuff for SASL ... )
> >
> > Bind can look at method and do whatever checking it wants on the other
> > parameters, like checking for empty passwords in certain cases.
>
> Yes. And for now if method does not exist we can be compatible and give
> a warning.
>
> Anyone want to submit a patch
>
> Graham.
>
>
From: Graham B. <gb...@po...> - 2000-05-04 17:52:24
On Thu, May 04, 2000 at 01:26:16PM -0400, Jim Harle wrote:
> > Yes. And for now if method does not exist we can be compatible and give
> > a warning.
>
> This seems that it would eventually break every currently existing script,
> since method isn't used. Arghh!!
> --Jim Harle

Yes, but I have said before Net::FTP is still alpha and as such can change.

Although scripts would not break until the backwards compat is removed, which
would not be for quite a while.

Graham.
From: Graham B. <gb...@po...> - 2000-05-04 20:23:43
On Thu, May 04, 2000 at 06:50:41PM +0100, Graham Barr wrote:
> On Thu, May 04, 2000 at 01:26:16PM -0400, Jim Harle wrote:
> > > Yes. And for now if method does not exist we can be compatible and give
> > > a warning.
> >
> > This seems that it would eventually break every currently existing script,
> > since method isn't used. Arghh!!
> > --Jim Harle
>
> Yes, but I have said before Net::FTP is still alpha and as such can change.

Someone give me coffee :)

Graham.