From: <Sim...@wi...> - 2000-05-25 17:48:29
|
Dear all,

I'm having some difficulty with ldap->bind which I hope someone can help me with.

In the following code I am binding to an ldap server, doing a search for a dn and then binding again with the resulting dn.

I'm writing routines to provide web-site authorisation, based on Apache::AuthCookie and Apache::Session and some code ideas from Apache::AuthNetLdap too :-)

I am using Net::NetLDAP v0.18 and Convert::ASN1 0.06
Perl is 5.6.0 and the LDAP server is Novell's eDirectory for NT

Basically what seems to happen is that the second bind is not transmitting the password I've given it, so the ldap server decides it is an anonymous bind and it does that and returns success.

Any ideas?

I've also attached the relevant output pack from debug and also a trace from the LDAP server which bears this out.

All help would be appreciated as I'm now completely stuck!

Simon Wilcox.

-------------------CODE--------------
#!/perl/5.6.0/bin/mswin32-x86/perl.exe -w
use strict;
use Net::LDAP;

my $lookdn     = "cn=nexusadm,ou=SysUsers,o=wl";
my $lookpwd    = "apple77";
my $basedn     = "ou=users,o=wl";
my $ldapserver = "nexus.williamslea.com";
my $ldapport   = 389;
my $matchattr  = "uid";
my $username   = "testuser";
my $userpwd    = "fred";

my $ldap = new Net::LDAP($ldapserver, port => $ldapport, debug => 1)
    or die "Damn: ($@)";

#initial bind as lookup user
my $mesg = $ldap->bind(dn => $lookdn, password => $lookpwd);
if (my $error = $mesg->code()) {
    die "Lookup: LDAP Connection Failed :$error";
}

my $attrs = ['dn'];
$mesg = $ldap->search(
    base   => $basedn,
    scope  => 'sub',
    filter => "($matchattr=$username)",
    attrs  => $attrs
);
if (my $error = $mesg->code()) {
    die "user $username: LDAP Connection Failed: $error";
}
unless ($mesg->count()) {
    die "user $username: user entry not found for filter: $matchattr=$username";
}

#now try to authenticate as user
my $authdn = $mesg->shift_entry->dn();
#$ldap->unbind;
$mesg = $ldap->bind(dn => $authdn, password => $userpwd);
if (my $error = $mesg->code()) {
    my $txt = $mesg->error();
    die "user $username failed bind: $error, $txt";
}
my $error = $mesg->code();
die "EndResult: user $authdn:$userpwd bind: $error";

-------------------OUTPUT TRACE---------------------------
Net::LDAP=HASH(0x866071c) sending:
30 2F 02 01 01 60 2A 02 01 02 04 1C 63 6E 3D 6E 0/...`*.....cn=n
65 78 75 73 61 64 6D 2C 6F 75 3D 53 79 73 55 73 exusadm,ou=SysUs
65 72 73 2C 6F 3D 77 6C 80 07 61 70 70 6C 65 37 ers,o=wl..apple7
37 __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ 7
Net::LDAP=HASH(0x866071c) received:
Net::LDAP=HASH(0x866071c) sending:
30 3A 02 01 02 63 35 04 0D 6F 75 3D 75 73 65 72 0:...c5..ou=user
73 2C 6F 3D 77 6C 0A 01 02 0A 01 02 02 01 00 02 s,o=wl..........
01 00 01 01 00 A3 0F 04 03 75 69 64 04 08 74 65 .........uid..te
73 74 75 73 65 72 30 04 04 02 64 6E __ __ __ __ stuser0...dn
Net::LDAP=HASH(0x866071c) received:
Net::LDAP=HASH(0x866071c) received:
Net::LDAP=HASH(0x866071c) sending:
30 25 02 01 03 60 20 02 01 02 04 19 63 6E 3D 74 0%...` .....cn=t
65 73 74 75 73 65 72 2C 6F 75 3D 75 73 65 72 73 estuser,ou=users
2C 6F 3D 77 6C 80 00 __ __ __ __ __ __ __ __ __ ,o=wl..
Net::LDAP=HASH(0x866071c) received:
EndResult: user cn=testuser,ou=users,o=wl:fred bind: 0 at test.pl line 54.

-----------------------LDAP SERVER LOG--------------------------
*** NDS Trace Utility - BEGIN Logging *** Thu May 25 16:53:39 2000
LDAP: listening for activity in monitor thread 0x718 on:
LDAP: 0x83ddd0r
LDAP: before select in monitor thread 0x718, active_threads 0
LDAP: select activity
LDAP: Accepting TCP connection
LDAP: Found usable monitor thread 0x718
LDAP: new connection on 0x83d8bc
LDAP: select activity in monitor thread 0x718
LDAP: read activity on 0x83ddd0
LDAP: listening for activity in monitor thread 0x718 on:
LDAP: 0x83ddd0r
LDAP: 0x83d8bcr
LDAP: before select in monitor thread 0x718, active_threads 0
LDAP: select activity in monitor thread 0x718
LDAP: read activity on 0x83d8bc
LDAP: listening for activity in monitor thread 0x718 on:
LDAP: 0x83ddd0r
LDAP: 0x83d8bcr
LDAP: before select in monitor thread 0x718, active_threads 1
LDAP: do_bind
LDAP: bind: protocol version 2 dn (cn=nexusadm,ou=SysUsers,o=wl) method 128
LDAP: dn (cn=nexusadm,ou=SysUsers,o=wl), ndsDn (CN=nexusadm.OU=SysUsers.O=wl)
LDAP: send_ldap_result 0::
LDAP: select activity in monitor thread 0x718
LDAP: read activity on 0x83d8bc
LDAP: listening for activity in monitor thread 0x718 on:
LDAP: 0x83ddd0r
LDAP: 0x83d8bcr
LDAP: before select in monitor thread 0x718, active_threads 1
LDAP: do_search
LDAP: SRCH base "ou=users,o=wl" scope 2 deref 2
LDAP: sizelimit 0 timelimit 0 attrsonly 0
LDAP: begin get_filter
LDAP: EQUALITY
LDAP: filter: (uid=testuser)
LDAP: attrs:
LDAP: dn
LDAP: => send_search_entry (cn=testuser,ou=users,o=wl)
LDAP: send_ldap_result 0::
LDAP: select activity in monitor thread 0x718
LDAP: read activity on 0x83d8bc
LDAP: listening for activity in monitor thread 0x718 on:
LDAP: 0x83ddd0r
LDAP: 0x83d8bcr
LDAP: before select in monitor thread 0x718, active_threads 1
LDAP: do_bind
LDAP: Treating simple bind request with dn = "cn=testuser,ou=users,o=wl" and empty password as anonymous.
LDAP: bind: protocol version 2 dn () method 128
LDAP: accepting NULL bind
LDAP: send_ldap_result 0::
LDAP: select activity in monitor thread 0x718
LDAP: read activity on 0x83d8bc
LDAP: ber_get_next on fd 0x83d8bc failed errno 10057
LDAP: *** got 0 of 0 so far
LDAP: close conn in close_connection 0x5635c78 on skt 0x83d8bc from opid -1
LDAP: called by "connection_activity"
LDAP: freeing conn 0x5635c78 at index 1 in monitor thread 0x6239d88
LDAP: listening for activity in monitor thread 0x718 on:
LDAP: 0x83ddd0r
LDAP: before select in monitor thread 0x718, active_threads 0
*** NDS Trace Utility - END Logging *** Thu May 25 16:53:52 2000 |
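The NDS trace above shows the other half of the problem from an authorisation routine's point of view: a simple bind that carries a DN but an empty password is answered as an anonymous bind with result code 0, so code that keys success purely on the bind result would treat it as a valid login. The following is an added example, not code from Simon's post, from Net::LDAP or from the thread: the `MockLdap` and `MockMesg` packages are constructed stand-ins that reproduce only the bind behaviour visible in the server log (with a constructed entry for cn=testuser), and `authenticate_naive` / `authenticate_guarded` are hypothetical names. It does not address the library defect itself; it shows the application-side check that stops an empty password from ever being sent as a bind.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the server behaviour in the NDS trace: a simple
# bind with a DN and an empty password is treated as anonymous and answered
# with result code 0. Constants are standard LDAP result codes.
package MockLdap;
use constant LDAP_SUCCESS             => 0;
use constant LDAP_INVALID_CREDENTIALS => 49;

my %directory = ('cn=testuser,ou=users,o=wl' => 'fred');   # constructed entry

sub new { return bless {}, shift }

sub bind {
    my ($self, %arg) = @_;
    my $code;
    if (!defined $arg{password} || $arg{password} eq '') {
        $code = LDAP_SUCCESS;     # "accepting NULL bind": anonymous, but success
    }
    elsif (exists $directory{$arg{dn}} && $directory{$arg{dn}} eq $arg{password}) {
        $code = LDAP_SUCCESS;
    }
    else {
        $code = LDAP_INVALID_CREDENTIALS;
    }
    return MockMesg->new($code);
}

# Minimal result object with the ->code accessor the routines below use.
package MockMesg;
sub new  { my ($class, $code) = @_; return bless { code => $code }, $class }
sub code { return $_[0]{code} }

package main;

# The pattern from the post: success is whatever the bind result code says.
sub authenticate_naive {
    my ($ldap, $dn, $password) = @_;
    return $ldap->bind(dn => $dn, password => $password)->code == 0;
}

# Guarded version (hypothetical, added here): an empty or undefined password
# is rejected before any bind is attempted, because the server may answer
# such a bind as anonymous with a success code.
sub authenticate_guarded {
    my ($ldap, $dn, $password) = @_;
    return 0 unless defined $password && length $password;
    return $ldap->bind(dn => $dn, password => $password)->code == 0;
}

my $ldap = MockLdap->new;
my $dn   = 'cn=testuser,ou=users,o=wl';
for my $pw ('fred', '', undef, 'wrong') {
    my $label = defined $pw ? "'$pw'" : 'undef';
    printf "password %-8s naive=%d guarded=%d\n", $label,
        authenticate_naive($ldap, $dn, $pw)   ? 1 : 0,
        authenticate_guarded($ldap, $dn, $pw) ? 1 : 0;
}
```

Run with plain Perl (no Net::LDAP or server needed). The naive routine reports success for the empty and undefined passwords because the mock, like the server in the trace, returns 0 for them; the guarded routine only accepts the correct password. Against a real directory the same guard belongs in front of `$ldap->bind`, and on the server side disallowing unauthenticated binds removes the behaviour at its source.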
From: Christopher A. <ch...@xp...> - 2000-05-25 18:02:44
|
On Thu, 25 May 2000 Sim...@wi... wrote:

> In the following code I am binding to an ldap server, doing a search for a
> dn and then binding again with the resulting dn.

Hmm, yes this was what I was going to report a couple of days before...

> I am using Net::NetLDAP v0.18 and Convert::ASN1 0.06
> Perl is 5.6.0 and the LDAP server is Novell's eDirectory for NT
>
> Basically what seems to happen is that the second bind is not transmitting
> the password I've given it, so the ldap server decides it is an anonymous
> bind and it does that and returns success.
>

I have noticed the same problem with what I believe was v0.17 and ASN 0.05 running on FreeBSD 4.0-RELEASE with perl, version 5.005_03.
We are running against an iPlanet LDAP server.

> Any ideas ?

As a workaround I made a bind in the beginning of the program and an unbind in the end... Not so elegant but it enabled me to work on other issues.

> I've also attached the relevant output pack from debug and also a trace
> from the LDAP server which bears this out.
>

I also have some traces (and example code) if someone needs them for debugging.

/chris |
From: Graham B. <gb...@po...> - 2000-05-25 19:20:53
|
This one is puzzling, there is no reason why a second bind should do anything different.

The debug report from Simon is excellent help, but if you have anything more it can only help.

Thanks,
Graham.

On Thu, May 25, 2000 at 08:00:55PM +0200, Christopher Arnold wrote:
>
> On Thu, 25 May 2000 Sim...@wi... wrote:
>
> > In the following code I am binding to an ldap server, doing a search for a
> > dn and then binding again with the resulting dn.
> Hmm, yes this was what I was going to report a couple of days before...
>
> > I am using Net::NetLDAP v0.18 and Convert::ASN1 0.06
> > Perl is 5.6.0 and the LDAP server is Novell's eDirectory for NT
> >
> > Basically what seems to happen is that the second bind is not transmitting
> > the password I've given it, so the ldap server decides it is an anonymous
> > bind and it does that and returns success.
> >
> I have noticed the same problem with what I believe was v0.17 and ASN 0.05
> running on FreeBSD 4.0-RELEASE with perl, version 5.005_03.
> We are running against an iPlanet LDAP server.
>
> > Any ideas ?
> As a workaround I made a bind in the beginning of the program and an
> unbind in the end... Not so elegant but it enabled me to work on other
> issues.
>
> > I've also attached the relevant output pack from debug and also a trace
> > from the LDAP server which bears this out.
> >
> I also have some traces (and example code) if someone needs them for
> debugging.
>
>
> /chris
>
> |
From: Chris R. <Chr...@me...> - 2000-05-26 12:08:40
|
On Thu, 25 May 2000 20:15:17 BST, Graham Barr wrote:

> This one is puzzling, there is no reason why a second bind should
> do anything different.
>
> The debug report from Simon is excellent help, but if you have
> anything more it can only help
>
> Thanks,
> Graham.

This might be related to the "what does unbind really do" discussion that Kurt from OpenLDAP had with us recently.

I am of the opinion that unbind leaves the TCP connection open, and it looks like Simon is too. Kurt was of the opinion that unbind closed the TCP connection.

The workaround is probably to destroy the $ldap object after unbinding the first time, and then recreate it before binding the second time.

Cheers,

Chris |
From: Graham B. <gb...@po...> - 2000-05-26 13:37:17
|
On Fri, May 26, 2000 at 01:06:40PM +0100, Chris Ridd wrote:
> I am of the opinion that unbind leaves the TCP connection open, and it
> looks like Simon is too. Kurt was of the opinion that unbind closed the
> TCP connection.

If you look at the packet trace there was no unbind() sent to the server. The question is why was no password sent in the second bind packet.

Graham. |
From: Graham B. <gb...@po...> - 2000-05-26 17:05:49
|
On Fri, May 26, 2000 at 02:31:30PM +0100, Graham Barr wrote:
> On Fri, May 26, 2000 at 01:06:40PM +0100, Chris Ridd wrote:
> > I am of the opinion that unbind leaves the TCP connection open, and it
> > looks like Simon is too. Kurt was of the opinion that unbind closed the
> > TCP connection.
>
> If you look at the packet trace there was no unbind() sent to the
> server. The question is why was no password sent in the second
> bind packet.

And the answer is

    while (my ($param, $type) = each %ptype) {
        if (exists $arg->{$param}) {
            ($auth_type, $passwd) = ($type, $arg->{$param});
            last;
        }
    }

the iterator for each %ptype is not reset and the last causes the loop to exit early. Adding keys %ptype before the while should fix it. (perldoc -f each will explain)

Thanks to Simon for investigating this and nudging my memory :)

Graham. |
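Graham's diagnosis is worth seeing run, because the failure is silent: nothing dies, the password simply never reaches the wire on the second call. The following is an added example written for this page, not Net::LDAP's code; the `%ptype` table is a constructed approximation of the library's parameter-name lookup (only its shape matters), and `lookup_buggy` / `lookup_fixed` are hypothetical names that isolate the loop Graham quotes, with and without the `keys %ptype` reset.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the %ptype table: maps a bind() parameter name
# to the authentication type it selects. The real table in Net::LDAP has
# different entries; the bug only depends on there being several.
my %ptype = (
    password   => 'simple',
    kerberos41 => 'krbv41',
    kerberos42 => 'krbv42',
);

# The loop as quoted in the thread. `each` keeps its position in the hash
# between calls, and `last` leaves the loop before the iterator reaches
# the end, so the next call resumes part-way through the table and walks
# off the end without ever seeing the 'password' entry again.
sub lookup_buggy {
    my ($arg) = @_;
    my ($auth_type, $passwd);
    while (my ($param, $type) = each %ptype) {
        if (exists $arg->{$param}) {
            ($auth_type, $passwd) = ($type, $arg->{$param});
            last;
        }
    }
    return ($auth_type, $passwd);
}

# Graham's fix: `keys %ptype` in void context resets the each() iterator
# (perldoc -f each), so every call scans the whole table from the start.
sub lookup_fixed {
    my ($arg) = @_;
    my ($auth_type, $passwd);
    keys %ptype;    # reset the iterator before walking it
    while (my ($param, $type) = each %ptype) {
        if (exists $arg->{$param}) {
            ($auth_type, $passwd) = ($type, $arg->{$param});
            last;
        }
    }
    return ($auth_type, $passwd);
}

# Two consecutive binds with the same arguments, as in Simon's script.
my %arg = (password => 'fred');    # constructed bind() arguments

for my $attempt (1, 2) {
    my ($type, $pw) = lookup_buggy(\%arg);
    printf "buggy  bind %d: auth_type=%s password=%s\n",
        $attempt, $type // 'undef', $pw // 'undef';
}
for my $attempt (1, 2) {
    my ($type, $pw) = lookup_fixed(\%arg);
    printf "fixed  bind %d: auth_type=%s password=%s\n",
        $attempt, $type // 'undef', $pw // 'undef';
}
```

Run with plain Perl. The buggy lookup returns the simple auth type and the password on the first call and nothing at all on the second, whatever order the hash happens to iterate in: the first call always stops with the iterator somewhere past the 'password' entry, and the second call exhausts the remaining entries (which resets the iterator) without a match. That matches the packet trace, where the first bind carries `apple77` and the second carries a zero-length password. The fixed lookup returns the password on both calls. The general lesson is that any `each` loop left with `last` or `return` must reset the hash iterator, or a later walk of the same hash starts from where the earlier one stopped.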