From: Howard, M. J <Mic...@pn...> - 2000-08-15 17:57:38

I am unable to bind to my LDAP directory using the traditional method of retrieving a dn through an anonymous connection, and then binding using the dn and password. So instead, I am trying to authenticate into a website by comparing username/password login values with the values of the uid: and userpassword: attributes stored in my LDAP directory. I can successfully retrieve the uid; however, I cannot retrieve the password. This seems logical, because it would be a security issue; however, is there a way I can compare these values to the value of the userpassword attribute? Any help with the syntax for doing something like this is much appreciated.

Here is what I have so far.

    $ldap = Net::LDAP->new('[LDAP SERVER]') or die "$@";

    $ldap->bind;

    my $result = $ldap->search(
        base   => "[BASE]",
        scope  => "sub",
        filter => "(&(uid=$user)(userpassword=$sent_pw))",
    );

    if ($result->count != 1) {
        # Authentication failed
        return "Failed - User does not exist in the LDAP server";
    }
    else {
        # Successful authentication
        return 0;
    }

Thanks,

Michael Howard
Information Sciences and Engineering
Pacific Northwest National Laboratory
(509) 375-6981 ISB2 528
From: Odell, C. (Dyncorp) <COd...@DT...> - 2001-07-03 19:24:20

I found in the archives from last August (with slight modification to protect the fish)

================
to do a compare:

    use Net::LDAP::Constant;
    $mesg = $ldap->compare($dn,"userpassword",_properly_encoded_password);

    if ($mesg->code() == LDAP_COMPARE_TRUE)
    {
        auth success
    }
==================

I assume that '_properly_encoded_password' is the encrypted password held by the directory server, because the plain text password does not provide LDAP_COMPARE_TRUE.

Is it possible to obtain username / password validation using perl-ldap if I have the plain text password? I can use a normal prompt for user / password for the CGI portion of my program, but I also need to validate the user as part of a daemon request. My security folks feel that passing the encrypted password to the daemon only proves that I was able to access the directory server and ask for the encrypted password.

Thanks,
chauncey
From: Graham B. <gb...@po...> - 2001-07-03 19:32:41

On Tue, Jul 03, 2001 at 03:24:16PM -0400, Odell, Chauncey (Dyncorp) wrote:
> I found in the archives from last August (with slight modification to
> protect the fish)
> ================
> to do a compare:
> use Net::LDAP::Constant;
> $mesg = $ldap->compare($dn,"userpassword",_properly_encoded_password);

That should be

    $mesg = $ldap->compare($dn, attr => "userpassword", value => _properly_encoded_password);

Graham.

> if ($mesg->code() == LDAP_COMPARE_TRUE)
> {
>     auth success
> }
> ==================
>
> I assume that '_properly_encoded_password' is the encrypted password held by
> the directory server because
> the plain text password does not provide LDAP_COMPARE_TRUE.
>
> Is it possible to obtain username / password validation using perl-ldap if I
> have the plain text password.
> I can use normal prompt for user / password for the CGI portion of my
> program, but I also need to validate the user as part of a daemon request.
> My security folks feel that passing the encrypted password to the daemon
> only proves that I was able to access the directory server and ask for the
> encrypted password.
>
> Thanks,
> chauncey
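The two approaches discussed in this thread, put together as a runnable script. This is an added example and not code from any of the posters or from the perl-ldap distribution; the hostname, base DN and the `uid` used when run without arguments are assumptions. It does the search-then-bind that the original poster could not use (escaping the filter value so that user input cannot alter the filter, which the `"(uid=$user)"` interpolation in the first post would allow), and, as a fallback, the `compare()` call in the keyword form given in the reply above, checked against `LDAP_COMPARE_TRUE` rather than the bare number 6. Whether the server will evaluate a cleartext value against a hashed `userPassword` in a compare is server-specific, as the thread's experience shows; a simple bind with the user's own password avoids that question because the server does the check and the application never needs read access to the stored password.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): search-then-bind
# authentication with Net::LDAP, plus a compare() fallback.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util     qw(escape_filter_value ldap_error_text);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_COMPARE_TRUE LDAP_COMPARE_FALSE);

my $LDAP_HOST = 'ldap.example.org';              # assumption
my $BASE_DN   = 'ou=People,dc=example,dc=org';   # assumption

# Returns (1, $dn) on success or (0, $reason) on failure.
sub authenticate_by_bind {
    my ($user, $password) = @_;

    # Refuse empty passwords before talking to the server: many servers treat
    # a bind with a DN and an empty password as an anonymous bind, which
    # "succeeds" and would let anyone in as any user.
    return (0, 'empty password') unless defined $password && length $password;

    my $ldap = Net::LDAP->new($LDAP_HOST, timeout => 10)
        or return (0, "connect failed: $@");

    # Negotiate TLS before any bind so the password never crosses the wire
    # in clear; 'require' makes a bad server certificate a hard failure.
    my $tls = $ldap->start_tls(verify => 'require');
    return (0, 'start_tls failed: ' . $tls->error) if $tls->code;

    # Anonymous search to resolve uid -> DN. escape_filter_value() encodes
    # "*", "(", ")", "\" and NUL, so a username such as "*)(uid=*" cannot
    # rewrite the filter the way direct interpolation would allow.
    my $mesg = $ldap->bind;
    return (0, 'anonymous bind failed: ' . $mesg->error) if $mesg->code;

    my $filter = '(uid=' . escape_filter_value($user) . ')';
    $mesg = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => $filter,
        attrs  => ['1.1'],        # "1.1" = return no attributes, just DNs
    );
    return (0, 'search failed: ' . $mesg->error) if $mesg->code;
    return (0, 'no unique entry for uid')         unless $mesg->count == 1;
    my $dn = $mesg->entry(0)->dn;

    # Simple bind as the user. The server verifies the password against its
    # stored (hashed) userPassword; the application never reads that value.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = $mesg->code == LDAP_SUCCESS;
    $ldap->unbind;
    return $ok ? (1, $dn) : (0, 'bind failed: ' . ldap_error_text($mesg->code));
}

# Compare-based check on an already-bound connection, in the keyword form
# of compare() from the thread. Needs "compare" access to userPassword in
# the server ACL. Passing a value copied out of the directory proves only
# that the caller could read it, so the value must be the password the user
# supplied, not the stored hash.
sub authenticate_by_compare {
    my ($ldap, $dn, $password) = @_;
    my $mesg = $ldap->compare($dn, attr => 'userPassword', value => $password);
    return 1 if $mesg->code == LDAP_COMPARE_TRUE;    # constant is 6
    return 0 if $mesg->code == LDAP_COMPARE_FALSE;   # constant is 5
    die 'compare error: ' . ldap_error_text($mesg->code);   # ACL, no such object, ...
}

# Usage: perl ldap_auth.pl <uid> <password>
unless (caller) {
    my $user = $ARGV[0] // 'jdoe';   # assumption
    my $pw   = $ARGV[1] // '';
    my ($ok, $detail) = authenticate_by_bind($user, $pw);
    print $ok ? "authenticated as $detail\n" : "failed: $detail\n";
}
```

The bind path reports why it failed to the log caller, but a real login page should show the user one generic message: distinguishing "no unique entry for uid" from "bind failed" tells an attacker which usernames exist.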
From: Mark W. <mew...@un...> - 2000-08-15 19:02:13

You'll only be able to compare the password if the server's ACLs allow you to do so.

to do a compare:

    $mesg = $ldap->compare($dn,"userpassword",_properly_encoded_password);

    if ($mesg->code() == 6)
    {
        auth success
    }

Mark

On Tue, 15 Aug 2000, Howard, Michael J wrote:

> I am unable to bind to my LDAP directory using the traditional method of
> retrieving a dn through an anonymous connection, and then binding using the dn
> and password. So instead, I am trying to authenticate into a website by
> comparing username/password login values with the values of a uid: and
> userpassword: attributes stored in my LDAP directory. I can successfully
> retrieve the uid, however, I cannot retrieve the password. This seems logical,
> because it would be a security issue, however, is there a way I can compare
> these values to the value of the userpassword attribute? Any help with the
> syntax for doing something like this is much appreciated.
>
> Here is what I have so far.
>
> $ldap = Net::LDAP->new('[LDAP SERVER]') or die "$@";
>
> $ldap->bind;
>
> my $result = $ldap->search(
>     base => "[BASE]",
>     scope => "sub",
>     filter => "(&(uid = $user) (userpassword = $sent_pw))",
> );
>
> if ($result->count != 1) {
>     #Authentication Failed
>     return "Failed - User does not exist in the LDAP server";
> }
> else {
>     #Successful Authentication
>     return 0;
> }
>
> Thanks,
>
> Michael Howard
> Information Sciences and Engineering
> Pacific Northwest National Laboratory
> (509) 375-6981 ISB2 528
From: Graham B. <gb...@po...> - 2000-08-16 09:40:07

On Tue, Aug 15, 2000 at 01:59:36PM -0500, Mark Wilcox wrote:
> You'll only be able to compare the password if the server's ACLs allow you
> to do so.
>
> to do a compare:
> $mesg = $ldap->compare($dn,"userpassword",_properly_encoded_password);
>
> if ($mesg->code() == 6)

Somebody slap that man with a fish :)

    use Net::LDAP::Constant;
    if ($mesg->code() == LDAP_COMPARE_TRUE)

> {
>     auth success
> }

Graham.
From: Mark W. <mew...@un...> - 2000-08-16 14:02:29

On Wed, 16 Aug 2000, Graham Barr wrote:
> On Tue, Aug 15, 2000 at 01:59:36PM -0500, Mark Wilcox wrote:
> > You'll only be able to compare the password if the server's ACLs allow you
> > to do so.
> >
> > to do a compare:
> > $mesg = $ldap->compare($dn,"userpassword",_properly_encoded_password);
> >
> > if ($mesg->code() == 6)
>
> Somebody slap that man with a fish :)

Only if it's a pickled herring. :)

> use Net::LDAP::Constant;
> if ($mesg->code() == LDAP_COMPARE_TRUE)
> > {
> >     auth success
> > }
>
> Graham.