From: Arne G. G. <ar...@li...> - 2002-07-12 13:57:42
Hi,

I've attempted to access my LDAP server's password modify extended
operation via Net::LDAP, and found what appears to be a bug. In
Net::LDAP::extension a message is encoded with the key
"extendedRequest". This does not match the id "extendedReq" which is
used in Net::LDAP::ASN (and elsewhere in Net::LDAP as well), and
attempts to use $ldap->extension consequently bomb out.

Upon rectifying this, however, I'm able to access the password modify
operation as below, which might perhaps make for a good example of the
exop-functionality to include with Net::LDAP. I know I would have
appreciated it. :)

Arne.

#!/usr/bin/perl

use strict;
use Net::LDAP;
use Convert::ASN1;
use vars qw($ldap);

# LDAP Password Modify Extended Operation, as per RFC 3062

my $id = 'uid=foo,...';

$ldap = Net::LDAP->new('server', version => 3) or die "$@";

# bind returns a message object even on failure, so check its result code
my $bind = $ldap->bind($id, password => 'bar');
die $bind->error if $bind->code;

my $pwmodoid = '1.3.6.1.4.1.4203.1.11.1';

# Request value for the extended operation
my $pwmodreq = Convert::ASN1->new;
$pwmodreq->prepare(q{
    PasswdModifyRequestValue ::= SEQUENCE {
        userIdentity [0] OCTET STRING OPTIONAL,
        oldPasswd    [1] OCTET STRING OPTIONAL,
        newPasswd    [2] OCTET STRING OPTIONAL
    }
});

my $mesg = $ldap->extension(name  => $pwmodoid,
                            value => $pwmodreq->encode(userIdentity => $id,
                                                       newPasswd    => 'zoo'));
die $mesg->error if $mesg->code;

$ldap->unbind;
From: Graham B. <gb...@po...> - 2002-07-12 14:22:27
Attachments:
SetPassword.pm
On Fri, Jul 12, 2002 at 03:57:33PM +0200, Arne Georg Gleditsch wrote:
> Hi,
>
> I've attempted to access my LDAP server's password modify extended
> operation via Net::LDAP, and found what appears to be a bug. In
> Net::LDAP::extension a message is encoded with the key
> "extendedRequest". This does not match the id "extendedReq" which is
> used in Net::LDAP::ASN (and elsewhere in Net::LDAP as well), and
> attempts to use $ldap->extension consequently bomb out.
>
> Upon rectifying this, however, I'm able to access the password modify
> operation as below, which might perhaps make for a good example of the
> exop-functionality to include with Net::LDAP. I know I would have
> appreciated it. :)

When the last person asked about this I posted the attached module.

Install it as Net/LDAP/Extension/SetPassword.pm and then you
should be able to do

  use Net::LDAP::Extension::SetPassword;

  $result = $ldap->set_password(
    user => $user,
    oldpasswd => $old,
    newpasswd => $new
  );

And if you are expecting the server to generate a new password

  $result->gen_password; # Need a better name ??

But nobody got back to say if it worked (I cannot test it)

If it works, I will add it to the distribution.

Graham.
From: Arne G. G. <ar...@li...> - 2002-07-12 14:42:16
* Graham Barr
> When the last person asked about this I posted the attached module.
>
> Install it as Net/LDAP/Extension/SetPassword.pm and then you
> should be able to do
>
> use Net::LDAP::Extension::SetPassword;
>
> $result = $ldap->set_password(
> user => $user,
> oldpasswd => $old,
> newpasswd => $new
> );
>
> And if you are expecting the server to generate a new password
>
> $result->gen_password; # Need a better name ??
>
> But nobody got back to say if it worked (I cannot test it)

How ungrateful. This works as a charm for me, both supplying a new
password and letting slapd generate one for me, with and without the
user dn explicitly given. (Supplying a value for old password yields
the error message "use bind to verify old password", but that's
probably server specific and perfectly acceptable.)

Of course, I still need to patch Net/LDAP.pm:

--- Net/LDAP.pm~ Fri Jul 12 16:33:53 2002 +++ Net/LDAP.pm Fri Jul 12 16:34:06 2002 @@ -566,7 +566,7 @@ if $ldap->{net_ldap_version} < 3; $mesg->encode( - extendedRequest => { + extendedReq => { requestName => $arg->{name}, requestValue => $arg->{value} },

But that's no surprise.

Thanks,

Arne.
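Review bot: The corrected key on the `extendedReq => {` line is still a bare string that has to match the element name in Net::LDAP::ASN by hand, and nothing in the hunk would catch the two drifting apart again; a regression test that calls `$ldap->extension` and checks that the request encodes would have flagged the original `extendedRequest` mismatch. The visible lines also do not show the result of `$mesg->encode(` being checked, so if it can fail it is worth reporting that failure to the caller with a clear error rather than letting the call bomb out.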
From: Graham B. <gb...@po...> - 2002-07-12 14:59:11
On Fri, Jul 12, 2002 at 04:42:08PM +0200, Arne Georg Gleditsch wrote:
> * Graham Barr
> > When the last person asked about this I posted the attached module.
> >
> > Install it as Net/LDAP/Extension/SetPassword.pm and then you
> > should be able to do
> >
> > use Net::LDAP::Extension::SetPassword;
> >
> > $result = $ldap->set_password(
> > user => $user,
> > oldpasswd => $old,
> > newpasswd => $new
> > );
> >
> > And if you are expecting the server to generate a new password
> >
> > $result->gen_password; # Need a better name ??
> >
> > But nobody got back to say if it worked (I cannot test it)
>
> How ungrateful. This works as a charm for me, both supplying a new
> password and letting slapd generate one for me, with and without the
> user dn explicitly given. (Supplying a value for old password yields
> the error message "use bind to verify old password", but that's
> probably server specific and perfectly acceptable.)

Thanks for letting me know. I will add it in.

I may be pushing my luck here, but as you know how this all works (which
is probably more than me) do you feel like contributing a POD for it ?

And can you think of a better name for gen_password, my thought is
that generated_password is too long, what do people think ?

Thanks,

Graham.
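The request value from the first message and the generated-password reply discussed above, encoded and decoded offline with Convert::ASN1. This is an added example, not code from the thread or from Net::LDAP. It shows that newPasswd and genPasswd travel as unencrypted OCTET STRINGs, which is why the connection carrying them should be protected with TLS (for example Net::LDAP's start_tls) before binding. The PasswdModifyResponseValue definition is taken from RFC 3062 and all sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Convert::ASN1;

# RFC 3062 request and response values. Convert::ASN1 applies the
# [n] tags implicitly by default.
my $asn = Convert::ASN1->new;
$asn->prepare(q{
    PasswdModifyRequestValue ::= SEQUENCE {
        userIdentity [0] OCTET STRING OPTIONAL,
        oldPasswd    [1] OCTET STRING OPTIONAL,
        newPasswd    [2] OCTET STRING OPTIONAL
    }
    PasswdModifyResponseValue ::= SEQUENCE {
        genPasswd    [0] OCTET STRING OPTIONAL
    }
}) or die $asn->error;
my $req  = $asn->find('PasswdModifyRequestValue')  or die $asn->error;
my $resp = $asn->find('PasswdModifyResponseValue') or die $asn->error;

# Constructed sample values, not taken from the thread.
my %change = (userIdentity => 'uid=alice,dc=example,dc=com',
              newPasswd    => 'n3w-Secret');
my $pdu = $req->encode(%change) or die $req->error;

# The wire bytes: tag 0x80 carries the DN, tag 0x82 the new password.
printf "request value: %s\n", unpack('H*', $pdu);
print  "new password is readable in the encoded value\n"
    if index($pdu, $change{newPasswd}) >= 0;

# Decode it again, as a server or a protocol analyser would.
my $seen = $req->decode($pdu) or die $req->error;
for my $field (qw(userIdentity oldPasswd newPasswd)) {
    printf "%-12s %s\n", $field,
        defined $seen->{$field} ? 'present' : 'absent (OPTIONAL)';
}

# A server-generated password comes back the same way (constructed reply).
my $reply = $resp->encode(genPasswd => 'Gen-0123') or die $resp->error;
my $out   = $resp->decode($reply) or die $resp->error;
printf "response value: %s\n", unpack('H*', $reply);
printf "genPasswd decoded, %d characters\n", length $out->{genPasswd};
```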