
Authen::SASL and Net::LDAP::LDAPI


Kartik Subbarao

Nov 10, 2009, 3:46:22 PM
to perl...@perl.org
What is the right way to use SASL EXTERNAL authentication with
Net::LDAP::LDAPI? I'm trying to do the equivalent of:

ldapwhoami -Y EXTERNAL -H ldapi:///

I tried approaches like:

$ldap->bind(undef, sasl => Authen::SASL->new(mechanism => 'EXTERNAL'));

But ended up with:

Can't locate object method "peerhost" via package "IO::Socket::UNIX" at
/usr/local/share/perl/5.10.0/Net/LDAP.pm line 384, <DATA> line 275.

It seems that Authen::SASL doesn't like UNIX sockets. Is it a case of
missing functionality that needs to be implemented, or is there a simple
workaround?

Thanks,

-Kartik

Kartik Subbarao

Nov 13, 2009, 12:57:01 PM
to perl...@perl.org
On 11/10/2009 04:32 PM, Graham Barr wrote:

>
> On Nov 10, 2009, at 2:46 PM, Kartik Subbarao wrote:
>
>> What is the right way to use SASL EXTERNAL authentication with
>> Net::LDAP::LDAPI? I'm trying to do the equivalent of:
[...]
> This is a case where you will need to pass a sasl client object instead
> of Authen::SASL object
>
> $ldap->bind(undef, sasl => Authen::SASL->new(mechanism =>
> 'EXTERNAL')->client_new("ldap",$peername));
>
> however to use that you need to be using the next branch from git
>
> http://github.com/gbarr/perl-ldap/blob/next
>
> you will need to determine what needs to be passed for $peername

I downloaded the next branch and tried this, but the code seems to hang
indefinitely (the debugger complains about 99 levels deep in subroutine
calls, probably some infinite recursion).

Here's the code that I'm using:

use strict;
use warnings;
use Net::LDAP;
use Net::LDAPI;
use Authen::SASL;

my $ldap = Net::LDAP->new('ldapi://') or die "connect failed: $@";
my $sasl = Authen::SASL->new(mechanism => 'EXTERNAL');
my $sasl_client = $sasl->client_new('ldap', 'localhost');
my $mesg = $ldap->bind(undef, sasl => $sasl_client);
die "bind failed: " . $mesg->error if $mesg->code;

Dieter Kluenter

Nov 13, 2009, 4:16:13 PM
to perl...@perl.org
Kartik Subbarao <subb...@computer.org> writes:

> On 11/10/2009 04:32 PM, Graham Barr wrote:
>>
>> On Nov 10, 2009, at 2:46 PM, Kartik Subbarao wrote:
>>
>>> What is the right way to use SASL EXTERNAL authentication with
>>> Net::LDAP::LDAPI? I'm trying to do the equivalent of:
[...]

> I downloaded the next branch and tried this, but the code seems to
> hang indefinitely (the debugger complains about 99 levels deep in
> subroutine calls, probably some infinite recursion).
>
> Here's the code that I'm using:
>
> use Net::LDAP;
> use Net::LDAPI;
> use Authen::SASL;
>
> $ldap = Net::LDAP->new('ldapi://');
> $sasl = Authen::SASL->new(mechanism => 'EXTERNAL');
> $sasl_client = $sasl->client_new('ldap', 'localhost');
> $ldap->bind(undef, sasl => $sasl_client);

I think you should define a path to ldapi, something like

my $host = 'ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi';
my $ldap = Net::LDAP->new("$host");

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E

Kartik Subbarao

Nov 17, 2009, 10:05:41 AM
to perl...@perl.org
On 11/13/2009 04:16 PM, Dieter Kluenter wrote:
>> $ldap = Net::LDAP->new('ldapi://');
>> $sasl = Authen::SASL->new(mechanism => 'EXTERNAL');
>> $sasl_client = $sasl->client_new('ldap', 'localhost');
>> $ldap->bind(undef, sasl => $sasl_client);
>
> I think you should define a path to ldapi, something like
>
> my $host = 'ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi';
> my $ldap = Net::LDAP->new("$host");

Tried that too, same problem.

-Kartik

Graham Barr

Nov 17, 2009, 10:53:36 AM
to Kartik Subbarao, perl...@perl.org
On Nov 13, 2009, at 11:57 AM, Kartik Subbarao wrote:
> I downloaded the next branch and tried this, but the code seems to hang indefinitely (the debugger complains about 99 levels deep in subroutine calls, probably some infinite recursion).
>
> Here's the code that I'm using:
>
> use Net::LDAP;
> use Net::LDAPI;
> use Authen::SASL;
>
> $ldap = Net::LDAP->new('ldapi://');
> $sasl = Authen::SASL->new(mechanism => 'EXTERNAL');
> $sasl_client = $sasl->client_new('ldap', 'localhost');
> $ldap->bind(undef, sasl => $sasl_client);

I do not think the passing of client_new causes this, so perhaps there is a different issue at hand.

Do you know where the recursion is happening ?

Graham.

Kartik Subbarao

Dec 4, 2009, 2:46:52 PM
to perl...@perl.org, Graham Barr, perl...@perl.org

It looks like this is looping because the initial bind returns error
code 14 SASL_BIND_IN_PROGRESS. For some reason the module is not able to
handle the negotiation properly (or I'm still somehow not passing the
right $sasl variable).

Just as an example, here's how a successful SASL EXTERNAL bind via
ldapi:// looks like, with the OpenLDAP ldapwhoami command:

ldapwhoami -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth

Can you try running this script on your system? Do you get the same results?

-Kartik
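The following is an added example, not code posted by anyone in this thread: it puts together the pieces discussed above (a percent-encoded ldapi:// socket path as in Dieter's reply, an explicit SASL client object as in Graham's reply, and an explicit check for result code 14 LDAP_SASL_BIND_IN_PROGRESS as in Kartik's last message) and then verifies the granted identity with the Net::LDAP equivalent of ldapwhoami before doing anything else. It assumes a Net::LDAP release that accepts a SASL client object for the sasl option, the socket path /var/run/slapd/ldapi, and 'localhost' as a placeholder host name for client_new.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_SASL_BIND_IN_PROGRESS);
use Net::LDAP::Extension::WhoAmI;   # adds $ldap->who_am_i
use Authen::SASL;

# Assumed socket path; OpenLDAP's default location varies by distribution.
# Slashes are percent-encoded into the ldapi URL, as in Dieter's reply.
my $socket_path = '/var/run/slapd/ldapi';
(my $encoded = $socket_path) =~ s{/}{%2F}g;
my $uri = "ldapi://$encoded";

my $ldap = Net::LDAP->new($uri)
    or die "cannot connect to $uri: $@";

# Build the SASL client object ourselves, as Graham suggested, so Net::LDAP
# does not try to derive a peer host name from a UNIX socket. The host name
# passed here is an assumption: EXTERNAL over ldapi takes its identity from
# the kernel peer credentials, not from this string.
my $sasl   = Authen::SASL->new(mechanism => 'EXTERNAL');
my $client = $sasl->client_new('ldap', 'localhost');

my $mesg = $ldap->bind(undef, sasl => $client);
if ($mesg->code == LDAP_SASL_BIND_IN_PROGRESS) {
    # Code 14: the server wants another SASL round. EXTERNAL has no
    # challenge/response, so treat this as a failure rather than looping.
    die "server still expects more SASL steps; EXTERNAL should finish in one round\n";
}
elsif ($mesg->code != LDAP_SUCCESS) {
    die sprintf "bind failed: %s (code %d)\n", $mesg->error, $mesg->code;
}

# Confirm which identity the server actually granted (the ldapwhoami step).
# Do not assume the bind landed as the expected user; verify before any
# privileged operation.
my $who = $ldap->who_am_i;
die "whoami failed: " . $who->error . "\n" if $who->code;
my $authz = $who->auth_id // '';
print "bound as: $authz\n";

# Expect the peercred form shown in the thread, e.g.
#   dn:gidNumber=...+uidNumber=...,cn=peercred,cn=external,cn=auth
die "unexpected identity (not peercred EXTERNAL): $authz\n"
    unless $authz =~ /cn=peercred,cn=external,cn=auth$/;

$ldap->unbind;
```

If the identity check fails, the connection is typically anonymous or mapped by an authz-regexp you did not expect, which is worth treating as a configuration error rather than continuing.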
