We have a Perl application based on Net::LDAP, which runs fine under
LDAP 2.0.23. Then we made an update to LDAP version 2.2.23.
Now when a script modifies some entries, this breaks the LDAP
functionality. It seems some data is lost, but after a run of slapindex
all seems well again.
What has to be changed? Current Net::LDAP version is 0.32.
Please help. :)
Sebastian Knapp
I suspect you need to talk to whoever wrote your server software, as
Net::LDAP talks over protocol "just fine" with many different makes of
server.
Cheers,
Chris
Greetings
Sebastian Knapp
--On Tuesday, December 06, 2005 10:57 PM +0100 Sebastian Knapp
<s...@computer-leipzig.de> wrote:
Well, aside from the fact that you seem to have some flaw in the script you
are running, I'd suggest updating to a current 2.2 release (say 2.2.30?) or
moving to OpenLDAP 2.3, since OpenLDAP 2.2 is at end of life right now.
What database backend are you using in OpenLDAP? back-bdb, back-ldbm, ?
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Do I store the login and password in the LDAP
directory as attributes to a DN such as:
cn=john.doe,cn=webUsers,dn=whatever.com
attributes:
login = string
password = string
Any help or articles would be appreciated. I have
been searching and reading on the web for a while but
have not been able to find a good example or article
on the subject yet.
Thank you.
I think you're off topic.
I also think you need to look at posix.schema, there is a posixAccount
object with userPassword and uid attributes there.
regards
mc
Your web application, say assuming PHP is used, would call the pam_auth
module, which interrogates Kerberos.
In this way, your web app is loosely coupled from the back-end of LDAP /
Kerberos (although you may need to write an interface program to
facilitate). Nevertheless, it would be worth the effort as you would be
using the 'facade' design pattern and other web apps could be used
alongside.
This is just a high-level thought for you.
Regards
Gerry
"Daniel M." <dann...@yahoo.com>
09/12/2005 07:59 AM
To: perl...@perl.org
cc:
Subject: LDAP storing web accounts...
--On Friday, December 09, 2005 3:28 PM +1300 Gerry Smyth
<gsm...@nz1.ibm.com> wrote:
> Hi Daniel,
> One thought could be to use Kerberos V for authentication and use LDAP
> for authorisation tied in with pam (all on Linux of course).
>
> Your web application, say assuming PHP is used, would call the pam_auth
> module, which interrogates Kerberos.
>
> In this way, your web app is loosely coupled from the back-end of LDAP /
> Kerberos (although you may need to write an interface program to
> facilitate). Nevertheless, it would be worth the effort as you would be
> using the 'facade' design pattern and other web apps could be used
> alongside.
No need to write an interface program for that, Stanford already wrote an
open source solution that uses SASL/GSSAPI with Apache to access an LDAP V3
server for authorization.
> Let's say you were going to write a web application
> using Perl and wanted to authenticate your users
> against the LDAP directory. Would you use a
> posixAccount entry to verify their credentials?
I think it's OT 'cause it's an LDAP question, not a perl-ldap one.
In fact, your web app can rely on the LDAP authentication.
You need something like this in your slapd.conf:
    access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
"by anonymous auth" is important.
Now, you just have to:
- bind as anonymous to find your user's DN
- bind again with the DN and his password
If the second bind succeeds, your auth succeeds.
regards
mc
Dan.
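
The two-step check described in the last reply (anonymous search for the DN, then a second bind with the user's password), written with Net::LDAP as an added example that is not code from any poster in this thread. The host name, base DN and the uid attribute are assumptions; the example also rejects empty passwords, escapes the login and uses StartTLS, none of which the steps above mention.

```perl
#!/usr/bin/perl
# Added example: search-then-bind authentication with Net::LDAP.
# $HOST, $BASE and the uid attribute are assumptions, not values from the thread.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $HOST = 'ldap.example.com';             # assumed server name
my $BASE = 'ou=people,dc=example,dc=com';  # assumed subtree holding the accounts

# Returns the user's DN on success, undef on any failure.
sub ldap_authenticate {
    my ($login, $password) = @_;

    # A simple bind with a DN and an empty password is an "unauthenticated
    # bind" (RFC 4513); many servers report success for it, so refuse it here.
    return undef unless defined $login    && length $login;
    return undef unless defined $password && length $password;

    my $ldap = Net::LDAP->new($HOST, timeout => 10) or return undef;
    my $fail = sub { $ldap->disconnect; return undef };

    # A simple bind sends the password in clear text, so upgrade to TLS first.
    my $mesg = $ldap->start_tls(verify => 'require');
    return $fail->() if $mesg->code;

    # Step 1: anonymous bind, then look up the DN for this login.
    # Assumes the server's ACLs let anonymous search on uid.
    $mesg = $ldap->bind;
    return $fail->() if $mesg->code;

    # Escape the login so characters such as * ( ) \ cannot change the filter.
    my $filter = '(uid=' . escape_filter_value($login) . ')';
    $mesg = $ldap->search(base => $BASE, scope => 'sub', filter => $filter,
                          attrs => ['1.1'], sizelimit => 2);

    # Exactly one match is required; none or several is treated as failure.
    return $fail->() if $mesg->code || $mesg->count != 1;
    my $dn = $mesg->entry(0)->dn;

    # Step 2: bind again as that DN with the supplied password.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = ($mesg->code == 0);
    $ldap->unbind;
    return $ok ? $dn : undef;
}
```

The function returns undef for every failure path, so the web application can show the same "login failed" message whether the user was not found or the password was wrong.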