ldap-bind

Bryan Irvine

Jun 10, 2009, 2:51:15 PM
to perl...@perl.org
I'm using ldaps and when I try to bind to a made-up FQDN the script
still seems to be able to function.

Presently I'm binding with:
$ldaps->bind ("totalBSDN=screwDodge") or die("could not bind");

Yes, somehow the script continues on; is this correct behavior?

-Bryan

Yash V Vartak

Jun 10, 2009, 3:11:28 PM
to Bryan Irvine, perl...@perl.org
Bryan, could you please send in the complete code? The snippet below is just
too little for any programmer to help you troubleshoot.
Also, maybe you did double-check stuff like the FQDN, port, cert
location and password you have used?

Could you try to trap the error code? Something like this, for the error message:

$errMsg = $ldaps->bind("totalBSDN=screwDodge");

print $errMsg;

Regards,
Yash

Bryan Irvine

Jun 10, 2009, 3:36:03 PM
to Vartak, Yash V, perl...@perl.org
Yash,

The port and cert location are all correct, though maybe my understanding
of ldap->bind is not. I understand it to be an authentication
mechanism to gain rights into a DB.

I expected to bind with a fake user and have the script not work at
all, instead I can search like so:

$mesg = $ldaps->search(    # perform a search
    base   => "ou=service,ou=users,ou=admin,o=noah",
    filter => "(&(cn=$check_CN))"
);
print $mesg;

outputs:
Net::LDAP::Search=HASH(0x3e1b04)


-Bryan

Bryan Irvine

Jun 10, 2009, 3:46:47 PM
to Graham Barr, perl...@perl.org
On Wed, Jun 10, 2009 at 12:38 PM, Graham Barr<gb...@pobox.com> wrote:

>
> On Jun 10, 2009, at 1:51 PM, Bryan Irvine wrote:
>
>> I'm using ldaps and when I try to bind to a made up FqDN the scripts
>> still seems to be able to function.
>>
>> Presently I'm binding with:
>> $ldaps->bind ("totalBSDN=screwDodge") or die("could not bind");
>
> Net::LDAP methods return Net::LDAP::Message objects, not true/false
>
> see http://search.cpan.org/~gbarr/perl-ldap-0.39/lib/Net/LDAP.pod#METHODS

Whoops! ;-)

Does the bind fall back to anonymous mode if it fails? Or does it not
bother authenticating until a process requiring more privs is needed?
The current operation I'm testing (search) can be done with an anonymous
bind just fine.

-Bryan

Bryan Irvine

Jun 10, 2009, 4:07:03 PM
to clifton...@sbcglobal.net, perl...@perl.org
That's my problem then.

Is there a way to check for bind failure?

-Bryan

On Wed, Jun 10, 2009 at 12:53 PM, Clif
Harden<clifton...@sbcglobal.net> wrote:
>
> The bind failure will fall back to an anonymous bind, which will allow you
> to continue to search and return attributes that an anonymous bind can see.
>
> Clif  Harden

Bryan Irvine

Jun 10, 2009, 4:34:09 PM
to perl...@perl.org
On Wed, Jun 10, 2009 at 1:15 PM, Graham Barr<gb...@pobox.com> wrote:

>
> On Jun 10, 2009, at 3:07 PM, Bryan Irvine wrote:
>
>> That's my problem then.
>>
>> Is there a way to check for bind failure?
>
> Yes, see Net::LDAP::Message and Net::LDAP::Constant docs
>
> the bind will fail, but the server will allow requests to continue as if the
> bind had not happened. ie it will treat the connection as anonymous
>
> Graham.
>

Am I missing something really obvious?

Perl code:
my $errorMsg = $ldaps->bind("cn=crappy code");
print "dn: "       . $errorMsg->dn       . "\n";
print "error: "    . $errorMsg->error    . "\n";
print "done: "     . $errorMsg->done     . "\n";
print "is_error: " . $errorMsg->is_error . "\n";


Perl output:
dn:
error: Success
done: 1
is_error: 0

Is it reporting success because it was able to 'fall back and rebind'?
If so, how do I get the failure of the initial bind?

-Bryan

Bryan Irvine

Jun 10, 2009, 4:59:47 PM
to Graham Barr, perl...@perl.org
On Wed, Jun 10, 2009 at 1:53 PM, Graham Barr<gb...@pobox.com> wrote:

>
> On Jun 10, 2009, at 3:34 PM, Bryan Irvine wrote:
>
>> On Wed, Jun 10, 2009 at 1:15 PM, Graham Barr<gb...@pobox.com> wrote:
>>>
>>> On Jun 10, 2009, at 3:07 PM, Bryan Irvine wrote:
>>>
>>>> That's my problem then.
>>>>
>>>> Is there a way to check for bind failure?
>>>
>>> Yes, see Net::LDAP::Message and Net::LDAP::Constant docs
>>>
>>> the bind will fail, but the server will allow requests to continue as if
>>> the
>>> bind had not happened. ie it will treat the connection as anonymous
>>>
>>> Graham.
>>>
>>
>> Am I missing something really obvious?
>>
>> PERL code:
>> my $errorMsg = $ldaps->bind ( "cn=crappy code" ) ;
>
> you did not pass any options, so that is an anonymous bind.
>
> try passing password => $password


/facepalm Everyone look away from me!!! ;-)
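Graham's two replies above are the whole story: `bind` returns a `Net::LDAP::Message` object (always true, so `or die` never fires), and a `bind` call with no `password` option is by definition an anonymous bind, which the server happily accepts. The following script is an added example, not code from this thread or from the perl-ldap distribution; the host, CA file, DN and environment variable are assumptions. It refuses to issue a bind without a password, reads the result code from the message object, and dies on anything other than `LDAP_SUCCESS`, so a monitoring script cannot silently continue as an anonymous connection:

```perl
#!/usr/bin/perl
# Added example (not from the thread): bind with credentials and treat
# anything other than an authenticated bind as a hard failure.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);
use Net::LDAP::Util qw(ldap_error_name);

# Hypothetical values; replace with your own.
my $host    = 'ldap.example.com';
my $ca_file = '/etc/ssl/certs/ca.pem';
my $bind_dn = 'cn=_ldapmonitor_test,ou=service,ou=users,ou=admin,o=noah';
my $bind_pw = $ENV{LDAP_MONITOR_PW} // die "set LDAP_MONITOR_PW in the environment\n";

my $ldaps = Net::LDAP->new(
    $host,
    scheme  => 'ldaps',
    port    => 636,
    verify  => 'require',   # reject a server certificate that does not chain to our CA
    cafile  => $ca_file,
    timeout => 10,
) or die "connect to $host failed: $@\n";

# Net::LDAP::bind returns a Net::LDAP::Message, which is always a true
# value; only the result code tells you whether authentication happened.
sub authenticated_bind {
    my ($ldap, $dn, $pw) = @_;
    die "refusing to bind without a password (that would be an anonymous bind)\n"
        unless defined $pw && length $pw;

    my $mesg = $ldap->bind($dn, password => $pw);
    my $code = $mesg->code;
    return 1 if $code == LDAP_SUCCESS;

    my $name = ldap_error_name($code);   # e.g. LDAP_INVALID_CREDENTIALS for 49
    if ($code == LDAP_INVALID_CREDENTIALS) {
        die "bind as $dn rejected ($name/$code): wrong DN or password: "
            . $mesg->error . "\n";
    }
    die "bind as $dn failed ($name/$code): " . $mesg->error . "\n";
}

authenticated_bind($ldaps, $bind_dn, $bind_pw);
print "authenticated as $bind_dn\n";
$ldaps->unbind;
```

`is_error` and `error` are fine for printing, but compare `code` against the constants from `Net::LDAP::Constant` when deciding what to do; result code 49 (`LDAP_INVALID_CREDENTIALS`) is what the thread's later output shows for a wrong DN or password.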

Bryan Irvine

Jun 11, 2009, 2:10:17 PM
to perl...@perl.org
I got around those problems but I'm still having problems binding to the DB.

The script basically logs in and does a search for itself to make sure
all is well.

I cannot bind with the credentials given to me by the LDAP server admin,
but the search shows that the user is there. However, if I add more
leading underscores or remove it, I still get a result. If I add
extra letters such as _lldap.... then it fails the search.

Is the leading underscore causing me grief on the bind as well?

+++++++++++++++++++
code:
$check_CN = "_ldapmonitor_test";

my $problem = $ldaps->bind(
    'cn=_ldapmonitor_test,ou=service,ou=users,ou=admin,o=noah',
    password => 'oursupersecretpassword'
);

print "dn: "       . $problem->dn       . "\n";
print "error: "    . $problem->error    . "\n";
print "done: "     . $problem->done     . "\n";
print "is_error: " . $problem->is_error . "\n";

$mesg = $ldaps->search(    # perform a search
    base   => "ou=service,ou=users,ou=admin,o=noah",
    filter => "(&(cn=$check_CN))"
);

print "search error: " . $mesg->error . "\n";

++++++++++++++++++++++++++++++++++
code output:
dn:
error: NDS error: failed authentication (-669)
done: 1
is_error: 49
search error: Success

Dieter Kluenter

Jun 11, 2009, 3:06:25 PM
to perl...@perl.org
Bryan Irvine <sparc...@gmail.com> writes:

> I got around those problems but I'm still having problems binding to the DB.
>
> The script basically logs in and does a search for itself to make sure
> all is well.
>
> I cannot bind with the credentials given me by the LDAP server admin,
> but the search shows that the user is there. However if I add more
> leading underscores _or remove it, I still get a result. If I add
> extra letters such as _lldap.... then it fails the search.
>
> Is the leading underscore causing me grief on the bind as well?
>
> +++++++++++++++++++
> code:
> $check_CN = "_ldapmonitor_test";
>
> my $problem = $ldaps->bind (
> 'cn=_ldapmonitor_test,ou=service,ou=users,ou=admin,o=noah',
> password=> 'oursupersecretpassword'
> );
>

perldoc Net::LDAPS
capath is missing.

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E

Bryan Irvine

Jun 11, 2009, 3:43:59 PM
to Dieter Kluenter, perl...@perl.org
On Thu, Jun 11, 2009 at 12:06 PM, Dieter Kluenter<die...@dkluenter.de> wrote:
> Bryan Irvine <sparc...@gmail.com> writes:
>
>> I got around those problems but I'm still having problems binding to the DB.
>>
>> The script basically logs in and does a search for itself to make sure
>> all is well.
>>
>> I cannot bind with the credentials given me by the LDAP server admin,
>> but the search shows that the user is there.  However if I add more
>> leading underscores _or remove it, I  still get a result.  If I add
>> extra letters such as _lldap.... then it fails the search.
>>
>> Is the leading underscore causing me grief on the bind as well?
>>
>> +++++++++++++++++++
>> code:
>> $check_CN             = "_ldapmonitor_test";
>>
>> my $problem = $ldaps->bind (
>>                 'cn=_ldapmonitor_test,ou=service,ou=users,ou=admin,o=noah',
>>                 password=> 'oursupersecretpassword'
>>                 );
>>
>
> perldoc Net::LDAPS
> capath is missing.

I don't see that error in the perldoc. According to the limited
information I have, error 49 is a bad username or password. I'm
trying to figure out if the leading underscore is the culprit, because
if I do a search for "___________ldapmonitor_test" it works just as
well as "ldamonitor_test". I'm wondering if I should ask the admin to
remove the leading underscore or if I'm barking up the wrong tree.

I don't think it has anything to do with capath because I can connect
and search the tree. The error is authenticating on the bind.

-Bryan

Buchan Milne

Jun 22, 2009, 4:59:56 AM
to perl...@perl.org, Bryan Irvine
On Thursday 11 June 2009 20:10:17 Bryan Irvine wrote:
> I got around those problems but I'm still having problems binding to the
> DB.

Have you tested the account via different means? E.g., assuming you have
OpenLDAP client binaries available:

ldapsearch -x -H ldaps://myldapserver.mydomain.com \
  -D cn=_ldapmonitor_test,ou=service,ou=users,ou=admin,o=noah \
  -w oursupersecretpassword

or, assuming the server also supports the "Who Am I?" extended operation:

ldapwhoami -x -H ldaps://myldapserver.mydomain.com \
  -D cn=_ldapmonitor_test,ou=service,ou=users,ou=admin,o=noah \
  -w oursupersecretpassword

> The script basically logs in and does a search for itself to make sure
> all is well.

I note that a number of network monitoring systems have native LDAP support
(e.g. Xymon).

> I cannot bind with the credentials given me by the LDAP server admin,
> but the search shows that the user is there. However if I add more
> leading underscores _or remove it, I still get a result.

A search that returns no entries is still a successful search; you should
check that you got an entry before assuming that this is the DN you should
use.

> If I add
> extra letters such as _lldap.... then it fails the search.

If you create an invalid filter, then the search will fail ... since you don't
provide the exact filter, it is difficult to tell.

> Is the leading underscore causing me grief on the bind as well?
>
> +++++++++++++++++++
> code:
> $check_CN = "_ldapmonitor_test";
>
> my $problem = $ldaps->bind (
> 'cn=_ldapmonitor_test,ou=service,ou=users,ou=admin,o=noah',
> password=> 'oursupersecretpassword'
> );
>
> print "dn: " . $problem->dn . "\n" ;
> print "error: " . $problem->error . "\n" ;
> print "done: " . $problem->done . "\n" ;
> print "is_error: " . $problem->is_error . "\n" ;
>
> $mesg = $ldaps->search ( # perform a search
> base => "ou=service,ou=users,ou=admin,o=noah",
> filter => "(&(cn=$check_CN))"
> );
> print "search error: " . $mesg->error . "\n" ;
>
> ++++++++++++++++++++++++++++++++++
> code output:
> dn:
> error: NDS error: failed authentication (-669)
> done: 1
> is_error: 49

This really looks like your DN or password are incorrect.

> search error: Success

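Buchan makes two points that the thread's script does not act on: a search that matches nothing still reports `Success`, and a filter built by interpolating a string can become invalid (or, worse, match something else) when the string contains filter metacharacters. The script below is an added example written for this thread, not the poster's code or part of perl-ldap; the host, CA file, base DN and environment variable are assumptions. It locates the monitoring account's entry with an escaped filter and insists on exactly one hit, binds as that DN with `onerror => 'die'` so a failed bind cannot be ignored, and then asks the server via the "Who Am I?" extended operation which identity the connection actually holds, which is the same check as Buchan's `ldapwhoami` command:

```perl
#!/usr/bin/perl
# Added example (not from the thread): verify the account's entry exists,
# bind as it, and confirm the server's view of the authenticated identity.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Extension::WhoAmI;   # adds $ldap->who_am_i

# Hypothetical values; replace with your own.
my $host    = 'ldap.example.com';
my $ca_file = '/etc/ssl/certs/ca.pem';
my $base    = 'ou=service,ou=users,ou=admin,o=noah';
my $cn      = '_ldapmonitor_test';
my $bind_pw = $ENV{LDAP_MONITOR_PW} // die "set LDAP_MONITOR_PW in the environment\n";

# onerror => 'die' makes every failed operation (bind included) die with the
# server's error text instead of returning a result you might forget to check.
my $ldaps = Net::LDAP->new(
    $host,
    scheme  => 'ldaps',
    port    => 636,
    verify  => 'require',
    cafile  => $ca_file,
    onerror => 'die',
) or die "connect to $host failed: $@\n";

# Return the DN of the single entry under $base whose cn equals $cn, or die.
sub find_unique_cn {
    my ($ldap, $base, $cn) = @_;

    # escape_filter_value neutralises * ( ) \ and NUL, so a value such as
    # "*" or "x)(cn=*" is matched literally rather than rewriting the filter.
    my $filter = '(cn=' . escape_filter_value($cn) . ')';

    # With onerror => 'die' this dies on an invalid filter or base; an empty
    # result set is still a successful search, so the count is checked here.
    my $res = $ldap->search(
        base   => $base,
        scope  => 'one',
        filter => $filter,
        attrs  => ['1.1'],   # "no attributes": we only want the DNs
    );
    my $n = $res->count;
    die "no entry matches $filter under $base\n"                   if $n == 0;
    die "$n entries match $filter under $base; cn is not unique\n" if $n > 1;
    return $res->entry(0)->dn;
}

# Step 1: find the entry (anonymously, as in the thread; if anonymous reads
# are disabled on your server, bind first and search afterwards).
my $dn = find_unique_cn($ldaps, $base, $cn);
print "entry found: $dn\n";

# Step 2: bind as that exact DN; dies with the server's message on code 49.
$ldaps->bind($dn, password => $bind_pw);

# Step 3: ask the server who it thinks we are. An empty authzId means the
# connection is still anonymous, which would indicate a bind that did not
# take effect.
my $who = $ldaps->who_am_i->response // '';
die "server reports the connection as anonymous after bind\n" if $who eq '';
print "server says we are: $who\n";   # typically "dn:cn=_ldapmonitor_test,..."

$ldaps->unbind;
```

Searching on the escaped value is also how to settle the leading-underscore question from earlier in the thread: an underscore is not a filter metacharacter, so `(cn=_ldapmonitor_test)` and `(cn=___ldapmonitor_test)` are different literal filters, and the one-hit check above tells you which of them actually names an entry.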
