Problem in LDAP authentication

Praki

Greetings All,

I'm trying to authenticate the user for my web page using the LDAP
server. I'm able to get the info using the user name, but I'm not able to
authenticate the password. Below is the code I'm using. Even if I
give the wrong password it accesses the LDAP server. I'm not able to
authenticate the user with their password. I tried in all ways.

use Net::LDAP;
$ldap = Net::LDAP->new("ldap.abc.com");
$mesg = $ldap->bind("$userid",userPassword =>"$pw");

use Net::LDAP;
$ldap = Net::LDAP->new("ldap.abc.com");
$ldap->bind("ou=active,ou=employees,ou=people,o=abc.com",
password=>"$pw");

I'm using Sun OS and Perl 5. Can anyone tell me where I'm going
wrong...

thanks,
Prakash
 
Praki

> Could it be that you are using the wrong attribute name for the password?
> (userPassword instead of password). You are also not checking the error
> returned from the bind. That would at least point you in the right
> direction.

Is there any doc to study and get through?

thanks,
Prakash
 
Peter J. Holzer

To validate with LDAP:

a) Open an *anonymous* connexion
b) search() for the given id with a relevant base (so probably the
"ou=active,ou=employees,ou=people,o=abc.com" you mention)
c) check that you get one, and only one, result from b) and get the dn
(distinguished name)
d) bind using the dn and the given password
e) check whether d) succeeds

If your LDAP server doesn't allow anonymous connexions then a) needs to be
done using a known (to you) LDAP dn + password (so not allowing anon
connexions is a bit silly, since you'd need to supply all clients with a
known id/pwd anyway).

If there is a known mapping from the given id to the DN you can skip
steps a) to c). Just compute the DN from the id, then do steps d) and
e). Voila, no anonymous access needed.

hp
 
Praki

> If there is a known mapping from the given id to the DN you can skip
> steps a) to c). Just compute the DN from the id, then do steps d) and
> e). Voila, no anonymous access needed.
>
> hp

Really thanks for your replies..

Really it was clearing my doubts..

As it is a known user I tried with the last two steps. Here is the full
code I'm using.

#!/usr/local/bin/perl5
&top();
&login_check();
&bottom();

sub top{
    print <<EOM1;
Content-type: text/html

<html>
<head>
<title>Login Authentication</title>
</head>
<body>
EOM1
}

sub bottom{
    print <<EOM2;
</body>
</html>
EOM2
}

sub login_check{

    use warnings;
    use strict;
    use Net::LDAP;

    my ($userid,$ldap,$mesg,@entries,@attrs,$attr,$entry);
    $userid='prakash';
    $ldap = Net::LDAP->new('ldap.abc.com', port=> '389');

    $mesg = $ldap->bind('ou=active,ou=employees,ou=people,o=abc.com',userPassword => 'test');

    $mesg = $ldap->search(filter=>"uid=$userid",
        base=>"ou=active,ou=employees,ou=people,o=abc.com");
    @entries = $mesg->entries;
    foreach $entry (@entries) {
        print "dn: " . $entry->dn() . "\n";
        @attrs = $entry->attributes();
        foreach $attr (@attrs) {
            printf("\t%s: %s\n", $attr, $entry->get_value($attr));
        }
    }
}

$mesg = $ldap->bind('ou=active,ou=employees,ou=people,o=abc.com',userPassword => 'test');

I have given userPassword here because it was given like this in our
schema or it is as standard password only will come. I tried giving
password also.
The problem is even if I give the wrong password it reads the
directory.

Sorry for bugging you all. I don't know where I'm going wrong.
 
Praki

Really thanks for all your replies, I got it working.

I did the following change:

$mesg = $ldap->bind( dn => "uid=$userid, ou=active, ou=employees, ou=people, o=abc.com", password => $pw );
return 0 if $mesg->code;   # a non-zero result code means the bind failed

Thanks for all your help...
Prakash
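
The procedure from the replies above (steps a to e, plus the computed-DN shortcut that resolved the question), as an added example that is not code from any poster in this thread. Host and base DN are the thread's placeholders; the sub names, the StartTLS step and the empty-password check are assumptions added here.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value escape_dn_value);

# Placeholders taken from the thread; sub names are hypothetical.
my $HOST = 'ldap.abc.com';
my $BASE = 'ou=active,ou=employees,ou=people,o=abc.com';

# Steps a) to c): anonymous bind, search, require exactly one entry.
sub find_dn {
    my ($ldap, $userid) = @_;
    return if $ldap->bind->code;               # anonymous bind refused
    my $mesg = $ldap->search(
        base   => $BASE,
        filter => '(uid=' . escape_filter_value($userid) . ')',
        attrs  => ['1.1'],                     # ask for the DN only
    );
    return if $mesg->code || $mesg->count != 1;
    return $mesg->entry(0)->dn;
}

# Shortcut for a known id-to-DN mapping: compute the DN, escaping the id.
sub compute_dn {
    my ($userid) = @_;
    return 'uid=' . escape_dn_value($userid) . ",$BASE";
}

# Steps d) and e): bind as the user and check the result code.
sub authenticate {
    my ($userid, $pw, $use_search) = @_;
    # A simple bind with an empty password is an unauthenticated bind
    # that many servers accept, so it must never count as a login.
    return 0 unless defined $userid && length $userid;
    return 0 unless defined $pw     && length $pw;
    my $ldap = Net::LDAP->new($HOST, timeout => 10) or return 0;
    # Assumption: the server supports StartTLS (else port 389 is clear text).
    return 0 if $ldap->start_tls(verify => 'require')->code;
    my $dn = $use_search ? find_dn($ldap, $userid) : compute_dn($userid);
    return 0 unless defined $dn;
    my $mesg = $ldap->bind($dn, password => $pw);
    $ldap->unbind;
    return $mesg->code ? 0 : 1;                # code 0 is LDAP_SUCCESS
}

# Usage: user id as the argument, password read from STDIN.
if (@ARGV) {
    chomp(my $pw = <STDIN> // '');
    print authenticate($ARGV[0], $pw, 1) ? "OK\n" : "FAILED\n";
}
```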
 
Ron Bergin

I haven't done much with LDAP, so I'll leave that to others that have
more experience with it, but I'll touch on a couple other parts of
your script.

No need to use both & and ( ); remove one or the other. My preference
is to use the () parens.

I'd drop the sub and use the CGI module instead, which will make this
cleaner and easier.

use CGI;
my $cgi = CGI->new; # I prefer the OO methods rather than the functional approach.
print $cgi->header, $cgi->start_html('Login Authentication');

Again, drop this sub.

print $cgi->end_html;

Move these use statements to the beginning of the script so they will
be loaded at compile time instead of runtime.

I realize that a couple of the lines got wrapped in the posting, but
consistency and proper use of indentation and whitespace will make
your code easier to follow and maintain.
 
J. Gleixner

Ron Bergin wrote:
> [...]
> No need to use both & and ( ) remove one or the other. My preference
> is to use the () parens.

There are times to use '&' and times to use '()'. Correct usage should
be the deciding factor, not your 'preference'.

perldoc -q "What's the difference between calling a function as &foo and foo()"

> Move these use statements to the beginning of the script so they will
> be loaded at compile time instead of runtime.

It doesn't matter where 'use' is located in the program, though
most would agree to put them at the top.

perldoc -f use
 
Ron Bergin

> Ron Bergin wrote:
>
>> [...]
>> No need to use both & and ( ) remove one or the other. My preference
>> is to use the () parens.
>
> There are times to use '&' and times to use '()'. Correct usage should
> be the deciding factor, not your 'preference'.

I agree, but my comments were in context with this code and either
usage would be correct. So, in this case it is entirely a personal
preference and mine happens to be to use '()'.

> perldoc -q "What's the difference between calling a function as &foo and foo()"
>
> It doesn't matter where 'use' is located in the program, though
> most would agree to put them at the top.
>
> perldoc -f use

I stand corrected. I guess I was intermixing the differences between
use and require.
 
