perl.ldap

perl.ldap http://www.nntp.perl.org/group/perl.ldap/ ... Copyright 1998-2008 perl.org Tue, 07 Oct 2008 21:29:02 +0000 ask@perl.org Re: managing AD users through Net::LDAP by Peter Karman Guillaume Rousse wrote on 10/07/2008 04:08 AM: > Hello list. > > Thanks to archives of this ML, as well as source code from > Net::LDAP::Class::User::AD package, I'm able to create functional AD > user entries from Net::LDAP. Any particular reason you didn't just use Net::LDAP::Class::User::AD directly? > Third, is there a recommended practice for organising user and group > entries in AD ? In OpenLDAP world, the standard practice is to have a > 'user' and a 'group' branch, whereas AD setup I saw sofar had a more > subdivised organisation (one branch per group, for instance). > I don't know of recommended practices; I can, however, speak to how Net::LDAP::Class::User::AD does it and how we do it at $work, which are different (despite the fact that I wrote Net::LDAP::Class). NLCUA assumes you are using the primaryGroupID attribute in AD, since that attribute is required for Unix compatability even though AD doesn't itself use it. In other words, the Net::LDAP::Class basic API assumes every user has a primary group and so the AD classes implement that API. AD has Security Groups which can be used like OpenLDAP groups, and that is what Net::LDAP::Class::Group::AD assumes. However, at $work we use OrgUnits with AD in a way analogous to how OpenLDAP uses primary groups. We use Security Groups in AD to control which resources a a User has access to (e.g., we have just a few Security Groups, while we have 100s of OrgUnits). I actually have a Net::LDAP::Class-derived class for OrgUnit and each User class uses a OrgUnit class as its primary group. I think the $work approach succeeds because of our particular security requirements. I hope that Net::LDAP::Class::*::AD can also work for folks implementing Unix-style organization for their AD server. -- Peter Karman . peter@peknet.com . http://peknet.com/ http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2978.html Tue, 07 Oct 2008 06:43:41 +0000 managing AD users through Net::LDAP by Guillaume Rousse Hello list. Thanks to archives of this ML, as well as source code from Net::LDAP::Class::User::AD package, I'm able to create functional AD user entries from Net::LDAP. However, I'm a bit curious about some issues. I realise they are not strictly Net::LDAP issues, but as many people here have strong experience in the domain, that seems a good place to ask :) First, unless there is dark magic behind, I imagine than just setting unicodePwd attribute only creates an LDAP passord for the user, not a kerberos principal as well. So, should users also run an external tool (smbpasswd, for instance) to fully initialise their account ? Second, I'm used with OpenLDAP to create simpleSecurityObject entries with dedicated ACLs, so as to manage sensible attributes finely. Is it possible with Windows AD to create a system user, with the only abitility to perform password changes ? Third, is there a recommended practice for organising user and group entries in AD ? In OpenLDAP world, the standard practice is to have a 'user' and a 'group' branch, whereas AD setup I saw sofar had a more subdivised organisation (one branch per group, for instance). Thanks for your input. -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62 http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2977.html Tue, 07 Oct 2008 02:08:36 +0000 Re: [PATCH] LDAP Content synchronisation fixes (cont.) by Graham Barr On Oct 5, 2008, at 2:02 PM, Mathieu Parent wrote: > Subject: [PATCH] LDAP Content synchronisation fixes > - Fixed parsing of SyncState: avoid emptying the value > - Fill in default values in Intermediate::SyncInfo Thanks. This patch has been applied to the next branch Graham. http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2976.html Mon, 06 Oct 2008 07:47:00 +0000 [PATCH] LDAP Content synchronisation fixes (cont.) by Mathieu Parent Subject: [PATCH] LDAP Content synchronisation fixes - Fixed parsing of SyncState: avoid emptying the value - Fill in default values in Intermediate::SyncInfo --- lib/Net/LDAP/Control/SyncState.pm | 10 +++++----- lib/Net/LDAP/Intermediate/SyncInfo.pm | 21 +++++++++++++++++++++ 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/lib/Net/LDAP/Control/SyncState.pm b/lib/Net/LDAP/Control/SyncState.pm index e47c78a..569553b 100644 --- a/lib/Net/LDAP/Control/SyncState.pm +++ b/lib/Net/LDAP/Control/SyncState.pm @@ -8,7 +8,7 @@ use vars qw(@ISA $VERSION); use Net::LDAP::Control; @ISA = qw(Net::LDAP::Control); -$VERSION = "0.01"; +$VERSION = "0.02"; use Net::LDAP::ASN qw(syncStateValue); use strict; @@ -16,13 +16,13 @@ use strict; sub init { my($self) = @_; - delete $self->{asn}; - - unless (exists $self->{value}) { + if (exists $self->{value}) { + $self->{asn} = $syncStateValue->decode(delete $self->{value}); + } else { $self->{asn} = { state => $self->{state} || '', entryUUID => $self->{entryUUID} || '', - cookie => $self->{cookie} || '', + cookie => defined($self->{cookie}) ? $self->{cookie} : '', }; } diff --git a/lib/Net/LDAP/Intermediate/SyncInfo.pm b/lib/Net/LDAP/Intermediate/SyncInfo.pm index 73d1604..38e6109 100644 --- a/lib/Net/LDAP/Intermediate/SyncInfo.pm +++ b/lib/Net/LDAP/Intermediate/SyncInfo.pm @@ -29,6 +29,27 @@ sub init { $self->{asn}{syncIdSet} = delete $self->{syncIdSet} if exists $self->{syncIdSet}; } + #$self->{asn}{refreshDelete}{refreshDone} defaults to TRUE + if(defined($self->{asn}{refreshDelete})) { + $self->{asn}{refreshDelete}{refreshDone} = + defined($self->{asn}{refreshDelete}{refreshDone}) + ? $self->{asn}{refreshDelete}{refreshDone} + : 1; + } + #$self->{asn}{refreshPresent}{refreshDone} defaults to TRUE + if(defined($self->{asn}{refreshPresent})) { + $self->{asn}{refreshPresent}{refreshDone} = + defined($self->{asn}{refreshPresent}{refreshDone}) + ? $self->{asn}{refreshPresent}{refreshDone} + : 1; + } + #$self->{asn}{syncIdSet}{refreshDeletes} defaults to FALSE + if(defined($self->{asn}{syncIdSet})) { + $self->{asn}{syncIdSet}{refreshDeletes} = + defined($self->{asn}{syncIdSet}{refreshDeletes}) + ? $self->{asn}{syncIdSet}{refreshDeletes} + : 0; + } $self; } -- 1.5.6.5 http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2975.html Sun, 05 Oct 2008 12:02:32 +0000 Huge numbers of Constant Redefined errors by Bruce Johnson Version Perl 5.10 I installed Net::LDAP, Net::LDAPS and am now getting flooded with errors like this: Constant subroutine ModPerl ::ROOT ::ModPerl ::PerlRunPrefork ::home_oraweb_perl_calendar2_calendar_2epl::LDAP_STRONG_AUTH_REQUIRED redefined at /opt/lampp/lib/perl5/site_perl/5.10.0/i686-linux/ModPerl/ Util.pm line 69, <DATA> line 2845. Constant subroutine ModPerl ::ROOT ::ModPerl ::PerlRunPrefork ::home_oraweb_perl_calendar2_calendar_2epl::LDAP_RESULTS_TOO_LARGE redefined at /opt/lampp/lib/perl5/site_perl/5.10.0/i686-linux/ModPerl/ Util.pm line 69, <DATA> line 2845. About 80-90 lines Every time the ldap routine is created. The program works, but it's hard finding real errors in this flood. -- Bruce Johnson University of Arizona College of Pharmacy Information Technology Group Institutions do not have opinions, merely customs http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2974.html Sat, 04 Oct 2008 08:33:18 +0000 Re: [PATCH] IntermediateMessage and LDAP Content synchronisation fixes by Graham Barr On Oct 4, 2008, at 8:30 AM, Mathieu Parent wrote: > Subject: [PATCH] IntermediateMessage and LDAP Content > synchronisation fixes: > - Fix ASN parsing of syncRequestValue, syncDoneValue and syncInfoValue > (attributes with default value are threated as optional values) > - Renamed syncInfoValue ASN name to match RFC > - Fixed parsing of SyncDone and SyncRequest: avoid emptying the value > - Corrected Net::LDAP::Intermediate::SyncInfo parsing > - Enable Net::LDAP::Intermediate::SyncInfo > - Moved catching of IntermediateMessage from LDAP::Search to > LDAP::Message (this is not specific to searches) Thanks for the patch. I have merged it onto the next branch at http://git.goingon.net/?p=perl-ldap.git;a=shortlog;h=refs/heads/next If others could test it that would be great. Graham. http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2973.html Sat, 04 Oct 2008 07:34:22 +0000 [PATCH] IntermediateMessage and LDAP Content synchronisation fixes by Mathieu Parent Subject: [PATCH] IntermediateMessage and LDAP Content synchronisation fixes: - Fix ASN parsing of syncRequestValue, syncDoneValue and syncInfoValue (attributes with default value are threated as optional values) - Renamed syncInfoValue ASN name to match RFC - Fixed parsing of SyncDone and SyncRequest: avoid emptying the value - Corrected Net::LDAP::Intermediate::SyncInfo parsing - Enable Net::LDAP::Intermediate::SyncInfo - Moved catching of IntermediateMessage from LDAP::Search to LDAP::Message (this is not specific to searches) --- lib/Net/LDAP/ASN.pm | 16 ++++++++-------- lib/Net/LDAP/Control/SyncDone.pm | 15 ++++++--------- lib/Net/LDAP/Control/SyncRequest.pm | 11 +++-------- lib/Net/LDAP/Control/SyncState.pm | 3 --- lib/Net/LDAP/Intermediate.pm | 2 +- lib/Net/LDAP/Intermediate/SyncInfo.pm | 30 +++++++++++++++--------------- lib/Net/LDAP/Message.pm | 20 ++++++++++++++++---- lib/Net/LDAP/Search.pm | 15 +++------------ 8 files changed, 52 insertions(+), 60 deletions(-) diff --git a/lib/Net/LDAP/ASN.pm b/lib/Net/LDAP/ASN.pm index 82b7c17..9ba0913 100644 --- a/lib/Net/LDAP/ASN.pm +++ b/lib/Net/LDAP/ASN.pm @@ -1,7 +1,7 @@ package Net::LDAP::ASN; -$VERSION = "0.07"; +$VERSION = "0.08"; use Convert::ASN1; @@ -455,7 +455,7 @@ $asn->prepare(<<LDAP_ASN) or die $asn->error; refreshAndPersist (3) } cookie syncCookie OPTIONAL, - reloadHint BOOLEAN -- DEFAULT FALSE + reloadHint BOOLEAN OPTIONAL -- DEFAULT FALSE } syncStateValue ::= SEQUENCE { @@ -471,22 +471,22 @@ $asn->prepare(<<LDAP_ASN) or die $asn->error; syncDoneValue ::= SEQUENCE { cookie syncCookie OPTIONAL, - refreshDeletes BOOLEAN -- DEFAULT FALSE + refreshDeletes BOOLEAN OPTIONAL -- DEFAULT FALSE } syncInfoValue ::= CHOICE { newcookie [0] syncCookie, refreshDelete [1] SEQUENCE { - refreshDeleteCookie syncCookie OPTIONAL, - refreshDeleteDone BOOLEAN -- DEFAULT TRUE + cookie syncCookie OPTIONAL, + refreshDone BOOLEAN OPTIONAL -- DEFAULT TRUE } refreshPresent [2] SEQUENCE { - refreshDeletecookie syncCookie OPTIONAL, - refreshDeleteDone BOOLEAN -- DEFAULT TRUE + cookie syncCookie OPTIONAL, + refreshDone BOOLEAN OPTIONAL -- DEFAULT TRUE } syncIdSet [3] SEQUENCE { cookie syncCookie OPTIONAL, - refreshDeletes BOOLEAN, -- DEFAULT FALSE + refreshDeletes BOOLEAN OPTIONAL, -- DEFAULT FALSE syncUUIDs SET OF syncUUID } } diff --git a/lib/Net/LDAP/Control/SyncDone.pm b/lib/Net/LDAP/Control/SyncDone.pm index 7fcb0d9..e8bc2ae 100644 --- a/lib/Net/LDAP/Control/SyncDone.pm +++ b/lib/Net/LDAP/Control/SyncDone.pm @@ -8,22 +8,19 @@ use vars qw(@ISA $VERSION); use Net::LDAP::Control; @ISA = qw(Net::LDAP::Control); -$VERSION = "0.01"; +$VERSION = "0.02"; use Net::LDAP::ASN qw(syncDoneValue); use strict; -# use some kind of hack here: -# - calling the control without args means: response, -# - giving an argument: means: request sub init { my($self) = @_; - delete $self->{asn}; - - unless (exists $self->{value}) { + if (exists $self->{value}) { + $self->{asn} = $syncDoneValue->decode(delete $self->{value}); + } else { $self->{asn} = { - cookie => $self->{cookie} || '', + cookie => defined($self->{cookie}) ? $self->{cookie} : '', refreshDeletes => $self->{refreshDeletes} || '0', }; } @@ -36,7 +33,7 @@ sub cookie { $self->{asn} ||= $syncDoneValue->decode($self->{value}); if (@_) { delete $self->{value}; - return $self->{asn}{cookie} = shift || 0; + return $self->{asn}{cookie} = defined($_[0]) ? $_[0] : ''; } $self->{asn}{cookie}; } diff --git a/lib/Net/LDAP/Control/SyncRequest.pm b/lib/Net/LDAP/Control/SyncRequest.pm index b33868d..95cd716 100644 --- a/lib/Net/LDAP/Control/SyncRequest.pm +++ b/lib/Net/LDAP/Control/SyncRequest.pm @@ -8,14 +8,11 @@ use vars qw(@ISA $VERSION); use Net::LDAP::Control; @ISA = qw(Net::LDAP::Control); -$VERSION = "0.01"; +$VERSION = "0.02"; use Net::LDAP::ASN qw(syncRequestValue); use strict; -# use some kind of hack here: -# - calling the control without args means: response, -# - giving an argument: means: request sub init { my($self) = @_; @@ -64,10 +61,8 @@ sub reloadHint { sub value { my $self = shift; - - exists $self->{value} - ? $self->{value} - : $self->{value} = $syncRequestValue->encode($self->{asn}); + return $self->{value} if exists $self->{value}; + $self->{value} = $syncRequestValue->encode($self->{asn}); } 1; diff --git a/lib/Net/LDAP/Control/SyncState.pm b/lib/Net/LDAP/Control/SyncState.pm index b069e42..e47c78a 100644 --- a/lib/Net/LDAP/Control/SyncState.pm +++ b/lib/Net/LDAP/Control/SyncState.pm @@ -13,9 +13,6 @@ $VERSION = "0.01"; use Net::LDAP::ASN qw(syncStateValue); use strict; -# use some kind of hack here: -# - calling the control without args means: response, -# - giving an argument: means: request sub init { my($self) = @_; diff --git a/lib/Net/LDAP/Intermediate.pm b/lib/Net/LDAP/Intermediate.pm index b95b849..288d785 100644 --- a/lib/Net/LDAP/Intermediate.pm +++ b/lib/Net/LDAP/Intermediate.pm @@ -15,7 +15,7 @@ $VERSION = "0.01"; my %Class2ResponseName = ( - #'Net::LDAP::Intermediate::SyncInfo' => LDAP_SYNC_INFO, #disabled as decoding doesn't work + 'Net::LDAP::Intermediate::SyncInfo' => LDAP_SYNC_INFO, ); my %ResponseName2Class = reverse %Class2ResponseName; diff --git a/lib/Net/LDAP/Intermediate/SyncInfo.pm b/lib/Net/LDAP/Intermediate/SyncInfo.pm index ed8205a..8d1814c 100644 --- a/lib/Net/LDAP/Intermediate/SyncInfo.pm +++ b/lib/Net/LDAP/Intermediate/SyncInfo.pm @@ -8,23 +8,26 @@ use vars qw(@ISA $VERSION); use Net::LDAP::Intermediate; @ISA = qw(Net::LDAP::Intermediate); -$VERSION = "0.01"; +$VERSION = "0.02"; use Net::LDAP::ASN qw(syncInfoValue); use strict; -# use some kind of hack here: -# - calling the control without args means: response, -# - giving an argument: means: request sub init { my($self) = @_; - delete $self->{asn}; - - unless (exists $self->{responseValue}) { - $self->{asn} = { - newcookie => $self->{newcookie} || '', - }; + if (exists $self->{responseValue}) { + $self->{asn} = $syncInfoValue->decode(delete $self->{responseValue}); + } else { + $self->{asn} = {}; + $self->{asn}{newcookie} = + delete $self->{newcookie} if exists $self->{newcookie}; + $self->{asn}{refreshDelete} = + delete $self->{refreshDelete} if exists $self->{refreshDelete}; + $self->{asn}{refreshPresent} = + delete $self->{refreshPresent} if exists $self->{refreshPresent}; + $self->{asn}{syncIdSet} = + delete $self->{syncIdSet} if exists $self->{syncIdSet}; } $self; @@ -32,11 +35,8 @@ sub init { sub newcookie { my $self = shift; - $self->{asn} ||= $syncInfoValue->decode($self->{responseValue}); - if (@_) { - delete $self->{responseValue}; - return $self->{asn}{newcookie} = shift || 0; - } + @_ ? ($self->{asn}{newcookie}=shift) + : $self->{asn}{newcookie}; $self->{asn}{cookie}; } diff --git a/lib/Net/LDAP/Message.pm b/lib/Net/LDAP/Message.pm index 5007afb..26e5eeb 100644 --- a/lib/Net/LDAP/Message.pm +++ b/lib/Net/LDAP/Message.pm @@ -9,7 +9,7 @@ use Net::LDAP::ASN qw(LDAPRequest); use strict; use vars qw($VERSION); -$VERSION = "1.10"; +$VERSION = "1.11"; my $MsgID = 0; @@ -142,9 +142,21 @@ sub decode { # $self, $pdu, $control # free up memory as we have a result so we will not need to re-send it delete $self->{pdu}; - # tell our LDAP client to forget us as this message has now completed - # all communications with the server - $self->parent->_forgetmesg($self); + if ($data = delete $result->{protocolOp}{intermediateResponse}) { + + my $intermediate = Net::LDAP::Intermediate->from_asn($data); + + push(@{$self->{'intermediate'} ||= []}, $intermediate); + + $self->{callback}->($self, $intermediate) + if (defined $self->{callback}); + + return $self; + } else { + # tell our LDAP client to forget us as this message has now completed + # all communications with the server + $self->parent->_forgetmesg($self); + } $self->{callback}->($self) if (defined $self->{callback}); diff --git a/lib/Net/LDAP/Search.pm b/lib/Net/LDAP/Search.pm index d8c3568..3dd6575 100644 --- a/lib/Net/LDAP/Search.pm +++ b/lib/Net/LDAP/Search.pm @@ -13,7 +13,7 @@ use Net::LDAP::Filter; use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_DECODING_ERROR); @ISA = qw(Net::LDAP::Message); -$VERSION = "0.12"; +$VERSION = "0.13"; sub first_entry { # compat @@ -36,6 +36,8 @@ sub decode { return $self->SUPER::decode($result) if exists $result->{protocolOp}{searchResDone}; + return $self->SUPER::decode($result) + if exists $result->{protocolOp}{intermediateResponse}; my $data; @{$self}{qw(controls ctrl_hash)} = ($result->{controls}, undef); @@ -64,17 +66,6 @@ sub decode { return $self; } - elsif ($data = delete $result->{protocolOp}{intermediateResponse}) { - - my $intermediate = Net::LDAP::Intermediate->from_asn($data); - - push(@{$self->{'intermediate'} ||= []}, [$intermediate]); - - $self->{callback}->($self, $intermediate) - if (defined $self->{callback}); - - return $self; - } $self->set_error(LDAP_DECODING_ERROR, "LDAP decode error"); return; -- 1.5.6.5 http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2972.html Sat, 04 Oct 2008 06:30:14 +0000 Re: after upgrade: glibc detected *** /usr/bin/perl: double free or corruption by Graham Barr On Oct 3, 2008, at 10:05 AM, Peter Daum wrote: >> Anyway, I suspect the issue is todo with calling s/// on the >> element of a tied hash. >> See if this reproduces the issue. >> { >> package Foo; >> use Tie::Hash; >> use base qw(Tie::StdHash); >> sub new { >> my $proto = shift; >> my $inner = bless {}; >> my %outer; >> tie %outer, __PACKAGE__, $inner; >> bless \%outer; >> } >> } >> $self = Foo->new; >> ($self->{prog_name} = $0) =~ s|^.*/([^/]+)$|$1|; > > That's it: Same thing - the program is aborted with a stack trace! > (Btw: this is happening with glibc-2.7 on Debian "lenny") > > So: what's the big difference between just assigning a value and > calling s/// ? > Is there anything else that shouldn't be done on a tied hash? No it should work. Now that you can reproduce it, and using only modules that come with Perl, I would suggest you report the issue using perlbug. perlbug will attach info about the perl build you are using. Graham. http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2971.html Fri, 03 Oct 2008 09:41:39 +0000 Re: after upgrade: glibc detected *** /usr/bin/perl: double freeor corruption by Peter Daum Graham Barr wrote: [...] In your first statement ($self->{prog_name}= $0) =~ s|^.*/([^/]+)$|$1|; you are calling s/// on the hash element. In the second $self->{prog_name}= (my $_p= $0) =~ s|^.*/([^/]+)$|$1|; you are just setting the hash element, actually to the value "1" not the prog name. oops ;) > Anyway, I suspect the issue is todo with calling s/// on the element of > a tied hash. > > See if this reproduces the issue. > > { > package Foo; > use Tie::Hash; > use base qw(Tie::StdHash); > > sub new { > my $proto = shift; > my $inner = bless {}; > my %outer; > tie %outer, __PACKAGE__, $inner; > bless \%outer; > } > } > > $self = Foo->new; > ($self->{prog_name} = $0) =~ s|^.*/([^/]+)$|$1|; That's it: Same thing - the program is aborted with a stack trace! (Btw: this is happening with glibc-2.7 on Debian "lenny") So: what's the big difference between just assigning a value and calling s/// ? Is there anything else that shouldn't be done on a tied hash? Regards, Peter http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2970.html Fri, 03 Oct 2008 08:06:02 +0000 Re: after upgrade: glibc detected *** /usr/bin/perl: double free or corruption by Graham Barr On Oct 3, 2008, at 7:35 AM, Peter Daum wrote: > Peter Daum wrote: >> I recently upgraded a system (as far as perl is concerned from >> 5.8.8 to 5.10.0). Afterwards I ran into a mysterious problem. I >> could eventually > > find a workaround, but still don't really understand, what is > going on. >> After the upgrade, a perl program wouldn't run anymore - it crashed >> with a message:"*** glibc detected *** /usr/bin/perl: double free >> or corruption (fasttop): ..." and a memory map suggesting some >> problem on the heap. >> The crash can be reproduced by the following code: >> use Net::LDAP; >> my $self=Net::LDAP->new("127.0.0.1"); >> ($self->{prog_name}= $0) =~ s|^.*/([^/]+)$|$1|; >> # when I put an intermediate variable into the statement: >> $self->{prog_name}= (my $_p= $0) =~ s|^.*/([^/]+)$|$1|; >> the program works again. >> Technically, my problem is solved, but maybe somebody here can shed >> some light on some questions: > > - I tried to run the program under the debugger hoping to find, > where >> exactly the error occurs - unfortunately the same program >> suddenly worked > > just fine, so I ended up putting print statements into the > code until I > > eventually found the problematic line. Why can't the crash be > reproduced > > under the debugger? Would there be an easier way to find the > problem? >> - Generally, I still don't understand what's wrong with the >> original program code.I didn't try it but I don't think it is >> anything specific to Net::LDAP. However, when $self is just some >> hash reverence ("my $self={}"), > > the code also works without any problem. > > Actually, it seems like the problem is indeed specific to Net::LDAP; > furthermore, > the crash only occurs, if there is a LDAP server running at the > specified address. > > I still would love to know where exactly the problem is. > Is there a bug somewhere in Perl or in Net::LDAP? > Am I doing something wrong? (well, some might argue that it's a bad to > rely on Net::LDAP::new returning a hash reference and isn't using a > key named > "prog_name" ...) Net::LDAP has reference loops internally. To ensure that memory is not leaked it plays tricks with tie so that the ref that the app holds is not part of the loop and the loop can manually be broken when needed. In your first statement ($self->{prog_name}= $0) =~ s|^.*/([^/]+)$|$1|; you are calling s/// on the hash element. In the second $self->{prog_name}= (my $_p= $0) =~ s|^.*/([^/]+)$|$1|; you are just setting the hash element, actually to the value "1" not the prog name. You probably want ($self->{prog_name}) = $0 =~ m|([^/]+)$|; Anyway, I suspect the issue is todo with calling s/// on the element of a tied hash. See if this reproduces the issue. { package Foo; use Tie::Hash; use base qw(Tie::StdHash); sub new { my $proto = shift; my $inner = bless {}; my %outer; tie %outer, __PACKAGE__, $inner; bless \%outer; } } $self = Foo->new; ($self->{prog_name} = $0) =~ s|^.*/([^/]+)$|$1|; Graham. http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2969.html Fri, 03 Oct 2008 06:32:53 +0000 Re: after upgrade: glibc detected *** /usr/bin/perl: double free or corruption by Graham Barr On Oct 3, 2008, at 8:03 AM, Peter Karman wrote: > Peter Daum wrote on 10/03/2008 07:35 AM: >> Peter Daum wrote: >>> I recently upgraded a system (as far as perl is concerned from 5.8.8 >>> to 5.10.0). Afterwards I ran into a mysterious problem. I could >>> eventually >>> find a workaround, but still don't really understand, what is >>> going on. >>> >>> After the upgrade, a perl program wouldn't run anymore - it crashed >>> with a message:"*** glibc detected *** /usr/bin/perl: double free or >>> corruption (fasttop): ..." and a memory map suggesting some >>> problem on >>> the heap. > > I've seen that error message when the version of glibc changes. Have > you > tried re-installing Net::LDAP so that is is compiled against the same > libs that your perl is? Net::LDAP itself is pure perl, so that would not make a difference. Also this is not due to the library any program is linked to. In newer versions of glibc they added a this warning for when free() is called multiple times. I forget the versions, but we saw this in a lot of apps at a previous employer when they upgraded RHEL, which introduced the new glibc Graham. http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2968.html Fri, 03 Oct 2008 06:16:37 +0000 Re: after upgrade: glibc detected *** /usr/bin/perl: double freeor corruption by Peter Karman Peter Daum wrote on 10/03/2008 07:35 AM: > Peter Daum wrote: >> I recently upgraded a system (as far as perl is concerned from 5.8.8 >> to 5.10.0). Afterwards I ran into a mysterious problem. I could >> eventually >> find a workaround, but still don't really understand, what is going on. >> >> After the upgrade, a perl program wouldn't run anymore - it crashed >> with a message:"*** glibc detected *** /usr/bin/perl: double free or >> corruption (fasttop): ..." and a memory map suggesting some problem on >> the heap. I've seen that error message when the version of glibc changes. Have you tried re-installing Net::LDAP so that is is compiled against the same libs that your perl is? -- Peter Karman . peter@peknet.com . http://peknet.com/ http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2967.html Fri, 03 Oct 2008 06:03:13 +0000 Re: after upgrade: glibc detected *** /usr/bin/perl: double freeor corruption by Peter Daum Peter Daum wrote: > I recently upgraded a system (as far as perl is concerned from 5.8.8 to > 5.10.0). Afterwards I ran into a mysterious problem. I could eventually > find a workaround, but still don't really understand, what is going on. > > After the upgrade, a perl program wouldn't run anymore - it crashed with > a message:"*** glibc detected *** /usr/bin/perl: double free or corruption > (fasttop): ..." and a memory map suggesting some problem on the heap. > The crash can be reproduced by the following code: > > > use Net::LDAP; > my $self=Net::LDAP->new("127.0.0.1"); > ($self->{prog_name}= $0) =~ s|^.*/([^/]+)$|$1|; > > # when I put an intermediate variable into the statement: > > $self->{prog_name}= (my $_p= $0) =~ s|^.*/([^/]+)$|$1|; > > the program works again. > > Technically, my problem is solved, but maybe somebody here can shed some > light on some questions: > > - I tried to run the program under the debugger hoping to find, where > exactly the error occurs - unfortunately the same program suddenly worked > just fine, so I ended up putting print statements into the code until I > eventually found the problematic line. Why can't the crash be reproduced > under the debugger? Would there be an easier way to find the problem? > > - Generally, I still don't understand what's wrong with the original > program code.I didn't try it but I don't think it is anything specific to > Net::LDAP. However, when $self is just some hash reverence ("my $self={}"), > the code also works without any problem. Actually, it seems like the problem is indeed specific to Net::LDAP; furthermore, the crash only occurs, if there is a LDAP server running at the specified address. I still would love to know where exactly the problem is. Is there a bug somewhere in Perl or in Net::LDAP? Am I doing something wrong? (well, some might argue that it's a bad to rely on Net::LDAP::new returning a hash reference and isn't using a key named "prog_name" ...) Regards, Peter Daum http://www.nntp.perl.org/group/perl.ldap/2008/10/msg2966.html Fri, 03 Oct 2008 05:50:21 +0000 Re: Can't get LDAP::Message object with modify method by John W. Sopko Jr. Graham Barr wrote: > On Sep 26, 2008, at 8:11 AM, John W. Sopko Jr. wrote: >> >> Here is the section of code that changes the password: >> >> # the unicodePwd attribute is write only >> $mesg = $AD->modify($dn, replace => { "unicodePwd" => $adpw }); >> print "mesg->code = $mesg->code() \n"; > > That is not calling the method. > >> print "resultCode = $mesg->{'resultCode'} \n"; >> >> if($mesg->{'resultCode'} != 0) { >> print STDERR "\nFailed to change password for $cn exiting.\n"; >> print STDERR "error_text:" . $mesg->error_text . "\n"; >> print STDERR "server_error:" . $mesg->server_error . "\n"; >> print STDERR "error:" . $mesg->error . "\n"; >> print >> exit 1; >> } >> >> >> Output from above section: >> >> mesg->code = Net::LDAP::Modify=HASH(0x81d1f90)->code() >> resultCode = 53 > > If you change the line above to > > print "mesg->code = ",$mesg->code()," \n"; I plead temporary insanity, improper print statement, that fixed. I changed the test I was trying to figure out from this: if($mesg->{'resultCode'} != 0) { to this: if($mesg->code() != 0) { and it works fine. > > you should also see 53, so I doubt this is you problem. > >> Failed to change password for astroboy exiting. >> error_text:The server is unwilling to perform the requested operation >> >> server_error:0000052D: SvcErr: DSID-031A0FC0, problem 5003 >> (WILL_NOT_PERFORM), data 0 >> >> error:0000052D: SvcErr: DSID-031A0FC0, problem 5003 >> (WILL_NOT_PERFORM), data 0 > > Well it certainly looks like the server is refusing to change the > password, so I would expect the return message to signal an error Yes am testing for error conditions. Thanks for your help! > > Graham. > -- John W. Sopko Jr. University of North Carolina email: sopko AT cs.unc.edu Computer Science Dept., CB 3175 Phone: 919-962-1844 Sitterson Hall; Room 044 Fax: 919-962-1799 Chapel Hill, NC 27599-3175 http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2965.html Fri, 26 Sep 2008 11:13:48 +0000 Re: Can't get LDAP::Message object with modify method by Graham Barr On Sep 26, 2008, at 8:11 AM, John W. Sopko Jr. wrote: > > Here is the section of code that changes the password: > > # the unicodePwd attribute is write only > $mesg = $AD->modify($dn, replace => { "unicodePwd" => $adpw }); > print "mesg->code = $mesg->code() \n"; That is not calling the method. > print "resultCode = $mesg->{'resultCode'} \n"; > > if($mesg->{'resultCode'} != 0) { > print STDERR "\nFailed to change password for $cn exiting.\n"; > print STDERR "error_text:" . $mesg->error_text . "\n"; > print STDERR "server_error:" . $mesg->server_error . "\n"; > print STDERR "error:" . $mesg->error . "\n"; > print > exit 1; > } > > > Output from above section: > > mesg->code = Net::LDAP::Modify=HASH(0x81d1f90)->code() > resultCode = 53 If you change the line above to print "mesg->code = ",$mesg->code()," \n"; you should also see 53, so I doubt this is you problem. > Failed to change password for astroboy exiting. > error_text:The server is unwilling to perform the requested operation > > server_error:0000052D: SvcErr: DSID-031A0FC0, problem 5003 > (WILL_NOT_PERFORM), data 0 > > error:0000052D: SvcErr: DSID-031A0FC0, problem 5003 > (WILL_NOT_PERFORM), data 0 Well it certainly looks like the server is refusing to change the password, so I would expect the return message to signal an error Graham. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2964.html Fri, 26 Sep 2008 08:59:21 +0000 Can't get LDAP::Message object with modify method by John W. Sopko Jr. I have a perl script to change a users Active Directory password. The script works fine. I can bind to AD and change the users password running the script on linux over an encrypted TLS session to Windows AD. I can get valid return message objects from other methods but I cannot get a valid message object from the modify method that does the password changing. The Windows AD password is changed by using modify to the write only "unicodePwd" attribute. I found some of the code on the web and wondered why the person used: $mesg->{'resultCode'} instead of: $mesg->code() And the reason must be that $mesg->code() does not work in this case. Here is the part of the code with the output below when I run it and get a password change failure. I force a failure by passing a password that Windows AD does not like. Again this works if I pass a good password. I want to get a an error message from the server that describes why the password failed. Here is the section of code that changes the password: # the unicodePwd attribute is write only $mesg = $AD->modify($dn, replace => { "unicodePwd" => $adpw }); print "mesg->code = $mesg->code() \n"; print "resultCode = $mesg->{'resultCode'} \n"; if($mesg->{'resultCode'} != 0) { print STDERR "\nFailed to change password for $cn exiting.\n"; print STDERR "error_text:" . $mesg->error_text . "\n"; print STDERR "server_error:" . $mesg->server_error . "\n"; print STDERR "error:" . $mesg->error . "\n"; print exit 1; } Output from above section: mesg->code = Net::LDAP::Modify=HASH(0x81d1f90)->code() resultCode = 53 Failed to change password for astroboy exiting. error_text:The server is unwilling to perform the requested operation server_error:0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 error:0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 Thanks for any help on this. -- John W. Sopko Jr. University of North Carolina email: sopko AT cs.unc.edu Computer Science Dept., CB 3175 Phone: 919-962-1844 Sitterson Hall; Room 044 Fax: 919-962-1799 Chapel Hill, NC 27599-3175 http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2963.html Fri, 26 Sep 2008 08:06:02 +0000 perl-ldap-0.38 released by Graham Barr 0.38 has been released to CPAN http://search.cpan.org/~gbarr/perl-ldap/ You can download from http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/perl-ldap-0.38.tar.gz perl-ldap 0.38 -- Sun Sep 21 09:17:25 CDT 2008 ============================================== Bug Fixes * Fix bug in Net::LDAP::Extension using wrong field for resultCode * Fix Net::LDAP::Control::PasswordPolicy decoding bug. Enhancements * Net::LDAP::Extension::SetPassword now supports controls http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2962.html Sun, 21 Sep 2008 16:59:43 +0000 Re: PasswordPolicy control and SetPassword extension by Graham Barr On Sep 19, 2008, at 12:03 PM, Peter Marschall wrote: > On Friday, 19. September 2008, Graham Barr wrote: >> I will apply thins change, then cut a new release this weekend. > > Please find attached another fix which IMHO should go into the next > release as > well. > > Dunno if it isimportant: patch is against origin/next. Thats great. I have applied. Which patches made in this manner, and attached so mail systems do not mangle them, make it easy to apply with git-am and all the credits remain correct Graham. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2961.html Fri, 19 Sep 2008 12:46:35 +0000 Re: PasswordPolicy control and SetPassword extension by Peter Marschall Hi, On Friday, 19. September 2008, Graham Barr wrote: > I will apply thins change, then cut a new release this weekend. Please find attached another fix which IMHO should go into the next release as well. Dunno if it isimportant: patch is against origin/next. Regards Peter -- Peter Marschall peter@adpm.de http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2960.html Fri, 19 Sep 2008 10:02:15 +0000 Re: PasswordPolicy control and SetPassword extension by Graham Barr On Sep 17, 2008, at 8:17 AM, Guillaume Rousse wrote: > Buchan Milne a écrit : >>> set_password was not passing through controls. Please try the >>> attached >>> lib/Net/LDAP/Extension/SetPassword.pm >> The patch works fine, I tested with the attached script, which >> works as a CGI or in the console, and uses/supports PasswordPolicy >> (e.g. if password has been reset or has expired, user is prompted >> to change it). > But the patch also triggers an error if no control is actually used: > controls.0.type is undefined at /usr/lib/perl5/vendor_perl/5.10.0/ > Net/LDAP/Message.pm > > The following patch fixes this issue. Thanks for testing. I will apply thins change, then cut a new release this weekend. Graham. > > -- > Guillaume Rousse > Moyens Informatiques - INRIA Futurs > Tel: 01 69 35 69 62 > --- /usr/lib/perl5/vendor_perl/5.10.0/Net/LDAP/Extension/ > SetPassword.pm 2008-09-17 15:14:54.000000000 +0200 > +++ SetPassword.pm 2008-09-17 15:16:20.000000000 +0200 > @@ -26,7 +26,7 @@ > my $res = $ldap->extension( > name => '1.3.6.1.4.1.4203.1.11.1', > value => $passwdModReq->encode(\%opt), > - control => $opt{control}, > + ($opt{control} ? (control => $opt{control}) : ()) > ); > > bless $res; # Naughty :-) http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2959.html Fri, 19 Sep 2008 06:28:05 +0000 Re: PasswordPolicy control and SetPassword extension by Guillaume Rousse Buchan Milne a écrit : >> set_password was not passing through controls. Please try the attached >> lib/Net/LDAP/Extension/SetPassword.pm > > The patch works fine, I tested with the attached script, which works as a CGI > or in the console, and uses/supports PasswordPolicy (e.g. if password has > been reset or has expired, user is prompted to change it). But the patch also triggers an error if no control is actually used: controls.0.type is undefined at /usr/lib/perl5/vendor_perl/5.10.0/Net/LDAP/Message.pm The following patch fixes this issue. -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62 http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2958.html Wed, 17 Sep 2008 06:17:20 +0000 Re: PasswordPolicy control and SetPassword extension by Buchan Milne On Friday 12 September 2008 19:21:33 Graham Barr wrote: > On Sep 12, 2008, at 9:24 AM, Guillaume Rousse wrote: > > Hello list. > > > > I've been trying to use a PasswordPolicy control with a password > > change operation, in order to nicely handle constraints violations > > in server response. I actually subscribed to this mailing list on Thursday to ask the same question. > > > > my $pp = Net::LDAP::Control::PasswordPolicy->new(); > > > > my $result = $ldap->set_password( > > user => $dn, > > newpasswd => $new_password, > > control => [ $pp ] > > ); > > if ($result->code == LDAP_CONSTRAINT_VIOLATION) { > > my $resp = $result->control(LDAP_CONTROL_PASSWORDPOLICY); > > print $resp->error() if defined $resp; > > } > > set_password was not passing through controls. Please try the attached > lib/Net/LDAP/Extension/SetPassword.pm The patch works fine, I tested with the attached script, which works as a CGI or in the console, and uses/supports PasswordPolicy (e.g. if password has been reset or has expired, user is prompted to change it). > And as has been pointed out there has been a change to > Net::LDAP::Control::PasswordPolicy recently > > There is a git repository available at > > http://git.goingon.net/?p=perl-ldap.git > > The branch for the next release, which has the PasswordPolicy fixes, > is at > > http://git.goingon.net/?p=perl-ldap.git;a=shortlog;h=refs/heads/next I actually shipped PasswordPolicy fixes in the Mandriva cooker (similar to Debian "unstable", Fedora "Rawhide") package, and have just included the SetPassword.pm patch. http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/perl-ldap Regards, Buchan http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2957.html Mon, 15 Sep 2008 08:49:48 +0000 Re: PasswordPolicy control and SetPassword extension by Guillaume Rousse Clément OUDOT a écrit : >>> You can use it with the ldap_modify operation (and not with >>> modify_password extension). The modify operation accepts controls and so >>> you can check the control response. >> I don't see which operation you are refering to. I can't use a standard >> attribute value change operation here, I need to use the specific >> password change extension. > > Why? Which LDAP server are you using? Because smb5pwd overlay (password synchronisation) only works through it. -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62 http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2956.html Mon, 15 Sep 2008 01:15:10 +0000 Re: PasswordPolicy control and SetPassword extension by Graham Barr On Sep 12, 2008, at 9:24 AM, Guillaume Rousse wrote: > Hello list. > > I've been trying to use a PasswordPolicy control with a password > change operation, in order to nicely handle constraints violations > in server response. > > my $pp = Net::LDAP::Control::PasswordPolicy->new(); > > my $result = $ldap->set_password( > user => $dn, > newpasswd => $new_password, > control => [ $pp ] > ); > if ($result->code == LDAP_CONSTRAINT_VIOLATION) { > my $resp = $result->control(LDAP_CONTROL_PASSWORDPOLICY); > print $resp->error() if defined $resp; > } set_password was not passing through controls. Please try the attached lib/Net/LDAP/Extension/SetPassword.pm And as has been pointed out there has been a change to Net::LDAP::Control::PasswordPolicy recently There is a git repository available at http://git.goingon.net/?p=perl-ldap.git The branch for the next release, which has the PasswordPolicy fixes, is at http://git.goingon.net/?p=perl-ldap.git;a=shortlog;h=refs/heads/next Graham. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2955.html Fri, 12 Sep 2008 10:21:48 +0000 Re: PasswordPolicy control and SetPassword extension by Chris Ridd On 12 Sep 2008, at 16:14, Clément OUDOT wrote: >> Clément OUDOT a écrit : >>>> Hello list. >>>> >>>> I've been trying to use a PasswordPolicy control with a password >>>> change >>>> operation, in order to nicely handle constraints violations in >>>> server >>>> response. >>>> >>>> my $pp = Net::LDAP::Control::PasswordPolicy->new(); >>>> >>>> my $result = $ldap->set_password( >>>> user => $dn, >>>> newpasswd => $new_password, >>>> control => [ $pp ] >>>> ); >>>> if ($result->code == LDAP_CONSTRAINT_VIOLATION) { >>>> my $resp = $result->control(LDAP_CONTROL_PASSWORDPOLICY); >>>> print $resp->error() if defined $resp; >>>> } >>>> >>>> $resp is never defined, and all I can do is to print raw >>>> $result->message() to the user, whereas I'd like to distinguish >>>> between >>>> different case, for translations purpose mainly. >>>> >>>> According to documentation, set_password operation only accept >>>> user, >>>> oldpasswd and newpasswd args, which seems to imply it doesn't >>>> handle >>>> controls. So, is PasswordPolicy control restricted to bind >>>> operations >>>> only >>>> ? >>> >>> You can use it with the ldap_modify operation (and not with >>> modify_password extension). The modify operation accepts controls >>> and so >>> you can check the control response. >> I don't see which operation you are refering to. I can't use a >> standard >> attribute value change operation here, I need to use the specific >> password change extension. > > Why? Which LDAP server are you using? One reason for requiring the extension could be that you want the server to generate (and return!) a password for you. All other uses of PasswordModify can be done with a normal modify operation AFAICS. >>> Please read this thread because the Password Policy module was >>> patched >>> recently: >>> http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2943.html Graham's changes look OK to me FWIW. >> I did, but it only relates to retrieving values from the control once >> used, not how to use it. > > For example : > $mesg = $ldap->modify($dn, replace => { userPassword => $new }, > control => It may be that Guillaume is required to provide the previous password in the operation - that's something that password policy can require for additional security. But that's easily done with a plain modify op too. Cheers, Chris http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2954.html Fri, 12 Sep 2008 08:50:17 +0000 Re: PasswordPolicy control and SetPassword extension by Clément OUDOT > Clément OUDOT a écrit : >>> Hello list. >>> >>> I've been trying to use a PasswordPolicy control with a password change >>> operation, in order to nicely handle constraints violations in server >>> response. >>> >>> my $pp = Net::LDAP::Control::PasswordPolicy->new(); >>> >>> my $result = $ldap->set_password( >>> user => $dn, >>> newpasswd => $new_password, >>> control => [ $pp ] >>> ); >>> if ($result->code == LDAP_CONSTRAINT_VIOLATION) { >>> my $resp = $result->control(LDAP_CONTROL_PASSWORDPOLICY); >>> print $resp->error() if defined $resp; >>> } >>> >>> $resp is never defined, and all I can do is to print raw >>> $result->message() to the user, whereas I'd like to distinguish between >>> different case, for translations purpose mainly. >>> >>> According to documentation, set_password operation only accept user, >>> oldpasswd and newpasswd args, which seems to imply it doesn't handle >>> controls. So, is PasswordPolicy control restricted to bind operations >>> only >>> ? >> >> You can use it with the ldap_modify operation (and not with >> modify_password extension). The modify operation accepts controls and so >> you can check the control response. > I don't see which operation you are refering to. I can't use a standard > attribute value change operation here, I need to use the specific > password change extension. Why? Which LDAP server are you using? >> Please read this thread because the Password Policy module was patched >> recently: >> http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2943.html > I did, but it only relates to retrieving values from the control once > used, not how to use it. For example : $mesg = $ldap->modify($dn, replace => { userPassword => $new }, control => [ $pp ]); my($resp) = $mesg->control( "1.3.6.1.4.1.42.2.27.8.5.1" ); print "PP error:".$resp->pp_error."\n"; The PP error code give you the correct information (password in history, etc.) Clément. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2953.html Fri, 12 Sep 2008 08:15:13 +0000 Re: PasswordPolicy control and SetPassword extension by Guillaume Rousse Clément OUDOT a écrit : >> Hello list. >> >> I've been trying to use a PasswordPolicy control with a password change >> operation, in order to nicely handle constraints violations in server >> response. >> >> my $pp = Net::LDAP::Control::PasswordPolicy->new(); >> >> my $result = $ldap->set_password( >> user => $dn, >> newpasswd => $new_password, >> control => [ $pp ] >> ); >> if ($result->code == LDAP_CONSTRAINT_VIOLATION) { >> my $resp = $result->control(LDAP_CONTROL_PASSWORDPOLICY); >> print $resp->error() if defined $resp; >> } >> >> $resp is never defined, and all I can do is to print raw >> $result->message() to the user, whereas I'd like to distinguish between >> different case, for translations purpose mainly. >> >> According to documentation, set_password operation only accept user, >> oldpasswd and newpasswd args, which seems to imply it doesn't handle >> controls. So, is PasswordPolicy control restricted to bind operations only >> ? > > You can use it with the ldap_modify operation (and not with > modify_password extension). The modify operation accepts controls and so > you can check the control response. I don't see which operation you are refering to. I can't use a standard attribute value change operation here, I need to use the specific password change extension. > Please read this thread because the Password Policy module was patched > recently: > http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2943.html I did, but it only relates to retrieving values from the control once used, not how to use it. -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62 http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2952.html Fri, 12 Sep 2008 07:59:24 +0000 Re: PasswordPolicy control and SetPassword extension by Clément OUDOT > Hello list. > > I've been trying to use a PasswordPolicy control with a password change > operation, in order to nicely handle constraints violations in server > response. > > my $pp = Net::LDAP::Control::PasswordPolicy->new(); > > my $result = $ldap->set_password( > user => $dn, > newpasswd => $new_password, > control => [ $pp ] > ); > if ($result->code == LDAP_CONSTRAINT_VIOLATION) { > my $resp = $result->control(LDAP_CONTROL_PASSWORDPOLICY); > print $resp->error() if defined $resp; > } > > $resp is never defined, and all I can do is to print raw > $result->message() to the user, whereas I'd like to distinguish between > different case, for translations purpose mainly. > > According to documentation, set_password operation only accept user, > oldpasswd and newpasswd args, which seems to imply it doesn't handle > controls. So, is PasswordPolicy control restricted to bind operations only > ? You can use it with the ldap_modify operation (and not with modify_password extension). The modify operation accepts controls and so you can check the control response. Please read this thread because the Password Policy module was patched recently: http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2943.html Clément OUDOT, LINAGORA. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2951.html Fri, 12 Sep 2008 07:41:21 +0000 PasswordPolicy control and SetPassword extension by Guillaume Rousse Hello list. I've been trying to use a PasswordPolicy control with a password change operation, in order to nicely handle constraints violations in server response. my $pp = Net::LDAP::Control::PasswordPolicy->new(); my $result = $ldap->set_password( user => $dn, newpasswd => $new_password, control => [ $pp ] ); if ($result->code == LDAP_CONSTRAINT_VIOLATION) { my $resp = $result->control(LDAP_CONTROL_PASSWORDPOLICY); print $resp->error() if defined $resp; } $resp is never defined, and all I can do is to print raw $result->message() to the user, whereas I'd like to distinguish between different case, for translations purpose mainly. According to documentation, set_password operation only accept user, oldpasswd and newpasswd args, which seems to imply it doesn't handle controls. So, is PasswordPolicy control restricted to bind operations only ? -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62 http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2950.html Fri, 12 Sep 2008 07:24:42 +0000 Re: Strange behavoir of PasswordPolicy module by Graham Barr On Sep 3, 2008, at 3:47 AM, Clément OUDOT wrote: >> Would help if I attached it :-) >> > Ok, I confirm this one is working! Do you plan to release it soon? As soon as I hear back from Chris about the changes as he originally wrote the module i question. > And have you a visibility on the uploading of perl-ldap packahe into > main > Linux distributions? No Graham. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2949.html Wed, 03 Sep 2008 06:41:32 +0000 Re: Strange behavoir of PasswordPolicy module by Clément OUDOT > Would help if I attached it :-) > Ok, I confirm this one is working! Do you plan to release it soon? And have you a visibility on the uploading of perl-ldap packahe into main Linux distributions? Thanks for your precious help. Clément OUDOT. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2948.html Wed, 03 Sep 2008 01:47:56 +0000 Re: Strange behavoir of PasswordPolicy module by Graham Barr Would help if I attached it :-) http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2947.html Tue, 02 Sep 2008 10:22:05 +0000 Re: Strange behavoir of PasswordPolicy module by Graham Barr On Sep 2, 2008, at 11:12 AM, Clément OUDOT wrote: >> Attached is a potential fix for this. Note that is also renames the >> error method for fetching the password policy error to be called >> pp_error. This is because there is already an error method in the >> Control base class which has a different purpose. >> >> A diff can also be seen at >> >> http://git.goingon.net/?p=perl-ldap.git;a=commitdiff;h=1db4bbb61f5f68a3a7ff178e58818db62e94c398 > > Hi, > > I replace my PasswordPolicy.pm by the one you provided, but I get > worse ;) Try the attached. > I don't know what "passwordPolicyRequest control value not absent" > means. The control is used in the request and the response. But in the request the value of the control must be empty. > The renaming of error in pp_error will be problematic, because the > perl > code has to be adapted to the perl-ldap version module! Is there no > any > solution? No. It was a bug in the initial module that needs to be fixed. As you pointed out the module is broken, so the number of people required to change code will be minimal. Graham. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2946.html Tue, 02 Sep 2008 10:15:05 +0000 Re: Strange behavoir of PasswordPolicy module by Clément OUDOT > Attached is a potential fix for this. Note that is also renames the > error method for fetching the password policy error to be called > pp_error. This is because there is already an error method in the > Control base class which has a different purpose. > > A diff can also be seen at > > http://git.goingon.net/?p=perl-ldap.git;a=commitdiff;h=1db4bbb61f5f68a3a7ff178e58818db62e94c398 Hi, I replace my PasswordPolicy.pm by the one you provided, but I get worse ;) The control is not working, as shown byt the Dump of the LDAP bind object: $VAR1 = bless( { 'parent' => bless( { 'net_ldap_version' => 3, 'net_ldap_scheme' => 'ldap', 'net_ldap_debug' => 0, 'net_ldap_socket' => bless( \*Symbol::GEN0, 'IO::Socket::INET' ), 'net_ldap_host' => 'localhost', 'net_ldap_uri' => 'localhost', 'net_ldap_resp' => {}, 'net_ldap_mesg' => {}, 'net_ldap_async' => 0, 'net_ldap_port' => 389, 'net_ldap_refcnt' => 1 }, 'Net::LDAP' ), 'errorMessage' => 'passwordPolicyRequest control value not absent', 'ctrl_hash' => undef, 'resultCode' => 2, 'callback' => undef, 'mesgid' => 1, 'matchedDN' => '', 'controls' => undef, 'raw' => undef }, 'Net::LDAP::Bind' ); I don't know what "passwordPolicyRequest control value not absent" means. The renaming of error in pp_error will be problematic, because the perl code has to be adapted to the perl-ldap version module! Is there no any solution? Clément. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2945.html Tue, 02 Sep 2008 09:12:25 +0000 Re: Strange behavoir of PasswordPolicy module by Graham Barr Attached is a potential fix for this. Note that is also renames the error method for fetching the password policy error to be called pp_error. This is because there is already an error method in the Control base class which has a different purpose. A diff can also be seen at http://git.goingon.net/?p=perl-ldap.git;a=commitdiff;h=1db4bbb61f5f68a3a7ff178e58818db62e94c398 Graham. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2944.html Tue, 02 Sep 2008 08:50:17 +0000 Strange behavoir of PasswordPolicy module by Clément OUDOT Hello, I'm using the PP control to retrieve warning (time to expiration and authn remaining). But it seems the dedicated functions time_before_expiration() and grace_authentications_remaining() are not wroking. I run this: ----------------------- print "Time before expiration:".$resp->time_before_expiration."\n"; print "Time before expiration:".$resp->{asn}->{warning}->{timeBeforeExpiration}."\n"; ------------------------ And the result is: ------------------------ Time before expiration: Time before expiration:1249 ------------------------ So the control is well formed (I can check it with Data::Dumper), but I can read the value only by browing the HASH and with the dedicated function. I use perl-ldap 0.36 on Linux CentOS 5.2. Any idea? Clément OUDOT. http://www.nntp.perl.org/group/perl.ldap/2008/09/msg2943.html Mon, 01 Sep 2008 09:05:12 +0000 Re: Problem using LDAP by Graham Barr On Aug 28, 2008, at 2:26 PM, pierre.ayotte@desjardins.com wrote: > We are currently using Perl::LDAP for many years now and it was > working really fine until a couple of days. We have 5 Windows 2000 > active directory wich we acess with Perl::LDAP using bind. Now in > three of those environnement we have the following error message > when we try to bind to the AD : > > > "LDAP_STRONG_AUTH_REQUIRED > The server requires authentication be performed with a SASL mechanism" > > Here is the perl code: > > use Net::LDAP; > use Net::LDAP::Util('ldap_error_name','ldap_error_text'); > > $ldap = Net::LDAP->new(@ARGV[0]) or die "$@"; > $mesg = $ldap->bind( dn => > "cn=XXXXX,ou=XXXXX,DC=XXX,DC=XXX,DC=XXX", password => 'PWD', > version => "3"); You are performing a simple bind, but it seems your AD now has a requirement that you use SASL binding. you will need to change you bind to $mesg = $ldap->bind( dn => "cn=XXXXX,ou=XXXXX,DC=XXX,DC=XXX,DC=XXX",, sasl => $sasl, version => 3); where $sasl is an Authen::SASL object. Graham. http://www.nntp.perl.org/group/perl.ldap/2008/08/msg2942.html Fri, 29 Aug 2008 10:11:24 +0000 Problem using LDAP by pierre.ayotte GIF89a h÷ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿ3fÌÿ3333f33Ì3ÿff3ffffÌfÿ3fÌÿÌÌ3ÌfÌÌÌÌÿÿÿ3ÿfÿÿÌÿÿ3333f33Ì3ÿ3333333f3333Ì33ÿ3f3f33ff3f3fÌ3fÿ3333f33Ì3ÿ3Ì3Ì33Ìf3Ì3ÌÌ3Ìÿ3ÿ3ÿ33ÿf3ÿ3ÿÌ3ÿÿff3ffffÌfÿf3f33f3ff3f3Ìf3ÿffff3fffffffÌffÿff3ffffÌfÿfÌfÌ3fÌffÌfÌÌfÌÿfÿfÿ3fÿffÿfÿÌfÿÿ3fÌÿ3333f33Ì3ÿff3ffffÌfÿ3fÌÿÌÌ3ÌfÌÌÌÌÿÿÿ3ÿfÿÿÌÿÿÌÌ3ÌfÌÌÌÌÿÌ3Ì33Ì3fÌ3Ì3ÌÌ3ÿÌfÌf3ÌffÌfÌfÌÌfÿÌÌ3ÌfÌÌÌÌÿÌÌÌÌ3ÌÌfÌÌÌÌÌÌÌÿÌÿÌÿ3ÌÿfÌÿÌÿÌÌÿÿÿÿ3ÿfÿÿÌÿÿÿ3ÿ33ÿ3fÿ3ÿ3Ìÿ3ÿÿfÿf3ÿffÿfÿfÌÿfÿÿÿ3ÿfÿÿÌÿÿÿÌÿÌ3ÿÌfÿÌÿÌÌÿÌÿÿÿÿÿ3ÿÿfÿÿÿÿÌÿÿÿ, hÿ<H° Á*\È°¡Ã#J4@àÄ3jÜÈqaÅ C¹ñ#É(S4©²¥ËYÂI¦Ì8s¼©³§Ï< 0(Ñ£D"]ÚS)Ó§4BÚRjÓ©º´Ú°¢×Yµ 1,Y±hrehVí^³Æ}ËRîW·pï¦¸Ö#Vµrÿ¾%x°a·t Þ±¯Â¶#[,lx²`ÈÇ<tnfº)[}×l\Î¢ÈóâÂ£).NÍzuc®cÃþ[2mâ¦¨WtfÏIÿn{¹óÇÍKÇ}úôàÖicnÓïÁêO·'ÿ½©øååWØ®{Ô'VN¸týâòõ¾¾dÿáíçÛw°QVÙw¼%8ßxÍ¦Òzí6[kMøYìA¦¡lìmõßpò×Gè^¦ Y§}H²x!ÎÈao½uÈ 3A¨£nrXc(WEæÚ0 id]úQ'ïuøU î5¹Rv#q¹;yI&UbiÐ_l©YG- 8&rºYl:'qtXç[fôÉé#vXc|Y¾Ý¢'iC. æ¢|bZh8"ª&§xyaö)©Bi¯æÿ'¥¡Yy·>9Yd¦ùçP¾þúS°Â6¥j±>SFÇâÙ,ÏrÇZ6Þf´$a`Ïr\|2};_hsa©d]Z +¯ê¦*«É¸«pjX`ªjjHðâ¸âcÿâ[/þ:cGý®X)qö ¼ï®µÆÕjðÀ¥biÀCÙ£eê0ïhrÁ%lá¥³ùíÄâRy¢¹ó·®Q0§©,ËÈf¶=4z@]UÑÞ1HHè¨]í©SÓB<ÅWÕ$&úÙ_¸S&êîq]³+êÄ+õ)«©è.rÉ£í±Êi3½2$¼1ÆrÜ©ÏvS\Í|ç÷ÙAÙöµÛ÷ÈÞqÆ%Ý¸Æ¯î2ÉG9£]30ÃÂm3Ù`ÇzºØRêZôÎêI»PkGµÑã©W]Õ¤föNy¶_±aou¥5.W¦1«{;³Æ§«övJúv®¹¼Þ¦ \þ{.¾Ôk|þ{ßï=¼ä¨²¼¦«¯^öí^>áþ ýâ(ÌæeÙñu=Ý1V3» Î« _´ÁvP+ü D8? 8; http://www.nntp.perl.org/group/perl.ldap/2008/08/msg2941.html Fri, 29 Aug 2008 05:29:18 +0000 Release perl-ldap-0.37 by Graham Barr perl-ldap-0.37 should appear on CPAN soon with the following changes perl-ldap 0.37 -- Thu Aug 28 07:48:13 CDT 2008 ============================================== Bug Fixes * Pass correct hostname to SASL when connecting to a round-robin * Return the SASL error message when sasl client_start fails Enhancements * Add Modify Increment (RFC 4525) support * Add Content Synchronization (RFC 4453) support The repository is available at http://git.goingon.net/?p=perl-ldap.git;a=summary log summary =========== commit 0ad1afebd38acc8a0215e79773474b89ea7995a9 Author: Graham Barr <gbarr@pobox.com> Date: Thu Aug 28 07:52:15 2008 -0500 Release 0.37 M Changes M META.yml M SIGNATURE M lib/Net/LDAP.pm commit f187ff5eed693aed2ebd7235b176b63063a41d3a Author: Graham Barr <gbarr@pobox.com> Date: Tue Aug 26 17:37:58 2008 -0500 Add MANIFEST.SKIP M .gitignore M MANIFEST A MANIFEST.SKIP commit d864ee0506031fcdb8b3fcdb182d9339973055fd Author: Mathieu PARENT <math.parent@gmail.com> Date: Wed Jul 16 20:02:15 2008 +0200 LDAP Content synchronisation Hi, This patch implements Intermediate Message and RFC 4533. Notes: - The only intrusive change is in lib/Net/LDAP/Search.pm - Net::LDAP::Intermediate::SyncInfo is not enabled by default (see lib/Net/LDAP/Intermediate.pm line 18) as there are decoding errors within ASN (see my previous mail). Waiting for feedback before (I hope) inclusion. Regards Mathieu Parent M MANIFEST M lib/Net/LDAP/ASN.pm M lib/Net/LDAP/Constant.pm M lib/Net/LDAP/Control.pm A lib/Net/LDAP/Control/SyncDone.pm A lib/Net/LDAP/Control/SyncRequest.pm A lib/Net/LDAP/Control/SyncState.pm A lib/Net/LDAP/Intermediate.pm A lib/Net/LDAP/Intermediate/SyncInfo.pm M lib/Net/LDAP/Search.pm commit f61d59d2c17bdcd09294504e742c5a7d4e8caa97 Author: Graham Barr <gbarr@pobox.com> Date: Tue Aug 26 16:47:45 2008 -0500 Add Module::Install A .gitignore M MANIFEST A META.yml A SIGNATURE A inc/Module/AutoInstall.pm A inc/Module/Install.pm A inc/Module/Install/AutoInstall.pm A inc/Module/Install/Base.pm A inc/Module/Install/Can.pm A inc/Module/Install/Fetch.pm A inc/Module/Install/Include.pm A inc/Module/Install/Makefile.pm A inc/Module/Install/Metadata.pm A inc/Module/Install/Win32.pm A inc/Module/Install/WriteAll.pm A inc/Test/Builder.pm A inc/Test/Builder/Module.pm A inc/Test/More.pm A inc/attributes.pm commit d16082de98c8f0427f0b057246e8adb794023560 Author: Ron Isaacson <isaacson@cpan.org> Date: Tue Aug 26 16:39:07 2008 -0500 [rt.cpan.org #37538] Errors from SASL client_start are not returned In bind(), if the SASL client_start call fails, the exact error message is swallowed, and the user gets a generic "Local error" message back. The error handling looks like this: my $initial = $sasl_conn->client_start; return _error($ldap, $mesg, LDAP_LOCAL_ERROR, "$@") unless defined($initial); This looks like a copy & paste from a few lines above, where errors creating $sasl_conn are caught by an eval. In this case, there is no eval, and "$@" will always be empty. To return the exact SASL error message to the caller, I think the last parameter here should be $sasl_conn->error(). M lib/Net/LDAP.pm commit 9e261fa3aff79a92391497e7ab90c9ae0a5707c4 Author: Peter Marschall <peter@adpm.de> Date: Sat May 24 12:37:23 2008 +0000 fix typo M lib/Net/LDAP/LDIF.pod commit f52c2166d3aed3695b9e72f79e1906da578bf384 Author: Chris Ridd <chris.ridd@isode.com> Date: Tue Apr 22 05:04:52 2008 +0000 Add Modify Increment (RFC 4525) support M lib/Net/LDAP.pm M lib/Net/LDAP.pod M lib/Net/LDAP/ASN.pm M lib/Net/LDAP/Constant.pm M lib/Net/LDAP/LDIF.pm commit af630673855d88c9a88e1f86ee0d068337562e91 Author: Graham Barr <gbarr@pobox.com> Date: Mon Apr 21 16:29:58 2008 +0000 Fix a problem with Net::LDAP when talking to a round-robin LDAP server(s) using SASL/GSSAPI authentication to use the provided hostname not the canonical name (Patch from Dominic Hargreaves) M lib/Net/LDAP.pm http://www.nntp.perl.org/group/perl.ldap/2008/08/msg2940.html Thu, 28 Aug 2008 06:07:57 +0000 Re: "" is not exported by the Net::LDAP::Constant module by Graham Barr On Aug 26, 2008, at 7:49 AM, ocns pcns wrote: > ================================================================= > The Issue: > > "" is not exported by the Net::LDAP::Constant module at > select_bsid.pl line 32 > at /usr/lib/perl5/site_perl/5.10/Net/LDAP/Constant.pm line 25 > Net::LDAP::Constant::import(undef, undef) called at > select_bsid.pl line 32 > main::BEGIN() called at /usr/lib/perl5/site_perl/5.10/Net/ > LDAP.pm line 3 2 > eval {...} called at /usr/lib/perl5/site_perl/5.10/Net/ > LDAP.pm line 32 > Can't continue after import errors at select_bsid.pl line 32 Something strange is going on here. Net:LDAP::import delegates to Net::LDAP::Constant::import, but it only passes the arguments it was passed. use Net::LDAP; should not pass any arguments, but somehow undef,undef is being passed. THis code has not changed in a long time, so we need to determine where those undef values come from. Could you modify Net/LDAP.pm and add the following line as the first line of sub import, before the shift require Carp; Carp::cluck(scalar @_); Graham. http://www.nntp.perl.org/group/perl.ldap/2008/08/msg2939.html Tue, 26 Aug 2008 07:59:32 +0000