On Fri, Sep 26, 2008 at 09:17:13AM -0600, Michael Hafen wrote:
> that Active Directory does not have the attribute auth_with_ldap.pm is
> looking for to compare to the user entered password.

this can be set with xpath /ldapserver/mapping/password at is but it will
fail because you can't compare a clear text with an AD encrypted passwd!

> problem is that auth_with_ldap.pm expects an attribute with password
> stored in the plain,

i don't think so! can you imagine a password stored in plain in a modern
and secure system? i think that the current code expect that the plain
text used for comparaison will be encrypted by the server.

> $db->unbind;
> $db->disconnect();
> $db = Net::LDAP->new( [$prefhost] );

why unbind ? you'll loose the benefit of mod_ldap cached data.

$dbuser = Net::LDAP->new( [$prefhost] );

> $res = $db->bind( $userldapentry, password = $password );

password = $password will fail as perl vars begins with $ sigil!

$res = $db->bind( $userldapentry, password => $password );

works better


regards

marc

so what would the suggested final mod look like if the current auth section of Auth_with_ldap.pm is:

sub checkpw_ldap {
    my ($dbh, $userid, $password) = @_;
    my $db = Net::LDAP->new([$prefhost]);
        #$debug and $db->debug(5);
        my $uid_field = $mapping{userid}->{is} or die ldapserver_error("mapping for 'userid'");
        my $filter = Net::LDAP::Filter->new("$uid_field=$userid") or die "Failed to create new Net::LDAP::Filter";
    my $res = ($config{anonymous}) ? $db->bind : $db->bind($ldapname, password=>$ldappassword);
    if ($res->code) {           # connection refused
        warn "LDAP bind failed as $ldapname: " . description($res);
        return 0;
    }