Michael, this mod resolved the AD/LDAP problem for me. Thank you very much. Devs, somehow incorporate this to 3.2?
Reply below.
That bit would stay the same. The bit of code that needs to change is
On Wed, 2008-10-22 at 14:45 -0500, Library Guy wrote:
> On Fri, Sep 26, 2008 at 09:17:13AM -0600, Michael Hafen wrote:
> > that Active Directory does not have the attribute auth_with_ldap.pm is
>
>
> > looking for to compare to the user entered password.
>
> this can be set with xpath /ldapserver/mapping/password at is but it will
>
> fail because you can't compare a clear text with an AD encrypted passwd!
>
>
> > problem is that auth_with_ldap.pm expects an attribute with password
> > stored in the plain,
>
> i don't think so! can you imagine a password stored in plain in a modern
>
>
> and secure system? i think that the current code expect that the plain
> text used for comparaison will be encrypted by the server.
>
> > $db->unbind;
> > $db->disconnect();
> > $db = Net::LDAP->new( [$prefhost] );
>
>
>
> why unbind ? you'll loose the benefit of mod_ldap cached data.
>
> $dbuser = Net::LDAP->new( [$prefhost] );
>
> > $res = $db->bind( $userldapentry, password = $password );
>
> password = $password will fail as perl vars begins with $ sigil!
>
>
>
> $res = $db->bind( $userldapentry, password => $password );
>
> works better
>
>
> regards
>
> marc
>
> so what would the suggested final mod look like if the current auth
> section of Auth_with_ldap.pm is:
>
> sub checkpw_ldap {
> my ($dbh, $userid, $password) = @_;
> my $db = Net::LDAP->new([$prefhost]);
> #$debug and $db->debug(5);
> my $uid_field = $mapping{userid}->{is} or die
> ldapserver_error("mapping for 'userid'");
> my $filter = Net::LDAP::Filter->new("$uid_field=$userid") or
> die "Failed to create new Net::LDAP::Filter";
> my $res = ($config{anonymous}) ? $db->bind : $db->bind($ldapname,
> password=>$ldappassword);
> if ($res->code) { # connection refused
> warn "LDAP bind failed as $ldapname: " . description($res);
> return 0;
> }
>
further down:
my $cmpmesg = $db->compare( $userldapentry,
attr=>'userpassword', value => $password );
if ($cmpmesg->code != 6) {
warn "LDAP Auth rejected : invalid password for user
'$userid'. " . description($cmpmesg);
return 0;
}
Would become more like:
my $user_ldapname = $userldapentry->dn();
my $user_db = Net::LDAP->new( [$prefhost] );
$res = $user_db->bind( $user_ldapname, password => $password );
if ( $res->code ) {
$debug and warn "Bind as user failed". description( $res );
return 0;
}