TieUpYourCamel has asked for the wisdom of the Perl Monks concerning the following question:

I am attempting to use Dancer2::Plugin::Auth::Extensible with Dancer2::Plugin::Auth::Extensible::Provider::LDAP and am running into some problems. For my SSCCE I have created a sample app according to the directions at https://metacpan.org/pod/Dancer2::Cookbook#Using-DBIx::Class ("dancer2 -a bookstore") and created a restricted route called "restricted". I have entered my LDAP configuration information into the config.yml file, using working data from a successful LDAP search conducted from the command line on the same computer. I attempt to load the restricted route in the browser, I am redirected to a login page, I enter valid credentials and click "Login", and it says "Login failed." Expected behavior is that it display the message "You're logged in!". The code and error messages are below. ("a successful bind must be completed on the connection")

It would seem that something must be different between the LDAP search done from the command line, which is successful, and the LDAP operation (presumably it's a search for the information of the user logging in) that's done by the plugin, which fails. I'm not sure where to start or how to troubleshoot what that difference might be.

----------------------------------------------------------------------
successful ldapsearch from command line (returns 264 entries)

    ldapsearch -h xxx.xxx.xxx.xxx -D "cn=Test User,ou=user,ou=accounts,ou=our,dc=our,dc=domain,dc=com" -W -b "dc=our,dc=domain,dc=com" objectclass=person

----------------------------------------------------------------------
# config.yml:

    plugins:
      Auth::Extensible:
        realms:
          config1:
            provider: LDAP
            host: xxx.xxx.xxx.xxx
            basedn: dc=our,dc=domain,dc=com
            binddn: 'cn=Test User,OU=USER,OU=ACCOUNTS,OU=our,DC=our,DC=domain,DC=com'
            bindpw: password
            username_attribute: sn
            name_attribute: displayName

----------------------------------------------------------------------
# bookstore.pm:

    package bookstore;
    use Dancer2;
    use Dancer2::Plugin::Auth::Extensible;
    use Dancer2::Plugin::Auth::Extensible::Provider::LDAP;

    our $VERSION = '0.1';

    get '/' => sub {
        template 'index' => { 'title' => 'bookstore' };
    };

    get '/restricted' => require_login sub {
        return "You are logged in!!";
    };

    true;

----------------------------------------------------------------------
error message when attempting to login:

    [bookstore:7168] core @2020-05-04 21:31:56> looking for post /login in /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Dancer2/Core/App.pm l. 35
    [bookstore:7168] core @2020-05-04 21:31:56> Entering hook core.app.before_request in (eval 305) l. 1
    [bookstore:7168] core @2020-05-04 21:31:56> Entering hook plugin.auth_extensible.before_authenticate_user in (eval 305) l. 1
    [bookstore:7168] debug @2020-05-04 21:31:56> Attempting to authenticate testuser against realm config1 in /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Dancer2/Core/Route.pm l. 164
    [bookstore:7168] debug @2020-05-04 21:31:57> Binding to LDAP with credentials in /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Dancer2/Plugin/Auth/Extensible/Provider/LDAP.pm l. 230
    [bookstore:7168] error @2020-05-04 21:31:57> config1 provider threw error: LDAP search error: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0 at /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Dancer2/Plugin/Auth/Extensible.pm line 473. in /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Dancer2/Core/Route.pm l. 164
    [bookstore:7168] core @2020-05-04 21:31:57> Entering hook plugin.auth_extensible.after_authenticate_user in (eval 305) l. 1
    [bookstore:7168] core @2020-05-04 21:31:57> looking for get /login in /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Dancer2/Core/App.pm l. 35
    [bookstore:7168] core @2020-05-04 21:31:57> Entering hook core.app.before_request in (eval 305) l. 1
    [bookstore:7168] debug @2020-05-04 21:31:57> app has no login template defined in /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Dancer2/Plugin/Auth/Extensible.pm l. 285
    [bookstore:7168] core @2020-05-04 21:31:57> Entering hook core.app.after_request in (eval 305) l. 1
    127.0.0.1 - - [04/May/2020:21:31:57 -0400] "POST /login?return_url=%2Frestricted HTTP/1.1" 200 1191 "http://localhost:5000/login?return_url=%2Frestricted" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"
    127.0.0.1 - - [04/May/2020:21:31:57 -0400] "GET /css/style.css HTTP/1.1" 304 0 "http://localhost:5000/login?return_url=%2Frestricted" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"
    127.0.0.1 - - [04/May/2020:21:31:57 -0400] "GET /images/perldancer-bg.jpg HTTP/1.1" 304 0 "http://localhost:5000/css/style.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"

Replies are listed 'Best First'.
Re: Dancer2::Plugin::Auth::Extensible::Provider::LDAP says "a successful bind must be completed"...
by Corion (Patriarch) on May 05, 2020 at 06:59 UTC

    I guess something goes wrong when authenticating against LDAP, but the plugin you're using does not log the LDAP error message when binding.

    As the plugin falls back on Net::LDAP anyway, maybe you can try this bare-bones version first, to find whether the password is wrong or anything like that:

        #!perl
        use strict;
        use warnings;
        use Net::LDAP;

        my $host = 'xxx.xxx.xxx.xxx';
        my %options = (
            # fill these in
        );
        my $ldap = Net::LDAP->new( $host, %options )
            or die "LDAP connect failed for: " . $host;

        my $mesg = $ldap->bind(
            "cn=Test User,ou=user,ou=accounts,ou=our,dc=our,dc=domain,dc=com",
            password => 'secret admin password',
        );
        warn "LDAP response when binding: " . $mesg->error;

        my $srch = $ldap->search(
            base   => "c=US",    # perform a search
            filter => "(&(sn=Barr)(o=Texas Instruments))"
        );
      Thanks for your suggestion Corion -- here are the results:
          camel@camelbox:~$ cat ldaptest.pl
          use strict;
          use warnings;
          use Net::LDAP;

          my $host = 'xxx.xxx.xxx.xxx';

          my $ldap = Net::LDAP->new( $host )
              or die "LDAP connect failed for: " . $host;
          my $mesg = $ldap->bind(
              "cn=Test User,ou=user,ou=accounts,ou=our,dc=our,dc=domain,dc=com",
              password => 'password',
          );
          warn "LDAP response when binding: " . $mesg->error;
          my $srch = $ldap->search(
              base   => "c=US",    # perform a search
              filter => "(&(sn=Barr)(o=Texas Instruments))"
          );
          camel@camelbox:~$ perl ldaptest.pl
          LDAP response when binding: Success at ldaptest.pl line 13, <DATA> line 755.
          camel@camelbox:~$
      So it does perform a successful bind.
Re: Dancer2::Plugin::Auth::Extensible::Provider::LDAP says "a successful bind must be completed"...
by whosgonna (Novice) on May 06, 2020 at 17:51 UTC
      Thanks whosgonna for noticing that. The branch/fork you mention does solve the problem in my SSCCE. I'm getting inconsistent results in my actual app that I'm working on. I'll have to do some more work to figure out what's going on.
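
An added example, not part of the thread and not the plugin's own code: a small Perl parser for the debug log quoted in the question. It pairs each login attempt with the provider error logged by the same process and splits the directory server's diagnostic string into fields, so provider faults can be told apart from ordinary wrong-password failures when reviewing logs. The sample lines are constructed from the question's log (rejoined, file paths shortened); treating the leading eight hex digits as a numeric code and the `parse_ldaperr` / `provider_failures` names are assumptions of this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed sample: three lines from the question's log, paths shortened.
my @log = (
    '[bookstore:7168] debug @2020-05-04 21:31:56> Attempting to authenticate testuser against realm config1 in .../Dancer2/Core/Route.pm l. 164',
    '[bookstore:7168] debug @2020-05-04 21:31:57> Binding to LDAP with credentials in .../Provider/LDAP.pm l. 230',
    '[bookstore:7168] error @2020-05-04 21:31:57> config1 provider threw error: LDAP search error: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0 at .../Auth/Extensible.pm line 473. in .../Dancer2/Core/Route.pm l. 164',
);

# Split a diagnostic of the form seen in the log:
#   <8 hex digits>: LdapErr: DSID-<id>, comment: <text>, data <hex>, v<build>
sub parse_ldaperr {
    my ($text) = @_;
    return unless $text =~
        /\b([0-9A-Fa-f]{8}): LdapErr: (DSID-[0-9A-Fa-f]+), comment: (.*?), data ([0-9A-Fa-f]+), v([0-9A-Fa-f]+)/;
    return { code_hex => uc $1, code => hex $1, dsid => $2,
             comment  => $3,    data => $4,     build => $5 };
}

# Pair "Attempting to authenticate" with a later "provider threw error"
# from the same process id, and record which LDAP operation failed.
sub provider_failures {
    my (@lines) = @_;
    my (%pending, @out);
    for my $line (@lines) {
        my ($pid, $level, $ts, $msg) =
            $line =~ /^\[\w+:(\d+)\] (\w+) \@(\S+ \S+)> (.*)$/ or next;
        if ($msg =~ /^Attempting to authenticate (\S+) against realm \S+/) {
            $pending{$pid} = $1;                      # who is logging in
        }
        elsif ($msg =~ /^(\S+) provider threw error: (.*)/) {
            my ($realm, $text) = ($1, $2);
            my ($stage) = $text =~ /^LDAP (\w+) error/;   # "search" in this log
            my $user = delete $pending{$pid};
            my $err  = parse_ldaperr($text);
            push @out, { time => $ts, realm => $realm, user => $user,
                         stage => $stage, ldaperr => $err };
        }
    }
    return @out;
}

for my $f (provider_failures(@log)) {
    my $e = $f->{ldaperr} or next;    # skip errors without an LdapErr string
    printf "%s realm=%s user=%s stage=%s code=0x%s (%d) %s data=%s\n",
        $f->{time}, $f->{realm}, $f->{user} // '?', $f->{stage} // '?',
        $e->{code_hex}, $e->{code}, $e->{dsid}, $e->{data};
    print "  comment: $e->{comment}\n";
}
```

On the sample it reports the failure at the search stage for `testuser` in realm `config1`, with code 0x000004DC (1244 decimal) and the "successful bind must be completed" comment.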