dvl has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to connect to an LDAP server and run a simple search. I'm getting 'I/O Error' back from my search() call.

The code is:

#!/usr/local/bin/perl

use strict;
use warnings;

use Authen::SASL;
use Net::LDAP;

my $username = 'dvl';

# Search for the user entry
my $filter = "(&(objectClass=person)(CN=$username))";
my $base   = "OU=People,DC=us,DC=example,DC=com";
my $dc     = "dc.us.example.com";

my $sasl = Authen::SASL->new( mechanism => 'GSSAPI', debug => 1 ) or die 'failed to create sasl';
my $ldap = Net::LDAP->new($dc, port => 636, scheme => 'ldaps') or die "$@";

my $dse = $ldap->root_dse;
die "Can't support GSSAPI" unless $dse->supported_sasl_mechanism('GSSAPI');

my $mesg = $ldap->bind( 'sasl' => $sasl, version => 3 ) or die "$@";
die 'Error ' . $mesg->code . ': ' . $mesg->error if $mesg->code;

if($mesg->is_error()) {
    die "Failed to set version: " . $mesg->error() . "\n";
}

print "searching with filter='$filter' and base='$base'\n";

$mesg = $ldap->search(base => $base, filter => $filter);

if($mesg->is_error()) {
    die "Failed to retrieve user entry: " . $mesg->error() . ' ' . $mesg->error_name()
      . ' ' . $mesg->error_desc() . ' ' . $mesg->code . ' ' . $mesg->mesg_id() . "\n";
}

if($mesg->entries == 0) {
    die "No records found for user '$username'\n";
}

$ldap->done();

The output I get is:

$ perl testing.pl
state(0): continuation call to routine required;unknown mech-code 0 for mech unknown; output token sz: 1514
state(0): Function completed successfully;unknown mech-code 0 for mech unknown; output token sz:
state(1): layermask 7,rsz 10485760,lsz 16777215,choice 4
searching with filter='(&(objectClass=person)(CN=dvl))' and base='OU=People,DC=us,DC=example,DC=com'
Failed to retrieve user entry: I/O Error LDAP_OPERATIONS_ERROR Operations error 1 5

I've tried various values for filter; all result in the same LDAP_OPERATIONS_ERROR error. Suggestions please?

Replies are listed 'Best First'.
Re: Net::LDAP giving I/O Error
by NetWallah (Canon) on Oct 11, 2016 at 18:31 UTC
    Your BIND statement:
    my $mesg = $ldap->bind( 'sasl' => $sasl, version => 3 ) or die "$@";
    Does not seem to follow the LDAP bind syntax, which requires the first argument to be a DN to bind/authenticate to.

    I believe you are getting an authorization error (5), since you try to do a search using what looks like an anonymous bind.

            ...it is unhealthy to remain near things that are in the process of blowing up.     man page for WARP, by Larry Wall
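An added example, not taken from this thread or from the Net::LDAP distribution, that lays the three bind forms Net::LDAP's bind() accepts side by side: a simple bind where the first argument is a DN plus a password, an anonymous bind with no DN, and a SASL bind where no DN is passed and the identity comes from the Kerberos ticket obtained by kinit. Every step goes through one helper that reports the symbolic error name, so a failed bind is reported as such instead of surfacing later as a failed search. The host, base DN and service-account DN are constructed placeholders, and the username is escaped with Net::LDAP::Util::escape_filter_value rather than interpolated raw into the filter.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Authen::SASL;

# Constructed placeholder values; substitute your own directory.
my $host       = 'dc.us.example.com';
my $base       = 'OU=People,DC=us,DC=example,DC=com';
my $service_dn = 'CN=svc-ldap,OU=Service,DC=us,DC=example,DC=com';

# Die with the step name, message, symbolic name and numeric code of a
# failed Net::LDAP operation; return the message object on success.
sub check {
    my ($step, $mesg) = @_;
    die sprintf("%s failed: %s [%s, code %d]\n",
        $step, $mesg->error, $mesg->error_name, $mesg->code) if $mesg->code;
    return $mesg;
}

# Look up one person entry. The username is escaped so characters such as
# '*', '(' or ')' cannot rewrite the filter.
sub find_person {
    my ($ldap, $username) = @_;
    my $filter = sprintf '(&(objectClass=person)(cn=%s))',
        escape_filter_value($username);
    my $mesg = check('search', $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => $filter,
        attrs  => [qw(cn mail)],   # request only what is needed
    ));
    return $mesg->entries;          # list of Net::LDAP::Entry objects
}

my $ldap = Net::LDAP->new($host, scheme => 'ldaps', port => 636)
    or die "connect to $host failed: $@\n";

my $mode = shift @ARGV // 'gssapi';

if ($mode eq 'simple') {
    # Form 1: DN as the first argument, password as an option.
    my $pw = $ENV{LDAP_PW} // die "set LDAP_PW for a simple bind\n";
    check('simple bind', $ldap->bind($service_dn, password => $pw));
}
elsif ($mode eq 'anon') {
    # Form 2: no DN at all. Whether a search is then permitted is a
    # server policy decision, not something the client can force.
    check('anonymous bind', $ldap->bind);
}
else {
    # Form 3: SASL GSSAPI. No DN is given; the server derives the identity
    # from the Kerberos ticket. Only attempt it if the root DSE lists it.
    my $dse = $ldap->root_dse or die "root DSE query failed\n";
    die "server does not advertise GSSAPI\n"
        unless $dse->supported_sasl_mechanism('GSSAPI');
    my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
    check('SASL GSSAPI bind', $ldap->bind(sasl => $sasl));
}

my @entries = find_person($ldap, 'dvl');
printf "%d entr%s found\n", scalar @entries, @entries == 1 ? 'y' : 'ies';
printf "  %s\n", $_->dn for @entries;

$ldap->unbind;
```

Run it as `perl bindforms.pl simple`, `perl bindforms.pl anon` or `perl bindforms.pl` (GSSAPI, after kinit). Because every bind goes through check(), a rejected or unauthorised bind stops the script with its own LDAP error name before any search is issued, which separates "the bind did not establish the identity you expected" from "the search itself failed".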

      Also, this morning, after my Kerberos ticket had expired overnight, I received this output when I ran the script:

      Failed to set version: GSSAPI Error (init): Miscellaneous failure (see text) Ticket expired
      That tells me that GSSAPI is being used.
      Thank you. I neglected to include: I'm running a kinit from my shell before running this script. I have a valid Kerberos ticket and that is why I specify GSSAPI. That is the intended use case. Does that help?
        I'm not familiar with GSSAPI, but Tim Bishop's Blog has a discussion, and supposedly working code for this.

                ...it is unhealthy to remain near things that are in the process of blowing up.     man page for WARP, by Larry Wall