Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi,
I am developing a script which has to authenticate against MS Active Directory. I am using the following script for that.
    #!/usr/bin/perl
    use strict;
    use warnings;
    use Net::LDAP;
    use Net::LDAP::Util qw(ldap_error_text ldap_error_name ldap_error_desc);

    my $LDAPServerAddress = '10.4.78.107';

    my $errorMsg = checkPassword('test@navitools.com', 'test');
    print "$errorMsg.....";

    sub checkPassword {
        my ($user, $password) = @_;   # $user is not used yet; the bind DN is hard-coded below

        # 'or' instead of '||': '||' binds to the last argument ('ldaps'), so the return never ran
        my $ldap = Net::LDAP->new($LDAPServerAddress, port => 636, scheme => 'ldaps')
            or return "Can't connect to $LDAPServerAddress via LDAP";

        # bind() always returns a Net::LDAP::Message; the result code says whether it worked
        my $result = $ldap->bind("CN=Test User,OU=Corp,DC=navitools,DC=com",
                                 password => $password);
        $ldap->unbind();

        return $result->error if $result->code;   # return the error message if the bind failed
        return 1;                                 # return 1 on success
    }

My problem is in the bind part. This script works fine, but here I am using the attribute CN=Test User (first & last name) and the password.

I have to use the logon name (test) to get authenticated. If I use 'CN=test' instead of 'CN=Test User', it's not authenticating.
Please help me to get it done.
Thanks,

Re: Active Directory authentication using login name
by lcs (Novice) on Dec 19, 2007 at 11:25 UTC
    Hi, Anonymous,
    I think you need to include the domain in the bind: domain\samaccountname or samaccountname@domain.
    Also, Exchange 5.5 supported the following DN: cn=<Login Name>,cn=<NT Domain>,cn=Admin, so this one might work too! (I haven't verified this - this is just from memory...)
    Cheers
Re: Active Directory authentication using login name
by shmem (Chancellor) on Dec 19, 2007 at 13:33 UTC
    AFAIK you can use just the UPN (UserPrincipalName, test@navitools.com in your case) as BindDN for Active Directory:
        sub checkPassword {   # no parens () here - why a prototype?
            my ($user, $password) = @_;
            my $ldap = Net::LDAP->new(
                $LDAPServerAddress,
                port   => '636',
                scheme => 'ldaps'
            ) or die "Can't connect to $LDAPServerAddress via LDAP";   # not ||
            my $result = $ldap->bind( $user, password => $password )
                or die "Can't bind!\n";   # $@ is set by eval
            if ( $result->code ) {
                die $result->error;
            }
            1;
        }

    You should make up your mind whether you want to die() on errors and wrap the call into a block eval, or return strings on error and nothing on success, in which case the function name is a bit misleading if used in boolean context, e.g.

        if ( checkPassword($user,$pass) ) {
            # success or failure here?
        } else {
            ...
        }
    You could also avoid the die(), setting $@ and returning nothing on failure, and returning 1 on success - that's what I would do.

    --shmem

    _($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                                  /\_¯/(q    /
    ----------------------------  \__(m.====·.(_("always off the crowd"))."·
    ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
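Added example, not code from the question or from either reply: a check_password() that binds with the logon name in the two forms lcs and shmem describe (user@domain UPN, or DOMAIN\user passed through as given), and adds the two checks a practitioner wants around an AD bind. First, an empty password turns a simple bind into an unauthenticated bind, which AD accepts with LDAP_SUCCESS, so it is refused before bind() is ever called. Second, Net::LDAP's default for ldaps is verify => 'none', so the server certificate is checked explicitly. It also maps the "data NNN" sub-codes AD puts in the error text of a code-49 failure to a readable reason. The host name dc1.navitools.com, the CA file path, and the sample credentials are assumptions made up for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Assumed values, not from the original post: the host name must match the
# DC's certificate, and the CA file is whatever signed that certificate.
my $LDAP_HOST = 'dc1.navitools.com';
my $CA_FILE   = '/etc/ssl/certs/navitools-ca.pem';
my $DOMAIN    = 'navitools.com';

# For an "invalid credentials" (code 49) bind, AD appends "data NNN" to the
# diagnostic message. These sub-codes are documented by Microsoft.
my %AD_SUBCODE = (
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on at this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
);

# Turn the AD diagnostic text into a human-readable reason.
sub ad_failure_reason {
    my ($message) = @_;
    if ( $message =~ /\bdata\s+([0-9a-f]+)/i ) {
        my $sub = lc($1);
        return $AD_SUBCODE{$sub} // "unknown AD sub-code $sub";
    }
    return $message;
}

# Returns (1, 'ok') on success, (0, reason) on failure.
sub check_password {
    my ($login, $password) = @_;

    # An empty password makes this an unauthenticated bind (RFC 4513 s.5.1.2),
    # which AD accepts. Refuse it here; never let it reach bind().
    return (0, 'empty password refused')
        unless defined $password && length $password;

    # A bare sAMAccountName becomes a UPN; user@domain and DOMAIN\user are passed as given.
    my $bind_name = ( $login =~ /[\@\\]/ ) ? $login : "$login\@$DOMAIN";

    my $ldap = Net::LDAP->new(
        $LDAP_HOST,
        scheme  => 'ldaps',
        port    => 636,
        verify  => 'require',   # default is 'none', i.e. no certificate check at all
        cafile  => $CA_FILE,
        timeout => 10,
    ) or return (0, "connect failed: $@");

    # bind() always returns a Net::LDAP::Message; only the result code tells you anything.
    my $result = $ldap->bind($bind_name, password => $password);
    $ldap->unbind;

    return (1, 'ok') if $result->code == 0;
    return (0, ad_failure_reason($result->error));
}

# Constructed sample call; both values are made up for this example.
my ($ok, $why) = check_password('test', 'correct horse battery staple');
print $ok ? "authenticated\n" : "rejected: $why\n";
```

Returning a (status, reason) pair sidesteps the boolean ambiguity shmem points out: the first element is the only thing a caller should branch on, and the reason string is for logging. Keep the sub-code mapping out of anything shown to the user; telling an unauthenticated caller "user not found" versus "invalid credentials" is an account-enumeration gift.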