Sue D. Nymme has asked for the wisdom of the Perl Monks concerning the following question:
I am trying to bind to a Windows Active Directory LDAP server on the domain controller, via Net::LDAP. Everything works fine; I can retrieve and update values, etc.
But is there a way to invoke the Net::LDAP bind() method without supplying the user's password? I'm not talking about an anonymous bind; I want to bind with the current user's credentials and permissions, but I don't want to have to prompt the user for their password every time they run the program.
I don't know much about authentication methods, but I found some references to Authen::SASL, and various authentication mechanisms. I looked on my AD server and saw that it supports GSSAPI, so I thought I'd try that:
```perl
use Net::LDAP;
use Authen::SASL;

#-----------------------------------------------#
# connect and authenticate
#-----------------------------------------------#
my $dc = 'brbdc1';
my $dn = "OU=OurDept,dc=OurDomain,dc=com";

# Create LDAP object; check auth capabilities.
my $ldap = Net::LDAP->new($dc) or die;
my $dse = $ldap->root_dse;
die "Can't support GSSAPI" unless $dse->supported_sasl_mechanism('GSSAPI');

# Create auth object; use it to bind to LDAP server.
my $sasl = Authen::SASL->new(mechanism => 'GSSAPI') or die;
my $rc = $ldap->bind(sasl => $sasl);
die 'Error ' . $rc->code . ': ' . $rc->error if $rc->code;
```
This dies on the last line with
No SASL mechanism found at //Summ2/Perl/site/lib/Authen/SASL.pm line 77 at //Summ2/Perl/site/lib/Net/LDAP.pm line 392
I feel that I'm very close here—can anyone help?
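An added diagnostic, not part of the original post or of Net::LDAP's own code: "No SASL mechanism found" is what Authen::SASL reports when no installed backend can load a class for the requested mechanism, so this script checks which of the modules involved in a GSSAPI bind actually load on the machine. The `probe` helper is hypothetical; the module names are the CPAN ones.

```perl
#!/usr/bin/perl
# Added example: report which Authen::SASL pieces needed for GSSAPI can load.
use strict;
use warnings;

# Try to load a module by name.
# Returns (1, version) on success or (0, first line of the load error).
sub probe {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return (1, $module->VERSION // 'unknown') if eval { require $file; 1 };
    my ($reason) = split /\n/, $@;
    return (0, $reason);
}

# Module name and the role it plays in bind(sasl => ...) with GSSAPI.
my @checks = (
    ['Authen::SASL',               'SASL front end handed to Net::LDAP bind()'],
    ['GSSAPI',                     'Kerberos bindings the pure-Perl mechanism depends on'],
    ['Authen::SASL::Perl::GSSAPI', 'pure-Perl GSSAPI mechanism class'],
    ['Authen::SASL::XS',           'alternative backend built on the Cyrus SASL C library'],
);

my %ok;
for my $check (@checks) {
    my ($module, $role) = @$check;
    my ($loaded, $detail) = probe($module);
    $ok{$module} = $loaded;
    printf "%-28s %-8s %s\n    (%s)\n",
        $module, ($loaded ? 'OK' : 'MISSING'), $detail, $role;
}

if ($ok{'Authen::SASL::Perl::GSSAPI'}) {
    # Mechanism class is available; remaining failures are Kerberos-side
    # (no ticket for the current user, or a host name with no matching
    # service principal).
    print "Pure-Perl GSSAPI mechanism loads.\n";
}
elsif ($ok{'Authen::SASL::XS'}) {
    # Loading the XS backend does not prove its C library ships a GSSAPI plugin.
    print "Only the XS backend loads; GSSAPI depends on the Cyrus SASL plugin.\n";
}
else {
    print "No backend can provide GSSAPI, so there is no mechanism to offer.\n";
}
```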
Re: Bind to LDAP without password
by Khen1950fx (Canon) on Jul 30, 2010 at 00:40 UTC
by Sue D. Nymme (Monk) on Jul 30, 2010 at 18:47 UTC
by Khen1950fx (Canon) on Jul 31, 2010 at 01:38 UTC
by Sue D. Nymme (Monk) on Aug 06, 2010 at 21:42 UTC