buksh_s has asked for the wisdom of the Perl Monks concerning the following question:

Hi there. I am a newbie to Perl and I am facing this problem, which I hope you guys can help me with.

I am trying to configure LDAP for an application (Eprints). There is a script already available for this in the application, and I am able to search users using this script. However, when I try to authenticate a user by doing a bind, it allows any existing LDAP user to go through regardless of whether their password is correct or not.

I have been racking my head over this one for a number of days, and the Eprints forum was also of no help. I would really appreciate it if any of you guys could help me out.

Regards

Sheraaz

Re: LDAP Authentication
by NetWallah (Canon) on Dec 13, 2011 at 05:17 UTC
    Please read How do I post a question effectively? .

    Show us what code/parameters you tried, and what error message you got.

                "XML is like violence: if it doesn't solve your problem, use more."

      Hi there. Thank you for responding. Here is the script itself.

      $c->{check_user_password} = sub
      {
          my( $session, $username, $password ) = @_;

          # LDAP authentication for "user", "editor" and "admin" types (roles)
          use Net::LDAP;                                 # IO::Socket::SSL also required
          use Net::LDAP::Util qw(escape_filter_value);   # escapes filter metacharacters

          # LDAP tunables
          my $ldap_host = "Tute.Usp.Ac.Fj/";
          my $base = "Dc=Usp,Dc=Ac,Dc=Fj";
          my $dn = "Cn=XXX,Cn=Users,$base";

          # Never pass an empty password to bind(): a bind with a DN and no
          # password is an "unauthenticated" bind (RFC 4513 section 5.1.2),
          # which many directories answer with success.
          return 0 unless defined $password && length $password;

          my $ldap = Net::LDAP->new( $ldap_host, version => 3 );
          unless( $ldap )
          {
              print STDERR "LDAP error: $@\n";
              return 0;
          }

          # Start secure connection (not needed if using LDAPS). Note that
          # start_tls() defaults to verify => 'none', i.e. the server
          # certificate is not checked unless verify/cafile are passed.
          my $ssl = $ldap->start_tls();
          if( $ssl->code() )
          {
              print STDERR "LDAP SSL error: " . $ssl->error() . "\n";
              return 0;
          }

          # Get password for the search-bind-account
          my $repository = $session->get_repository;
          my $id = $repository->get_id;
          my $ldappass = `cat /opt/eprints3/archives/$id/cfg/ldap.passwd`;
          chomp($ldappass);

          my $mesg = $ldap->bind( $dn, password => $ldappass );
          if( $mesg->code() )
          {
              print STDERR "LDAP Bind error: " . $mesg->error() . "\n";
              return 0;
          }

          # Distinguished name (and attributes needed later on) for this user.
          # The username is escaped so "*" or ")(" in it cannot alter the filter.
          my $result = $ldap->search (
              base => "$base",
              scope => "sub",
              #filter => "(&(uid=$username)(objectclass=inetOrgPerson))",
              filter => "(sAMAccountName=" . escape_filter_value($username) . ")",
              #attrs => ['1.1', 'uid', 'sn', 'givenname', 'mail'],
              sizelimit => 1
          );
          my $entr = $result->pop_entry;
          unless( defined $entr )
          {
              # Allow local EPrints authentication for admins (accounts not found in LDAP)
              my $user = EPrints::DataObj::User::user_with_username( $session, $username );
              return 0 unless $user;
              my $user_type = $user->get_type;
              if( $user_type eq "admin" )
              {
                  # internal authentication for "admin" type
                  return $session->get_database->valid_login( $username, $password );
              }
              return 0;
          }
          my $ldap_dn = $entr->dn;

          # Check password: bind as the user; any non-zero result code means
          # the credentials were rejected. $mesg is reused rather than
          # redeclared with "my", which would mask the earlier declaration.
          $mesg = $ldap->bind( $ldap_dn, password => $password );
          if( $mesg->code() )
          {
              $ldap->unbind;
              return 0;
          }

          # Does account already exist?
          my $user = EPrints::DataObj::User::user_with_username( $session, $username );
          if( !defined $user )
          {
              # New account
              $user = EPrints::DataObj::User::create( $session, "user" );
              $user->set_value( "username", $username );
          }

          # Set metadata
          my $name = {};
          $name->{family} = $entr->get_value( "sn" );
          $name->{given} = $entr->get_value( "givenName" );
          $user->set_value( "name", $name );
          $user->set_value( "username", $username );
          $user->set_value( "email", $entr->get_value( "mail" ) );
          $user->commit();

          $ldap->unbind if $ldap;
          return 1;
      }
        Your first "bind" operation with the 'search-bind' account may cause the second bind attempt to be a no-op. (Speculation)

        Try either using a "new" LDAP object, or doing "$ldap->unbind;" before authenticating the user.

                    "XML is like violence: if it doesn't solve your problem, use more."
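        Added example, not code from the EPrints script or from anyone in this thread: a password check that does the user bind on a connection the search account has not touched (the pattern the reply above suggests), together with the two classic bind pitfalls: an empty password turning into an unauthenticated bind that the server accepts, and an unescaped username reaching the search filter. The hostname, CA path and the account data in the mock server are assumptions constructed for the example; the mock stands in for a directory that accepts an empty-password bind, so the script runs offline.

```perl
#!/usr/bin/perl
# Added example, not part of the EPrints script: bind the user on a fresh
# connection, refuse empty passwords, escape the username in the filter.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Build the search filter with the username escaped, so "*" or ")(" in
# the submitted name cannot change what the filter matches.
sub user_filter {
    my ($username) = @_;
    return '(sAMAccountName=' . escape_filter_value($username) . ')';
}

# $connect returns a fresh, unbound connection on every call, so the user
# bind never reuses the session already bound as the search account.
# An empty password is rejected before bind() is called: a bind with a DN
# and no password is an "unauthenticated" bind (RFC 4513 section 5.1.2),
# which many directories, Active Directory included by default, answer
# with success.
sub verify_password {
    my ($connect, $user_dn, $password) = @_;
    return 0 unless defined $password && length $password;
    my $ldap = $connect->() or return 0;
    my $mesg = $ldap->bind($user_dn, password => $password);
    my $ok   = ($mesg->code == LDAP_SUCCESS) ? 1 : 0;
    $ldap->unbind;
    return $ok;
}

# Real connection factory (hostname and CA path are assumptions for this
# example). start_tls() defaults to verify => 'none', so certificate
# verification is requested explicitly.
sub real_connect {
    my $ldap = Net::LDAP->new('ldap.example.org', version => 3) or return;
    my $tls  = $ldap->start_tls(verify => 'require',
                                cafile => '/etc/ssl/certs/ca-certificates.crt');
    return if $tls->code;
    return $ldap;
}

# ---- Offline demonstration with a constructed stand-in for the server ----
package MockResult;
sub new  { my ($class, $code) = @_; return bless { code => $code }, $class }
sub code { return $_[0]{code} }

package MockAdServer;
# Constructed mock of a directory that treats an empty-password bind as
# anonymous and reports success for it. Result codes: 0 = success,
# 49 = invalidCredentials.
sub new {
    my $class = shift;
    return bless { 'CN=jdoe,CN=Users,DC=example,DC=org' => 's3cret' }, $class;
}
sub bind {
    my ($self, $dn, %arg) = @_;
    my $pw = defined $arg{password} ? $arg{password} : '';
    return MockResult->new(0) if $pw eq '';       # unauthenticated bind "succeeds"
    my $match = exists $self->{$dn} && $self->{$dn} eq $pw;
    return MockResult->new($match ? 0 : 49);
}
sub unbind { return 1 }

package main;

my $server  = MockAdServer->new;
my $connect = sub { $server };                    # swap in \&real_connect for a live directory
my $dn      = 'CN=jdoe,CN=Users,DC=example,DC=org';

print user_filter('jdoe'), "\n";
print user_filter('*)(objectClass=*'), "\n";      # metacharacters come out escaped

for my $pw ('s3cret', 'wrong', '') {
    printf "password %-9s => %s\n", "'$pw'",
        verify_password($connect, $dn, $pw) ? 'accepted' : 'rejected';
}
```

        Without the length check in verify_password, the third iteration would be accepted by the mock exactly as a real directory that permits unauthenticated binds would accept it; the check belongs in the application because the server's behaviour is not under its control.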

Re: LDAP Authentication
by Khen1950fx (Canon) on Dec 13, 2011 at 10:28 UTC
    I think that you might need to use HTTPS. Give it a try. If you can't get it to work, post some code and go from there.