Querying AD with Net::LDAP is easy and straightforward. MS does a lot of proprietary things, but they do not do "very proprietary LDAP *type* things on 389". AD is very compliant to the LDAPv3 spec (as compliant as the other vendors anyway). You can perform LDAP queries against port 389 on any AD domain controller and you can query port 3268 on any global catalog server.
You can find a bunch of examples of using Net::LDAP against AD here: http://www.rallenhome.com/books/managingenterprisead/code.html

Robbie Allen
http://www.rallenhome.com/

> -----Original Message-----
> From: Tim Musson [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 28, 2003 8:20 AM
> To: Graham Barr
> Subject: Re: [Fwd: howto perl-ldap AD authentication with
> SASL/GSSAPI mechanism?]
>
>
> Hey Graham, or Ben :-)
>
> My MUA believes you used Ximian Evolution 1.4.4
> to write the following on Wednesday, August 27, 2003 at 3:06:04 PM.
>
> GB> I have spent a week trying to search Active Directory via Net::LDAP.
> GB> I finally found the xray mailing list (geo crawler does not seem to
> GB> have information for this year?) via your CPAN information. I have
> GB> spent all day reading posts (many of them yours), which has led me
> GB> to believe that I need to use Simon's module
> GB> (perl-cyrus-sasl-0.02.tar.gz) to use GSSAPI to bind to AD. I am
> GB> going to start down this path, but I realize that many people are
> GB> trying to do this. Unfortunately, I have yet to find a decent howto
> GB> on it. Perhaps you can point me in the right direction?
>
> GB> Also, I saw the post
> GB> (http://www.xray.mpe.mpg.de/mailing-lists/perl-ldap/2003-01/msg00116.html)
> GB> that suggested putting Active Directory info in your Net::LDAP book.
> GB> I would buy it if it contained this information, especially the hard
> GB> to track down authentication piece. Several people at my company
> GB> have been trying to do this (AD via perl).
>
> I also had to do this, and have written a script taking things from the
> Net::LDAP::Examples link on http://perl-ldap.sourceforge.net/.
>
> I broke most everything into subroutines because I needed to do 3
> different queries to 3 different LDAP sources (syncing them...).
>
> The one thing I had the hardest time with is you don't use port 389 for
> LDAP access (I think AD does some very proprietary LDAP *type* things on
> 389). The MS web site has a document about it, and my AD admins followed
> it and set up port 3268 for LDAP queries. Another thing about AD LDAP is
> that by default there is no anonymous access at all. We decided it was
> not needed, and set up an ID with rights...
>
> The last odd AD/LDAP thing I can think of off the top of my head is they
> use CN instead of UID...
>
> ,----- [ Here is my code (that works), I am *very* open to suggestions :-) ]
> #!perl
> use strict;
> use warnings;
> use Net::LDAP;
> use Net::LDAP::Util qw( ldap_error_name ldap_error_text ); # used for error handling
>
> # Tim Musson, 2003/08
> my $LogLevel = 2;    # 0 = no log
>                      # 2 = search parms & "Returned:" count
>                      # 5 = everything, even array/hash contents!
> my $ldapDebug = '0'; # set to 0 to disable Net::LDAP debug output
>                      # set to 12 to get debug output...
>                      # set to 16 to just get additional print output from here
> # =====================================================
> getAD(); # I have multiples of this, and type of sub call in my script...
> # =====================================================
> sub getAD {
>     my ( @Attrs );
>     @Attrs = ( 'cn', 'sAMAccountName', 'department', ); # request these attrs
>     # @Attrs = ('1.1'); # retrieve no attributes...
>     # @Attrs = ();      # request all available attributes to be returned.
>
>     my %SearchParmsHash = (
>         Server       => "LDAPad.domain.tld",
>         Port         => 3268,
>         AuthDN       => "CN=LDAP4L00kups,OU=ServiceAccounts,DC=domain,DC=tld",
>         pw           => "ldap-pw",
>         SearchString => "CN=Muss*",
>         Attrs        => \@Attrs, # array ref of the attributes requested above
>         Base         => "DC=domain,DC=tld",
>     );
>     PrintParms( \%SearchParmsHash ) if $LogLevel >= 2;
>     Search( \%SearchParmsHash );
> }
> # =====================================================
> sub Search {
>     my $parm = shift @_;
>     my $ldap = Net::LDAP->new( $parm->{Server},
>                                port    => $parm->{Port},
>                                debug   => $ldapDebug,
>                                version => 3,
>                              ) or die "$@"; # INITIALIZE
>     my $mesg = $ldap->bind( $parm->{AuthDN},
>                             password => "$parm->{pw}",
>                           ); # BIND
>     if ( $mesg->code ) { # a failed bind must not fall through to the search
>         LDAPerror( $mesg );
>         die "bind as $parm->{AuthDN} failed\n";
>     }
>     my $result = LDAPsearch( $ldap,
>                              $parm->{SearchString},
>                              $parm->{Attrs},
>                              $parm->{Base},
>                            ); # SEARCH!
>
>     $ldap->unbind; # CLEAN UP
>
>     my $count = $result->count;
>     print "Returned: $count\n" if $LogLevel >= 2;
>     WalkThrough( $result ); # OUTPUT
> }
> # =====================================================
> sub LDAPsearch {
>     my ( $ldap, $SearchString, $attrs, $Base ) = @_;
>
>     my $result = $ldap->search( base   => $Base,
>                                 filter => $SearchString,
>                                 attrs  => $attrs,
>                               );
>     return $result; # Net::LDAP::Search object; caller checks ->code
> }
> # =====================================================
> sub WalkThrough {
>     # This works, but is not what mine looks like (I do my compare here)
>     my $result  = shift @_;
>     my @entries = $result->entries;
>     my $entr;
>     foreach $entr ( @entries ) {
>         print "DN: ", $entr->dn, "\n";
>
>         my $attr;
>         foreach $attr ( sort $entr->attributes ) {
>             next if ( $attr =~ /;binary$/ ); # skip binary
>             print "  $attr : ", $entr->get_value( $attr ), "\n";
>         }
>     }
>     if ( $result->code ) { # Display ERROR information
>         LDAPerror( $result );
>     }
> }
> # =====================================================
> sub PrintParms {
>     # note: this writes the bind password to the log in cleartext
>     my $parm  = shift @_;
>     my $Attrs = $parm->{Attrs};
>     print "
> Server: $parm->{Server}:$parm->{Port}
> AuthDN: $parm->{AuthDN} ($parm->{pw})
> Base: $parm->{Base} | SearchString: $parm->{SearchString}
> Attrs: $parm->{Attrs} ==> @{$Attrs}
>
> ";
> }
> # =====================================================
> sub LDAPerror { # LL=1
>     my ( $mesg ) = @_;
>     print "\nReturn code: ", $mesg->code;
>     print "\n    Message: ", ldap_error_name( $mesg->code );
>     print "\n           : ", ldap_error_text( $mesg->code );
>     print "  MessageID: ", $mesg->mesg_id;
>     print "\n         DN: ", $mesg->dn, "\n\n";
> }
> # =====================================================
> `-----
>
> --
> Tim Musson
> Flying with The Bat! eMail v1.62q
> Windows 2000 5.0.2195 (Service Pack 3)
> If you drink, don't park. Accidents cause people.
>
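The thread above boils down to three points: AD answers plain LDAPv3 on 389 (and forest-wide on the global catalog port 3268), it refuses anonymous binds by default so you need a service account, and users are found by sAMAccountName rather than uid. The script below is an added example, not Tim's script or Robbie's code, that puts those points together with the checks a practitioner would want: every Net::LDAP call's result is tested, the simple bind is wrapped in STARTTLS so the service-account password does not cross the wire in cleartext, and the search filter is built with `escape_filter_value` so caller-supplied input cannot alter the filter. The environment variable names (`AD_HOST`, `AD_USE_GC`, `AD_BIND_DN`, `AD_BIND_PW`, `AD_BASE`, `AD_CAFILE`) and the example.com DNs are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example: look up an AD account by sAMAccountName with Net::LDAP.
# Assumed configuration comes from environment variables (hypothetical names).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw( escape_filter_value ldap_error_name );

# Port 389 answers for the DC's own domain; 3268 (global catalog) answers
# for the whole forest but only returns attributes replicated to the GC.
my %cfg = (
    host   => $ENV{AD_HOST}    || 'dc1.example.com',          # assumption
    port   => $ENV{AD_USE_GC}  ? 3268 : 389,
    bind   => $ENV{AD_BIND_DN} || 'CN=svc-ldap,OU=ServiceAccounts,DC=example,DC=com',
    pw     => $ENV{AD_BIND_PW},                               # never hard-code this
    base   => $ENV{AD_BASE}    || 'DC=example,DC=com',
    cafile => $ENV{AD_CAFILE}  || '/etc/ssl/certs/ca-certificates.crt',
);
die "set AD_BIND_PW in the environment\n" unless defined $cfg{pw};

# Turn a failed Net::LDAP::Message into a readable fatal error.
sub fail {
    my ( $what, $mesg ) = @_;
    die sprintf "%s failed: %s (%s)\n", $what,
        ldap_error_name( $mesg->code ), $mesg->error;
}

# Connect, upgrade to TLS with certificate verification, then simple-bind.
sub connect_and_bind {
    my $ldap = Net::LDAP->new( $cfg{host}, port => $cfg{port}, version => 3 )
        or die "connect to $cfg{host}:$cfg{port} failed: $@\n";

    # STARTTLS protects the password that a simple bind sends in the clear.
    my $mesg = $ldap->start_tls( verify => 'require', cafile => $cfg{cafile} );
    fail( 'start_tls', $mesg ) if $mesg->code;

    # AD rejects anonymous binds by default, so a service account is required.
    $mesg = $ldap->bind( $cfg{bind}, password => $cfg{pw} );
    fail( 'bind', $mesg ) if $mesg->code;
    return $ldap;
}

# Find one user by sAMAccountName. The value is escaped so characters such as
# '*', '(' or ')' in the input cannot widen or break the filter.
sub find_user {
    my ( $ldap, $sam ) = @_;
    my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s))',
        escape_filter_value( $sam );
    my $mesg = $ldap->search(
        base   => $cfg{base},
        scope  => 'sub',
        filter => $filter,
        attrs  => [ qw( cn sAMAccountName department userAccountControl ) ],
    );
    fail( 'search', $mesg ) if $mesg->code;
    return $mesg->entries;
}

my $who  = shift @ARGV or die "usage: $0 sAMAccountName\n";
my $ldap = connect_and_bind();
for my $e ( find_user( $ldap, $who ) ) {
    print $e->dn, "\n";
    for my $attr ( sort $e->attributes ) {
        next if $attr =~ /;binary$/;    # skip binary-tagged attributes
        printf "  %-20s %s\n", $attr, join( ', ', $e->get_value( $attr ) );
    }
}
$ldap->unbind;
```

Run it as `AD_BIND_PW=... ./adlookup.pl jdoe`; set `AD_USE_GC=1` to query the global catalog on 3268 instead of the domain on 389. The bind result is checked before searching because, as the thread notes, a failed anonymous or mistyped bind otherwise surfaces only as an empty result set.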
