--On Friday, June 11, 2004 6:36 AM +0100 Chris Ridd <[EMAIL PROTECTED]> wrote:
> This isn't really a bug, as LDAP does require a DN to be passed in all
> forms of bind operation. RFC 2251:
>
> ----
>  - name: The name of the directory object that the client wishes to bind
>    as. This field may take on a null value (a zero length string) for the
>    purposes of anonymous binds, when authentication has been performed at
>    a lower layer, or when using SASL credentials with a mechanism that
>    includes the LDAPDN in the credentials.
> ----
>
> So it technically makes sense if you're doing a SASL bind, even if most
> mechanisms will ignore it.
>
> The fact they ignore it means you could very simply pass "", as you're
> doing with the ldapsearch tool.
I'm going to be a little more clear here, since you just exactly made my point:
Net::LDAP *fails* to ignore the bind dn. Net::LDAP *REQUIRES* that the Bind DN *BE* your real BIND DN or the BIND fails. I'm not trying to bind to the server *without* a bind DN, I'm trying to bind to the server *without a valid* DN.
*That* is a bug, and a failure to meet RFC 2251.
What I get back from Net::LDAP when I use a SASL bind with an invalid DN is:
./sasl-notwork.pl
SASL(-14): authorization failure: not authorized at ./sasl-notwork.pl line 15, <DATA> line 283.
--------------------------------- SASL-NOTWORK.PL--------------------------------------
#!/usr/local/bin/perl -w
use strict;
use Net::LDAP;
use MIME::Base64;
use Authen::SASL;
use Socket;

my $server = 'ldap.stanford.edu';
# Use the canonical host name from reverse DNS for the GSSAPI service principal
my $name = gethostbyaddr(inet_aton($server), AF_INET);

my $ldap = Net::LDAP->new($name, version => 3) || die "$@";
my $slavesasl = Authen::SASL->new(mechanism => 'GSSAPI');

# SASL bind with a DN that is *not* the entry's real DN: this is the case that fails
my $mesg = $ldap->bind("uid=quanah", sasl => $slavesasl);
$mesg->code && die $mesg->error;

$mesg = $ldap->search(async => 1, filter => "(uid=quanah)", base => "dc=stanford,dc=edu");
my @entries = $mesg->entries;
foreach my $entry (@entries) {
    $entry->dump;
}
---------------------------------------------------------------------------------------

If I make the Bind DN *BE* the exact bind DN I get:

./sasl-work.pl
------------------------------------------------------------------------
dn:uid=quanah,cn=Accounts,dc=Stanford,dc=edu
cn: Quanah Gibson-Mount
gecos: Quanah Gibson-Mount
gidNumber: 37
homeDirectory: /afs/ir/users/q/u/quanah(etc)
--------------------------------- SASL-WORK.PL-----------------------------------------
#!/usr/local/bin/perl -w
use strict;
use Net::LDAP;
use MIME::Base64;
use Authen::SASL;
use Socket;

my $server = 'ldap.stanford.edu';
# Use the canonical host name from reverse DNS for the GSSAPI service principal
my $name = gethostbyaddr(inet_aton($server), AF_INET);
my $ldap = Net::LDAP->new($name, version => 3) || die "$@";
my $slavesasl = Authen::SASL->new(mechanism => 'GSSAPI');
# SASL bind with the entry's full DN: this is the case that works
my $mesg = $ldap->bind("uid=quanah,cn=accounts,dc=stanford,dc=edu", sasl => $slavesasl);
$mesg->code && die $mesg->error;
$mesg = $ldap->search(async => 1, filter => "(uid=quanah)", base => "dc=stanford,dc=edu");
my @entries = $mesg->entries;
foreach my $entry (@entries) {
    $entry->dump;
}
-----------------------------------------------------------------------------------------

Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
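As an added example (not code from this thread and not Net::LDAP's own code), here is a small encoder and decoder for the LDAPv3 BindRequest of RFC 2251, written in Python rather than Perl because the point is the wire format, not the Net::LDAP API. It builds the three request shapes the thread compares, a simple bind, a SASL bind with a zero-length name (what ldapsearch sends), and a SASL bind whose name field carries a DN (what the posted script asks Net::LDAP to send), and parses each back. The GSSAPI token bytes are a constructed placeholder rather than a real Kerberos token, and the cn=admin DN and its password are made up; the uid=quanah DN is the one from the thread.

```python
"""Minimal BER encoding/decoding of the LDAPv3 BindRequest (RFC 2251 s. 4.2).

BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    authentication CHOICE { simple [0] OCTET STRING, sasl [3] SaslCredentials } }
SaslCredentials ::= SEQUENCE { mechanism LDAPString, credentials OCTET STRING OPTIONAL }
"""
from typing import Dict, List, Optional

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # [0], primitive
AUTH_SASL = 0xA3      # [3], constructed

def _length(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def _small_int(v: int) -> bytes:
    """INTEGER in 0..127: enough for message IDs and the version used here."""
    if not 0 <= v < 0x80:
        raise ValueError("only 0..127 supported")
    return _tlv(INTEGER, bytes([v]))

def bind_request(msg_id: int, name: str, *, password: Optional[bytes] = None,
                 mechanism: Optional[str] = None,
                 credentials: Optional[bytes] = None) -> bytes:
    """Encode an LDAPMessage carrying a simple or SASL BindRequest."""
    if (password is None) == (mechanism is None):
        raise ValueError("give exactly one of password= or mechanism=")
    if password is not None:
        auth = _tlv(AUTH_SIMPLE, password)
    else:
        sasl = _tlv(OCTET_STRING, mechanism.encode())
        if credentials is not None:   # OPTIONAL field, omitted when None
            sasl += _tlv(OCTET_STRING, credentials)
        auth = _tlv(AUTH_SASL, sasl)
    # name is an ordinary LDAPDN octet string; RFC 2251 allows "" for SASL binds.
    op = _tlv(BIND_REQUEST,
              _small_int(3) + _tlv(OCTET_STRING, name.encode()) + auth)
    return _tlv(SEQUENCE, _small_int(msg_id) + op)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just past the element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(msg: bytes) -> Dict[str, object]:
    """Decode an LDAPMessage/BindRequest such as bind_request() produces."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, p = _read_tlv(op, 0)
    _, name, p = _read_tlv(op, p)
    tag, auth_bytes, _ = _read_tlv(op, p)
    out = {"message_id": mid[0], "version": ver[0], "name": name.decode()}
    if tag == AUTH_SIMPLE:
        out.update(auth="simple", password=auth_bytes)
    elif tag == AUTH_SASL:
        _, mech, q = _read_tlv(auth_bytes, 0)
        creds = _read_tlv(auth_bytes, q)[1] if q < len(auth_bytes) else None
        out.update(auth="sasl", mechanism=mech.decode(), credentials=creds)
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return out

def three_binds() -> List[Dict[str, object]]:
    """The three request shapes the thread compares, round-tripped."""
    token = b"\x60\x00"   # constructed stand-in for a GSSAPI token, not a real one
    return [parse_bind_request(m) for m in (
        bind_request(1, "cn=admin,dc=example,dc=com", password=b"secret"),  # made-up DN
        bind_request(2, "", mechanism="GSSAPI", credentials=token),
        bind_request(3, "uid=quanah,cn=Accounts,dc=Stanford,dc=edu",
                     mechanism="GSSAPI", credentials=token),
    )]

if __name__ == "__main__":
    for req in three_binds():
        print(req)
```

On the wire the name is just an octet string sitting next to the SASL credentials; whatever identity the mechanism itself carries travels inside the credentials, so what a server does with a non-empty name on a SASL bind is server policy, not something fixed by the encoding.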
