Hi Steve,
On Thursday 04 August 2005 11:52, SteveC wrote:
> I have been trying to authenticate to an Active Directory LDAP server using
> Authen::SASL::Perl::DIGEST_MD5 and am failing. Using OpenLDAP's ldapsearch
> and the -Y DIGEST-MD5 command line option, I can authenticate with no
> problem -- so the credentials I am using are certainly correct. However,
> with the script below I get an error code 49 -- invalid credentials.
>
>
> use Net::LDAP;
> use Authen::SASL qw/Perl/;
>
> my $host = "fqdn.of.domain.controller"; # one of our AD domain controllers
>
> my $user = '[EMAIL PROTECTED]'; # my UserPrincipalName in AD
> my $passwd = 'myPassword';
>
> # SASL object using the pure-Perl DIGEST-MD5 implementation
> my $sasl = Authen::SASL->new(
>     mechanism => 'DIGEST-MD5',
>     callback => {
>         user => $user,
>         pass => $passwd,
>     }
> );
> my $ldap = Net::LDAP->new($host, debug=>12, version => 3);
> # SASL bind with an empty DN; the identity comes from the SASL callbacks
> my $msg = $ldap->bind("", sasl => $sasl);
> if($msg->code) {
>     print $msg->error . "\n";
> }
> else {
>     print "IT WORKED!!!\n";
>     exit(0);
> }
>
>
> The only thing of note in the AD environment is that we have multiple
> domain controllers. This led me to look at the 'serv' callback parameter,
> as that appears to be used when there is a replicated service. One thing I
> have noticed while investigating this, is that there appears to be a bug in
> the 'serv' parameter handling of the DIGEST_MD5 module. When this
> parameter is present, the module appends the value to digest_uri (note the
> underscore), it should do so to digest-uri. However, even when I change
> the module and try to use this parameter I still get the same
> authentication problem. [In my testing with the 'serv' parameter, the
> $host is the fqdn of a domain controller, and the serv value was the name
> of the domain I am trying to authenticate to.]
I guess you are right with digest-uri vs. digest_uri.
A few questions / requests:
- Did you replace both occurrences of 'digest_uri' with 'digest-uri'?
- Did you try the script with Authen::SASL::Cyrus as backend?
- Did you check the communication for the different implementations
on the wire?
If not, would you mind doing so?
Thank you for your help
Peter
--
Peter Marschall
eMail: [EMAIL PROTECTED]
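
Added example (not part of the original messages, and not Authen::SASL code): under RFC 2831 the digest-uri is hashed into the DIGEST-MD5 response, so when comparing implementations on the wire it helps to recompute the response from the fields the client actually sent. The sample line and password below are the RFC 2831 section 4 test vector; the appended serv-name example.com is a constructed value.

```perl
#!/usr/bin/perl
# Recompute an RFC 2831 DIGEST-MD5 response (qop=auth) from a digest-response
# line, e.g. one copied out of debug output or a packet capture.
use strict;
use warnings;
use Digest::MD5 qw(md5 md5_hex);

# Parse 'key=value,key="quoted value"' pairs into a hash.
sub parse_digest_response {
    my ($line) = @_;
    my %f;
    while ($line =~ /\G\s*([\w-]+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))\s*,?/gc) {
        my ($key, $quoted, $bare) = ($1, $2, $3);
        if (defined $quoted) { $quoted =~ s/\\(.)/$1/g; $f{$key} = $quoted }
        else                 { $f{$key} = $bare }
    }
    return %f;
}

# response = HEX(H(HEX(H(A1)):nonce:nc:cnonce:qop:HEX(H(A2))))
sub digest_md5_response {
    my ($password, %f) = @_;
    # A1 starts with the raw 16-byte MD5 of username:realm:password
    my $a1 = md5(join ':', $f{username}, $f{realm} // '', $password)
           . ":$f{nonce}:$f{cnonce}";
    $a1 .= ":$f{authzid}" if defined $f{authzid};
    # A2 carries the digest-uri: serv-type/host[/serv-name]
    my $a2 = 'AUTHENTICATE:' . $f{'digest-uri'};
    return md5_hex(join ':', md5_hex($a1), $f{nonce}, $f{nc}, $f{cnonce},
                             $f{qop}, md5_hex($a2));
}

# Sample digest-response: the RFC 2831 section 4 vector (password "secret").
my $wire = 'charset=utf-8,username="chris",realm="elwood.innosoft.com",'
         . 'nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk",'
         . 'digest-uri="imap/elwood.innosoft.com",'
         . 'response=d388dad90d4bbd760a152321f2143af7,qop=auth';

my %f    = parse_digest_response($wire);
my $calc = digest_md5_response('secret', %f);
print "digest-uri on wire : $f{'digest-uri'}\n";
print "response on wire   : $f{response}\n";
print "recomputed         : $calc ",
      ($calc eq $f{response} ? "(match)" : "(MISMATCH)"), "\n";

# Same fields, but hashing a digest-uri with a serv-name appended
# (constructed value): the response changes, so both sides must agree on it.
my %alt = (%f, 'digest-uri' => "$f{'digest-uri'}/example.com");
print "with serv-name     : ", digest_md5_response('secret', %alt), "\n";
```

A mismatch between the recomputed value and the response on the wire, with a known-good password, points at a field the client hashed differently from what it sent.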