4 issues with Net::LDAP and Active Directory

I have 4 issues which I do not understand and I have searched the
Net::LDAP documentation up and down and cannot figure it out.

1. pwdLastSet is only available for the DN of the user who is logged
in. (That seems a little odd, why is that?) And yes, I logged in as
another user using LDAP and it was available for them and not me.

2. pwdLastSet is some Active Directory timestamp. (Why oh why can't
Microsoft just use UTC like every other application on the planet?) Is
there a function included with Net::LDAP to convert this number into
UTC, so I can tell when the user last set their password in meaningful
terms in Perl on Linux?

3. I have real difficulty with determining the DN. In my program you
can see that I looked at the server-level DN (at least that is what I
think it is; I got it by seeing what I was a member of. My sysadmin for
Active Directory told me my DN to start). If I knew my login name, is
there a way I can find my DN easily?

4. I do not seem to be able to set the value of unicodePwd even though
I can change my own password in Active Directory.

Any help is appreciated.

Jeff K

----------------------------------------------------------

When the time comes and my password is going to expire, I can set my
password, leading me to believe that I can change my own password, and my
sysadmin for Active Directory swears up and down that each user has the
rights to modify their own password. And I suspect maybe the password is
not in the unicodePwd field as suggested, because I do not see that field
when I list all the properties of my DN.

Or maybe it's hidden for security reasons?

And I get the following Access rights Violation error.

Display Date [CN=Jeff Kalbfleisch,OU=Nelvana,DC=corusent,DC=intra] [Dec 31, 1969] [128126604183974767]<h1>Software error:</h1>
<pre>00000005: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 at ldappass_set line 120.</pre>
<p>
For help, please send mail to this site's webmaster, giving this error message
and the time and date of the error.
</p>
[Tue Feb  6 18:14:01 2007] ldappass_set: 00000005: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
[Tue Feb  6 18:14:01 2007] ldappass_set:  at ldappass_set line 120.

I wrote this code which gives the above result

use strict;
use warnings;
use Net::LDAPS;                  # LDAP over SSL
use Unicode::Map8;               # latin1 -> Unicode mapping used in set_password
use Unicode::String qw(utf16);   # provides byteswap()/utf16() on the mapped string

my $ldap = Net::LDAPS->new("myDNS") or die "$@";

my $login = "CORUSENT\\jeffk";
my $password = "-----"; # I emptied this field for security reasons

# Bind as the domain user (DOMAIN\user form)
my $message = $ldap->bind($login, password => $password, version => 3);

my $schema = $ldap->schema();
my $dse = $ldap->root_dse();

my $resultCode = $message->{'resultCode'};

#Nel::Core::Common::dump($dse);

# Search everything under the base DN
my $mesg = $ldap->search(
        base   => "OUR BASE DN",
        filter => "cn=*"
);

$mesg->code && die $mesg->error;

my @entries = $mesg->entries;

my @all_nelvana_DNs;

# Collect the DNs listed in the 'member' attribute of the returned entries
foreach my $entr ( @entries ) {
   my $attr;
   foreach $attr ( sort $entr->attributes ) {
     next if ( $attr =~ /;binary$/ );
     if ($attr eq 'member'){
        @all_nelvana_DNs = $entr->get_value($attr);
     }
   }
}

foreach my $DN(@all_nelvana_DNs){
        #if ($DN !~ 'Richard Gopaul') { next; }
        if ($DN !~ 'Jeff Kalbfleisch') { next; }
        my $ldap_hash = &get_dn_hash($ldap,$DN);
        my $pwdLastSet = $ldap_hash->{pwdLastSet}[0];
        # get_date() is not defined in this listing
        my $date = &get_date($pwdLastSet);
        my $display_date = $date->get_display_date();

        print "\nDisplay Date [$DN] [$display_date] [$pwdLastSet]";

        my $newPW = "---------"; # PURPOSELY BLANKED OUT BY ME FOR THIS POSTING
        &set_password($ldap,$DN,$newPW);
}

# Return a hash ref of attribute name => array ref of values for one DN
sub get_dn_hash {
        my $ldap = shift;
        my $DN = shift;
        my %ldap_record;
        my $ldap_record = \%ldap_record;

        # Do An LDAP Search On This USER
        my $mesg2 = $ldap->search(
                base   => $DN,
                filter => "cn=*",
        );

        my @entries = $mesg2->entries;

        foreach my $entry(@entries){
                # Reads the decoded attribute list straight from the entry object
                my $asn = $entry->{asn};
                my $attributes = $asn->{attributes};
                foreach my $attribute(@$attributes){
                        my $type = $attribute->{type};
                        my $vals = $attribute->{vals};
                        $ldap_record->{$type} = $vals;
                }
        }
        return $ldap_record;
}

# Needs Unicode::Map8 and Unicode::String loaded
sub set_password {
        my $ldap = shift;
        my $DN = shift;
        my $newPW = shift;

        # Quote the password and convert it to little-endian UTF-16
        my $charmap = Unicode::Map8->new('latin1')  or  die;
        my $newUniPW = $charmap->tou('"'.$newPW.'"')->byteswap()->utf16();

        my $mesg = $ldap->modify($DN,
                            changes => [
                            replace => [ unicodePwd => $newUniPW ]]);
        $mesg->code && die $mesg->error;
}

Jeff Kalbfleisch
Programmer/Analyst
Corus(tm) Entertainment Inc. / Nelvana
135 Liberty Street, suite 100
Toronto, Ontario M6K 1A7
416.535.0935 ext. 3255
jeff.kalbfleisch@corusent.com

jeff
2/6/2007 11:37:56 PM
perl.ldap
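
An added example, not part of the original post, relating to question 2: pwdLastSet is a Windows FILETIME, a count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, so converting it to Unix time is one division and one subtraction. The function names are illustrative, and the sample value is the one printed in the post's output.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Math::BigInt;
use POSIX qw(strftime);

# Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
use constant EPOCH_DIFF_SECS => 11_644_473_600;
# FILETIME counts 100-nanosecond ticks: 10 million ticks per second.
use constant TICKS_PER_SEC   => 10_000_000;

# Convert an AD timestamp (decimal string) to Unix epoch seconds.
# Returns undef when the value does not represent a real time.
sub filetime_to_epoch {
    my ($ft) = @_;
    return undef unless defined $ft && $ft =~ /\A\d+\z/;
    # pwdLastSet = 0 means the user must change password at next logon.
    return undef if $ft == 0;
    # BigInt keeps the 18-digit value exact, including on 32-bit perls.
    my $secs = Math::BigInt->new($ft) / TICKS_PER_SEC - EPOCH_DIFF_SECS;
    return $secs->numify;
}

# Render the timestamp as a UTC string, or a marker for "no time".
sub filetime_to_utc_string {
    my ($ft) = @_;
    my $epoch = filetime_to_epoch($ft);
    return defined $epoch
        ? strftime('%Y-%m-%d %H:%M:%S UTC', gmtime($epoch))
        : 'not set';
}

# The pwdLastSet value from the post's output, then the special value 0.
for my $sample ('128126604183974767', '0') {
    printf "%-20s => %s\n", $sample, filetime_to_utc_string($sample);
}
```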

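
An added example, not part of the original post, relating to question 4: Active Directory treats a "replace" on unicodePwd as an administrative reset, which requires the Reset Password right on the target object, while a user changing their own password sends a "delete" of the old value and an "add" of the new one in a single modify over an encrypted connection. The function names and sample passwords are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);

# AD expects unicodePwd as the password wrapped in double quotes,
# encoded as UTF-16 little-endian.
sub ad_pwd_value {
    my ($plain) = @_;
    return encode('UTF-16LE', qq{"$plain"});
}

# Self-service change: delete the old value and add the new one in the
# same modify request. Supplying the old password is what authorises it.
sub self_change_ops {
    my ($old, $new) = @_;
    return [
        delete => [ unicodePwd => ad_pwd_value($old) ],
        add    => [ unicodePwd => ad_pwd_value($new) ],
    ];
}

# Administrative reset: a single replace, permitted only to accounts
# that hold the Reset Password right on the target object.
sub admin_reset_ops {
    my ($new) = @_;
    return [ replace => [ unicodePwd => ad_pwd_value($new) ] ];
}

# Constructed sample passwords, for illustration only.
my $ops = self_change_ops('Old-Sample-1', 'New-Sample-2');
printf "%-7s %s\n", $ops->[0], unpack('H*', $ops->[1][1]);
printf "%-7s %s\n", $ops->[2], unpack('H*', $ops->[3][1]);

# Against a live Net::LDAPS connection ($ldap, $dn assumed) this is sent as:
#   my $mesg = $ldap->modify($dn, changes => self_change_ops($old, $new));
#   $mesg->code && die $mesg->error;
```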