LDAP authentication from domain username -working

glenn has asked for the wisdom of the Perl Monks concerning the following question:

I know this is related to AD and LDAP more so than perl problem of processing the data but I hope someone can help.

I am adding a check against our AD that a user is allowed to create licenses for our products. That user will be added to a group so I need to get the list of groups the user is part of. However; I only have the domain username work work from and cannot figure out how to get the CN of the user from the samaccountname.

$|=1;
use Net::LDAP;
use Data::Dumper;
$^W++;          # Turn on warnings

my @DCs;
my @unit;
my $NS = qx"nslookup -type=srv _ldap._tcp.dc._msdcs.us.megatrends.com"
+;
foreach my $line (split("\n",$NS)) {
    if ($line =~ m/priority\s+=\s+(\d+)/) {
        $unit[0] = $1;
    }
    if ($line =~ m/weight\s+=\s+(\d+)/) {
        $unit[1] = $1;
    }
    if ($line =~ m/port\s+=\s+(\d+)/) {
        $unit[2] = $1;
    }
    if ($line =~ m/svr hostname\s+=\s+(.+)/) {
        $unit[3] = $1;
        my $index = 0;
        if (@DCs > 0) {
            if ($unit[1] < $DCs[0][1]) {
                #use nearest AD first
                unshift(@DCs, [@unit]);
            } elsif ($unit[0] < $DCs[0][0] and $unit[1] <= $DCs[0][1])
+ {
                #use preferred only if it is the same distance or clos
+er
                unshift(@DCs, [@unit]);
            } else {
                push(@DCs, [@unit]);
            }
        } else {
            push(@DCs, [@unit]);
        }
        @unit = ();
    }
}

my $result = "failed";
my $ldap = undef;
for (my $d = 0; $d < @DCs; $d++) {
    $ldap = Net::LDAP->new($DCs[$d][3], port=>$DCs[$d][2]) or print "$
+@";
    if (defined $ldap) {
        print "Connected to [$DCs[$d][3]] on port [$DCs[$d][2]]\n";
        my $user = "megatrends.com\\glennt";
        my $username = "";
        if ($user =~ m/.+\\(.+)/) {
            $username = $1;
        } elsif ($user =~ m/(.+)\@.+/) {
            $username = $1;
        }
        my $password = "*******************";
        my $mesg = $ldap->bind($user, password=>$password);
        if ($mesg->code) {
            #bind > 0 is error.
            if ($mesg->code == 1) {
                die "Bad credinicals\n";
            } else {
                die "Bind code: ". $mesg->code ." error: ". $mesg->err
+or ."\n";
            }
        } else {
            print "successfully authenticated\n";
            $search = $ldap->search(base=>"cn=Users,dc=us,dc=megatrend
+s,dc=com",scope=>"subtree",filter=>"(sAMAccountName=$username)",attrs
+=>['memberOf'],sizelimit=>1);
            
            my $userstate = "Non-Valid user";
            foreach my $group ($search->entry(0)->get_value('memberOf'
+)) {
                #print "Entry: $group\n";
                if ($group =~ m/StorTrends-License Generator/) {
                    $userstate = "Valid user";
                    $result = "success";
                    last;
                }
            }
            print "User is: $userstate\n";
        }
        $mesg = $ldap->unbind;
    } elsif ($d eq @DCs) {
        print "Failed to connect\n";
    }
    if ($result eq "success") {
        last;
    }
}
[download]

Comment on LDAP authentication from domain username -working Download Code

Replies are listed 'Best First'.
Re: LDAP authentication from domain username by NetWallah (Canon) on Mar 01, 2014 at 07:11 UTC
THis statement appears completely wrong: `$search = $ldap->search(base=>"samaccountname=>$user,cn=>U +sers,dc=>us,dc=>megatrends,dc= +com",filter=>"(objectClass=memberOf)");` [download] Here is some code I wrote years ago - you can use this as a basis for LDAP search: use strict; use Net::LDAP; my $dc = 'my.domain.controller.fqdn'; my $user = 'DomainName\UserName'; # or 'administrator@mycorp.com'; my $passwd = shift; #'Adminpasswd'; my $base = "dc=TopDomain,dc=com"; # my $scope = "subtree"; my $filter = "(&(objectclass=user)(objectcategory=user))"; my $ldap = Net::LDAP->new($dc) or die $@; my $rc = $ldap->bind( $user, password => $passwd); die $rc->error if $rc->code; my $search = $ldap->search ( base => $base, scope => $scope, filter => $filter, sizelimit=> 9999 # Does not seem to help... ); die $search->error if $search->code; foreach my $entry ($search->entries) { $entry->dump; } $ldap->unbind; [download] What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against? -Larry Wall, 1992	[reply] [d/l] [select]
Re^2: LDAP authentication from domain username by glenn (Scribe) on Mar 02, 2014 at 00:21 UTC
Thank you I will give it a try Monday when I get back to work. You are correct the search does not work; it's what I needed help on.	[reply]
Re^2: LDAP authentication from domain username by glenn (Scribe) on Mar 03, 2014 at 14:11 UTC
Thank you, that helped. However I still need to get just the one authenticated user and it's groups. Can you tell me/show me how to take megatrends.com\\glennt or glennt@megatrends.com and access the information about the single user? glennt@megatrends.com matches the sam account name field.	[reply]
Re^3: LDAP authentication from domain username by NetWallah (Canon) on Mar 07, 2014 at 04:47 UTC
More rusty old code dug up from the code graveyard: #This logs in to LDAP and generates a CSV file with each members displ +ay name and then a list of their groups. use strict; use Net::LDAP; use Net::LDAP::Control::Paged; use Net::LDAP::Constant ( "LDAP_CONTROL_PAGED" ); my $ldap = Net::LDAP->new('domain.controller.com') or die "Could not c +onnect to Domain controller $@"; # params for Net::LDAP::new # bind to a directory with dn and password my $mesg = $ldap->bind( 'ldapreadonlyuserid', password => 'LDAPReadonlyPassword' ); die $mesg->error if $mesg->code; # How many LDAP query results to grab for each paged round # Set to under 1000 for Active Directory my $page = Net::LDAP::Control::Paged->new( size => 100 ); my $fields = ['displayName','memberOf','useraccountcontrol']; my $strFilter = "(&(objectclass=user)(objectcategory=person)" # A + User # . "(!useraccountcontrol:1.2.840.113556.1.4.803:=2)" # + NOT Disabled . "(useraccountcontrol:dn:1.2.840.113556.1.4.803:=2)" +#The 1.2.840.113556.1.4.803 is a logical AND. . ")"; my $result = $ldap->search ( base => "dc=MyDomainName,dc=com", filter => $strFilter, attrs => $fields, control => [ $page ], ); die $result->error if $result->code; for my $item ( $result->entries) { next unless defined $item->get_value("displayName"); my $user; $user->{groups} = [ ref ( $item->get_value('memberOf') ) ? @{$item->get_value('memberOf')} : ($item->get_value('memberOf')) ]; $user->{groups} = [ map { /CN=(.+?),/ ; $1 } @{$user->{groups}} ]; print '"',$item->get_value("displayName"),'",'; print join(",", map { '"' . $_ . '"' } sort @{$user->{groups}} +),"\n"; } # Get cookie from paged control my($resp) = $mesg->control( LDAP_CONTROL_PAGED ) or print "-- No mo +re data (1) --\n"; ## last; my $cookie = $resp->cookie or print "-- No more data (2) --\n"; # Sh +ould do LAST here.. # Set cookie in paged control $page->cookie($cookie); [download] What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against? -Larry Wall, 1992	[reply] [d/l]
Re^4: LDAP authentication from domain username by glenn (Scribe) on Mar 20, 2014 at 16:14 UTC

Back to Seekers of Perl Wisdom