Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

LDAP authentication from domain username -working

by glenn (Scribe)
on Feb 28, 2014 at 22:53 UTC ( #1076629=perlquestion: print w/replies, xml ) Need Help??

glenn has asked for the wisdom of the Perl Monks concerning the following question:

I know this is related to AD and LDAP more so than perl problem of processing the data but I hope someone can help.

I am adding a check against our AD that a user is allowed to create licenses for our products. That user will be added to a group so I need to get the list of groups the user is part of. However; I only have the domain username work work from and cannot figure out how to get the CN of the user from the samaccountname.

$|=1; use Net::LDAP; use Data::Dumper; $^W++; # Turn on warnings my @DCs; my @unit; my $NS = qx"nslookup -type=srv _ldap._tcp.dc._msdcs.us.megatrends.com" +; foreach my $line (split("\n",$NS)) { if ($line =~ m/priority\s+=\s+(\d+)/) { $unit[0] = $1; } if ($line =~ m/weight\s+=\s+(\d+)/) { $unit[1] = $1; } if ($line =~ m/port\s+=\s+(\d+)/) { $unit[2] = $1; } if ($line =~ m/svr hostname\s+=\s+(.+)/) { $unit[3] = $1; my $index = 0; if (@DCs > 0) { if ($unit[1] < $DCs[0][1]) { #use nearest AD first unshift(@DCs, [@unit]); } elsif ($unit[0] < $DCs[0][0] and $unit[1] <= $DCs[0][1]) + { #use preferred only if it is the same distance or clos +er unshift(@DCs, [@unit]); } else { push(@DCs, [@unit]); } } else { push(@DCs, [@unit]); } @unit = (); } } my $result = "failed"; my $ldap = undef; for (my $d = 0; $d < @DCs; $d++) { $ldap = Net::LDAP->new($DCs[$d][3], port=>$DCs[$d][2]) or print "$ +@"; if (defined $ldap) { print "Connected to [$DCs[$d][3]] on port [$DCs[$d][2]]\n"; my $user = "megatrends.com\\glennt"; my $username = ""; if ($user =~ m/.+\\(.+)/) { $username = $1; } elsif ($user =~ m/(.+)\@.+/) { $username = $1; } my $password = "*******************"; my $mesg = $ldap->bind($user, password=>$password); if ($mesg->code) { #bind > 0 is error. if ($mesg->code == 1) { die "Bad credinicals\n"; } else { die "Bind code: ". $mesg->code ." error: ". $mesg->err +or ."\n"; } } else { print "successfully authenticated\n"; $search = $ldap->search(base=>"cn=Users,dc=us,dc=megatrend +s,dc=com",scope=>"subtree",filter=>"(sAMAccountName=$username)",attrs +=>['memberOf'],sizelimit=>1); my $userstate = "Non-Valid user"; foreach my $group ($search->entry(0)->get_value('memberOf' +)) { #print "Entry: $group\n"; if ($group =~ m/StorTrends-License Generator/) { $userstate = "Valid user"; $result = "success"; last; } } print "User is: $userstate\n"; } $mesg = $ldap->unbind; } elsif ($d eq @DCs) { print "Failed to connect\n"; } if ($result eq "success") { last; } }

Replies are listed 'Best First'.
Re: LDAP authentication from domain username
by NetWallah (Canon) on Mar 01, 2014 at 07:11 UTC
    THis statement appears completely wrong:
    $search = $ldap->search(base=>"samaccountname=>$user,cn=>U +sers,dc=>us,dc=>megatrends,dc= +com",filter=>"(objectClass=memberOf)");
    Here is some code I wrote years ago - you can use this as a basis for LDAP search:
    use strict; use Net::LDAP; my $dc = 'my.domain.controller.fqdn'; my $user = 'DomainName\UserName'; # or 'administrator@mycorp.com'; my $passwd = shift; #'Adminpasswd'; my $base = "dc=TopDomain,dc=com"; # my $scope = "subtree"; my $filter = "(&(objectclass=user)(objectcategory=user))"; my $ldap = Net::LDAP->new($dc) or die $@; my $rc = $ldap->bind( $user, password => $passwd); die $rc->error if $rc->code; my $search = $ldap->search ( base => $base, scope => $scope, filter => $filter, sizelimit=> 9999 # Does not seem to help... ); die $search->error if $search->code; foreach my $entry ($search->entries) { $entry->dump; } $ldap->unbind;

            What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?
                  -Larry Wall, 1992

      Thank you I will give it a try Monday when I get back to work. You are correct the search does not work; it's what I needed help on.
      Thank you, that helped. However I still need to get just the one authenticated user and it's groups. Can you tell me/show me how to take megatrends.com\\glennt or glennt@megatrends.com and access the information about the single user? glennt@megatrends.com matches the sam account name field.
        More rusty old code dug up from the code graveyard:
        #This logs in to LDAP and generates a CSV file with each members displ +ay name and then a list of their groups. use strict; use Net::LDAP; use Net::LDAP::Control::Paged; use Net::LDAP::Constant ( "LDAP_CONTROL_PAGED" ); my $ldap = Net::LDAP->new('domain.controller.com') or die "Could not c +onnect to Domain controller $@"; # params for Net::LDAP::new # bind to a directory with dn and password my $mesg = $ldap->bind( 'ldapreadonlyuserid', password => 'LDAPReadonlyPassword' ); die $mesg->error if $mesg->code; # How many LDAP query results to grab for each paged round # Set to under 1000 for Active Directory my $page = Net::LDAP::Control::Paged->new( size => 100 ); my $fields = ['displayName','memberOf','useraccountcontrol']; my $strFilter = "(&(objectclass=user)(objectcategory=person)" # A + User # . "(!useraccountcontrol:1.2.840.113556.1.4.803:=2)" # + NOT Disabled . "(useraccountcontrol:dn:1.2.840.113556.1.4.803:=2)" +#The 1.2.840.113556.1.4.803 is a logical AND. . ")"; my $result = $ldap->search ( base => "dc=MyDomainName,dc=com", filter => $strFilter, attrs => $fields, control => [ $page ], ); die $result->error if $result->code; for my $item ( $result->entries) { next unless defined $item->get_value("displayName"); my $user; $user->{groups} = [ ref ( $item->get_value('memberOf') ) ? @{$item->get_value('memberOf')} : ($item->get_value('memberOf')) ]; $user->{groups} = [ map { /CN=(.+?),/ ; $1 } @{$user->{groups}} ]; print '"',$item->get_value("displayName"),'",'; print join(",", map { '"' . $_ . '"' } sort @{$user->{groups}} +),"\n"; } # Get cookie from paged control my($resp) = $mesg->control( LDAP_CONTROL_PAGED ) or print "-- No mo +re data (1) --\n"; ## last; my $cookie = $resp->cookie or print "-- No more data (2) --\n"; # Sh +ould do LAST here.. # Set cookie in paged control $page->cookie($cookie);

                What is the sound of Perl? Is it not the sound of a wall that people have stopped banging their heads against?
                      -Larry Wall, 1992

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://1076629]
Approved by kcott
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others pondering the Monastery: (7)
As of 2022-01-28 13:06 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    In 2022, my preferred method to securely store passwords is:












    Results (73 votes). Check out past polls.

    Notices?