
Message: 1
Date: Mon, 16 May 2016 17:07:35 +0200
From: Nico <[email protected]>
Subject: [Netdot-users] LDAP without anonymous bind
To: "[email protected]" <[email protected]>
Message-ID:
        <cakxqfmue3j1-bncjkt0vij6x11nzjd_razobrts489r8re-...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello,

I want to authenticate Netdot using an LDAP server that does not allow
anonymous binding. Netdot tries to bind with user and password so this
should work. But before the actual bind and during TLS negotiation (even
with flag NetdotLDAPRequireTLS "no") lib/Netdot/LDAP.pm uses the functions
$ldap->root_dse()
$ldap->schema()
Which fails on error 'Anonymous Simple Bind Disabled.'.

This can be fixed by running the bind command before the root_dse() and
schema() and in my case it works also with ldaps and NetdotLDAPRequireTLS
"yes".

I'm not familiar with either Perl or LDAP, so I'm not sure if it may break
something for someone else:

diff /opt/netdot/netdot/src/netdot-1.0.7/lib/Netdot/LDAP.pm LDAP.pm
120a121
>     my $auth = $ldap->bind($user_dn, password=>$password);
140d140
<     my $auth = $ldap->bind($user_dn, password=>$password);
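
Review bot: At new line 121, the bind now runs ahead of everything that used to sit between old lines 121 and 140, and the message says that range includes the TLS negotiation as well as root_dse() and schema(). If start_tls is issued in that range on a plain ldap:// connection, this simple bind would send $password before the connection is encrypted, so keep the bind after the TLS step and move only root_dse() and schema() below it. Also check $auth for an error (for example $auth->code) before calling root_dse() and schema(), so a failed bind is reported as an authentication failure instead of surfacing later as a root DSE or schema error.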

I will need to do more changes on LDAP.pm, because the users on our LDAP
are divided on different branches, so I'll have to use a proxy LDAP user,
to bind to the LDAP, search which branch the actual user is living on, and
modify the NetdotLDAPSearchBase accordingly. Then hopefully run the code as
it is now (at least that's my plan). Will post the resulting code.

Greetings,
-- 
Nico
End of Netdot-users Digest, Vol 86, Issue 6
*******************************************
