Hi David,
On Wednesday 13 April 2005 20:49, Faltermier, David (HP Directory) wrote:
> Hi Peter,
>
> Thanks for patching Net::LDAP::Control::ProxyAuth.pm. It was on my list
> of things to do, but... <head hanging low>.
>
> TEST RESULTS
> ------------
> I applied and tested your patch against OpenLDAP 2.2.23 and SunOne 5.2.
> SunOne, using the old OID, worked fine performing a search with:
>
> my $dn = '[EMAIL PROTECTED],ou=People,o=hp.com';
> my $control = Net::LDAP::Control::ProxyAuth->new(proxyDN => $dn);
> # Connect and bind...
> my $mesg = $ldap->search(
> base => ...
> scope => ...
> filter => ...
> control => $control,
> );
>
> However, I ran into a problem testing against OpenLDAP:
>
> my $dn = '[EMAIL PROTECTED],ou=People,o=hp.com';
> my $control = Net::LDAP::Control::ProxyAuth->new(
> authzID => "dn:$dn",
> );
> # Connect and bind...
> my $mesg = $ldap->search(
> base => ...
> scope => ...
> filter => ...
> control => $control,
> );
>
> The search failed with LDAP error 47. My debugging log shows the
> following entries:
Yup, you are right.
The patch I sent to you was plain wrong (I should have read the specs
more closely before sending it to you and Graham).
Early last week I did some tests and noticed my failure.
I then created a new patch which I tested successfully against OpenLDAP
and then committed to the perl-ldap SVN.
To save you the hassle to get it from SVN I attach it to this mail.
Would you give it a try?
Peter
--
Peter Marschall
eMail: [EMAIL PROTECTED]
--- lib/Net/LDAP/Control/ProxyAuth.pm (revision 452)
+++ lib/Net/LDAP/Control/ProxyAuth.pm (working copy)
@@ -8,43 +8,89 @@
use Net::LDAP::Control;
@ISA = qw(Net::LDAP::Control);
-$VERSION = "1.04";
+$VERSION = "1.04_01";
+use Net::LDAP::Constant qw(LDAP_CONTROL_PROXYAUTHENTICATION);
use Net::LDAP::ASN qw(proxyAuthValue);
use strict;
+sub LDAP_CONTROL_PROXYAUTHENTICATION_OLD { "2.16.840.1.113730.3.4.12"; }
+
sub init {
my($self) = @_;
delete $self->{asn};
- unless (exists $self->{value}) {
- $self->{asn} = {
- proxyDN => $self->{proxyDN} || '',
- };
+ if (defined($self->{proxyDN})) {
+ $self->{type} = LDAP_CONTROL_PROXYAUTHENTICATION_OLD;
+
+ unless (exists $self->{value}) {
+ $self->{asn} = { proxyDN => $self->{proxyDN} || '' };
+ }
}
+ else {
+ $self->{value} = $self->{authzID} || '';
+ }
- $self->{critical}=1;
+ # criticality must be set !
+ $self->{critical} = 1;
$self;
}
+
sub proxyDN {
my $self = shift;
- $self->{asn} ||= $proxyAuthValue->decode($self->{value});
+
if (@_) {
delete $self->{value};
- return $self->{asn}{proxyDN} = shift || 0;
+
+ $self->{type} = LDAP_CONTROL_PROXYAUTHENTICATION_OLD;
+ return $self->{asn}{proxyDN} = shift || '';
}
+ elsif ($self->{type} eq LDAP_CONTROL_PROXYAUTHENTICATION) {
+ $self->{error} = 'Illegal query method: use authzID()';
+ return undef;
+ }
+ else {
+ $self->{asn} ||= $proxyAuthValue->decode($self->{value});
+ }
+
$self->{asn}{proxyDN};
}
+
+sub authzID {
+ my $self = shift;
+
+ if (@_) {
+ delete $self->{value};
+
+ $self->{type} = LDAP_CONTROL_PROXYAUTHENTICATION;
+ return $self->{authzID} = shift || '';
+ }
+ elsif ($self->{type} eq LDAP_CONTROL_PROXYAUTHENTICATION_OLD) {
+ $self->{error} = 'Illegal query method: use proxyDN()';
+ return undef;
+ }
+ else {
+ $self->{authzID} ||= $self->{value};
+ }
+
+ $self->{authzID};
+}
+
+
sub value {
my $self = shift;
- exists $self->{value}
- ? $self->{value}
- : $self->{value} = $proxyAuthValue->encode($self->{asn});
+ unless (exists $self->{value}) {
+ $self->{value} = ($self->{type} eq LDAP_CONTROL_PROXYAUTHENTICATION_OLD)
+ ? $proxyAuthValue->encode($self->{asn})
+ : $self->{authzID} || '';
+ }
+
+ return $self->{value};
}
1;
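Review bot: in the new `else` branch of `init`, `$self->{value} = $self->{authzID} || '';` overwrites any `value` the caller supplied (the case where the object is built from a control value received from the server rather than from an `authzID` argument) and replaces it with the empty string; guard it the same way the `proxyDN` branch does, e.g. `unless (exists $self->{value}) { $self->{value} = $self->{authzID} || ''; }`. Minor: the error paths in `proxyDN` and `authzID` use `return undef;`, which yields a one-element (true) list in list context; a bare `return;` is the usual idiom.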
@@ -62,7 +108,7 @@
$ldap = Net::LDAP->new( "ldap.mydomain.eg" );
- $auth = Net::LDAP::Control::ProxyAuth->new( proxyDN => 'cn=me,ou=people,o=myorg.com' );
+ $auth = Net::LDAP::Control::ProxyAuth->new( authzID => 'dn:cn=me,ou=people,o=myorg.com' );
@args = ( base => "cn=subnets,cn=sites,cn=configuration,$BASE_DN",
scope => "subtree",
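Review bot: the SYNOPSIS now shows only the `authzID` constructor form; since the CONSTRUCTOR ARGUMENTS section documents that `proxyDN` still selects the old OID and encoding for servers that only understand that one, keep a second line with `proxyDN => 'cn=me,ou=people,o=myorg.com'` beside it so readers of the synopsis see both variants.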
@@ -84,7 +130,7 @@
=head1 DESCRIPTION
C<Net::LDAP::Control::ProxyAuth> provides an interface for the creation and manipulation
-of objects that represent the C<proxyauthorisationControl> as described by draft-weltman-ldapv3-proxy-05.txt.
+of objects that represent the C<proxyauthorisationControl> as described by draft-weltman-ldapv3-proxy-XX.txt.
=head1 CONSTRUCTOR ARGUMENTS
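Review bot: `draft-weltman-ldapv3-proxy-XX.txt` is a placeholder; fill in the draft revision the new OID and encoding were taken from before this is released, otherwise the reference is less precise than the `-05` it replaces. The same placeholder appears twice more in the CONSTRUCTOR ARGUMENTS hunk.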
@@ -93,12 +139,28 @@
=over 4
+=item authzID
+
+The authzID that is required. This is the identity we are requesting operations to use
+
=item proxyDN
-The proxyDN that is required. This is the identity we are requesting operations to use
+In older versions of draft-weltman-ldapv3-proxy-XX.txt the value in the control and thus the
+constructor argument was a DN and was called C<proxyDN>. It served the same purpose as C<authzID>
+in recent versions of C<proxyauthorisationControl>.
=back
+B<Please note:>
+Unfortunately the OID and the encoding or the C<proxyauthorisationControl>
+changed significantly in recent versions of draft-weltman-ldapv3-proxy-XX.txt.
+Net::LDAP::Control::ProxyAuth tries to cope with that situation and changes
+the OID and encoding used depending on the constructor argument.
+
+With C<proxyDN> as constructor argument the old OID and encoding are used,
+while with C<authzID> as constructor argument the new OID and encoding are used.
+Using this logic servers supporting either OID can be handled correctly.
+
=head1 METHODS
As with L<Net::LDAP::Control> each constructor argument
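Review bot: typo in the B<Please note:> paragraph: "the OID and the encoding or the C<proxyauthorisationControl>" should read "of the". The `=item authzID` description also lacks a trailing period, and it should state the value syntax the SYNOPSIS relies on (the `dn:` prefix followed by the DN), since nothing in the module checks or adds that prefix.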
@@ -114,7 +176,9 @@
=head1 AUTHOR
Olivier Dubois, Swift sa/nv based on Net::LDAP::Control::Page from
-Graham Barr E<lt>[EMAIL PROTECTED]<gt>
+Graham Barr E<lt>[EMAIL PROTECTED]<gt>.
+Peter Marschall E<lt>[EMAIL PROTECTED]<gt> added authzID extensions
+based on ideas from Graham Barr E<lt>[EMAIL PROTECTED]<gt>.
Please report any bugs, or post any suggestions, to the perl-ldap
mailing list E<lt>[EMAIL PROTECTED]<gt>
--- lib/Net/LDAP/Constant.pm (revision 452)
+++ lib/Net/LDAP/Constant.pm (working copy)
@@ -4,7 +4,7 @@
package Net::LDAP::Constant;
-$VERSION = "0.03";
+$VERSION = "0.03_01";
use Carp;
@@ -449,7 +449,7 @@
=item LDAP_CONTROL_VLVRESPONSE (2.16.840.1.113730.3.4.10)
-=item LDAP_CONTROL_PROXYAUTHENTICATION (2.16.840.1.113730.3.4.12)
+=item LDAP_CONTROL_PROXYAUTHENTICATION (2.16.840.1.113730.3.4.18)
=item LDAP_CONTROL_PAGED (1.2.840.113556.1.4.319)
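Review bot: changing the OID behind `LDAP_CONTROL_PROXYAUTHENTICATION` from `2.16.840.1.113730.3.4.12` to `2.16.840.1.113730.3.4.18` silently changes behaviour for existing code that uses the constant against a server expecting the old OID; consider exporting the old OID from Constant.pm as well (the `LDAP_CONTROL_PROXYAUTHENTICATION_OLD` sub in ProxyAuth.pm is currently private to that module), listing both in this `=item` block, and noting the switch in the Changes file.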