Hi,

I have been trying to authenticate to an Active Directory LDAP server using Authen::SASL::Perl::DIGEST_MD5 and am failing. Using OpenLDAP's ldapsearch and the -Y DIGEST-MD5 command line option, I can authenticate with no problem -- so the credentials I am using are certainly correct. However, with the script below I get an error code 49 -- invalid credentials.

use strict;
use warnings;
use Net::LDAP;
use Authen::SASL qw/Perl/;     # select the pure-Perl backend (Authen::SASL::Perl::DIGEST_MD5)

my $host = "fqdn.of.domain.controller";    # one of our AD domain controllers

my $user   = '[EMAIL PROTECTED]';          # my UserPrincipalName in AD
my $passwd = 'myPassword';

# SASL context; the DIGEST-MD5 mechanism reads user and pass from these callbacks
my $sasl = Authen::SASL->new(
           mechanism => 'DIGEST-MD5',
           callback => {
               user => $user,
               pass => $passwd,
           }
         );
# Net::LDAP->new returns undef if the connection fails, with the reason in $@
my $ldap = Net::LDAP->new($host, debug => 12, version => 3)
    or die "cannot connect to $host: $@";
# SASL bind: the DN is empty, the identity comes from the SASL exchange
my $msg = $ldap->bind("", sasl => $sasl);
if ($msg->code) {
   print $msg->error . "\n";
}
else {
   print "IT WORKED!!!\n";
   exit(0);
}


The only thing of note in the AD environment is that we have multiple domain controllers. This led me to look at the 'serv' callback parameter, as that appears to be used when there is a replicated service. One thing I have noticed while investigating this is that there appears to be a bug in the 'serv' parameter handling of the DIGEST_MD5 module. When this parameter is present, the module appends the value to digest_uri (note the underscore); it should do so to digest-md5. However, even when I change the module and try to use this parameter I still get the same authentication problem. [In my testing with the 'serv' parameter, the $host is the fqdn of a domain controller, and the serv value was the name of the domain I am trying to authenticate to.]

Any ideas what I am doing wrong?

Steve
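The post above reasons about the 'serv' parameter and the digest-uri without showing where that string actually ends up. The following is an added worked example, not code from the original post or from Authen::SASL: it computes the RFC 2831 DIGEST-MD5 response on the client side and verifies it on the server side, so you can see that the digest-uri (serv-type/host[/serv-name]) is hashed into the response, must be sent under the exact directive name digest-uri, and must name a service the server accepts; any of those being off yields a rejection that looks like wrong credentials even though the password is right. The hostnames, realm, nonces and the minimal server model are constructed assumptions for illustration and say nothing about how Active Directory itself validates the uri.

```python
"""Worked DIGEST-MD5 (RFC 2831) computation: how digest-uri feeds the response.

Added example, not code from the original post or from Authen::SASL. All names,
nonces and passwords below are constructed sample values; server_verify is a
minimal RFC 2831 verifier, not a model of Active Directory's implementation.
"""
import hashlib
import hmac
import re


def parse_challenge(challenge: str) -> dict:
    """Parse a server challenge such as realm="x",nonce="y",qop=auth into a dict.
    Handles quoted and bare directive values, enough for the directives used here."""
    pattern = re.compile(r'([A-Za-z][\w-]*)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))')
    directives = {}
    for m in pattern.finditer(challenge):
        key, quoted, bare = m.groups()
        directives[key] = quoted if quoted is not None else bare
    return directives


def make_digest_uri(serv_type: str, host: str, serv_name: str = "") -> str:
    """RFC 2831 digest-uri = serv-type "/" host [ "/" serv-name ].
    serv-name is the name of a replicated service (what a 'serv' value adds);
    including it changes the string that gets hashed."""
    uri = f"{serv_type}/{host}"
    return f"{uri}/{serv_name}" if serv_name else uri


def digest_response(username, realm, password, nonce, cnonce, uri,
                    nc="00000001", qop="auth", authzid=None, rspauth=False) -> str:
    """RFC 2831 response (client) or rspauth (server, rspauth=True)."""
    # A1 = H(username:realm:password) ":" nonce ":" cnonce [":" authzid]; the inner H is raw bytes
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    # A2 = "AUTHENTICATE:" digest-uri for the client, ":" digest-uri for the server's rspauth
    a2 = (":" if rspauth else "AUTHENTICATE:") + uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def client_response(username, password, challenge, cnonce, uri, uri_directive="digest-uri") -> dict:
    """Build the directives a client sends back. uri_directive lets the demo show
    what happens when the uri is sent under the wrong name (e.g. "digest_uri")."""
    ch = parse_challenge(challenge)
    msg = {"username": username, "realm": ch["realm"], "nonce": ch["nonce"],
           "cnonce": cnonce, "nc": "00000001", "qop": "auth"}
    msg[uri_directive] = uri
    msg["response"] = digest_response(username, ch["realm"], password, ch["nonce"], cnonce, uri)
    return msg


def server_verify(msg: dict, password: str, accepted_uris: set) -> tuple:
    """Minimal RFC 2831 verifier: the uri must arrive as digest-uri, must name a
    service this server provides, and the recomputed response must match.
    Returns (accepted, reason-or-rspauth)."""
    uri = msg.get("digest-uri")
    if uri is None or uri not in accepted_uris:
        return False, "digest-uri missing or names a service this server does not offer"
    expected = digest_response(msg["username"], msg["realm"], password,
                               msg["nonce"], msg["cnonce"], uri, msg["nc"], msg["qop"])
    if not hmac.compare_digest(expected, msg["response"]):  # constant-time compare
        return False, "response mismatch: wrong password, realm or hashed uri"
    return True, digest_response(msg["username"], msg["realm"], password, msg["nonce"],
                                 msg["cnonce"], uri, msg["nc"], msg["qop"], rspauth=True)


def demo() -> dict:
    """Four clients against one server; every value here is a constructed sample."""
    host, domain, user, password = "dc1.example.com", "example.com", "steve@example.com", "myPassword"
    challenge = 'realm="example.com",nonce="c2VydmVyTm9uY2Ux",qop="auth",charset=utf-8,algorithm=md5-sess'
    cnonce = "Y2xpZW50Tm9uY2Ux"
    server_accepts = {make_digest_uri("ldap", host)}   # assumed: this server answers for ldap/dc1.example.com only
    plain = make_digest_uri("ldap", host)
    with_serv = make_digest_uri("ldap", host, domain)  # ldap/dc1.example.com/example.com
    return {
        "plain": server_verify(client_response(user, password, challenge, cnonce, plain), password, server_accepts),
        "with_serv": server_verify(client_response(user, password, challenge, cnonce, with_serv), password, server_accepts),
        "wrong_directive": server_verify(client_response(user, password, challenge, cnonce, plain, "digest_uri"), password, server_accepts),
        "bad_password": server_verify(client_response(user, "wrong", challenge, cnonce, plain), password, server_accepts),
    }


if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print(f"{case:16s} {'accepted' if ok else 'rejected'}: {detail}")
```

Only the first case is accepted; the serv-name case, the misnamed directive and the bad password are all rejected, and from the client's point of view all three look the same. When debugging a DIGEST-MD5 bind, compare the realm and digest-uri the working client (here ldapsearch) puts on the wire with what the Perl module sends, since those strings are as much a part of the credential as the password.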
