On Feb. 20, 13:27, ismael.lezc...@gmail.com (Ismael Lezcano) wrote:
> Ismael Lezcano wrote:
> > I have problems (no snickering in the back!)
> >
> > I wrote a script to connect to AD, do some stuff, and spit out an
> > XML file. Works great. I picked up the script and handed it to a
> > colleague to run on his AIX server. Of course, his Perl install was
> > criminally out of date, so I spent a few minutes and did him the favor
> > of running CPAN and updating his 5.8 install with all the necessary
> > modules. I ran the script and lo and behold, this familiar error
> > message pops up:
> >
> > 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not
> > match any LDAP SPN's registered for this server.,
> >
> > Makes me want to slap somebody.
> >
> > I'm confident that all of the modules are up to date, given the
> > fact that I just ran CPAN. But I could be wrong, and the fact that I
> > developed it on 5.10 perl and ran it on a 5.8 perl install... well.
> >
> > Anyway, I printed the SASL object I created via Dumper in a line
> > after the bind attempt. Here's a snippet. The @ldaploginservers is an
> > array of LDAP URLs:
> >
> > my $sasl = Authen::SASL->new(mechanism => 'DIGEST-MD5',
> >                              callback => {
> >                                  user => $aduser,
> >                                  pass => $adpassword,
> >                              },
> > );
> >
> > my $ldap = Net::LDAP->new(\@ldaploginservers, async => 0);
> > $mesg = $ldap->bind(sasl => $sasl);
> > print Dumper($sasl);
> >
> > When I ran it on the working Linux box, I noticed this in the
> > output
> >
> > 'service' => 'ldap',
> > 'host' => 'fully.qualified.name.that.I.changed.for.this.post'
> >
> > On the server that it did NOT work on, I saw this:
> >
> > 'service' => 'ldap',
> > 'host' => '10.3.2.1'
> >
> > Suspicious that this would not go well with AD, I poked around and
> > decided to downgrade the server version of Net::LDAP to 0.34. Bingo!
> > Worked. But now I'm worried that if I upgrade Net::LDAP for some
> > reason in the future, that this, as well as a lot of other AD stuff
> > I've written, will die.
>
> Ok, so nobody has responded, so I did some more lab work. I installed
> every version of Net::LDAP working my way backwards from 0.39, with the
> idea that I would stop at the version that worked. Every time I ran the
> script with the DIGEST-MD5 SASL bind it failed, until I hit 0.36. I
> looked at the Bug Fixes for the release notes of 0.37, and it mentions
> that there was a patch worded as such: "Pass correct hostname to SASL
> when connecting to a round-robin". The only module file to change from
> 0.36 to 0.37 was LDAP.pm. Could it be the call to the $ldap object
> IO::Socket::INET ($ldap->{net_ldap_socket}->peerhost) is returning an IP
> address instead of the desired hostname? Should I file a bug on CPAN?

I think yes.
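
One way to keep the digest-uri tied to the server's name regardless of which Net::LDAP version is installed, as an added example that is not part of the original posts: create the SASL client connection yourself with the service and the host name taken from the LDAP URL, and pass that connection to bind. The host names, account name and AD_PASSWORD environment variable are constructed placeholders, and the sketch assumes the installed Net::LDAP accepts an Authen::SASL client connection as the sasl argument, as its documentation describes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Authen::SASL;

# Constructed placeholders, not values from the posts.
my @ldaploginservers = ('ldap://dc1.example.test', 'ldap://dc2.example.test');
my $aduser     = 'svc_report';
my $adpassword = $ENV{AD_PASSWORD};
die "set AD_PASSWORD\n" unless defined $adpassword;

my $sasl = Authen::SASL->new(
    mechanism => 'DIGEST-MD5',
    callback  => { user => $aduser, pass => $adpassword },
);

my ($ldap, $mesg);
for my $url (@ldaploginservers) {
    # Host part of the URL: the name AD is expected to have an
    # ldap/<host> SPN registered for.
    my ($fqdn) = $url =~ m{^ldaps?://([^:/]+)}i or next;

    $ldap = Net::LDAP->new($url, async => 0) or next;

    # The value the thread suspects newer releases hand to SASL.
    my $peer = $ldap->socket->peerhost;
    warn "connected to $fqdn ($peer); digest-uri will be ldap/$fqdn\n";

    # Fix service and host ourselves, so the digest-uri is built as
    # ldap/<fqdn> and never as ldap/<ip>.
    my $conn = $sasl->client_new('ldap', $fqdn);
    $mesg = $ldap->bind(sasl => $conn);
    last unless $mesg->code;

    warn "bind to $fqdn failed: ", $mesg->error, "\n";
    $ldap->unbind;
    undef $ldap;
}
die "no server accepted the SASL bind\n" unless $ldap;
```

Connecting to one URL at a time is what makes the host name known at bind time; with an array reference passed to new, the script cannot tell from its own input which server answered.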