I have the below perl program which works fine with perl-ldap 0.34 and sasl 2.10, but after upgrading to perl-ldap 0.4.001 and sasl 2.15 it fails. When I look at the ldap traffic I see the following:

LDAP 0.34
SASL 2.10

bindRequest(1) "<ROOT>" sasl
bindResponse(1) saslBindInProgess
bindRequest(2) "<ROOT>" sasl
bindResponse(2) saslBindInProgess
bindRequest(3) "<ROOT>" sasl
bindResponse(3) success
searchRequest(4) "DC=DOMAIN,DC=COM" wholeSubtree
searchResEntry(4) "CN=..."
unbindRequest(5)

LDAP 0.4001
SASL 2.15

searchRequest(2) "DC=DOMAIN,DC=COM" wholeSubtree
searchResDone(2) operationsError ....


It looks like the SASL bind request is never sent. Has anything changed in the SASL usage?

Thank you
Markus

#!/usr/bin/perl
#
#   Reads LDAP Attributes
#
#
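use strict;
use warnings;
use Net::LDAP;
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);   # ships with perl-ldap
use Authen::SASL;

# Space-separated list of AD hosts; Net::LDAP->new tries them in order.
my $hostlist  = "ad1.domain.com";
my @hosts     = split(/\s+/, $hostlist);
my $bind_path = "DC=DOMAIN,DC=COM";

# ldap details
my $server = \@hosts;
my $port   = 389;
my $user   = $ARGV[0];

# An empty samaccountname would produce the filter "(samaccountname=)".
die "usage: $0 <samaccountname>\n" unless defined $user && length $user;

my ($mail, $displayname, $samaccountname, $useraccountcontrol,
    $useraccountlocked, $userprincipalname, $pwdLastSet);

# Stringify an attribute value that may be absent, for printing only.
sub _text {
    my ($value) = @_;
    return defined $value ? $value : '';
}

#
# Connect to AD
#
my $ldap = Net::LDAP->new( $server,
                           port    => $port,
                           timeout => 2,
                           debug   => 1,
                           version => 3 ) or die "LDAP connect failed: $@";

# Kerberos (GSSAPI) bind.  The result must be checked: Net::LDAP does not
# die on a failed bind, and a search issued on a connection that never
# authenticated is exactly what yields an operationsError from AD.
# Reporting $mesg->error here also shows why no bindRequest went out.
my $sasl = Authen::SASL->new('GSSAPI', 'user' => '');
my $mesg = $ldap->bind('', sasl => $sasl);
if ($mesg->code) {
    print "LDAP bind error: " . $mesg->error . "\n";
    $ldap->unbind;
    exit 1;
}

# $user comes from the command line: escape it so that '*', '(', ')' and
# '\' cannot change the meaning of the filter (RFC 4515 encoding).
my $filter = '(samaccountname=' . escape_filter_value($user) . ')';

$mesg = $ldap->search( base      => $bind_path,
                       filter    => $filter,
                       timelimit => 2,
                       attrs     => [ qw(mail
                                         displayname
                                         samaccountname
                                         useraccountcontrol
                                         userprincipalname
                                         pwdLastSet) ] );
if ($mesg->code) {
    # A method call does not interpolate inside a string; concatenate.
    print "LDAP search error: " . $mesg->error . "\n";
    $ldap->unbind;
    exit 1;
}

# Should the filter match several entries, the last one wins (unchanged).
foreach my $entry ($mesg->entries) {
    $mail               = $entry->get_value('mail');
    $displayname        = $entry->get_value('displayname');
    $samaccountname     = $entry->get_value('samaccountname');
    $useraccountcontrol = $entry->get_value('useraccountcontrol');
    $userprincipalname  = $entry->get_value('userprincipalname');
    $pwdLastSet         = $entry->get_value('pwdLastSet');
}

$mesg = $ldap->unbind;   # take down session

# Decide "not found" before doing any arithmetic on the attributes.
if ( ! defined $useraccountcontrol ) {
    print "User $user not found in Active directory\n";
    exit;
}

# Bit 0x0002 of userAccountControl is ACCOUNTDISABLE (lockout is a
# different bit); the script has always reported it as "locked" and that
# wording is kept here.
$useraccountlocked = ($useraccountcontrol & 0x0002) ? "Yes" : "No";

print "User-Mail = " . _text($mail) . "\n";
print "User-Display-Name = " . _text($displayname) . "\n";
print "User-SamAccountName = " . _text($samaccountname) . "\n";
print "User-Account-Locked = $useraccountlocked\n";
print "User-Principal-Name = " . _text($userprincipalname) . "\n";
print "Password-Expiry = " . _text($pwdLastSet) . "\n";

# pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since
# 1601-01-01, so dividing by 1e7 gives seconds since 1601.
my $intervals_per_second = 10_000_000;
my $epoch_offset         = 11_644_473_600;   # seconds from 1601 to 1970
my $dayseconds           = 3600 * 24;        # seconds of a day
my $max_age_days         = 90;               # assumed domain maximum password age

# A pwdLastSet of 0 means the password must be changed at next logon;
# computing an expiry from it would print a nonsense negative value.
if (defined $pwdLastSet && $pwdLastSet > 0) {
    my $last_change = int($pwdLastSet / $intervals_per_second) - $epoch_offset;
    my $expiry      = $max_age_days - (time() - $last_change) / $dayseconds;

    printf("Last change %s\n", scalar localtime($last_change));
    print "Expiry in $expiry days\n";
}
else {
    print "Password must be changed at next logon (pwdLastSet not set)\n";
}

# String comparison: "!=" compared "Yes"/"No" numerically (0 != 0) and
# therefore never fired.
if ( $useraccountlocked ne "No" ) {
    print "User " . _text($displayname) . "(" . _text($userprincipalname) . ") locked\n";
    exit;
}
exit;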



