Merge branch 'next'

2 parents bc81a69 + fba956c commit 9d125ad4f9491f0ce2486c6c5573033adc1a2bf3 @marschap marschap committed Jan 21, 2017
Showing with 57 additions and 30 deletions.
  1. +29 −6 contrib/schema2ad.pl
  2. +21 −17 lib/Net/LDAP.pod
  3. +2 −2 lib/Net/LDAP/FAQ.pod
  4. +1 −1 lib/Net/LDAP/Schema.pod
  5. +4 −4 lib/Net/LDAP/Security.pod
@@ -106,13 +106,11 @@
# http://msdn.microsoft.com/en-us/library/windows/desktop/ms675578.aspx
foreach my $at ($schema->all_attributes) {
my $cn = $at->{name};
- my $syntax = $schema->attribute_syntax($cn);
+ my $syntax = $schema->attribute_syntax_oid($cn);
die "Syntax not known for attribute $cn\n"
if (!$syntax);
- $syntax = $syntax->{name};
-
die "Unknown syntax $syntax for attribute $cn\n"
if (!exists($syntaxMap{$syntax}));
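Review bot: the `die "Unknown syntax $syntax for attribute $cn\n"` check on the last two lines now receives a syntax OID (a dotted numeric string) instead of a syntax name, so `%syntaxMap` must be keyed by OID for this hunk to work; the map is not part of the diff, so please confirm it was converted, and consider printing the attribute's readable syntax name next to the OID in the message, since a bare OID is harder to look up when the conversion fails. Also, because `attribute_syntax_oid` walks the supertype chain, `Syntax not known for attribute $cn` is now reached only when neither the attribute nor any of its supertypes declares a syntax; that is the intended behaviour here, but worth a word in the comment above the loop.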
@@ -253,6 +251,29 @@ ($)
}
+## Net::LDAP::Schema extension
+package Net::LDAP::Schema;
+
+# get an attribute's syntax's OID taking into account attribute supertype
+# based on: Net::LDAP::Schema's attribute_syntax()
+sub attribute_syntax_oid
+{
+ my $self = shift;
+ my $attr = shift;
+ my $syntax;
+
+ while ($attr) {
+ my $elem = $self->attribute( $attr ) or return undef;
+
+ $syntax = $elem->{syntax} and return $syntax;
+
+ $attr = ${$elem->{sup} || []}[0];
+ }
+
+ return undef;
+}
+
+
=head1 NAME
schema2ad.pl -- convert standard LDAP schema into a format that AD can digest
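Review bot: the `while ($attr)` loop has no guard against a cyclic `sup` chain; a malformed (or untrusted) schema file in which an attribute lists itself, directly or transitively, as its own supertype makes the script spin forever, so keep a set of names already visited and return once one repeats. Two smaller points: `package Net::LDAP::Schema;` at file scope switches the namespace for everything that follows in the script, so wrap the extension in a block (`{ package Net::LDAP::Schema; ... }`) or add `package main;` after it to keep the change local; and `return undef` yields a one-element list in list context, where a bare `return;` is the idiomatic way to signal "no result".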
@@ -278,8 +299,10 @@ =head1 ARGUMENTS
=item I<schema-file>
-Input file containing a schema entry with its I<attributeTypes> and
-I<objectClasses> attributes.
+Input file in LDIF format containing a schema entry with its I<attributeTypes>
+and I<objectClasses> attributes, as e.g. returned by
+L<Net::LDAP::Schema's dump()|Net::LDAP::Schema/"dump ( )">
+method.
=item I<AD-schema-file>
@@ -293,7 +316,7 @@ =head1 AUTHOR
=head1 COPYRIGHT & LICENSE
-Copyright (c) 2012 Peter Marschall All rights reserved.
+Copyright (c) 2012-2015 Peter Marschall. All rights reserved.
This program is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.
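Review bot: the new copyright range ends in 2015, but this merge is dated Jan 21, 2017 and the same commit changes the script's code above; if the `attribute_syntax_oid` work was done after 2015, extend the range to the year of the last modification.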
@@ -6,42 +6,46 @@ Net::LDAP - Lightweight Directory Access Protocol
use Net::LDAP;
- $ldap = Net::LDAP->new( 'ldap.bigfoot.com' ) or die "$@";
+ $ldap = Net::LDAP->new( 'ldap.example.com' ) or die "$@";
- $mesg = $ldap->bind ; # an anonymous bind
+ $mesg = $ldap->bind; # anonymous bind
- $mesg = $ldap->search( # perform a search
- base => "c=US",
+ $mesg->code and die $mesg->error; # check for errors
+
+ $srch = $ldap->search( base => "c=US", # perform a search
filter => "(&(sn=Barr)(o=Texas Instruments))"
);
- $mesg->code && die $mesg->error;
+ $srch->code and die $srch->error; # check for errors
- foreach $entry ($mesg->entries) { $entry->dump; }
+ foreach $entry ($srch->entries) { $entry->dump; }
- $mesg = $ldap->unbind; # take down session
+ $mesg = $ldap->unbind; # take down session
- $ldap = Net::LDAP->new( 'ldap.umich.edu' );
+ $ldap = Net::LDAP->new( 'ldaps://ldap.example.com' ) or die "$@";
- # bind to a directory with dn and password
+ # simple bind with DN and password
$mesg = $ldap->bind( 'cn=root, o=University of Michigan, c=us',
password => 'secret'
);
+ $mesg->code and die $mesg->error; # check for errors
+
$result = $ldap->add( 'cn=Barbara Jensen, o=University of Michigan, c=US',
attrs => [
- 'cn' => ['Barbara Jensen', 'Barbs Jensen'],
- 'sn' => 'Jensen',
- 'mail' => 'b.jensen@umich.edu',
- 'objectclass' => ['top', 'person',
- 'organizationalPerson',
- 'inetOrgPerson' ],
+ cn => ['Barbara Jensen', 'Barbs Jensen'],
+ sn => 'Jensen',
+ mail => 'b.jensen@umich.edu',
+ objectclass => ['top', 'person',
+ 'organizationalPerson',
+ 'inetOrgPerson' ],
]
);
- $result->code && warn "failed to add entry: ", $result->error ;
- $mesg = $ldap->unbind; # take down session
+ $result->code and warn "failed to add entry: ", $result->error;
+
+ $mesg = $ldap->unbind; # take down session
=head1 DESCRIPTION
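Review bot: the second example now binds with a password over `ldaps://`, which keeps the credentials out of the clear, but it relies on whatever certificate verification `Net::LDAP->new` applies by default; since this is the SYNOPSIS readers copy from, pass `verify => 'require'` together with `cafile` or `capath` so the server certificate is checked before the password is sent. Also, the host was changed to `ldap.example.com` while the bind DN and the added entry still read `o=University of Michigan, c=us` and the mail value is `b.jensen@umich.edu`; switching those to `example.com` values as well keeps the example self-consistent and avoids pointing at a real organisation.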
@@ -1195,7 +1195,7 @@ attribute name and no values.
In LDAPv3, this is defined to always work even if that attribute
doesn't exist in the entry.
-ie:
+I.e.:
my $mesg = $ldap->modify( $entry, replace => { %qv_del_arry } );
@@ -1770,7 +1770,7 @@ eldapo - a directory manager's blog
http://eldapo.blogspot.de/
Eine deutsche LDAP Website
-A german LDAP Website
+A German LDAP Website
http://verzeichnisdienst.de/ldap/Perl/index.html
(non-exhaustive) list of LDAP software on Wikipedia
@@ -32,7 +32,7 @@ may be an object class, attribute or syntax) then a case-insensitive name
or raw OID (object identifier, in dotted numeric string form, e.g. 2.5.4.0)
may be supplied.
-Each returned item of schema (eg an attribute definition) is returned
+Each returned item of schema (e.g. an attribute definition) is returned
in a HASH. The keys in the returned HASH are lowercase versions of
the keys read from the server. Here's a partial list (not all HASHes
define all keys) although note that RFC 4512 permits other keys as
@@ -130,7 +130,7 @@ standardized version of SSL.
You can only use TLS with an LDAPv3 server. That is because the
standard (RFC 4511) for LDAP and TLS requires that the I<normal> LDAP
-connection (ie., on port 389) can be switched on demand from plain text
+connection (i.e., on port 389) can be switched on demand from plain text
into a TLS connection. The switching mechanism uses a special extended
LDAP operation, and since these are not legal in LDAPv2, you can only
switch to TLS on an LDAPv3 connection.
@@ -151,18 +151,18 @@ I<mechanism>. A number of mechanisms are defined, such as CRAM-MD5.
The use of a mechanism like CRAM-MD5 provides a solution to the
password sniffing vulnerability, because these mechanisms typically do
-not require the user to send across a secret (eg., a password) in the
+not require the user to send across a secret (e.g., a password) in the
clear across the network. Instead, authentication is carried out in a
clever way which avoids this, and so prevents passwords from being
sniffed.
B<Net::LDAP> supports SASL using the B<Authen::SASL> class. Currently the
-only B<Authen::SASL> subclasses (ie., SASL mechanism) available are
+only B<Authen::SASL> subclasses (i.e., SASL mechanism) available are
CRAM-MD5 and EXTERNAL.
Some SASL mechanisms provide a general solution to the sniffing of all
data on the network vulnerability, as they can negotiate confidential
-(ie., encrypted) network connections. Note that this is over and above
+(i.e., encrypted) network connections. Note that this is over and above
any SSL or TLS encryption! Unfortunately, perl's B<Authen::SASL> code
cannot negotiate this.
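Review bot: while touching the "e.g." and "i.e." wording on these lines, the surrounding claims deserve an update too: saying that CRAM-MD5 and EXTERNAL are the only `Authen::SASL` mechanisms is outdated (`Authen::SASL::Perl` also ships DIGEST-MD5, GSSAPI, PLAIN and LOGIN), and "prevents passwords from being sniffed" should be qualified, because a challenge-response mechanism keeps the cleartext password off the wire but a captured challenge/response pair can still be subjected to offline guessing, and DIGEST-MD5 was moved to Historic by RFC 6331. The text should point readers at TLS (StartTLS or the `ldaps://` bind shown in the SYNOPSIS) as the baseline protection rather than at CRAM-MD5 as a full solution.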
