Can't pull configurationNamingContext using Perl
Ismael Lezcano
2009-01-31 00:46:29 UTC
Hello, new poster, all noob disclaimers apply.

I'm trying to write a script that will be a concept for other scripts. I
want to connect to Active Directory and have the script intelligently
decipher the configuration naming context to thereafter poll for other
values. However it seems that I can't retrieve
configurationNamingContext from the Root DSE. When I itemize the
attributes for the Root DSE, the following are available:

subschemaSubentry
namingContexts
supportedControl
supportedLDAPVersion
supportedSASLMechanisms
supportedExtension

These are nice, but not what I'm looking for. I vaguely remember that
AD restricts certain attributes to authenticated users, but I can't find
documentation that is specific on the subject. Also, I successfully
authenticate with a valid user ID. I can retrieve the value of
configurationNamingContext manually using the ADSI Edit tool with the
same credentials.

Here's the failed script so far, with all of the sensitive stuff
removed. Any suggestions, or is what I'm trying to do impossible via
Net::LDAP?




#!/usr/bin/perl -w

use Net::DNS;
use Net::LDAP;
use Net::LDAP::Filter;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw( LDAP_CONTROL_PAGED );
use Authen::SASL qw(Perl);
use XML::Dumper;
use strict;

my $user = 'REMOVED';
my $pw   = 'REMOVED';

# Look up the servers in DNS and build one ldap:// URL per answer
my $res   = Net::DNS::Resolver->new;
my $query = $res->query('REMOVED');
my @loginservers = map { "ldap://" . $_->target . ":" . $_->port }
    $query->answer;

my $sasl = Authen::SASL->new(
    mechanism => 'DIGEST-MD5',
    callback  => {
        user => $user,
        pass => $pw
    },
);

# Connect to the first server that answers, then bind with SASL
my $ldap = Net::LDAP->new(\@loginservers) or die "$@";

my $mesg = $ldap->bind(undef, sasl => $sasl);

$mesg->code && die $mesg->error;

# Root DSE read with no attribute list; this is the call that fails to
# return configurationNamingContext
my $dse = $ldap->root_dse();

my $confnamecontext = $dse->get_value('configurationNamingContext');
#my @confnamecontext = $dse->attributes;

#print $mesg->code;

print pl2xml($confnamecontext);

$ldap->unbind;
Richard Mueller [MVP]
2009-01-31 01:26:14 UTC
I don't use perl, but the namingContexts attribute is actually a collection
of DN's, one of which is the configuration naming context. You should be
able to enumerate namingContexts and see this.

In VB I use the Get method of the RootDSE object to retrieve properties
like: defaultNamingContext, rootDomainNamingContext, schemaNamingContext,
and configurationNamingContext. From the list of properties you see I wonder
if you are not authenticated to an AD domain. You should also be able to
retrieve DsServiceName, DnsHostName, and LDAPServiceName from the RootDSE
object.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Ismael Lezcano
2009-01-31 02:08:05 UTC
Yes, I know that the namingContexts contains the value I need, but I
want to more precisely retrieve the exact DN instead of guessing from an
array of DNs. I don't want to assume that the first DN will always be
the one I'm looking for.

I'm pretty sure that I'm successfully authenticating. I tested it by
falsifying my creds and watching the error message specifying my
authentication failure. Of course, I'm restricted to using DIGEST-MD5 as
the only available SASL method.
Joe Kaplan
2009-01-31 03:35:18 UTC
Do you know how to query for operational attributes? You don't have to
authenticate to read anything on rootDSE but some attributes may not be
returned unless they are requested specifically in your search. I don't
know how to help you with the syntax.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Ismael Lezcano
2009-01-31 04:13:31 UTC
Got it, thanks! Using your clue, I did a little research about
"operational" attributes in the Perl documentation and modified this line:

my $dse = $ldap->root_dse();

To read this way:

my $dse = $ldap->root_dse(attrs =>['configurationNamingContext']);
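
Added example, not code from any poster in this thread: Net::LDAP's root_dse() asks for a fixed default attribute list when attrs is omitted, which is why the AD naming-context attributes never appeared. The sketch below requests them by name and checks each DN against namingContexts instead of relying on list order. The host argument and the example.test DNs are assumptions, and the sample entry is constructed so the check also runs without a server.

```perl
use strict; use warnings;
use Net::LDAP;
use Net::LDAP::Entry;

# AD rootDSE attributes to request by name (the library's default list omits them).
my @CONTEXT_ATTRS = qw(defaultNamingContext configurationNamingContext schemaNamingContext);

# Read the rootDSE from $host, naming every attribute we need.
sub fetch_root_dse {
    my ($host) = @_;
    my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@\n";
    my $dse  = $ldap->root_dse(attrs => [ @CONTEXT_ATTRS, 'namingContexts' ])
        or die "$host returned no rootDSE entry\n";
    $ldap->unbind;
    return $dse;
}

# Select each context by attribute name and confirm its DN is in namingContexts.
sub named_contexts {
    my ($dse) = @_;
    my %listed = map { lc($_) => 1 } $dse->get_value('namingContexts');
    my %ctx;
    for my $attr (@CONTEXT_ATTRS) {
        my $dn = $dse->get_value($attr);
        die "$attr not returned; was it requested by name?\n" unless defined $dn;
        die "$attr '$dn' is not listed in namingContexts\n" unless $listed{ lc $dn };
        $ctx{$attr} = $dn;
    }
    return \%ctx;
}

my $dse;
if (@ARGV) {
    $dse = fetch_root_dse($ARGV[0]);    # hypothetical: a domain controller host name
} else {
    # Constructed sample entry (example.test DNs are made up for illustration).
    $dse = Net::LDAP::Entry->new;
    $dse->dn('');
    $dse->add(
        namingContexts => [ 'DC=example,DC=test',
                            'CN=Configuration,DC=example,DC=test',
                            'CN=Schema,CN=Configuration,DC=example,DC=test' ],
        defaultNamingContext       => 'DC=example,DC=test',
        configurationNamingContext => 'CN=Configuration,DC=example,DC=test',
        schemaNamingContext        => 'CN=Schema,CN=Configuration,DC=example,DC=test',
    );
}
my $ctx = named_contexts($dse);
printf "%-27s %s\n", $_, $ctx->{$_} for sort keys %$ctx;
```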
santhanalakshmi s
2011-01-17 08:10:39 UTC
Hi,

I need ADSI authentication with Perl. I am new to the ADSI concept. I am running my Perl program globally with the use of Apache. I have my login screen; now it's just checking the userid and the password against my database. If it is found in my database, the login should be successful.

Instead of looking into my database, I need ADSI authentication. Please give me the necessary steps to follow and the coding. Thanks in advance.