
comp.lang.ruby

ruby-ldap rebinding ?

Dick Davies

3/10/2005 11:47:00 AM


Can anyone tell me where I'm going wrong here?
I'm trying to write a very simple ldap authenticator, which does

get user and pass
open connection to server
bind anonymously
map the user to a dn
bind as dn and pass <- this goes boom

when I rebind I get an error. Here's a cut down version:


$ irb -r ldap
irb(main):001:0> conn = LDAP::SSLConn.new('ldap.server',389,true)
=> #<LDAP::SSLConn:0x812ec70>
irb(main):002:0> a = conn.bind
=> #<LDAP::SSLConn:0x812ec70>
irb(main):003:0> a.unbind
=> nil
irb(main):004:0> b = conn.bind
LDAP::InvalidDataError: The LDAP handler is already unbind()'ed.
from (irb):4:in `bind'
from (irb):4



if I omit the unbind(), I get 'The LDAP handler is already binded'

That's some catch, that catch 22....


--
'In the beginning the Universe was created. This has made a lot of people
very angry and been widely regarded as a bad move.'
-- The Guide
Rasputin :: Jack of All Trades - Master of Nuns


17 Answers

Ollivier Robert

3/10/2005 5:03:00 PM

0

On Thu, 10 Mar 2005 20:46:51 +0900, Dick Davies wrote:
> get user and pass
> open connection to server
> bind anonymously
> map the user to a dn
> bind as dn and pass <- this goes boom

Don't unbind, I guess it is using some kind of global variable somewhere
and unbind() does bad things. You can have several simultaneous
connections though although it will leak a descriptor :(

I have the same issue here.

Ian Macdonald

3/11/2005 6:45:00 AM

0

On Thu 10 Mar 2005 at 20:46:51 +0900, Dick Davies wrote:

>
> Can anyone tell me where I'm going wrong here?
> I'm trying to write a very simple ldap authenticator, which does
>
> get user and pass
> open connection to server
> bind anonymously
> map the user to a dn
> bind as dn and pass <- this goes boom
>
> when I rebind I get an error. Here's a cut down version:
>
>
> $ irb -r ldap
> irb(main):001:0> conn = LDAP::SSLConn.new('ldap.server',389,true)
> => #<LDAP::SSLConn:0x812ec70>
> irb(main):002:0> a = conn.bind
> => #<LDAP::SSLConn:0x812ec70>
> irb(main):003:0> a.unbind
> => nil
> irb(main):004:0> b = conn.bind
> LDAP::InvalidDataError: The LDAP handler is already unbind()'ed.
> from (irb):4:in `bind'
> from (irb):4
>
>
>
> if I omit the unbind(), I get 'The LDAP handler is already binded'

Conn#unbind doesn't just unbind from the server; it also destroys the
connection object when it calls ldap_unbind().

From ldap_unbind(3):

UNBINDING
The ldap_unbind() call is used to unbind from the directory,
terminate the current association, and free the resources
contained in the ld structure. Once it is called, the connection
to the LDAP server is closed, and the ld structure is
invalid. The ldap_unbind_s() call is just another name for
ldap_unbind(); both of these calls are synchronous in
nature.

So, think of Conn#unbind as being more of a Conn#destroy, in that the
Conn object effectively no longer exists after the unbind.

Cheers,

Ian
--
Ian Macdonald | Time is but the stream I go a-fishing in.
System Administrator | -- Henry David Thoreau
ian@caliban.org |
http://www.c... |
|


Dick Davies

3/11/2005 11:39:00 AM

0

* Ian Macdonald <ian@caliban.org> [0345 06:45]:
> On Thu 10 Mar 2005 at 20:46:51 +0900, Dick Davies wrote:
> > get user and pass
> > open connection to server
> > bind anonymously
> > map the user to a dn
> > bind as dn and pass <- this goes boom
> >
> > when I rebind I get an error. Here's a cut down version:
> >
> > $ irb -r ldap
> > irb(main):001:0> conn = LDAP::SSLConn.new('ldap.server',389,true)
> > => #<LDAP::SSLConn:0x812ec70>
> > irb(main):002:0> a = conn.bind
> > => #<LDAP::SSLConn:0x812ec70>
> > irb(main):003:0> a.unbind
> > => nil
> > irb(main):004:0> b = conn.bind
> > LDAP::InvalidDataError: The LDAP handler is already unbind()'ed.
> > from (irb):4:in `bind'
> > from (irb):4

> > if I omit the unbind(), I get 'The LDAP handler is already binded'

> Conn#unbind doesn't just unbind from the server; it also destroys the
> connection object when it calls ldap_unbind().
>
> From ldap_unbind(3):
>
> UNBINDING
> The ldap_unbind() call is used to unbind from the directory,

Ok thanks - I've used Perl::LDAP in the past which lets you rebind an
existing connection.

Can I do that with ruby-ldap, or do I need a new connection every time
I check a username/password pair?

--
'Oh, wait you're serious. Let me laugh even harder.'
-- Bender
Rasputin :: Jack of All Trades - Master of Nuns


Ian Macdonald

3/11/2005 8:03:00 PM

0

On Fri 11 Mar 2005 at 20:38:31 +0900, Dick Davies wrote:

> * Ian Macdonald <ian@caliban.org> [0345 06:45]:
>
> > Conn#unbind doesn't just unbind from the server; it also destroys the
> > connection object when it calls ldap_unbind().
> >
> > From ldap_unbind(3):
> >
> > UNBINDING
> > The ldap_unbind() call is used to unbind from the directory,
>
> Ok thanks - I've used Perl::LDAP in the past which lets you rebind an
> existing connection.
>
> Can I do that with ruby-ldap, or do I need a new connection every time
> I check a username/password pair?

Yes, I'm afraid you need a new connection to bind as a different user.
On the other hand, if you only want to check the validity of a username
and password combination, you should be able to pull that information
from the directory as a user with the privileges required to view
passwords.

Ian
--
Ian Macdonald | All this wheeling and dealing around, why,
System Administrator | it isn't for money, it's for fun. Money's
ian@caliban.org | just the way we keep score. -- Henry
http://www.c... | Tyroon
|


Dick Davies

3/11/2005 8:40:00 PM

0

* Ian Macdonald <ian@caliban.org> [0303 20:03]:
> On Fri 11 Mar 2005 at 20:38:31 +0900, Dick Davies wrote:

> > Ok thanks - I've used Perl::LDAP in the past which lets you rebind an
> > existing connection.
> >
> > Can I do that with ruby-ldap, or do I need a new connection every time
> > I check a username/password pair?
>
> Yes, I'm afraid you need a new connection to bind as a different user.
> On the other hand, if you only want to check the validity of a username
> and password combination, you should be able to pull that information
> from the directory as a user with the privileges required to view
> passwords.

Yeah, but then I need to code an admin user/pass pair into my script,
and that sort of thing gives me the heebie-jeebies..

I suspect perl-ldap actually drops and reloads the connection in any case,
I'm not sure whether the C API lets you reuse a connection by rebinding
as another user.

Looks like I might have to actually open that LDAP programmers guide I got
on ebay before christmas, rather than just letting it sit on the shelf... :)

Thanks for your help anyway!

--
'Robots don't have emotions, and that sometimes makes me feel sad.'
-- Bender
Rasputin :: Jack of All Trades - Master of Nuns


Ian Macdonald

3/11/2005 11:16:00 PM

0

On Sat 12 Mar 2005 at 05:39:42 +0900, Dick Davies wrote:

> * Ian Macdonald <ian@caliban.org> [0303 20:03]:
> >
> > Yes, I'm afraid you need a new connection to bind as a different user.
> > On the other hand, if you only want to check the validity of a username
> > and password combination, you should be able to pull that information
> > from the directory as a user with the privileges required to view
> > passwords.
>
> Yeah, but then I need to code an admin user/pass pair into my script,
> and that sort of thing gives me the heebie-jeebies..

You could consider using SASL and something like GSSAPI instead, but
that might be a lot of work if you're not already set up for it.

> I suspect perl-ldap actually drops and reloads the connection in any case,
> I'm not sure whether the C API lets you reuse a connection by rebinding
> as another user.

It doesn't.

Perhaps Net::LDAP remembers the details of the connection when it was
opened and silently performs another open when you perform a bind after
an unbind, but at some point, you're still opening a new connection.
It's just a question of whether it's implicit or explicit.

Ruby/LDAP could be made to do this, too, I think. The details passed to
LDAP::Conn.new could be put into instance variables. If the connection
is dead at bind time, these could be read and used to transparently
reestablish the connection before conducting the bind.

I'll look at how hard this would be to ship up in practice.

Ian
--
Ian Macdonald | There's something different about us --
System Administrator | different from people of Europe, Africa,
ian@caliban.org | Asia ... a deep and abiding belief in the
http://www.c... | Easter Bunny. -- G. Gordon Liddy
|
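The two things this thread circles around, the authenticator flow from the original post (anonymous bind, map uid to DN, bind as that DN) and the "remember the connection details and reopen on bind" design Ian sketches above, can be shown together in one runnable Ruby script. This is an added example; it is not code from the thread or from the ruby-ldap gem. FakeDirectory and FakeConn are constructed stand-ins for a directory server and for a 0.9.0-era LDAP::Conn handle (one bind per handle, unbind destroys it); the two error strings are the ones quoted in the original post, while the exception class names InvalidDataError and ResultError are assumed stand-ins for the gem's classes. ReconnectingConn is the wrapper Ian describes, and authenticate() is the original poster's five-step flow written against it. One caveat the thread does not mention, included because any bind-based authenticator needs it: a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many servers accept, so the password must be checked for emptiness before binding.

```ruby
# Stand-ins for the exceptions ruby-ldap raises (assumed names, not the gem's classes).
class InvalidDataError < StandardError; end
class ResultError < StandardError; end

# Constructed stand-in for the directory: uid => [dn, password].
class FakeDirectory
  def initialize(accounts)
    @accounts = accounts
  end

  def dn_for(uid)
    entry = @accounts[uid]
    entry && entry[0]
  end

  # Anonymous bind (nil dn) always succeeds; a DN bind needs the right password.
  def check_credentials(dn, password)
    return true if dn.nil?
    ok = @accounts.values.any? { |d, pw| d == dn && pw == password }
    raise ResultError, "Invalid credentials" unless ok
    true
  end
end

# Mimics the handle behaviour the thread describes: a handle binds at most once,
# and unbind destroys it (ldap_unbind frees the ld structure).
class FakeConn
  def initialize(directory)
    @dir = directory
    @state = :fresh
  end

  def dead?
    @state == :unbound
  end

  def bind(dn = nil, password = nil)
    raise InvalidDataError, "The LDAP handler is already binded" if @state == :bound
    raise InvalidDataError, "The LDAP handler is already unbind()'ed." if @state == :unbound
    @dir.check_credentials(dn, password) # raises ResultError on a bad password
    @state = :bound
    self
  end

  def unbind
    @state = :unbound
    nil
  end

  def dn_for(uid)
    raise InvalidDataError, "not bound" unless @state == :bound
    @dir.dn_for(uid)
  end
end

# Ian's design: keep what is needed to open a handle, and if the current handle
# is dead at bind time, open a fresh one before binding.
class ReconnectingConn
  def initialize(&open_handle)
    @open_handle = open_handle
    @conn = nil
  end

  def bind(dn = nil, password = nil)
    @conn = @open_handle.call if @conn.nil? || @conn.dead?
    @conn.bind(dn, password)
    self
  end

  def unbind
    @conn.unbind unless @conn.nil?
    nil
  end

  def dn_for(uid)
    @conn.dn_for(uid)
  end
end

# Reproduces the catch-22 from the original post on a raw handle; returns both messages.
def catch22(directory)
  conn = FakeConn.new(directory)
  conn.bind
  already_bound = begin; conn.bind; rescue InvalidDataError => e; e.message; end
  conn.unbind
  already_unbound = begin; conn.bind; rescue InvalidDataError => e; e.message; end
  [already_bound, already_unbound]
end

# The original post's flow against ReconnectingConn. Returns true only on a
# successful bind as the user's own DN.
def authenticate(directory, uid, password)
  # Empty password would be an unauthenticated bind (RFC 4513 5.1.2): refuse it first.
  return false if password.nil? || password.empty?
  conn = ReconnectingConn.new { FakeConn.new(directory) }
  conn.bind                 # anonymous bind
  dn = conn.dn_for(uid)     # map the user to a DN
  conn.unbind               # destroys the underlying handle
  return false if dn.nil?
  conn.bind(dn, password)   # wrapper opens a fresh handle, then binds as the user
  conn.unbind
  true
rescue ResultError
  false
end

# Constructed sample directory.
DIRECTORY = FakeDirectory.new(
  "alice" => ["uid=alice,ou=people,dc=example,dc=org", "correct horse"]
)

if __FILE__ == $0
  p catch22(DIRECTORY)
  p authenticate(DIRECTORY, "alice", "correct horse") # true
  p authenticate(DIRECTORY, "alice", "wrong")         # false
  p authenticate(DIRECTORY, "alice", "")              # false
end
```

Against the real gem the FakeConn.new block would become the LDAP::Conn.new(host, port) call with a search for the uid in place of dn_for; the point the wrapper makes is that every credential check still costs a fresh connection, whether the library opens it implicitly or you do it explicitly.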


Ian Macdonald

3/12/2005 9:52:00 AM

0

On Sat 12 Mar 2005 at 08:16:12 +0900, Ian Macdonald wrote:

> Perhaps Net::LDAP remembers the details of the connection when it was
> opened and silently performs another open when you perform a bind after
> an unbind, but at some point, you're still opening a new connection.
> It's just a question of whether it's implicit or explicit.
>
> Ruby/LDAP could be made to do this, too, I think. The details passed to
> LDAP::Conn.new could be put into instance variables. If the connection
> is dead at bind time, these could be read and used to transparently
> reestablish the connection before conducting the bind.
>
> I'll look at how hard this would be to ship up in practice.

This feature is now in Ruby/LDAP's CVS and will be released in 0.9.1.

This allows you to perform an LDAP::Conn#unbind, followed by either an
LDAP::Conn#bind or an LDAP::Conn#simple_bind to reconnect to the server,
using different credentials if you wish.

Ian
--
Ian Macdonald | This generation doesn't have emotional
System Administrator | baggage. We have emotional moving vans.
ian@caliban.org | -- Bruce Feirstein
http://www.c... |
|


Dick Davies

3/12/2005 10:35:00 AM

0

* Ian Macdonald <ian@caliban.org> [0351 09:51]:
> On Sat 12 Mar 2005 at 08:16:12 +0900, Ian Macdonald wrote:
>
> > Perhaps Net::LDAP remembers the details of the connection when it was
> > opened and silently performs another open when you perform a bind after
> > an unbind, but at some point, you're still opening a new connection.
> > It's just a question of whether it's implicit or explicit.
> >
> > Ruby/LDAP could be made to do this, too, I think. The details passed to
> > LDAP::Conn.new could be put into instance variables. If the connection
> > is dead at bind time, these could be read and used to transparently
> > reestablish the connection before conducting the bind.
> >
> > I'll look at how hard this would be to ship up in practice.
>
> This feature is now in Ruby/LDAP's CVS and will be released in 0.9.1.
>
> This allows you to perform an LDAP::Conn#unbind, followed by either an
> LDAP::Conn#bind or an LDAP::Conn#simple_bind to reconnect to the server,
> using different credentials if you wish.

Brilliant, thanks Ian!

--
'Ugh, it's like there's a party in my mouth and everyone's throwing up.'
-- Fry
Rasputin :: Jack of All Trades - Master of Nuns


Ian Macdonald

3/13/2005 9:49:00 AM

0

On Sat 12 Mar 2005 at 19:34:32 +0900, Dick Davies wrote:

> * Ian Macdonald <ian@caliban.org> [0351 09:51]:
> >
> > This feature is now in Ruby/LDAP's CVS and will be released in 0.9.1.
> >
> > This allows you to perform an LDAP::Conn#unbind, followed by either an
> > LDAP::Conn#bind or an LDAP::Conn#simple_bind to reconnect to the server,
> > using different credentials if you wish.
>
> Brilliant, thanks Ian!

You're welcome.

I quickly realised that LDAP::Conn#sasl_bind should also be able to
rebind in this way and that #bind, #simple_bind and #sasl_bind should
also work on SSLConn objects, not just plain old Conn objects. This work
has now also gone into CVS.

Ian
--
Ian Macdonald | A crow perched himself on a telephone wire.
System Administrator | He was going to make a long-distance caw.
ian@caliban.org |
http://www.c... |
|


Ian Macdonald

3/13/2005 11:15:00 AM

0

On Sun 13 Mar 2005 at 18:49:01 +0900, Ian Macdonald wrote:

> I quickly realised that LDAP::Conn#sasl_bind should also be able to
> rebind in this way and that #bind, #simple_bind and #sasl_bind should
> also work on SSLConn objects, not just plain old Conn objects. This work
> has now also gone into CVS.

And I spoke too soon, because SSLConn connections are more complicated.
For the time being, you can only rebind regular Conn objects, not
SSLConn objects.

Ian
--
Ian Macdonald | When the fog came in on little cat feet
System Administrator | last night, it left these little muddy paw
ian@caliban.org | prints on the hood of my car.
http://www.c... |
|