http://www.perlmonks.org?node_id=327902


in reply to LDAP authentication with Net::LDAP

You need to bind to the directory so that you can test the password. The password is not stored. Only the hash is stored. The hash can only be viewed if your user DN has the correct priviledge.

The code example below connects to an LDAP(S) directory using an application DN, looks up the full user DN based on their uid and then binds using the user DN and their password to check if it is OK.

#! /usr/bin/perl use strict; #http://search.cpan.org/~gbarr/perl-ldap-0.30/lib/Net/LDAP.pod use Net::LDAPS; use Net::LDAP; my $host = "myhost:389"; my $ldaps = 0; my $adminDn = "cn=myapp, ou=applications, o=MyOrg"; my $adminPwd = "password"; my $searchBase = "ou=people, o=MyOrg"; my $userdn = testGuid ("myGUID", "password"); if ($userdn) { print "$userdn checks out!\n"; } sub getUserDn { my $ldap; my $guid = shift; my $dn; my $entry; if ($ldaps) { $ldap = Net::LDAPS->new($host, verify=>'none') or die "$@"; } else { $ldap = Net::LDAP->new($host, verify=>'none') or die "$@"; + } my $mesg = $ldap->bind ($adminDn, password=>"$adminPwd"); $mesg->code && return undef; $mesg = $ldap->search(base => $searchBase, filter => "uid=$guid" ) +; $mesg->code && return undef; $entry = $mesg->shift_entry; if ($entry) { $dn = $entry->dn; $entry->dump; } $ldap->unbind; return $dn; } sub testGuid { my $ldap; my $guid = shift; my $userPwd = shift; my $userDn = getUserDn ($guid); return undef unless $userDn; if ($ldaps) { $ldap = Net::LDAPS->new($host, verify=>'none') or die "$@"; } else { $ldap = Net::LDAP->new($host, verify=>'none') or die "$@"; + } my $mesg = $ldap->bind ($userDn, password=>"$userPwd"); if ($mesg->code) { # Bad Bind print $mesg->error . "\n"; return undef; } $ldap->unbind; return $userDn; }