
Error with Dancer2::Plugin::Auth::ActiveDirectory

by TieUpYourCamel (Beadle)
on Jan 08, 2020 at 21:14 UTC ( #11111205=perlquestion )

TieUpYourCamel has asked for the wisdom of the Perl Monks concerning the following question:

I am attempting to use Dancer2::Plugin::Auth::ActiveDirectory and am receiving an error I can't figure out. Here is my code: (with unrelated routes removed)

    package myApp;
    use Dancer2;
    use Dancer2::Plugin::Auth::ActiveDirectory;

    get '/loginForm' => sub {
        template 'loginForm' => { 'title' => 'loginForm' };
    };

    post '/loginPost' => sub {
        session 'user' => authenticate(params->{user}, params->{pass});
        return template 'loggedIn' => {};
    };

    true;

And these are my settings in config.yml:

    plugins:
      Auth::ActiveDirectory:
        host: xxx.xxx.xxx.xxx
        principal: 'OU=USER,OU=ACCOUNTS,OU=OUROU,DC=our,DC=domain,DC=com'
        domain: our.domain.com
        rights:
          definedright1: 'Our Users'

The error message is:

    Can't call method "groups" on unblessed reference at /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Dancer2/Plugin/Auth/ActiveDirectory.pm line 140.

    /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Dancer2/Plugin/Auth/ActiveDirectory.pm around line 140

    135
    136 register authenticate => sub {
    137     my ( $dsl, $name, $pass ) = @_;
    138     my $user = _connect_to_ad($dsl)->authenticate( $name, $pass );
    139     return $user if $user->{error};
    140     my $user_groups = [ map { $_->name } @{ $user->groups } ];
    141     return {
    142         uid       => $user->uid,
    143         firstname => $user->firstname,
    144         surname   => $user->surname,
    145         mail      => $user->mail,

I've tried two different AD accounts, both of which are members of the "Our Users" group, and get the same error message. If I put in an invalid password I get a different error. As far as I can tell I am following all of the directions in the documentation, and I'm using the same AD settings that are currently working in the PHP webapp that I'm attempting to rewrite in Perl. Any insights will be greatly appreciated.

Replies are listed 'Best First'.
Re: Error with Dancer2::Plugin::Auth::ActiveDirectory
by 1nickt (Abbot) on Jan 09, 2020 at 01:21 UTC

    Hi, I have not used this plugin, but reading the source I see that a call to authenticate() wraps a call to Auth::ActiveDirectory::authenticate(), which does:

        my $message = $self->ldap->bind( $user, password => $password );
        if ( _v_is_error( $message, $user ) ) {
            $self->error_message( _parse_error_message($message) );
            return;
        }

    ... however the code in the Dancer2 plugin does:

        my $user = _connect_to_ad($dsl)->authenticate( $name, $pass );
        return $user if $user->{error};

    Without digging further (e.g. by reading the source of the distro's test files, if any), I would suggest adding debugging by replacing line 138 with:

        my $AD = _connect_to_ad($dsl) or die "No AD connection!";
        my $user = $AD->authenticate( $name, $pass );
        die $AD->error_message if $AD->error_message;
        ...

    Hope this helps!


    The way forward always starts with a minimal test.
      Thanks... That did help me establish that the connection to the domain controller is working fine, etc. Investigating further, I believe the problem is somewhere in Auth::ActiveDirectory, specifically here where it does the LDAP search to get the user's information:

          my $result = $self->_search_users( qq/(&(objectClass=person)(userPrincipalName=$user./ . $self->principal . '))' );

      The search fails, which the code ignores, then runs a foreach on the nonexistent results, and then returns undefined. I've tried modifying the search in several different ways, including hard-coding some of the search criteria, and I can't get anything other than "DIR ERROR" and "NO OBJECT" as error messages. I inserted some debug code to show the error messages:

          my $search = qq/(&(objectClass=person)(userPrincipalName=$user./ . $self->principal . '))';
          my $result = $self->_search_users( $search );
          die $search . " -- " . $result->{'errorMessage'} if $result->{'errorMessage'};

      I've been reading about LDAP and it seems like I'm doing everything right, but I must not be. Here are some errors, with the search that generated them.

          (userPrincipalName=testuser@our.domain.com) -- 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=USER,OU=ACCOUNTS,OU=OUROU,DC=OUR,DC=DOMAIN,DC=com' at /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Auth/ActiveDirectory.pm line 133.

          (sAMAccountName=testuser) -- 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=USER,OU=ACCOUNTS,OU=OUROU,DC=OUR,DC=DOMAIN,DC=com' at /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Auth/ActiveDirectory.pm line 133.

          (sAMAccountName=*) -- 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=USER,OU=ACCOUNTS,OU=OUROU,DC=OUR,DC=DOMAIN,DC=com' at /home/camel/perl5/perlbrew/perls/perl-5.30.1/lib/site_perl/5.30.1/Auth/ActiveDirectory.pm line 133.
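
Why an authenticate() call that returns nothing surfaces as "unblessed reference" in the plugin excerpt quoted in this thread, together with a fail-closed check for that case, as an added example that is not part of the original posts or of either module. `FakeAD`, `FakeUser`, `authenticate_as_in_plugin` and `authenticate_checked` are hypothetical names, and the sample accounts are constructed.

```perl
# Added illustration. FakeAD and FakeUser are hypothetical stand-ins for
# Auth::ActiveDirectory and its user object; the accounts are constructed.
use strict;
use warnings;
use Scalar::Util qw(blessed);

package FakeUser {
    sub new    { my ( $class, %args ) = @_; return bless {%args}, $class }
    sub uid    { $_[0]{uid} }
    sub groups { $_[0]{groups} }
}

package FakeAD {
    sub new           { return bless { error_message => undef }, shift }
    sub error_message { $_[0]{error_message} }
    # As reported in the thread: a failed lookup returns nothing at all.
    sub authenticate {
        my ( $self, $name, $pass ) = @_;
        return FakeUser->new( uid => $name, groups => ['Our Users'] )
            if $name eq 'gooduser';
        $self->{error_message} = 'user lookup failed';
        return;
    }
}

# Pattern from the plugin excerpt. The hash lookup on undef autovivifies
# $user into {}, so the method call below sees an unblessed reference.
sub authenticate_as_in_plugin {
    my ( $ad, $name, $pass ) = @_;
    my $user = $ad->authenticate( $name, $pass );
    return $user if $user->{error};
    my $groups = [ @{ $user->groups } ];
    return { uid => $user->uid, groups => $groups };
}

# Fail-closed variant: anything that is not an object is a failed login.
sub authenticate_checked {
    my ( $ad, $name, $pass ) = @_;
    my $user = $ad->authenticate( $name, $pass );
    return { error => $ad->error_message() // 'authentication failed' }
        unless blessed($user);
    return { uid => $user->uid, groups => [ @{ $user->groups } ] };
}

my $ad = FakeAD->new;
eval { authenticate_as_in_plugin( $ad, 'testuser', 'pw' ); 1 } or print "plugin pattern died: $@";
my $denied = authenticate_checked( $ad, 'testuser', 'pw' );
print "checked pattern: login refused ($denied->{error})\n";
print "checked pattern: uid=", authenticate_checked( $ad, 'gooduser', 'pw' )->{uid}, "\n";
```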
