When I run my perl script I get an error
./LDAP-AD-query.pl
GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more
information
Server not found in Kerberos database
Looking at the Kerberos traffic I see that a TGS for ldap/<ip-address> is
requested instead of ldap/<fqdn>. When I change LDAP.pm as below it works.
# If we're talking to a round-robin, the canonical name of
# the host we are talking to might not match the name we
# requested
my $connected_name = $ldap->{net_ldap_socket}->peerhost;
# $connected_name ||= $ldap->{net_ldap_host};
$connected_name = $ldap->{net_ldap_host};
Running the same script on OpenSuse with perl 5.10.0 works fine without the
change. Which underlying perl module do I have to update?
Thank you
Markus
#!/usr/bin/perl
#
# Reads LDAP attributes and stores them as RADIUS attributes
#
use strict;
use warnings;

use Net::LDAPS;
use Authen::SASL qw(Perl);
# use Authen::SASL;
use Authen::Krb5;
use Net::DNS;
use Data::Dumper;

my $user = 'mm';

# DNS details
my $ares = Net::DNS::Resolver->new;
my $nres = Net::DNS::Resolver->new;
my $rres = Net::DNS::Resolver->new;
my $aquery = $ares->query("win2003r2.home");
my $hostlist = '';

#
# Query DNS and make sanity checks to guarantee Kerberos works:
# keep only names whose PTR record resolves back to the same address,
# so the GSSAPI service principal ldap/<name> refers to a real host name
#
if ($aquery) {
    # loop over list of IP-addresses
    foreach my $arr ($aquery->answer) {
        next unless $arr->type eq "A";
        my $nquery = $nres->query($arr->address);
        if ($nquery) {
            # Get names for IP-addresses
            foreach my $nrr ($nquery->answer) {
                next unless $nrr->type eq "PTR";
                my $rquery = $rres->query($nrr->ptrdname);
                if ($rquery) {
                    # Check if DNS lookup of name gives same IP-address
                    foreach my $rrr ($rquery->answer) {
                        next unless $rrr->type eq "A";
                        if ( $rrr->address eq $arr->address ) {
                            $hostlist = $hostlist." ".$nrr->ptrdname;
                        }
                    }
                }
            }
        }
    }
} else {
    # a method call does not interpolate inside a double-quoted string
    print("DNS query failed: " . $ares->errorstring . "\n");
    exit;
}
# drop the empty leading field produced by the leading blank in $hostlist
my @hosts = grep { length } split(/\s+/, $hostlist);
die "no host name passed the DNS sanity checks\n" unless @hosts;

# ldap details
my $server = \@hosts;
my $bind_path = 'dc=win2003r2,dc=home';
my ($mail, $samaccountname, $userprincipalname, $useraccountcontrol);
my ($ldap, $sasl, $mesg, $entry);

#
# Connect to Global Catalog to get details of all trusted domain users
# (verify => 'never' accepts any server certificate; use 'require' with
# a cafile outside a test setup)
#
$ldap = Net::LDAPS->new( $server,
                         port    => 3269,
                         timeout => 2,
                         verify  => 'never',
                         version => 3) or die "$@";

# Setup Kerberos cache: get initial credentials from the keytab into a
# private per-process cache and point the GSSAPI library at it
Authen::Krb5::init_context();
my $ccache_name = "FILE:/tmp/.client.cache.$$";
my $ccache = Authen::Krb5::cc_resolve($ccache_name);
my $kt = Authen::Krb5::kt_resolve('FILE:./clienttest.keytab');
my $princ = Authen::Krb5::parse_name('client/te...@WIN2003R2.HOME');
$ccache->initialize($princ);
my $creds = Authen::Krb5::get_init_creds_keytab($princ, $kt)
    or die "get_init_creds_keytab failed: " . Authen::Krb5::error() . "\n";
$ccache->store_cred($creds);
$ENV{'KRB5CCNAME'} = $ccache_name;

$sasl = Authen::SASL->new( mechanism => 'GSSAPI', 'user' => '');
$mesg = $ldap->bind( '', sasl => $sasl );
$mesg->code && die $mesg->error;

# $user is a constant here; if it ever comes from user input, escape it
# with Net::LDAP::Util::escape_filter_value before building the filter
$mesg = $ldap->search( # perform a search
    base      => $bind_path,
    filter    => "(samaccountname=$user)",
    timelimit => 2,
    attrs     => ['mail',
                  'samaccountname',
                  'useraccountcontrol',
                  'userprincipalname']
);
$ccache->destroy;
$mesg->code && die $mesg->error;

foreach $entry ($mesg->entries) {
    $mail               = $entry->get_value('mail');
    $samaccountname     = $entry->get_value('samaccountname');
    $useraccountcontrol = $entry->get_value('useraccountcontrol');
    $userprincipalname  = $entry->get_value('userprincipalname');
}
$mesg = $ldap->unbind; # take down session

# 0x0002 is the ACCOUNTDISABLE bit of userAccountControl (LOCKOUT is 0x0010)
my $locked;
if (defined $useraccountcontrol) {
    $locked = ($useraccountcontrol & 0x0002) ? "Yes" : "No";
}
# print empty strings instead of "uninitialized" warnings for missing values
for my $v ($mail, $samaccountname, $useraccountcontrol, $userprincipalname, $locked) {
    $v = '' unless defined $v;
}

print("Retrieved LDAP Attributes:\n");
print("User-Mail = $mail\n");
print("User-SAM-Accountname = $samaccountname\n");
print("User-Account-Control = $useraccountcontrol\n");
print("User-Account-Locked = $locked \n");
print("User-Principal-name = $userprincipalname\n");
Markus
"Graham Barr" <gb...@pobox.com> wrote in message
news:A0711F99-E501-4010...@pobox.com...
On Nov 16, 2009, at 3:04 PM, Markus Moeller wrote:
> I have an OpenSolaris system which has perl 5.8.4 installed as part of the
> OpenSolaris install on which I installed Net::LDAP, GSSAPI, Authen::Krb5,
> Net::DNS with all dependencies.
>
> When I run my perl script I get an error
>
> ./LDAP-AD-query.pl
> GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more
> information
> Server not found in Kerberos database
>
> Looking at the Kerberos traffic I see that a TGS for ldap/<ip-address> is
> requested instead of ldap/<fqdn>. When I change LDAP.pm as below it works.
>
> # If we're talking to a round-robin, the canonical name of
> # the host we are talking to might not match the name we
> # requested
> my $connected_name = $ldap->{net_ldap_socket}->peerhost;
> # $connected_name ||= $ldap->{net_ldap_host};
> $connected_name = $ldap->{net_ldap_host};
>
> Running the same script on OpenSuse with perl 5.10.0 works fine without
> the change. Which underlying perl module do I have to update ?
This is one of those things that needs to be done different ways depending on the
system. As a result the next release of Net::LDAP will allow the caller to
call $sasl->client_new("ldap", $connected_name) and pass the result as the
sasl option.
The code to do that is currently on the "next" branch in the repository if
you want to test before we release it.
http://github.com/gbarr/perl-ldap/tree/next/
Graham.
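Graham's suggestion carried through, as an added example that is not part of the thread or of Net::LDAP itself: it combines the forward/reverse DNS check from the script above with the new client_new() call, so the ticket requested is always for ldap/<verified fqdn> rather than for whatever peerhost returns. The DC name, the credential cache path and the CA file path are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::DNS;
use Net::LDAPS;
use Authen::SASL qw(Perl);

# Assumed values: the DC name, a credential cache that already holds a TGT
# (kinit, or Authen::Krb5 as in the thread's script) and the CA file
my $requested = 'win2003r2.home';
my $cafile    = '/etc/ssl/certs/ad-ca.pem';
$ENV{KRB5CCNAME} = "FILE:/tmp/.client.cache.$$";

# Forward/reverse consistency check: a PTR name is accepted only if it
# resolves back to the address obtained for the name we asked for. GSSAPI
# builds ldap/<host>@REALM from the host string, so it must be a verified FQDN.
sub verified_fqdns {
    my ($name) = @_;
    my $res = Net::DNS::Resolver->new;
    my @fqdns;
    my $aq = $res->query($name, 'A') or return;
    for my $ar (grep { $_->type eq 'A' } $aq->answer) {
        my $pq = $res->query($ar->address) or next;     # PTR lookup
        for my $pr (grep { $_->type eq 'PTR' } $pq->answer) {
            my $bq = $res->query($pr->ptrdname, 'A') or next;
            push @fqdns, $pr->ptrdname
                if grep { $_->type eq 'A' && $_->address eq $ar->address }
                        $bq->answer;
        }
    }
    return @fqdns;
}

my @hosts = verified_fqdns($requested)
    or die "no host for $requested passes the forward/reverse check\n";

# Connect to one verified host, so the name pinned in the SASL client is
# the name of the socket we actually hold; verify the TLS certificate too
my $ldap = Net::LDAPS->new($hosts[0], port => 3269, timeout => 2,
                           verify => 'require', cafile => $cafile,
                           version => 3)
    or die "connect to $hosts[0] failed: $@";

# Build the GSSAPI client with the verified FQDN instead of letting
# Net::LDAP derive it from peerhost, and pass the client as the sasl option
my $sasl   = Authen::SASL->new(mechanism => 'GSSAPI');
my $client = $sasl->client_new('ldap', $hosts[0]);
my $mesg   = $ldap->bind(sasl => $client);
$mesg->code and die "GSSAPI bind to $hosts[0] failed: " . $mesg->error . "\n";
$ldap->unbind;
```

Passing the client object (rather than the Authen::SASL object) is what skips Net::LDAP's own peerhost-based name derivation, so this only works with a Net::LDAP that accepts a client as the sasl option, as Graham describes for the "next" branch.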