ETOOBUSY 🚀 minimal blogging for the impatient

Example LDAP with on-the-fly Kerberos authentication

· #ldap #kerberos #security #perl

TL;DR

An example to do Kerberos authentication in memory, i.e. without the need of using [kinit][] beforehand or to save anything on the disk.

Mixing Net::LDAP with Authen::SASL, being aware of how GSSAPI works and using Authen::Krb5 to get an initial ticket, without necessarily saving anything in the filesystem.

ldap-search-with-memory-kerberos.pl 2.46 KiB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 
#!/usr/bin/env perl
use v5.24;
use warnings;
use experimental 'signatures';
no warnings 'experimental::signatures';
use Scalar::Util 'blessed';

use Path::Tiny;
use Ouch ':trytiny_var';
use Try::Catch;

use Authen::Krb5;
use Authen::SASL;
use Net::LDAP;

use constant PRINT_ENTRIES => 5;

my $username = 'admin';
my $realm    = 'DEMO1.FREEIPA.ORG';
my $host     = 'ipa.demo1.freeipa.org';

my $conf_file = path('.')->child('krb5.conf');
$conf_file->spew(<<'END');
[libdefaults]
dns_canonicalize_hostname = false
default_ccache_name = MEMORY
END
$ENV{KRB5_CONFIG} = $conf_file->absolute->stringify;

exit try {
   my $cache = acquire_TGT("$username\@$realm", 'Secret123');

   say 'first call, this should return a bunch of entries:';
   LDAP_search($host, $username);

   say q<now let's get rid of the credentials in the cache>;
   $cache->destroy;

   say 'second call, this should fail for lack of credentials';
   try { LDAP_search($host, $username) }
   catch {
      if (bleep($_) =~ m{No Kerberos credentials available}i) {
         say '   --> failed as expected!';
      }
      else {
         say '   "bad" failure:', bleep($_);
      }
   };

   0;
}
catch {
   warn bleep($_);
   1;
};

sub LDAP_search ($host, $dn, $base= '', $filter = '(objectClass=*)') {
   my $ldap = Net::LDAP->new($host)
      or ouch 500, "LDAP: $@\n";
   my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
   my $msg = $ldap->bind($dn, sasl => $sasl, version => 3);
   ouch 500, join ' ', 'bind error', $msg->error, $sasl->error
      if $msg->code != 0;
   $msg = $ldap->search(base => '', filter => '(objectClass=*)');
   ouch 500, join ' ', 'search error', $msg->error if $msg->code != 0;
   my @entries = $msg->entries;
   if (@entries <= PRINT_ENTRIES) {
      say '- ', $_->dn for @entries;
   }
   else {
      say '- ', $_->dn for @entries[0 .. (PRINT_ENTRIES - 2)];
      my $n_residual = @entries - PRINT_ENTRIES + 1;
      say ". (and other $n_residual entries...)";
   }
}

sub acquire_TGT ($principal, $password) {
   return try {
      Authen::Krb5::init_context() or die;
      $principal = Authen::Krb5::parse_name($principal) or die;
      my $cache = Authen::Krb5::cc_resolve('MEMORY') or die;
      $cache->initialize($principal) or die;
      my $credentials = Authen::Krb5::get_init_creds_password(
         $principal, $password) or die;
      $cache->store_cred($credentials) or die;
      $cache;
   }
   catch {
      die $_ if blessed($_) && $_->isa('Ouch');
      ouch 500, Authen::Krb5::error();
   }
}

Local version here.

The acquire_TGT function is basically the same as A bare-bones kinit in Perl - nothing new here. Getting stuff with LDAP_search is basically the same as in eldap. So… we’re just doing plain ol’ integration here - all with a configuration file!

Well… be my guest, future me, and stay safe everybody!

Comments? Octodon, , GitHub, Reddit, or drop me a line!

ETOOBUSY © 2025 by polettix ― Powered by Jekyll and the TextLog theme