{"id":59,"date":"2008-01-18T10:44:10","date_gmt":"2008-01-18T10:44:10","guid":{"rendered":"https:\/\/www.bishnet.net\/tim\/blog\/2008\/01\/18\/connecting-to-ldap-using-kerberos-authentication-in-perl\/"},"modified":"2010-11-11T13:01:43","modified_gmt":"2010-11-11T13:01:43","slug":"connecting-to-ldap-using-kerberos-authentication-in-perl","status":"publish","type":"post","link":"https:\/\/www.bishnet.net\/tim\/blog\/2008\/01\/18\/connecting-to-ldap-using-kerberos-authentication-in-perl\/","title":{"rendered":"Connecting to an LDAP server using Kerberos authentication in Perl"},"content":{"rendered":"<p>It took me a while to figure this code out, and there seemed to be a lack of complete examples on the web to do exactly this, so I thought I&#8217;d document it.<\/p>\n<p>I needed to connect to an LDAP server using a Kerberos principal for authentication from within a Perl script. This meant that it needed to do it without any external input, so it couldn&#8217;t rely on a password being entered or someone doing a kinit first.<\/p>\n<p>The code is fairly simple. It basically gets the right credentials using a pre-initialised keytab and then sets up the relevant objects and uses them to bind to an LDAP server.<\/p>\n<blockquote>\n<pre>#!\/usr\/local\/bin\/perl -w    \r\n\r\n# How to connect to an LDAP server using GSSAPI Kerberos auth.    
\r\n\r\nuse strict;\r\n\r\nuse Net::LDAP;\r\nuse Authen::SASL qw(Perl);\r\n# This module makes doing the kinit much easier\r\nuse Authen::Krb5::Easy qw(kinit kdestroy kerror);\r\n\r\n# Location of the keytab which contains testuser's key\r\n# exported in kadmin by: ktadd -k \/tmp\/test.keytab testuser\r\n# The keytab holds testuser's long-term key, so keep it readable\r\n# only by the user running this script\r\nmy $keytab = '\/tmp\/test.keytab';\r\n# Where to store the credentials\r\nmy $ccache = '\/tmp\/test.ccache';\r\n\r\n$ENV{KRB5CCNAME} = $ccache;\r\n\r\n# Get credentials for testuser\r\nkinit($keytab, 'testuser@CS.UKC.AC.UK') || die kerror();\r\n\r\n# Set up a SASL object\r\nmy $sasl = Authen::SASL-&gt;new(mechanism =&gt; 'GSSAPI') || die \"$@\";\r\n\r\n# Set up an LDAP connection\r\nmy $ldap = Net::LDAP-&gt;new('ldap.cs.kent.ac.uk') || die \"$@\";\r\n\r\n# Finally bind to LDAP using our SASL object\r\nmy $mesg = $ldap-&gt;bind(sasl =&gt; $sasl);\r\n\r\n# This should say \"0 (Success)\" if it worked\r\nprint \"Message is \". $mesg-&gt;code .\" (\". $mesg-&gt;error .\").\\n\";\r\n\r\n# Clear up the credentials\r\nkdestroy();<\/pre>\n<\/blockquote>\n<p>Hopefully this will help someone else out. Comments welcome \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It took me a while to figure this code out, and there seemed to be a lack of complete examples on the web to do exactly this, so I thought I&#8217;d document it. I needed to connect to an LDAP server using a Kerberos principal for authentication from within a Perl script. 
This meant that it needed to do it &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[10,12,9,7,8,13,6,11],"class_list":["post-59","post","type-post","status-publish","format-standard","hentry","category-computing","tag-authsasl","tag-authenkrb5easy","tag-gssapi","tag-kerberos","tag-keytab","tag-krb5ccname","tag-ldap","tag-netldap"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/posts\/59","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/comments?post=59"}],"version-history":[{"count":2,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/posts\/59\/revisions"}],"predecessor-version":[{"id":355,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/posts\/59\/revisions\/355"}],"wp:attachment":[{"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/media?parent=59"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/categories?post=59"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bishnet.net\/tim\/blog\/wp-json\/wp\/v2\/tags?post=59"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}