I am testing my Perl script further and noticed the following difference
between Linux and Solaris 10.
Linux:
./LDAP-ADS-check.pl
$VAR1 = [
'w2k3r2.win2003r2.home'
];
0) Cache name: /tmp/.client.cache.26713
1) Cache name:
Ticket cache: FILE:/tmp/.client.cache.26713
Default principal: client/[email protected]@WIN2003R2.HOME
Valid starting Expires Service principal
11/20/09 09:28:38 11/20/09 09:33:38 krbtgt/
2) Cache name:
Ticket cache: FILE:/tmp/.client.cache.26713
Default principal: client/[email protected]
Valid starting Expires Service principal
11/20/09 09:28:38 11/20/09 09:33:38 krbtgt/[email protected]
11/20/09 09:28:38 11/20/09 09:33:38
ldap/[email protected]
LDAP Attributes:
User-Mail = [email protected]
User-Display-Name = Markus Moeller
User-SamAccountName = markus
User-Account-Locked = No
User-Principal-Name = [email protected]
Solaris 10 seems to ignore the Kerberos cache default principal
./LDAP-ADS-check.pl
$VAR1 = [
'w2k3r2.win2003r2.home'
];
0) Cache name: /tmp/.client.cache.5458
1) Cache name:
Ticket cache: FILE:/tmp/.client.cache.5458
Default principal: client/[email protected]@WIN2003R2.HOME
Valid starting Expires Service principal
11/20/09 09:28:38 11/20/09 09:33:38 krbtgt/
2) Cache name:
klist: No credentials cache file found (ticket cache
FILE:/tmp/.client.cache.5458)
3) Cache name:
klist: No credentials cache file found (ticket cache
FILE:/tmp/.client.cache.5458)
Cache /tmp/.radclient.cache.5458
LDAP search error: Net::LDAP::Search=HASH(0x7d65c8)->error
When I run as root, client/[email protected] is replaced with
host/[email protected] taken from /etc/krb5/krb5.keytab:
2) Cache name:
Ticket cache: FILE:/tmp/.client.cache.5458
Default principal: host/[email protected]
Valid starting Expires Service principal
11/20/09 09:28:38 11/20/09 09:33:38 krbtgt/[email protected]
11/20/09 09:28:38 11/20/09 09:33:38
ldap/[email protected]
LDAP Attributes:
User-Mail = [email protected]
User-Display-Name = Markus Moeller
User-SamAccountName = markus
User-Account-Locked = No
User-Principal-Name = [email protected]
Any ideas ?
Markus
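#!/usr/bin/perl
#
# PostAuthHook:
#
# Reads LDAP attributes of one user from Active Directory and prints them
# as Radius attributes.
#
# Flow: resolve the domain's A records and keep only the names whose
# PTR -> A round trip gives the same address back, connect to those hosts
# over LDAP, obtain a Kerberos ticket from a keytab into a private
# credential cache, SASL/GSSAPI bind, search the user, print the result.
#
# Exits (status 0) with a message on any DNS, kinit, bind or search failure.
#
use strict;
use warnings;

use Net::LDAP 0.39;
use Authen::SASL;
use Net::DNS;
use Data::Dumper;

# Flush STDOUT after each print so the "N) Cache name" markers stay in
# sequence with the output of the klist child processes.
$| = 1;

#
# Changeable values
#
my $domain    = 'WIN2003r2.HOME';
my $bind_path = 'dc=win2003r2,dc=home';
my $keytab    = './clienttest.keytab';
my $principal = 'client/test';

# DNS details
my $ares = Net::DNS::Resolver->new;
my $nres = Net::DNS::Resolver->new;
my $rres = Net::DNS::Resolver->new;
my @hosts;   # names that survived the forward/reverse/forward check

#
# Query DNS and make sanity checks to guarantee Kerberos works
#
my $aquery = $ares->query($domain);
if (!$aquery) {
    # Method calls do not interpolate; "$ares->errorstring" would print
    # the object's address followed by the literal text "->errorstring".
    print 'DNS query failed: ', $ares->errorstring, "\n";
    exit;
}
# loop over list of IP-addresses
foreach my $arr ($aquery->answer) {
    next unless $arr->type eq 'A';
    my $nquery = $nres->query($arr->address) or next;
    # Get names for IP-addresses
    foreach my $nrr ($nquery->answer) {
        next unless $nrr->type eq 'PTR';
        my $rquery = $rres->query($nrr->ptrdname) or next;
        # Check if DNS lookup of name gives same IP-address
        foreach my $rrr ($rquery->answer) {
            next unless $rrr->type eq 'A';
            # String compare: '==' numifies dotted quads, so 10.1.2.3 and
            # 10.1.9.9 would both become 10.1 and compare equal.
            push @hosts, $nrr->ptrdname if $rrr->address eq $arr->address;
        }
    }
}
if (!@hosts) {
    print "No DNS-verified host found for $domain\n";
    exit;
}

# ldap details
my $server = \@hosts;   # Net::LDAP->new accepts an array ref of hosts
my $port   = 389;
# Single quotes: inside "..." the @-part of an address would be
# interpolated as an array and vanish under strict.
my $user   = '[email protected]';

# Escape the RFC 4515 filter metacharacters ( ) * \ and NUL so a user
# string cannot change the meaning of the search filter.
# (Net::LDAP::Util::escape_filter_value does the same if available.)
sub _escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}

#
# Connect to the verified hosts (tried in turn) to get the user's details
#
print Dumper($server);
my $ldap = Net::LDAP->new($server,
    port    => $port,
    timeout => 2,
    version => 3) or die "LDAP connect failed: $@";

# Setup a private Kerberos cache for this process.
# NOTE(review): the path is predictable and lives in world-writable /tmp;
# a per-user directory or a mkstemp-style name would be safer.
my $ccache = "/tmp/.client.cache.$$";
$ENV{KRB5CCNAME} = $ccache;
print "0) Cache name: $ccache\n";

# List-form system(): no shell, so $keytab and $principal are passed as-is.
if (system('kinit', '-kt', $keytab, '-l', '5min', $principal) != 0) {
    print "kinit failed for $principal (exit status ", $? >> 8, ")\n";
    exit;
}
my $sasl = Authen::SASL->new('GSSAPI', user => '');

# The cache name is read back from %ENV: a bare $KRB5CCNAME is an
# (undeclared, empty) Perl variable, which is why the original printed
# "1) Cache name:" with nothing after it.
print "1) Cache name: $ENV{KRB5CCNAME}\n";
system('klist', '-c', $ccache);

my $mesg = $ldap->bind('', sasl => $sasl);
print "2) Cache name: $ENV{KRB5CCNAME}\n";
system('klist', '-c', $ccache);
if ($mesg->code) {
    # Report bind problems separately: a search after a failed bind only
    # shows a generic search error and hides the GSSAPI cause.
    unlink $ccache;
    print 'LDAP bind error: ', $mesg->error, "\n";
    exit;
}

$mesg = $ldap->search(   # perform a search
    base      => $bind_path,
    filter    => '(userprincipalname=' . _escape_filter_value($user) . ')',
    timelimit => 2,
    attrs     => [qw(mail displayname samaccountname
                     useraccountcontrol userprincipalname)],
);
# The ticket is no longer needed once the search has been issued.
unlink $ccache or warn "unlink $ccache: $!";
if ($mesg->code) {
    # Concatenate, don't interpolate: "$mesg->error" prints
    # "Net::LDAP::Search=HASH(0x...)->error" instead of the message.
    print 'LDAP search error: ', $mesg->error, "\n";
    exit;
}

my ($mail, $displayname, $samaccountname, $useraccountcontrol,
    $userprincipalname);
# userPrincipalName is expected to be unique; with several matches the
# last entry's values are the ones kept, as before.
foreach my $entry ($mesg->entries) {
    $mail               = $entry->get_value('mail');
    $displayname        = $entry->get_value('displayname');
    $samaccountname     = $entry->get_value('samaccountname');
    $useraccountcontrol = $entry->get_value('useraccountcontrol');
    $userprincipalname  = $entry->get_value('userprincipalname');
}
$ldap->unbind;   # take down session

# Bit 0x0002 of userAccountControl is ACCOUNTDISABLE; the LOCKOUT bit is
# 0x0010. NOTE(review): confirm which one "Account-Locked" should report.
my $useraccountlocked;
$useraccountlocked = ($useraccountcontrol & 0x0002) ? 'Yes' : 'No'
    if defined $useraccountcontrol;

print "PostAuthHook added LDAP Attributes:\n";
print 'User-Mail = ',           $mail              // '', "\n";
print 'User-Display-Name = ',   $displayname       // '', "\n";
print 'User-SamAccountName = ', $samaccountname    // '', "\n";
print 'User-Account-Locked = ', $useraccountlocked // '', "\n";
print 'User-Principal-Name = ', $userprincipalname // '', "\n";

if (!defined $useraccountcontrol) {
    print "User $user not found in Active directory\n";
    exit;
}
# 'ne', not '!=': comparing two non-numeric strings with '!=' is 0 != 0,
# always false, so a disabled account was never reported here.
if ($useraccountlocked ne 'No') {
    print "User $displayname($userprincipalname) locked\n";
    exit;
}
exit;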