I have an OpenSolaris system with Perl 5.8.4 installed as part of the OpenSolaris install, on which I installed Net::LDAP, GSSAPI, Authen::Krb5 and Net::DNS with all of their dependencies.

When I run my Perl script, I get this error:

./LDAP-AD-query.pl
GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

Looking at the Kerberos traffic, I see that a TGS for ldap/<ip-address> is requested instead of ldap/<fqdn>. When I change LDAP.pm as shown below, it works.

   # If we're talking to a round-robin, the canonical name of
   # the host we are talking to might not match the name we
   # requested
   my $connected_name = $ldap->{net_ldap_socket}->peerhost;
#    $connected_name ||= $ldap->{net_ldap_host};
   # Local change: ignore the peer address and use net_ldap_host
   # (presumably the name that was asked for) unconditionally, so the
   # GSSAPI target becomes ldap/<that name> rather than ldap/<address>.
   # NOTE(review): this also drops the round-robin handling the comment
   # above describes -- check what the unmodified code does with
   # $connected_name further down before keeping this override.
   $connected_name = $ldap->{net_ldap_host};

Running the same script on OpenSuse with Perl 5.10.0 works fine without the change. Which underlying Perl module do I have to update?

Thank you
Markus



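#!/usr/bin/perl
#
#   Reads LDAP Attributes and store them as Radius Attributes
#
#   Flow: resolve the directory host in DNS (forward, reverse, forward
#   again, keeping only names that lead back to the same address),
#   connect to the Global Catalog over LDAPS, pull a TGT from a keytab
#   into a throw-away credential cache, bind with SASL/GSSAPI, search
#   one user and print a handful of its attributes.
#
use strict;
use warnings;

use Net::LDAPS;
use Authen::SASL qw(Perl);
# use Authen::SASL;
use Authen::Krb5;
use Net::DNS;
use Data::Dumper;

# sAMAccountName of the user to look up. It is interpolated into the
# LDAP filter below unescaped, which is fine for a constant; should it
# ever come from input, pass it through Net::LDAP::Util::escape_filter_value.
my $user = 'mm';

# DNS details: one resolver per stage (forward, reverse, forward again)
my $ares = Net::DNS::Resolver->new;
my $nres = Net::DNS::Resolver->new;
my $rres = Net::DNS::Resolver->new;
my $aquery = $ares->query("win2003r2.home");
my @hosts;    # candidate host names, in DNS answer order

#
# Query DNS and make sanity checks to guarantee Kerberos works: a name
# is kept only if A -> PTR -> A leads back to the address we started
# from, so the host handed to GSSAPI is one the KDC knows by that name.
#
if ($aquery) {
  # loop over list of IP-addresses
  foreach my $arr ($aquery->answer) {
    next unless $arr->type eq "A";
    my $nquery = $nres->query($arr->address);
    next unless $nquery;
    # Get names for IP-addresses
    foreach my $nrr ($nquery->answer) {
      next unless $nrr->type eq "PTR";
      my $rquery = $rres->query($nrr->ptrdname);
      next unless $rquery;
      # Check if DNS lookup of name gives same IP-address
      foreach my $rrr ($rquery->answer) {
        next unless $rrr->type eq "A";
        # push instead of building a space-separated string: the old
        # " name1 name2" string split into a leading empty element
        push @hosts, $nrr->ptrdname if $rrr->address eq $arr->address;
      }
    }
  }
} else {
    # a method call does not interpolate inside a double-quoted string
    print("DNS query failed: " . $ares->errorstring . "\n");
    exit 1;    # a failed lookup is a failure, not a clean exit
}
die "no host name for win2003r2.home survives the forward/reverse check\n"
    unless @hosts;

# ldap details
my $server = \@hosts;    # Net::LDAP tries the candidates in turn
my $bind_path = 'dc=win2003r2,dc=home';
my ($mail, $samaccountname, $userprincipalname, $useraccountcontrol);
my ($ldap, $sasl, $mesg, $entry);

#
# Connect to Global Catalog to get details of all trusted domain users
#
# $ldap = Net::LDAPS->new( $server,
#                          port => 3269,
#
# verify => 'never' turns certificate checking off, so the TLS layer
# does not authenticate the server -- only the GSSAPI bind below does.
# Use verify => 'require' plus cafile/capath for anything beyond a lab.
$ldap = Net::LDAPS->new( $server,
                         port    => 3269,
                         timeout => 2,
                         verify  => 'never',
                         version => 3) or die "$@";


# Setup Kerberos cache
Authen::Krb5::init_context();
# One cache file per process. The name is predictable (pid-based) in a
# shared /tmp and nothing here narrows its permissions, so the TGT sits
# there between store_cred and destroy; a private directory is safer.
my $ccache_name = "FILE:/tmp/.client.cache.$$";
my $ccache = Authen::Krb5::cc_resolve($ccache_name)
    or die "cc_resolve $ccache_name: " . Authen::Krb5::error();
my $kt = Authen::Krb5::kt_resolve('FILE:./clienttest.keytab')
    or die "kt_resolve: " . Authen::Krb5::error();
# Principal name exactly as posted; the "..." looks like archive redaction.
my $princ = Authen::Krb5::parse_name('client/t...@win2003r2.home')
    or die "parse_name: " . Authen::Krb5::error();
$ccache->initialize($princ);
my $creds = Authen::Krb5::get_init_creds_keytab($princ, $kt)
    or die "get_init_creds_keytab: " . Authen::Krb5::error();
$ccache->store_cred($creds);

$ENV{'KRB5CCNAME'} = $ccache_name;
$sasl = Authen::SASL->new( mechanism => 'GSSAPI', 'user' => '');

# Bind and search inside eval so the credential cache is always removed
# (previously a failed bind died before ->destroy and left the TGT in
# /tmp); the failure is re-thrown once the cache is gone.
my $failure;
eval {
    $mesg = $ldap->bind( '',
                         sasl => $sasl) ;

    $mesg->code && die $mesg->error;

    $mesg = $ldap->search( # perform a search
                             base   => $bind_path,
                             filter => "(samaccountname=$user)",
                             timelimit => 2,
                             attrs => ['mail',
                                       'samaccountname',
                                       'useraccountcontrol',
                                       'userprincipalname']
                           );
    1;
} or $failure = $@ || 'unknown error';
$ccache->destroy;
die $failure if defined $failure;

$mesg->code && die $mesg->error;

# With several matching entries the last one wins, as before.
foreach $entry ($mesg->entries) {
    $mail = $entry->get_value('mail');
    $samaccountname = $entry->get_value('samaccountname');
    $useraccountcontrol = $entry->get_value('useraccountcontrol');
    $userprincipalname = $entry->get_value('userprincipalname');
}

$mesg = $ldap->unbind;  # take down session

# 'my' with a statement modifier (the original form) is documented as
# undefined behaviour; decide with a plain ternary. Bit 0x0002 is
# ACCOUNTDISABLE in AD's userAccountControl (LOCKOUT is 0x0010), so the
# "Locked" label below really reports "disabled".
my $locked = defined $useraccountcontrol
    ? (($useraccountcontrol & 0x0002) ? "Yes" : "No")
    : undef;

# A search that returned nothing leaves every field undefined; say so on
# stderr but keep the old stdout layout (blank values) for the caller.
warn "no entry for samaccountname=$user under $bind_path\n"
    unless defined $samaccountname;
{
    no warnings 'uninitialized';    # blank fields are intentional here
    print("Retrieved LDAP  Attributes:\n");
    print("User-Mail = $mail\n");
    print("User-SAM-Accountname = $samaccountname\n");
    print("User-Account-Control = $useraccountcontrol\n");
    print("User-Account-Locked = $locked \n");
    print("User-Principal-name = $userprincipalname\n");
}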

