MySQL 8.4.2
Source Code Documentation
auth_ldap_kerberos.h
Go to the documentation of this file.
1/* Copyright (c) 2020, 2024, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is designed to work with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have either included with
13 the program or referenced in the documentation.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23
24#ifndef AUTH_LDAP_KERBEROS_H_
25#define AUTH_LDAP_KERBEROS_H_
26
27#include <assert.h>
28#include <krb5/krb5.h>
29
30#include <string>
31
32#include "krb5_interface.h"
33
34namespace auth_ldap_sasl_client {
35
36/**
37 Kerberos class is built around kerberos library.
38 This class should/can be used for different part of code as standalone
39 class.
40 This class performs following operations:
41 1. Authentication with kerberos server and store the credentials in cache.
42 2. Get the default configured kerberos user in the OS, from default principal.
43
44 Credentials:
45 A ticket plus the secret session key necessary to use that ticket successfully
46 in an authentication exchange.
47
48 Principal:
49 A named client or server entity that participates in a network communication,
50 with one name that is considered canonical
51
52 Credential cache:
53 A credential cache (or ccache) holds Kerberos credentials while they
54 remain valid and, generally, while the user's session lasts, so that
55 authenticating to a service multiple times (e.g., connecting to a web or mail
56 server more than once) doesn't require contacting the KDC every time.
57*/
58class Kerberos {
59 public:
60 /**
61 Constructor.
62 */
63 Kerberos();
64 /**
65 Destructor.
66 */
67 ~Kerberos();
68 /**
69 Set user, realm and password member variables.
70
71 @param user [in] user name
72 @param password [in] password
73 */
74 void set_user_and_password(const char *user, const char *password);
75 /**
76 1. This function authenticates with kerberos server.
77 2. If TGT destroy is false, this function stores the TGT in Kerberos cache
78 for subsequent usage.
79 3. If user credentials already exist in the cache, it doesn't attempt to get
80 it again.
81
82 @retval true Successfully able to obtain and store credentials.
83 @retval false Failed to obtain and store credentials.
84 */
86 /**
87 This function retrieves default principle from kerberos configuration and
88 parses the user name from it. If user name has not been provided in the
89 MySQL client, This method can be used to get the user name and use for
90 authentication.
91 @retval true Successfully able to get user name.
92 @retval false Failed to get user name.
93 */
94 bool get_default_principal_name(std::string &name);
95 /**
96 Check if the cache contains valid credentials
97
98 @retval true valid credentials exist
99 @retval false valid credentials not exist or an error ocurred
100 */
101 bool credentials_valid();
102 /**
103 Destroys existing credentials (remove them from the cache).
104 */
105 void destroy_credentials();
106 /**
107 This function gets LDAP host from krb5.conf file.
108 */
109 void get_ldap_host(std::string &host);
110
111 /**
112 This method gets kerberos profile settings from krb5.conf file.
113
114 @retval true success
115 @retval false failure
116
117 @details
118 Sample krb5.conf file format may be like this:
119
120 [realms]
121 MEM.LOCAL = {
122 kdc = VIKING67.MEM.LOCAL
123 admin_server = VIKING67.MEM.LOCAL
124 default_domain = MEM.LOCAL
125 }
126
127 # This portion is optional
128 [appdefaults]
129 mysql = {
130 ldap_server_host = ldap_host.oracle.com
131 ldap_destroy_tgt = true
132 }
133
134 kdc:
135 The name or address of a host running a KDC for that realm.
136 An optional port number, separated from the hostname by a colon, may
137 be included. If the name or address contains colons (for example, if it is
138 an IPv6 address), enclose it in square brackets to distinguish the colon
139 from a port separator.
140
141 For example:
142 kdchost.example.com:88
143 [2001:db8:3333:4444:5555:6666:7777:8888]:88
144
145 Details from:
146 https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
147
148 Host information is used by LDAP SASL client API while initialization.
149 LDAP SASL API doesn't need port information and port is not used any where.
150 */
151 bool get_kerberos_config();
152
153 private:
154 /**
155 This function creates kerberos context, initializes credentials cache and
156 user principal.
157 @retval true All the required kerberos objects like context,
158 credentials cache and user principal are initialized correctly.
159 @retval false Required kerberos objects failed to initialized.
160 */
161 bool initialize();
162 /**
163 This function frees kerberos context, credentials, credentials cache and
164 user principal.
165 */
166 void cleanup();
167
168 /** is the object initialized */
170 /** user name */
171 std::string m_user;
172 /** user password */
173 std::string m_password;
174 /** user realm */
175 std::string m_realm;
176 /** LDAP host */
178 /** shall be the credentials destroyed on cleanup */
180 /** Kerberos context */
181 krb5_context m_context;
182 /** Kerberos cache */
184 /** Kerberos credentials */
185 krb5_creds m_credentials;
186 /** were the credentials created by the object */
188 /** interface to kerberos functions */
190
191 /**
192 Log a Kerberos error, the message is taken from the Kerberos based on the
193 error code.
194
195 @param error_code [in] Kerberos error code
196 */
197 void log(int error_code);
198 /**
199 Gets LDAP server name from krb5.conf file, realms section, kdc option.
200 */
202 /**
203 Opens default Kerberos cache.
204
205 @retval true success
206 @retval false failure
207 */
208 bool open_default_cache();
209
210 /**
211 Closes default Kerberos cache.
212 */
213 void close_default_cache();
214};
215} // namespace auth_ldap_sasl_client
216#endif // AUTH_LDAP_KERBEROS_H_
Kerberos class is built around kerberos library.
Definition: auth_ldap_kerberos.h:58
krb5_context m_context
Kerberos context.
Definition: auth_ldap_kerberos.h:181
void get_ldap_host(std::string &host)
This function gets LDAP host from krb5.conf file.
Definition: auth_ldap_kerberos.cc:43
~Kerberos()
Destructor.
Definition: auth_ldap_kerberos.cc:41
std::string m_realm
user realm
Definition: auth_ldap_kerberos.h:175
void set_user_and_password(const char *user, const char *password)
Set user, realm and password member variables.
Definition: auth_ldap_kerberos.cc:88
void cleanup()
This function frees kerberos context, credentials, credentials cache and user principal.
Definition: auth_ldap_kerberos.cc:72
Krb5_interface krb5
interface to kerberos functions
Definition: auth_ldap_kerberos.h:189
bool get_kerberos_config()
This method gets kerberos profile settings from krb5.conf file.
Definition: auth_ldap_kerberos.cc:295
bool open_default_cache()
Opens default Kerberos cache.
Definition: auth_ldap_kerberos.cc:98
bool obtain_store_credentials()
Definition: auth_ldap_kerberos.cc:123
krb5_ccache m_krb_credentials_cache
Kerberos cache.
Definition: auth_ldap_kerberos.h:183
void destroy_credentials()
Destroys existing credentials (remove them from the cache).
Definition: auth_ldap_kerberos.cc:449
std::string m_user
user name
Definition: auth_ldap_kerberos.h:171
void get_ldap_server_from_kdc()
Gets LDAP server name from krb5.conf file, realms section, kdc option.
Definition: auth_ldap_kerberos.cc:259
std::string m_ldap_server_host
LDAP host.
Definition: auth_ldap_kerberos.h:177
std::string m_password
user password
Definition: auth_ldap_kerberos.h:173
bool m_destroy_tgt
shall be the credentials destroyed on cleanup
Definition: auth_ldap_kerberos.h:179
Kerberos()
Constructor.
Definition: auth_ldap_kerberos.cc:32
void close_default_cache()
Closes default Kerberos cache.
Definition: auth_ldap_kerberos.cc:112
bool credentials_valid()
Check if the cache contains valid credentials.
Definition: auth_ldap_kerberos.cc:371
bool get_default_principal_name(std::string &name)
This function retrieves default principle from kerberos configuration and parses the user name from i...
Definition: auth_ldap_kerberos.cc:462
bool m_initialized
is the object initialized
Definition: auth_ldap_kerberos.h:169
void log(int error_code)
Log a Kerberos error, the message is taken from the Kerberos based on the error code.
Definition: auth_ldap_kerberos.cc:511
bool initialize()
This function creates kerberos context, initializes credentials cache and user principal.
Definition: auth_ldap_kerberos.cc:48
bool m_credentials_created
were the credentials created by the object
Definition: auth_ldap_kerberos.h:187
krb5_creds m_credentials
Kerberos credentials.
Definition: auth_ldap_kerberos.h:185
Class representing interface to KRB5 functions.
Definition: krb5_interface.h:141
static char * password
Definition: mysql_secure_installation.cc:58
char * user
Definition: mysqladmin.cc:66
const char * host
Definition: mysqladmin.cc:65
Definition: auth_ldap_kerberos.cc:30
case opt name
Definition: sslopt-case.h:29