MySQL 8.4.2
Source Code Documentation
|
Kerberos class is built around kerberos library. More...
#include <auth_ldap_kerberos.h>
Public Member Functions | |
Kerberos () | |
Constructor. More... | |
~Kerberos () | |
Destructor. More... | |
void | set_user_and_password (const char *user, const char *password) |
Set user, realm and password member variables. More... | |
bool | obtain_store_credentials () |
bool | get_default_principal_name (std::string &name) |
This function retrieves default principle from kerberos configuration and parses the user name from it. More... | |
bool | credentials_valid () |
Check if the cache contains valid credentials. More... | |
void | destroy_credentials () |
Destroys existing credentials (remove them from the cache). More... | |
void | get_ldap_host (std::string &host) |
This function gets LDAP host from krb5.conf file. More... | |
bool | get_kerberos_config () |
This method gets kerberos profile settings from krb5.conf file. More... | |
Private Member Functions | |
bool | initialize () |
This function creates kerberos context, initializes credentials cache and user principal. More... | |
void | cleanup () |
This function frees kerberos context, credentials, credentials cache and user principal. More... | |
void | log (int error_code) |
Log a Kerberos error, the message is taken from the Kerberos based on the error code. More... | |
void | get_ldap_server_from_kdc () |
Gets LDAP server name from krb5.conf file, realms section, kdc option. More... | |
bool | open_default_cache () |
Opens default Kerberos cache. More... | |
void | close_default_cache () |
Closes default Kerberos cache. More... | |
Private Attributes | |
bool | m_initialized |
is the object initialized More... | |
std::string | m_user |
user name More... | |
std::string | m_password |
user password More... | |
std::string | m_realm |
user realm More... | |
std::string | m_ldap_server_host |
LDAP host. More... | |
bool | m_destroy_tgt |
shall be the credentials destroyed on cleanup More... | |
krb5_context | m_context |
Kerberos context. More... | |
krb5_ccache | m_krb_credentials_cache |
Kerberos cache. More... | |
krb5_creds | m_credentials |
Kerberos credentials. More... | |
bool | m_credentials_created |
were the credentials created by the object More... | |
Krb5_interface | krb5 |
interface to kerberos functions More... | |
Kerberos class is built around kerberos library.
This class should/can be used for different part of code as standalone class. This class performs following operations:
Credentials: A ticket plus the secret session key necessary to use that ticket successfully in an authentication exchange.
Principal: A named client or server entity that participates in a network communication, with one name that is considered canonical
Credential cache: A credential cache (or ccache) holds Kerberos credentials while they remain valid and, generally, while the user's session lasts, so that authenticating to a service multiple times (e.g., connecting to a web or mail server more than once) doesn't require contacting the KDC every time.
auth_ldap_sasl_client::Kerberos::Kerberos | ( | ) |
Constructor.
auth_ldap_sasl_client::Kerberos::~Kerberos | ( | ) |
Destructor.
|
private |
This function frees kerberos context, credentials, credentials cache and user principal.
|
private |
Closes default Kerberos cache.
bool auth_ldap_sasl_client::Kerberos::credentials_valid | ( | ) |
Check if the cache contains valid credentials.
true | valid credentials exist |
false | valid credentials not exist or an error ocurred |
void auth_ldap_sasl_client::Kerberos::destroy_credentials | ( | ) |
Destroys existing credentials (remove them from the cache).
bool auth_ldap_sasl_client::Kerberos::get_default_principal_name | ( | std::string & | name | ) |
This function retrieves default principle from kerberos configuration and parses the user name from it.
If user name has not been provided in the MySQL client, This method can be used to get the user name and use for authentication.
true | Successfully able to get user name. |
false | Failed to get user name. |
bool auth_ldap_sasl_client::Kerberos::get_kerberos_config | ( | ) |
This method gets kerberos profile settings from krb5.conf file.
true | success |
false | failure |
Sample krb5.conf file format may be like this:
[realms] MEM.LOCAL = { kdc = VIKING67.MEM.LOCAL admin_server = VIKING67.MEM.LOCAL default_domain = MEM.LOCAL }
[appdefaults] mysql = { ldap_server_host = ldap_host.oracle.com ldap_destroy_tgt = true }
kdc: The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator.
For example: kdchost.example.com:88
Details from: https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
Host information is used by LDAP SASL client API while initialization. LDAP SASL API doesn't need port information and port is not used any where.
void auth_ldap_sasl_client::Kerberos::get_ldap_host | ( | std::string & | host | ) |
This function gets LDAP host from krb5.conf file.
|
private |
Gets LDAP server name from krb5.conf file, realms section, kdc option.
|
private |
This function creates kerberos context, initializes credentials cache and user principal.
true | All the required kerberos objects like context, credentials cache and user principal are initialized correctly. |
false | Required kerberos objects failed to initialized. |
|
private |
Log a Kerberos error, the message is taken from the Kerberos based on the error code.
error_code | [in] Kerberos error code |
bool auth_ldap_sasl_client::Kerberos::obtain_store_credentials | ( | ) |
true | Successfully able to obtain and store credentials. |
false | Failed to obtain and store credentials. |
|
private |
Opens default Kerberos cache.
true | success |
false | failure |
void auth_ldap_sasl_client::Kerberos::set_user_and_password | ( | const char * | user, |
const char * | password | ||
) |
Set user, realm and password member variables.
user | [in] user name |
password | [in] password |
|
private |
interface to kerberos functions
|
private |
Kerberos context.
|
private |
Kerberos credentials.
|
private |
were the credentials created by the object
|
private |
shall be the credentials destroyed on cleanup
|
private |
is the object initialized
|
private |
Kerberos cache.
|
private |
LDAP host.
|
private |
user password
|
private |
user realm
|
private |
user name