MySQL 8.4.2
Source Code Documentation
auth_ldap_sasl_client::Kerberos Class Reference

Kerberos class is built around kerberos library. More...

#include <auth_ldap_kerberos.h>

Public Member Functions

 Kerberos ()
 Constructor. More...
 
 ~Kerberos ()
 Destructor. More...
 
void set_user_and_password (const char *user, const char *password)
 Set user, realm and password member variables. More...
 
bool obtain_store_credentials ()
 
bool get_default_principal_name (std::string &name)
 This function retrieves default principle from kerberos configuration and parses the user name from it. More...
 
bool credentials_valid ()
 Check if the cache contains valid credentials. More...
 
void destroy_credentials ()
 Destroys existing credentials (remove them from the cache). More...
 
void get_ldap_host (std::string &host)
 This function gets LDAP host from krb5.conf file. More...
 
bool get_kerberos_config ()
 This method gets kerberos profile settings from krb5.conf file. More...
 

Private Member Functions

bool initialize ()
 This function creates kerberos context, initializes credentials cache and user principal. More...
 
void cleanup ()
 This function frees kerberos context, credentials, credentials cache and user principal. More...
 
void log (int error_code)
 Log a Kerberos error, the message is taken from the Kerberos based on the error code. More...
 
void get_ldap_server_from_kdc ()
 Gets LDAP server name from krb5.conf file, realms section, kdc option. More...
 
bool open_default_cache ()
 Opens default Kerberos cache. More...
 
void close_default_cache ()
 Closes default Kerberos cache. More...
 

Private Attributes

bool m_initialized
 is the object initialized More...
 
std::string m_user
 user name More...
 
std::string m_password
 user password More...
 
std::string m_realm
 user realm More...
 
std::string m_ldap_server_host
 LDAP host. More...
 
bool m_destroy_tgt
 shall be the credentials destroyed on cleanup More...
 
krb5_context m_context
 Kerberos context. More...
 
krb5_ccache m_krb_credentials_cache
 Kerberos cache. More...
 
krb5_creds m_credentials
 Kerberos credentials. More...
 
bool m_credentials_created
 were the credentials created by the object More...
 
Krb5_interface krb5
 interface to kerberos functions More...
 

Detailed Description

Kerberos class is built around kerberos library.

This class should/can be used for different part of code as standalone class. This class performs following operations:

  1. Authentication with kerberos server and store the credentials in cache.
  2. Get the default configured kerberos user in the OS, from default principal.

Credentials: A ticket plus the secret session key necessary to use that ticket successfully in an authentication exchange.

Principal: A named client or server entity that participates in a network communication, with one name that is considered canonical

Credential cache: A credential cache (or ccache) holds Kerberos credentials while they remain valid and, generally, while the user's session lasts, so that authenticating to a service multiple times (e.g., connecting to a web or mail server more than once) doesn't require contacting the KDC every time.

Constructor & Destructor Documentation

◆ Kerberos()

auth_ldap_sasl_client::Kerberos::Kerberos ( )

Constructor.

◆ ~Kerberos()

auth_ldap_sasl_client::Kerberos::~Kerberos ( )

Destructor.

Member Function Documentation

◆ cleanup()

void auth_ldap_sasl_client::Kerberos::cleanup ( )
private

This function frees kerberos context, credentials, credentials cache and user principal.

◆ close_default_cache()

void auth_ldap_sasl_client::Kerberos::close_default_cache ( )
private

Closes default Kerberos cache.

◆ credentials_valid()

bool auth_ldap_sasl_client::Kerberos::credentials_valid ( )

Check if the cache contains valid credentials.

Return values
truevalid credentials exist
falsevalid credentials not exist or an error ocurred

◆ destroy_credentials()

void auth_ldap_sasl_client::Kerberos::destroy_credentials ( )

Destroys existing credentials (remove them from the cache).

◆ get_default_principal_name()

bool auth_ldap_sasl_client::Kerberos::get_default_principal_name ( std::string &  name)

This function retrieves default principle from kerberos configuration and parses the user name from it.

If user name has not been provided in the MySQL client, This method can be used to get the user name and use for authentication.

Return values
trueSuccessfully able to get user name.
falseFailed to get user name.

◆ get_kerberos_config()

bool auth_ldap_sasl_client::Kerberos::get_kerberos_config ( )

This method gets kerberos profile settings from krb5.conf file.

Return values
truesuccess
falsefailure

Sample krb5.conf file format may be like this:

[realms] MEM.LOCAL = { kdc = VIKING67.MEM.LOCAL admin_server = VIKING67.MEM.LOCAL default_domain = MEM.LOCAL }

This portion is optional

[appdefaults] mysql = { ldap_server_host = ldap_host.oracle.com ldap_destroy_tgt = true }

kdc: The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator.

For example: kdchost.example.com:88

Details from: https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html

Host information is used by LDAP SASL client API while initialization. LDAP SASL API doesn't need port information and port is not used any where.

◆ get_ldap_host()

void auth_ldap_sasl_client::Kerberos::get_ldap_host ( std::string &  host)

This function gets LDAP host from krb5.conf file.

◆ get_ldap_server_from_kdc()

void auth_ldap_sasl_client::Kerberos::get_ldap_server_from_kdc ( )
private

Gets LDAP server name from krb5.conf file, realms section, kdc option.

◆ initialize()

bool auth_ldap_sasl_client::Kerberos::initialize ( )
private

This function creates kerberos context, initializes credentials cache and user principal.

Return values
trueAll the required kerberos objects like context, credentials cache and user principal are initialized correctly.
falseRequired kerberos objects failed to initialized.

◆ log()

void auth_ldap_sasl_client::Kerberos::log ( int  error_code)
private

Log a Kerberos error, the message is taken from the Kerberos based on the error code.

Parameters
error_code[in] Kerberos error code

◆ obtain_store_credentials()

bool auth_ldap_sasl_client::Kerberos::obtain_store_credentials ( )
  1. This function authenticates with kerberos server.
  2. If TGT destroy is false, this function stores the TGT in Kerberos cache for subsequent usage.
  3. If user credentials already exist in the cache, it doesn't attempt to get it again.
Return values
trueSuccessfully able to obtain and store credentials.
falseFailed to obtain and store credentials.

◆ open_default_cache()

bool auth_ldap_sasl_client::Kerberos::open_default_cache ( )
private

Opens default Kerberos cache.

Return values
truesuccess
falsefailure

◆ set_user_and_password()

void auth_ldap_sasl_client::Kerberos::set_user_and_password ( const char *  user,
const char *  password 
)

Set user, realm and password member variables.

Parameters
user[in] user name
password[in] password

Member Data Documentation

◆ krb5

Krb5_interface auth_ldap_sasl_client::Kerberos::krb5
private

interface to kerberos functions

◆ m_context

krb5_context auth_ldap_sasl_client::Kerberos::m_context
private

Kerberos context.

◆ m_credentials

krb5_creds auth_ldap_sasl_client::Kerberos::m_credentials
private

Kerberos credentials.

◆ m_credentials_created

bool auth_ldap_sasl_client::Kerberos::m_credentials_created
private

were the credentials created by the object

◆ m_destroy_tgt

bool auth_ldap_sasl_client::Kerberos::m_destroy_tgt
private

shall be the credentials destroyed on cleanup

◆ m_initialized

bool auth_ldap_sasl_client::Kerberos::m_initialized
private

is the object initialized

◆ m_krb_credentials_cache

krb5_ccache auth_ldap_sasl_client::Kerberos::m_krb_credentials_cache
private

Kerberos cache.

◆ m_ldap_server_host

std::string auth_ldap_sasl_client::Kerberos::m_ldap_server_host
private

LDAP host.

◆ m_password

std::string auth_ldap_sasl_client::Kerberos::m_password
private

user password

◆ m_realm

std::string auth_ldap_sasl_client::Kerberos::m_realm
private

user realm

◆ m_user

std::string auth_ldap_sasl_client::Kerberos::m_user
private

user name


The documentation for this class was generated from the following files: