ETOOBUSY 🚀 minimal blogging for the impatient
Perl GSSAPI options
Passing options to Perl module GSSAPI is a bit clunky but doable.
It’s no secret I’m messing with Net::LDAP and Kerberos too, which means using Authen::SASL with a GSSAPI mechanism.
Confused? Well, I was, and I probably still am - although possibly a bit less. More on this in some future post, anyway.
One specific problem I encountered while trying to make the getcred_hostbased.pl example (local version here) work was about some automatic DNS resolutions and canonicalization actions performed by the library, which make working with the FreeIPA demo impossible.
See also the ASCII-cast in Trying Kerberos. The need to add a command-line option to ldapsearch stems from the same reason.
There seems to be no place where to put additional options in the GSSAPI bindings, and probably in the whole GSSAPI thing, which is a generic mechanism that might be tied to Kerberos, but not
One way to get those options in place is through a configuration file, which the library goes to look for based on environment variable KRB5_CONFIG. In my case, to disable the annoyance it sufficed to do this:
$ export KRB5_CONFIG="$PWD/custom-krb5.conf"
$ cat > "$KRB5_CONFIG" <<'END'
[libdefaults]
dns_canonicalize_hostname = false
default_ccache_name = MEMORY
END
Actually… only disabling dns_canonicalize_hostname was needed to make the example work, but I decided to avoid cluttering the filesystem
Now I’m left wondering how many security pitfalls are hidden in this intricate way of setting a few options… 🤯 I’ll probably go look into ldapsearch to see what they do.
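Added example, not part of the original post: one way to keep such an override contained is to write it to a private directory, check the file's ownership and permissions before use, and set KRB5_CONFIG for a single command instead of exporting it. The function names are hypothetical, and only the dns_canonicalize_hostname setting from above is written.

```shell
#!/bin/sh
# Added example, not code from the original post. Function names are hypothetical.
# Usage, e.g.: with_krb5_conf "$(make_krb5_override)" perl getcred_hostbased.pl

# Write the override into a fresh private directory (mktemp -d creates it with
# mode 0700) and print the path of the generated file.
make_krb5_override() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5-override.XXXXXX") || return 1
    ( umask 077
      printf '[libdefaults]\n    dns_canonicalize_hostname = false\n' \
          > "$dir/krb5.conf" ) || return 1
    printf '%s\n' "$dir/krb5.conf"
}

# Print the path only if it has the given type, is owned by the current user
# and is not writable by group or others. find does not follow symlinks here,
# so a symlink never counts as a regular file.
owned_and_private() {
    find "$1" -prune -type "$2" -user "$(id -u)" ! -perm -020 ! -perm -002 2>/dev/null
}

# A config is accepted only if both the file and its directory pass the check.
krb5_conf_is_safe() {
    [ -n "$(owned_and_private "$1" f)" ] &&
    [ -n "$(owned_and_private "$(dirname "$1")" d)" ]
}

# Run one command with KRB5_CONFIG set for that process only; the calling
# shell's environment is left untouched.
with_krb5_conf() {
    conf=$1; shift
    krb5_conf_is_safe "$conf" || { echo "refusing unsafe config: $conf" >&2; return 1; }
    env KRB5_CONFIG="$conf" "$@"
}
```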
Stay safe folks!