authen::krb5::admin : create principal

Jason T Hardy jthardy at uta.edu
Fri Apr 8 15:55:42 EDT 2005


This is a simple adduser script that authenticates the admin principal
with a keytab. You should search CPAN for Authen::Krb5::Admin; there are plenty
of useful examples there. Note: I've removed most of the error handling
here, so don't use this code without first cleaning it up.

Jason

----

use Authen::Krb5::Admin qw(:constants);
use Authen::Krb5;

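# Initialise the Kerberos 5 library and return the context handle.
#
# Returns whatever Authen::Krb5::init_context() yields.  Failures are
# reported with warn() and never thrown, so the result can be undef:
# callers must check it before attempting any administrative operation.
sub setup_krb5 {
	my $krb5context;

	# The trailing "1" makes the eval's own value the success signal, so
	# an exception is noticed even if $@ ends up empty.
	my $ok = eval {
		$krb5context = Authen::Krb5::init_context();
		Authen::Krb5::init_ets();
		1;
	};

	if ( !$ok ) {
		warn $@ || "Kerberos initialisation failed for an unknown reason\n";
	}
	elsif ( !defined $krb5context ) {
		# No exception, but no context either: report it instead of
		# silently handing undef back to the caller.
		warn "Authen::Krb5::init_context failed: ", Authen::Krb5::error(), "\n";
	}

	return $krb5context;
}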

# Open a kadmin session authenticated with a key taken from a keytab.
#
# Takes the admin principal name and the keytab location, passes both to
# Authen::Krb5::Admin->init_with_skey and returns the handle it yields.
# Dies with Authen::Krb5::Admin::error when no handle comes back.
#
# The keytab holds the admin principal's long-term key: anyone who can
# read that file can act as the admin principal, so it should be
# readable only by the account that runs this script.
sub setup_kadmin {
	my ( $krb_admin_princ, $krb_admin_keytab ) = @_;

	my $handle = Authen::Krb5::Admin->init_with_skey(
		$krb_admin_princ,
		$krb_admin_keytab,
	);

	if ( !$handle ) {
		die Authen::Krb5::Admin::error();
	}

	return $handle;
}


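# Create a Kerberos principal named $uid with initial password
# $userPassword, using the open kadmin handle $kadm5.
#
# If get_principal already finds the name, nothing is created and a
# warning is printed instead.  Returns true in both cases; dies with the
# library's error value when any Kerberos call fails, and with a plain
# message when $uid or $userPassword is missing or empty.
sub KERB_add_principal {
	my ( $kadm5, $uid, $userPassword ) = @_;

	# Reject unusable input before contacting the KDC.  In particular an
	# undefined or empty password must never reach create_principal.
	# The password itself is deliberately kept out of every message.
	die "KERB_add_principal: uid must be a non-empty string\n"
	  unless defined $uid && length $uid;
	die "KERB_add_principal: refusing to create $uid with an empty password\n"
	  unless defined $userPassword && length $userPassword;

	# Parse the textual name into a principal object.
	my $krb5_princ = Authen::Krb5::parse_name($uid)
	  or die Authen::Krb5::error();

	# Build the kadm5 principal record and attach the parsed name to it.
	# NOTE(review): these two calls report through Authen::Krb5::error
	# while the later ones use Authen::Krb5::Admin::error -- confirm
	# which accessor the Principal methods actually set.
	my $kadm5_princ = Authen::Krb5::Admin::Principal->new
	  or die Authen::Krb5::error();
	$kadm5_princ->principal($krb5_princ)
	  or die Authen::Krb5::error();

	# Any false result from get_principal is treated as "not present",
	# which also covers a failed lookup.  The create_principal call
	# below remains the authoritative check and dies on failure.
	if ( $kadm5->get_principal($krb5_princ) ) {
		warn "WARNING: Principal $uid already existed in Kerberos\n";
		return 1;
	}

	# Attach the "default" password policy to the new principal.
	$kadm5_princ->policy("default")
	  or die Authen::Krb5::Admin::error();

	# Set the password expiration to the current time; presumably this
	# forces a password change at first login -- confirm against the
	# realm's policy.
	$kadm5_princ->pw_expiration( time() )
	  or die Authen::Krb5::Admin::error();

	$kadm5->create_principal( $kadm5_princ, $userPassword )
	  or die Authen::Krb5::Admin::error();

	return 1;
}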

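# Site-specific settings; every quoted value below is a placeholder.
# For real use, obtain the new user's initial password at run time (a
# prompt, or a file only the operator can read) rather than storing it
# in the script, and keep the keytab readable only by the account that
# runs this.
my $krb_admin_princ = "your admin princ";
my $krb_admin_keytab = "your keytab location";
my $uid = "your new username";
my $userPassword = "your new password";

# setup_krb5 only warns on failure and can return undef, so stop here
# rather than going on to kadmin with an uninitialised library.
my $krb5context = setup_krb5()
  or die "Kerberos library initialisation failed\n";
my $kadm5       = setup_kadmin( $krb_admin_princ, $krb_admin_keytab );
KERB_add_principal( $kadm5, $uid, $userPassword );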

---



On Fri, 2005-04-08 at 14:56 -0400, FM wrote:
> Hello,
> Do you have example to manage kerberos db using perl
> I create a simple test script :
> 
> $handle = 
> Authen::Krb5::Admin->init_with_password("$ADMINPRINC","$adminpass");
> $kp=Authen::krb5::get_default_realm();
> print $kp;
> 
> but I received :
> Undefined subroutine &Authen::krb5::get_default_realm
> 
> I'd like to be able to add principal and change password for existing 
> users (2 scripts are fine).
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
-- 

Jason T Hardy
Enterprise Operations and Systems
Office of Information Technology
University of Texas at Arlington
GnuPG Public Key: http://omega.uta.edu/~jthardy/jthardy.gpg.asc