LDAP command line gives me a similar result. GetKeytabControl (giving me
result in controls) vs Whoami (result in data):

$ LDAPTLS_REQCERT=never ldapexop -D uid=admin,cn=users,cn=accounts,dc=example,dc=test -H ldaps://ipa.example.test:636 -w hello_world 2.16.840.1.113730.3.8.10.5::oRswGaAXBBVob3N0L2lwYS5leGFtcGxlLnRlc3Q=
# extended operation response control: 2.16.840.1.113730.3.8.10.5 false
ooHzMIHwAgECMIHqMC2gKzApoAMCARKhIgQg
UiWy7BM9Z8lKrQe/FIOszGekd/xW2JAjGiVz59iwR5wwHaAbMBmgAwIBEaESBBD3a5CELfCpAr+lS
Nv+oJR5MB2gGzAZoAMCAROhEgQQTU9YDq7tlV+656rNP0M3BTAtoCswKaADAgEUoSIEINVdNuT2RJ
YjaaafWJPX8wPJZrUnAjJ6k1dasozlclcPMB2gGzAZoAMCARmhEgQQPHyE3SKcbO0B28e+0r9nvjA
toCswKaADAgEaoSIEIPYu2S+u+MNqNAMKEj+0JSEQKyZdrq21B/dmxpOxy0yW

$ LDAPTLS_REQCERT=never ldapexop -D uid=admin,cn=users,cn=accounts,dc=example,dc=test -H ldaps://ipa.example.test:636 -w hello_world 1.3.6.1.4.1.4203.1.11.3
# extended operation response
data:: ZG46IHVpZD1hZG1pbixjbj11c2Vycyxjbj1hY2NvdW50cyxkYz1leGFtcGxlLGRjPXRlc3Q=

On Tue, Dec 31, 2024 at 10:43 AM Yuriy Halytskyy <[email protected]> wrote:
>
> Hi, and Happy New Year!
>
> I am trying to request service and host keytabs programmatically. The
> idea is to create terraform data source with Go, but I am also
> experimenting with python because it has good ASN1 support. There are
> already several terraform providers for IPA but they all use RPC only
> and there does not appear to be an RPC call to get a keytab.
>
> This looks like straightforward extended operation in ldap:
>
> https://github.com/freeipa/freeipa/blob/3a5ce9cb2af362d97d598f2198cbc20c4c32710b/asn1/asn1c/ipa.asn1#L6
>
> The reply I am supposed to receive is:
> GKReply ::= SEQUENCE {
>     newkvno Int32,
>     keys SEQUENCE OF KrbKey
> }
>
> So I send GKCurrentKeys message, but the reply is interpreted as LDAP
> controls both by python and Go ldap libraries? Which doesn't make any
> sense to me because controls are supposedly part of ldap request, not
> ldap response, but I don't know much about ldap.
>
> This is what I get in python after sending a request for
> host/[email protected]
>
> Request message is:
> >>LDAPMessage:
> >>  messageID=30
> >>  protocolOp=ProtocolOp:
> >>    extendedReq=ExtendedRequest:
> >>      requestName=2.16.840.1.113730.3.8.10.5
> >>      requestValue=0xa11b3019a0170415686f73742f6970612e6578616d706c652e74657374
>
> Result message:
> <<{'controls': [(0,
> <<               True,
> <<               16,
> <<               [(0, False, 4, b'2.16.840.1.113730.3.8.10.5'),
> <<                (0,
> <<                 False,
> <<                 4,
> <<                 b'\xa2\x81\xf30\x81\xf0\x02\x01\x020\x81\xea0-\xa0+0)\xa0\x03'
> <<                 b'\x02\x01\x12\xa1"\x04 R%\xb2\xec\x13=g\xc9J\xad\x07\xbf\x14'
> <<                 b'\x83\xac\xccg\xa4w\xfcV\xd8\x90#\x1a%s\xe7\xd8\xb0G\x9c0'
> <<                 b'\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x11\xa1\x12\x04\x10\xf7k'
> <<                 b'\x90\x84-\xf0\xa9\x02\xbf\xa5H\xdb\xfe\xa0\x94y0\x1d'
> <<                 b'\xa0\x1b0\x19\xa0\x03\x02\x01\x13\xa1\x12\x04\x10MOX'
> <<                 b'\x0e\xae\xed\x95_\xba\xe7\xaa\xcd?C7\x050-\xa0+0)\xa0'
> <<                 b'\x03\x02\x01\x14\xa1"\x04 \xd5]6\xe4\xf6D\x96#i\xa6\x9fX'
> <<                 b"\x93\xd7\xf3\x03\xc9f\xb5'\x022z\x93WZ\xb2\x8c\xe5rW\x0f"
> <<                 b'0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x19\xa1\x12\x04\x10<'
> <<                 b'|\x84\xdd"\x9cl\xed\x01\xdb\xc7\xbe\xd2\xbfg\xbe0-\xa0+0'
> <<                 b')\xa0\x03\x02\x01\x1a\xa1"\x04 \xf6.\xd9/\xae\xf8\xc3j4\x03'
> <<                 b'\n\x12?\xb4%!\x10+&]\xae\xad\xb5\x07\xf7f\xc6\x93\xb1\xcb'
> <<                 b'L\x96')])],
> <<  'messageID': 30,
> <<  'payload': [(0, False, 10, 0), (0, False, 4, b''), (0, False, 4, b'')],
> <<  'protocolOp': 24}
>
> The payload is just 4 bytes...
>
> That bit blob in controls is valid keytab list and I can decode it
> using asn1 definitions from
> >>> c.result['controls']['2.16.840.1.113730.3.8.10.5'].values().mapping['value']
> b'\xa2\x81\xf30\x81\xf0\x02\x01\x020\x81\xea0-\xa0+0)\xa0\x03\x02\x01\x12\xa1"\x04
> R%\xb2\xec\x13=g\xc9J\xad\x07\xbf\x14\x83\xac\xccg\xa4w\xfcV\xd8\x90#\x1a%s\xe7\xd8\xb0G\x9c0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x11\xa1\x12\x04\x10\xf7k\x90\x84-\xf0\xa9\x02\xbf\xa5H\xdb\xfe\xa0\x94y0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x13\xa1\x12\x04\x10MOX\x0e\xae\xed\x95_\xba\xe7\xaa\xcd?C7\x050-\xa0+0)\xa0\x03\x02\x01\x14\xa1"\x04
> \xd5]6\xe4\xf6D\x96#i\xa6\x9fX\x93\xd7\xf3\x03\xc9f\xb5\'\x022z\x93WZ\xb2\x8c\xe5rW\x0f0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x19\xa1\x12\x04\x10<|\x84\xdd"\x9cl\xed\x01\xdb\xc7\xbe\xd2\xbfg\xbe0-\xa0+0)\xa0\x03\x02\x01\x1a\xa1"\x04
> \xf6.\xd9/\xae\xf8\xc3j4\x03\n\x12?\xb4%!\x10+&]\xae\xad\xb5\x07\xf7f\xc6\x93\xb1\xcbL\x96'
>
> Go produces similar result. This is what the response looks like:
> LDAP Response: (Universal, Constructed, Sequence and Sequence of) Len=297 "<nil>"
>  Message ID: (Universal, Primitive, Integer) Len=1 "2"
>  Extended Response: (Application, Constructed, 0x18) Len=7 "<nil>"
>   (Universal, Primitive, Enumerated) Len=1 "0"
>   (Universal, Primitive, Octet String) Len=0 ""
>   (Universal, Primitive, Octet String) Len=0 ""
>  (Context, Constructed, 0x00) Len=281 "<nil>"
>   (Universal, Constructed, Sequence and Sequence of) Len=277 "<nil>"
>    (Universal, Primitive, Octet String) Len=26 "2.16.840.1.113730.3.8.10.5"
>    (Universal, Primitive, Octet String) Len=246
> "\xa2\x81\xf30\x81\xf0\x02\x01\x020\x81\xea0-\xa0+0)\xa0\x03\x02\x01\x12\xa1\"\x04
> R%\xb2\xec\x13=g\xc9J\xad\a\xbf\x14\x83\xac\xccg\xa4w\xfcVؐ#\x1a%s\xe7ذG\x9c0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x11\xa1\x12\x04\x10\xf7k\x90\x84-\xf0\xa9\x02\xbf\xa5H\xdb\xfe\xa0\x94y0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x13\xa1\x12\x04\x10MOX\x0e\xae\xed\x95_\xba\xe7\xaa\xcd?C7\x050-\xa0+0)\xa0\x03\x02\x01\x14\xa1\"\x04
> \xd5]6\xe4\xf6D\x96#i\xa6\x9fX\x93\xd7\xf3\x03\xc9f\xb5'\x022z\x93WZ\xb2\x8c\xe5rW\x0f0\x1d\xa0\x1b0\x19\xa0\x03\x02\x01\x19\xa1\x12\x04\x10<|\x84\xdd\"\x9cl\xed\x01\xdbǾҿg\xbe0-\xa0+0)\xa0\x03\x02\x01\x1a\xa1\"\x04
> \xf6.\xd9/\xae\xf8\xc3j4\x03\n\x12?\xb4%!\x10+&]\xae\xad\xb5\a\xf7fƓ\xb1\xcbL\x96"
>
> Again, the extended response is just 4 bytes of nothing, and the
> actual result is provided after that and Go is confused (and so am I).
>
> [root@ipa /]# ipa --version
> VERSION: 4.11.0, API_VERSION: 2.253
>
> Is there a bug here, or does this work as intended?
>
> Cheers,
> Yuriy

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
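As an added example (not code from the thread or from FreeIPA), the following dependency-free Python encodes the GKCurrentKeys request value shown in the dumps above (GetKeytabControl CHOICE [1]) and decodes the GKReply (CHOICE [2]) that the server returns in the response control with OID 2.16.840.1.113730.3.8.10.5 rather than in the extended response value, so a client must read that control instead of the (empty) response data. The tag layout below GKReply, a KrbKey holding a [0] TypeValuePair with [0] type and [1] value, is an assumption read off the hex dumps in the thread; salt and s2kparams are neither emitted nor parsed, and all key bytes used for testing are constructed placeholders.

```python
def _tlv(tag, body):                           # DER TLV; long-form length once body >= 128 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def _int(n):                                   # DER INTEGER (minimal for non-negative values)
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def encode_curkeys_request(principal):
    # GetKeytabControl [1] curkeys -> GKCurrentKeys { [0] serviceIdentity OCTET STRING }
    return _tlv(0xA1, _tlv(0x30, _tlv(0xA0, _tlv(0x04, principal.encode()))))

def encode_gkreply(kvno, keys):
    # GetKeytabControl [2] reply -> GKReply { newkvno, SEQUENCE OF KrbKey }; each KrbKey carries
    # only the mandatory [0] key TypeValuePair { [0] type, [1] value } (salt/s2kparams optional)
    krbkeys = b"".join(
        _tlv(0x30, _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _int(et)) + _tlv(0xA1, _tlv(0x04, k)))))
        for et, k in keys)
    return _tlv(0xA2, _tlv(0x30, _int(kvno) + _tlv(0x30, krbkeys)))

def _read(buf, pos, tag):
    # one DER element at pos: check the tag, return (body, next_pos), reject truncated input
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length >= 0x80:                         # long form: low 7 bits give the length-of-length
        nb, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - nb:pos], "big")
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_gkreply(value):
    # value of the 2.16.840.1.113730.3.8.10.5 response control
    # -> (newkvno, [(enctype, key_bytes), ...]); salt/s2kparams are skipped
    seq, _ = _read(_read(value, 0, 0xA2)[0], 0, 0x30)
    kvno_raw, pos = _read(seq, 0, 0x02)
    keys_seq, _ = _read(seq, pos, 0x30)
    keys, pos = [], 0
    while pos < len(keys_seq):
        krbkey, pos = _read(keys_seq, pos, 0x30)
        tvp, _ = _read(_read(krbkey, 0, 0xA0)[0], 0, 0x30)
        et_raw, p = _read(tvp, 0, 0xA0)
        val_raw, _ = _read(tvp, p, 0xA1)
        keys.append((int.from_bytes(_read(et_raw, 0, 0x02)[0], "big", signed=True),
                     _read(val_raw, 0, 0x04)[0]))
    return int.from_bytes(kvno_raw, "big", signed=True), keys
```

With six constructed keys of the enctypes and lengths seen in the dump (18, 17, 19, 20, 25, 26), the encoder reproduces the 246-byte control value length and the `a2 81 f3 30 81 f0 02 01 02 30 81 ea` prefix visible in the thread, and `encode_curkeys_request("host/ipa.example.test")` yields exactly the requestValue hex shown in the request message.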
