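#!/bin/sh
#
# Nagios-style health check for a Kerberos KDC / AD domain controller:
#   1. obtain a ticket for TESTUSER from the KDC on the given host
#      (authenticating with a keytab rather than a stored password),
#   2. use that ticket for a GSSAPI-authenticated LDAP query to the same host,
#   3. confirm the reply contains the expected userPrincipalName.
#
# Usage:   check_dc.sh <hostname-or-ip>
# Exit:    0 = OK, 2 = CRITICAL (Nagios convention)
# Output:  one status line on stdout
#
host="$1"
REALM="LOCAL.EXAMPLE.NET"
LCREALM="local.example.net"
TESTUSER="nagiostest"
BASENAME="cn=users,dc=local,dc=example,dc=net"
KEYTAB="/etc/nagiostest.keytab"

if [ "$host" = "" ]; then
  echo "Missing hostname"
  exit 2
fi

# The host is written verbatim into a generated krb5.conf below; whitespace
# would let it escape the "kdc =" line, and is never valid in a hostname or
# address anyway, so reject it up front.
case "$host" in
  *[[:space:]]*)
    echo "Invalid hostname"
    exit 2
    ;;
esac

# Private scratch directory (mktemp -d creates it 0700 with an unpredictable
# name) for the generated krb5.conf and the credential cache. The original
# used fixed "/tmp/...$$" names, which another local user could pre-create
# or symlink before the check runs.
tmpdir="$(mktemp -d)" || { echo "mktemp failed"; exit 2; }
export KRB5_CONFIG="$tmpdir/krb5.conf"
export KRB5CCNAME="$tmpdir/krb5.cc"

#######################################
# Destroy the ticket and remove the scratch directory.
# Registered on EXIT so every failure path below cleans up, instead of
# repeating kdestroy/rm in each branch.
# Globals: tmpdir (read), KRB5CCNAME (read by kdestroy)
#######################################
cleanup() {
  # kdestroy complains when no cache exists yet (e.g. kinit failed);
  # that noise is harmless and deliberately suppressed.
  kdestroy 2>/dev/null
  rm -rf -- "${tmpdir:?}"
}
trap cleanup EXIT

# A v6 address must be enclosed in square brackets when we add it to
# krb5.conf; anything containing a colon is treated as a v6 literal.
case "$host" in
  *:*) khost="[$host]" ;;
  *)   khost="$host" ;;
esac

cat <<EOS >"$KRB5_CONFIG"
[realms]
$REALM = {
kdc = $khost
}
EOS

# 1. Can we get a ticket from this host?
# Rather than hard-coding a password, we use a keytab.
if ! kinit -k -t "$KEYTAB" "$TESTUSER@$REALM"; then
  echo "KINIT FAILED"
  exit 2
fi

# 2. Can we use this ticket to do an LDAP query to this host?
# The assignment's status is that of the command substitution.
if ! res="$(ldapsearch -LLLQ -Y GSSAPI -h "$host" -b "$BASENAME" "(samaccountname=$TESTUSER)" samaccountname userprincipalname)"; then
  echo "LDAPSEARCH FAILED"
  exit 2
fi

# The quoted pattern matches the expected UPN literally; the previous
# expr regex let the dots in the realm match any character.
case "$res" in
  *"userPrincipalName: $TESTUSER@$LCREALM"*)
    ;;
  *)
    # printf rather than echo: $res is server-supplied text.
    printf '%s\n' "LDAPSEARCH BAD RESULT: $res"
    exit 2
    ;;
esac

# 3. Clean up happens in the EXIT trap.
echo "OK"
exit 0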