author Dan Fuhry <>
Mon, 13 Dec 2010 20:33:31 -0500
changeset 2 3e5bd9e5b22f
parent 0 5a5a654fae1a
permissions -rw-r--r--
Added my patch to the kadm5 extension


class KerberosError extends Exception

 * Parse an INI file, specifically one in krb5.conf format.
 * @param string File to read
 * @return array

function krb5_read_ini_file($file)
	$fp = @fopen($file, 'r');
	if ( !$fp )
		return array();
	$section = '';
	$data = array();
	while ( !feof($fp) )
		// read in line
		$line = @fgets($fp, 8192);
		// trim and skip comments
		$line = trim(preg_replace('/;.*$/', '', $line));
		if ( empty($line) )
		if ( preg_match('/^\[(.+?)\]$/', $line, $match) )
			// new section
			$section = $match[1];
		if ( count($parts = explode('=', $line)) == 2 )
			list($name, $value) = $parts;
			$name = $line;
			$value = true;
		$name = trim($name);
		// ltrim to honor trailing spaces/tabs
		$value = ltrim($value);
		if ( $value === '{' )
			$section .= ".$name";
			$subsection = $name;
		else if ( $name === '}' && isset($subsection) )
			$section = substr($section, 0, strlen($section) - 1 - strlen($subsection));;
		if ( !empty($section) )
			$name = "$section.$name";
		if ( $value === 'true' )
			$value = true;
		else if ( $value === 'false' )
			$value = false;
		else if ( ctype_digit($value) )
			$value = intval($value);
		$data[$name] = $value;
	return $data;

function krb5_get_config()
	static $config = false;
	if ( @file_exists('/etc/krb5.conf') && @is_readable('/etc/krb5.conf') )
		return $config = krb5_read_ini_file('/etc/krb5.conf');
	return false;

function krb5_get_realm()
	if ( $config = krb5_get_config() )
		if ( isset($config['libdefaults.default_realm']) )
			return $config['libdefaults.default_realm'];
	return false;

function krb5_detect_admin_server($realm = '__default__')
	if ( $config = krb5_get_config() )
		if ( isset($config['libdefaults.default_realm']) )
			$realm = ($realm == '__default__') ? $config['libdefaults.default_realm'] : $realm;
			// we have the default realm; determine what the admin server is
			if ( isset($config["realms.$realm.admin_server"]) )
				return $config["realms.$realm.admin_server"];
			// failing ini parsing, honor dns_lookup_kdc (this isn't strictly looking up KDCs, more the master, but this allows for configurability)
			if ( isset($config['libdefaults.dns_lookup_kdc']) && $config['libdefaults.dns_lookup_kdc'] && function_exists('dns_get_record') )
				// look it up
				$dns_result = dns_get_record('_kerberos-master._udp.' . strtolower($realm), DNS_SRV);
				// find result with lowest priority
				$host = '';
				$pri = 0x7FFFFFFF;
				if ( $dns_result )
					foreach ( $dns_result as $entry )
						if ( $entry['pri'] < $pri )
							$host = $entry['target'];
					if ( !empty($host) )
						return $host;
	return false;

function krb5_verify_creds($username, $password)
	$realm = getConfig('kerb_realm', krb5_get_realm());
	$server = getConfig('kerb_admin_server', krb5_detect_admin_server($realm));
	if ( empty($realm) || empty($server) )
		throw new KerberosError("Empty realm or server");
	$result = kadm5_init_with_password($server, $realm, $username, $password);
	if ( $result === FALSE )
		return FALSE;
	return TRUE;