<?php
// Everything below calls kadm5_* functions; stop here with a clear message
// instead of failing later on an undefined function.
if ( !extension_loaded('kadm5') )
{
    die('kadm5 extension is not loaded');
}
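/**
 * Read default_realm from the [libdefaults] section of a krb5.conf file.
 *
 * Only the [libdefaults] section is consulted: a default_realm key in any
 * other section, or before the first section header, is ignored. Blank lines
 * and comment lines (starting with '#' or ';') are skipped, and the value is
 * everything after the first '=' so it is not truncated by a later '='.
 *
 * @param string $config_path Path of the krb5.conf to read (system file by default).
 * @return string|false The realm name, or false if the file cannot be opened
 *                      or [libdefaults] has no default_realm entry.
 */
function get_default_kerberos_realm($config_path = '/etc/krb5.conf')
{
    $fp = @fopen($config_path, 'r');
    if ( !$fp )
        return false;

    $in_libdefaults = false;
    $realm = false;
    while ( ($raw = fgets($fp)) !== false )
    {
        $line = trim($raw);
        if ( $line === '' || $line[0] === '#' || $line[0] === ';' )
            continue;

        // Any section header switches context; only [libdefaults] is of interest.
        if ( $line[0] === '[' )
        {
            $in_libdefaults = ($line === '[libdefaults]');
            continue;
        }
        if ( !$in_libdefaults || strpos($line, '=') === false )
            continue;

        // Limit of 2 keeps any further '=' characters inside the value.
        list($key, $value) = explode('=', $line, 2);
        if ( trim($key) === 'default_realm' )
        {
            $realm = trim($value);
            break;
        }
    }
    fclose($fp);

    return $realm;
}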
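/**
 * Locate the kadmin server for a realm.
 *
 * Lookup order: the _kerberos-adm._tcp.<realm> SRV record first (lowest
 * priority, then highest weight, wins), then the realm's admin_server entry in
 * the [realms] section of krb5.conf. The config search stops at the closing
 * brace of the realm's own block, so another realm's admin_server is never
 * returned by mistake.
 *
 * @param string|false $realm       Realm name; false means use get_default_kerberos_realm().
 * @param string       $config_path krb5.conf to consult when DNS yields nothing.
 * @param bool         $use_dns     Set false to skip the SRV lookup (tests, air-gapped hosts).
 * @return string|false "target:port" from DNS, the raw admin_server value from
 *                      the config (may carry a :port suffix), or false if nothing was found.
 */
function get_kerberos_admin_server($realm = false, $config_path = '/etc/krb5.conf', $use_dns = true)
{
    if ( !$realm )
        $realm = get_default_kerberos_realm($config_path);
    if ( !$realm )
        return false;  // no realm at all; a bare "_kerberos-adm._tcp." query would be meaningless

    if ( $use_dns )
    {
        $records = dns_get_record("_kerberos-adm._tcp.$realm", DNS_SRV);
        if ( is_array($records) && count($records) > 0 )
        {
            // Lowest priority first; within a priority prefer the higher weight
            // (a deterministic simplification of RFC 2782's weighted selection).
            usort($records, function ($a, $b)
            {
                if ( $a['pri'] != $b['pri'] )
                    return $a['pri'] < $b['pri'] ? -1 : 1;
                if ( $a['weight'] == $b['weight'] )
                    return 0;
                return $a['weight'] > $b['weight'] ? -1 : 1;
            });
            if ( isset($records[0]['target']) )
                return "{$records[0]['target']}:{$records[0]['port']}";
        }
    }

    // Fall back to the config file.
    $fp = @fopen($config_path, 'r');
    if ( !$fp )
        return false;

    // The realm name comes from config/DNS, so quote it before building a pattern.
    $realm_open = '/^' . preg_quote($realm, '/') . '\s*=\s*\{$/';
    $in_realms = false;
    $depth = 0;  // brace depth inside our realm's block; 0 means not inside it
    $admin_server = false;
    while ( ($raw = fgets($fp)) !== false )
    {
        $line = trim($raw);
        if ( $line === '' || $line[0] === '#' || $line[0] === ';' )
            continue;

        if ( $depth > 0 )
        {
            if ( substr($line, -1) === '{' )
            {
                $depth++;  // nested sub-block; its keys are not realm-level settings
                continue;
            }
            if ( $line === '}' )
            {
                if ( --$depth === 0 )
                    break;  // our block ended without an admin_server entry
                continue;
            }
            if ( $depth === 1 && strpos($line, '=') !== false )
            {
                list($key, $value) = explode('=', $line, 2);
                if ( trim($key) === 'admin_server' )
                {
                    $admin_server = trim($value);
                    break;
                }
            }
        }
        else if ( $line[0] === '[' )
        {
            $in_realms = ($line === '[realms]');
        }
        else if ( $in_realms && preg_match($realm_open, $line) )
        {
            $depth = 1;
        }
    }
    fclose($fp);

    return $admin_server;
}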
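/**
 * Return a process-wide kadm5 handle, connecting on first use.
 *
 * Credentials come from the global $kerberos_admin array ('principal' and
 * 'password'); realm and admin server are discovered from krb5.conf / DNS.
 * The handle is destroyed at shutdown. The password is never included in
 * any exception message.
 *
 * @return mixed Whatever kadm5_init_with_password() returned (cached after the first call).
 * @throws Exception If credentials are not configured, discovery fails, or the connection fails.
 */
function get_kerberos_connection()
{
    global $kerberos_admin;
    static $khandle = false;
    if ( $khandle )
        return $khandle;

    // Fail before any network activity if the admin credentials were never configured.
    if ( !isset($kerberos_admin['principal'], $kerberos_admin['password']) )
        throw new Exception('Kerberos admin credentials (principal/password) are not configured');

    $realm = get_default_kerberos_realm();
    $admin_server = $realm ? get_kerberos_admin_server($realm) : false;
    if ( !$realm || !$admin_server )
        throw new Exception("Kerberos realm ($realm) or admin server ($admin_server) came back bad");

    // Discovery may return host:port; strip the port, as the original did, before connecting.
    $admin_server = preg_replace('/:[0-9]+$/', '', $admin_server);

    $khandle = kadm5_init_with_password($admin_server, $realm, $kerberos_admin['principal'], $kerberos_admin['password']);
    if ( !$khandle )
        throw new Exception("Failed to connect to Kerberos admin server");

    register_shutdown_function(function() use ($khandle)
    {
        kadm5_destroy($khandle);
    });

    return $khandle;
}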
/**
 * Lock a principal out by setting both its principal expiry and its
 * password expiry to the current time.
 *
 * @param string $user Principal name.
 * @return mixed Result of kadm5_modify_principal().
 */
function kadm5_disable_user($user)
{
    $connection = get_kerberos_connection();

    $expire_now = array(
        KADM5_PRINC_EXPIRE_TIME => time(),
        KADM5_PW_EXPIRATION => time(),
    );

    return kadm5_modify_principal($connection, $user, $expire_now);
}
/**
 * Re-enable a principal by clearing both expiry timestamps (0 = no expiry).
 *
 * @param string $user Principal name.
 * @return mixed Result of kadm5_modify_principal().
 */
function kadm5_enable_user($user)
{
    $connection = get_kerberos_connection();

    $never_expire = array(
        KADM5_PRINC_EXPIRE_TIME => 0,
        KADM5_PW_EXPIRATION => 0,
    );

    return kadm5_modify_principal($connection, $user, $never_expire);
}
/**
 * Check that a principal exists and that neither its principal expiry nor
 * its password expiry has passed. An expiry value of 0 counts as "never".
 *
 * @param string $user Principal name.
 * @return bool False if the principal cannot be fetched or either expiry is in the past.
 */
function kadm5_is_user_unexpired($user)
{
    $connection = get_kerberos_connection();

    // '@' silences the extension for unknown principals; anything that is
    // not an array is treated as "not usable".
    $principal = @kadm5_get_principal($connection, $user);
    if ( !is_array($principal) )
        return false;

    $still_valid = function ($expiry)
    {
        return $expiry > time() || $expiry == 0;
    };

    $principal_ok = $still_valid($principal[KADM5_PRINC_EXPIRE_TIME]);
    $password_ok = $still_valid($principal[KADM5_PW_EXPIRATION]);

    return $principal_ok && $password_ok;
}
/**
 * Remove a principal from the KDC database.
 *
 * @param string $user Principal name.
 * @return mixed Result of kadm5_delete_principal().
 */
function kadm5_delete_user($user)
{
    return kadm5_delete_principal(get_kerberos_connection(), $user);
}
/**
 * Create a principal with the given password.
 *
 * The '@' suppresses whatever warning the extension emits on failure; the
 * caller only sees the return value.
 *
 * @param string $user Principal name.
 * @param string $pass Initial password (handed to kadm5 unchanged).
 * @return mixed Result of kadm5_create_principal().
 */
function kadm5_create_user($user, $pass)
{
    $connection = get_kerberos_connection();

    return @kadm5_create_principal($connection, $user, $pass);
}
/**
 * Set a new password for a principal.
 *
 * @param string $princ Principal name.
 * @param string $pw    New password (handed to kadm5 unchanged, never logged here).
 * @return mixed Result of kadm5_chpass_principal().
 */
function kadm5_reset_password($princ, $pw)
{
    return kadm5_chpass_principal(get_kerberos_connection(), $princ, $pw);
}