packages/ssoinabox-webui/root/usr/local/share/ssoinabox/htdocs/includes/kadm5.php
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/packages/ssoinabox-webui/root/usr/local/share/ssoinabox/htdocs/includes/kadm5.php Tue Jan 08 23:13:29 2013 -0500
@@ -0,0 +1,161 @@
+<?php
+
+if ( !extension_loaded('kadm5') )
+ die('kadm5 extension is not loaded');
+
+function get_default_kerberos_realm()
+{
+ $fp = @fopen('/etc/krb5.conf', 'r');
+ if ( !$fp )
+ return false;
+
+ $found_libdefaults = true;
+ $found_realm = false;
+ while ( !feof($fp) )
+ {
+ $line = trim(fgets($fp, 1024));
+ if ( $found_libdefaults )
+ {
+ if ( !strstr($line, '=') )
+ continue;
+ list($key, $value) = explode('=', $line);
+ if ( trim($key) === 'default_realm' )
+ {
+ $found_realm = trim($value);
+ break;
+ }
+ }
+ else if ( $line === '[libdefaults]' )
+ {
+ $found_libdefaults = true;
+ }
+ }
+ fclose($fp);
+ return $found_realm;
+}
+
+function get_kerberos_admin_server($realm = false)
+{
+ if ( !$realm )
+ $realm = get_default_kerberos_realm();
+
+ $dns_result = dns_get_record("_kerberos-adm._tcp.$realm", DNS_SRV);
+ if ( isset($dns_result[0]['target']) )
+ return "{$dns_result[0]['target']}:{$dns_result[0]['port']}";
+
+ // try using the config
+ $fp = @fopen('/etc/krb5.conf', 'r');
+ if ( !$fp )
+ return false;
+
+ $found_realms = false;
+ $found_realm = false;
+ $found_admin_server = false;
+ while ( !feof($fp) )
+ {
+ $line = trim(fgets($fp, 1024));
+ if ( $found_realm )
+ {
+ if ( !strstr($line, '=') )
+ continue;
+ list($key, $value) = explode('=', $line);
+ if ( trim($key) === 'admin_server' )
+ {
+ $found_admin_server = trim($value);
+ break;
+ }
+ }
+ else if ( $found_realms && trim($line) == "$realm = {" )
+ {
+ $found_realm = true;
+ }
+ else if ( $line === '[realms]' )
+ {
+ $found_realms = true;
+ }
+ }
+ fclose($fp);
+
+ return $found_admin_server;
+}
+
+function get_kerberos_connection()
+{
+ global $kerberos_admin;
+ static $khandle = false;
+ if ( $khandle )
+ return $khandle;
+
+ $realm = get_default_kerberos_realm();
+ $admin_server = get_kerberos_admin_server();
+ if ( !$realm || !$admin_server )
+ throw new Exception("Kerberos realm ($realm) or admin server ($admin_server) came back bad");
+
+ $admin_server = preg_replace('/:[0-9]+$/', '', $admin_server);
+
+ $khandle = kadm5_init_with_password($admin_server, $realm, $kerberos_admin['principal'], $kerberos_admin['password']);
+
+ if ( !$khandle )
+ throw new Exception("Failed to connect to Kerberos admin server");
+
+ register_shutdown_function(function() use ($khandle)
+ {
+ kadm5_destroy($khandle);
+ });
+
+ return $khandle;
+}
+
+function kadm5_disable_user($user)
+{
+ $kh = get_kerberos_connection();
+
+ return kadm5_modify_principal($kh, $user, array(
+ KADM5_PRINC_EXPIRE_TIME => time()
+ , KADM5_PW_EXPIRATION => time()
+ ));
+}
+
+function kadm5_enable_user($user)
+{
+ $kh = get_kerberos_connection();
+
+ return kadm5_modify_principal($kh, $user, array(
+ KADM5_PRINC_EXPIRE_TIME => 0
+ , KADM5_PW_EXPIRATION => 0
+ ));
+}
+
+function kadm5_is_user_unexpired($user)
+{
+ $kh = get_kerberos_connection();
+
+ $princ = @kadm5_get_principal($kh, $user);
+ if ( !is_array($princ) )
+ return false;
+
+ $pr_good = $princ[KADM5_PRINC_EXPIRE_TIME] > time() || $princ[KADM5_PRINC_EXPIRE_TIME] == 0;
+ $pw_good = $princ[KADM5_PW_EXPIRATION] > time() || $princ[KADM5_PW_EXPIRATION] == 0;
+
+ return $pr_good && $pw_good;
+}
+
+function kadm5_delete_user($user)
+{
+ $kh = get_kerberos_connection();
+
+ return kadm5_delete_principal($kh, $user);
+}
+
+function kadm5_create_user($user, $pass)
+{
+ $kh = get_kerberos_connection();
+
+ return @kadm5_create_principal($kh, $user, $pass);
+}
+
+function kadm5_reset_password($princ, $pw)
+{
+ $kh = get_kerberos_connection();
+ return kadm5_chpass_principal($kh, $princ, $pw);
+}
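Review bot: `kadm5_enable_user` unconditionally writes 0 to both `KADM5_PRINC_EXPIRE_TIME` and `KADM5_PW_EXPIRATION`, so a disable/enable round trip silently clears any principal or password expiry an administrator had set on purpose, and because `kadm5_disable_user` "disables" by expiring the principal rather than locking it, a disabled account is indistinguishable from a merely expired one in `kadm5_is_user_unexpired` and tickets already issued to it may stay usable for their remaining lifetime. If the extension exposes them, the conventional MIT way to lock a principal without touching its expiry is to set the `KRB5_KDB_DISALLOW_ALL_TIX` bit in `KADM5_ATTRIBUTES`, e.g. `kadm5_modify_principal($kh, $user, array(KADM5_ATTRIBUTES => $princ[KADM5_ATTRIBUTES] | KRB5_KDB_DISALLOW_ALL_TIX))` after reading `$princ` with `kadm5_get_principal`, and clearing that bit on enable; confirm the constant names against the installed kadm5 extension before relying on this. Separately, `$found_libdefaults` in `get_default_kerberos_realm` is initialised to `true`, so the `[libdefaults]` tracking branch is dead and the first `default_realm =` line anywhere in krb5.conf wins; it should start as `false`, as `$found_realms` does in `get_kerberos_admin_server`, and both parsers should use `explode('=', $line, 2)` so a value containing `=` is not truncated. The `@` in front of `kadm5_create_principal` in `kadm5_create_user` also discards the reason a create failed (existing principal vs. password-policy rejection), which callers of an account-provisioning path will want to distinguish.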