packages/ssoinabox-webui/root/usr/local/share/ssoinabox/htdocs/includes/kadm5.php
<?php
// Hard stop when the PECL kadm5 extension is absent: every helper in this file
// calls into it, so there is nothing useful to do without it.
extension_loaded('kadm5') or die('kadm5 extension is not loaded');
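/**
 * Read the default Kerberos realm from a krb5.conf-style file.
 *
 * Only the `default_realm` key inside the `[libdefaults]` section is honoured;
 * a `default_realm` line in any other section is ignored. (The previous
 * version initialised its "inside [libdefaults]" flag to true, so it matched
 * the first default_realm found in ANY section and never reached its own
 * section-header check.)
 *
 * @param string $path  Config file to parse; defaults to the system krb5.conf.
 * @return string|false The realm name, or false when the file cannot be
 *                      opened or no default_realm exists in [libdefaults].
 */
function get_default_kerberos_realm($path = '/etc/krb5.conf')
{
    $fp = @fopen($path, 'r');
    if ( !$fp )
        return false;
    $in_libdefaults = false;
    $realm = false;
    while ( !feof($fp) )
    {
        // fgets() returns false at EOF; cast so trim() always sees a string.
        $line = trim((string) fgets($fp, 1024));
        // krb5.conf comments start with '#' or ';'.
        if ( $line === '' || $line[0] === '#' || $line[0] === ';' )
            continue;
        // Any section header either enters or leaves [libdefaults].
        if ( $line[0] === '[' )
        {
            $in_libdefaults = ($line === '[libdefaults]');
            continue;
        }
        if ( !$in_libdefaults || strpos($line, '=') === false )
            continue;
        // Limit 2 so a value containing '=' is not truncated.
        list($key, $value) = explode('=', $line, 2);
        if ( trim($key) === 'default_realm' )
        {
            $realm = trim($value);
            break;
        }
    }
    fclose($fp);
    return $realm;
}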
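/**
 * Locate the kadmin server for a realm.
 *
 * Resolution order: the `_kerberos-adm._tcp.<realm>` SRV record first, then
 * the `admin_server` key of the realm's own block in the `[realms]` section
 * of the config file. Only the first SRV record is used; priority and weight
 * are not honoured.
 *
 * @param string|false $realm Realm name; false means use get_default_kerberos_realm().
 * @param string       $path  Config file consulted when DNS has no answer.
 * @return string|false "host:port" from DNS, the raw admin_server value from
 *                      the config, or false when the realm is unknown, the
 *                      config cannot be opened, or neither source has an entry.
 */
function get_kerberos_admin_server($realm = false, $path = '/etc/krb5.conf')
{
    if ( !$realm )
        $realm = get_default_kerberos_realm();
    // Without a realm the SRV name would be "_kerberos-adm._tcp." and the
    // config lookup could never match; stop here instead of querying DNS.
    if ( !$realm )
        return false;

    // dns_get_record() returns false on failure; guard both keys before use.
    $srv = dns_get_record("_kerberos-adm._tcp.$realm", DNS_SRV);
    if ( is_array($srv) && isset($srv[0]['target']) && isset($srv[0]['port']) )
        return "{$srv[0]['target']}:{$srv[0]['port']}";

    // Fall back to the config file.
    $fp = @fopen($path, 'r');
    if ( !$fp )
        return false;
    $in_realms = false;
    $in_realm_block = false;
    $depth = 0;           // brace depth inside the matched realm block
    $admin_server = false;
    while ( !feof($fp) )
    {
        $line = trim((string) fgets($fp, 1024));
        if ( $line === '' || $line[0] === '#' || $line[0] === ';' )
            continue;
        if ( $in_realm_block )
        {
            // Nested sub-blocks (e.g. "foo = {") are skipped but tracked so the
            // realm's own closing brace is recognised.
            if ( substr($line, -1) === '{' )
            {
                $depth++;
                continue;
            }
            if ( $line === '}' )
            {
                // Leaving the realm's block without an admin_server: stop, so a
                // later realm's admin_server is not picked up by mistake (the
                // previous version kept scanning into the next realm block).
                if ( --$depth <= 0 )
                    break;
                continue;
            }
            if ( strpos($line, '=') === false )
                continue;
            list($key, $value) = explode('=', $line, 2);
            if ( trim($key) === 'admin_server' )
            {
                $admin_server = trim($value);
                break;
            }
        }
        else if ( $in_realms && $line === "$realm = {" )
        {
            // Exact-spacing match only ("REALM = {"), as before.
            $in_realm_block = true;
            $depth = 1;
        }
        else if ( $line[0] === '[' )
        {
            $in_realms = ($line === '[realms]');
        }
    }
    fclose($fp);
    return $admin_server;
}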
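/**
 * Return a per-process kadm5 handle, opening it on first use.
 *
 * The handle is cached in a static and released by a shutdown function.
 * Realm and admin server come from get_default_kerberos_realm() and
 * get_kerberos_admin_server(); the credentials come from the global
 * $kerberos_admin array ('principal' and 'password' keys).
 *
 * @return mixed handle as returned by kadm5_init_with_password()
 * @throws Exception when $kerberos_admin is not configured, when the realm or
 *                   admin server cannot be determined, or when kadm5 refuses
 *                   the connection.
 */
function get_kerberos_connection()
{
    global $kerberos_admin;
    static $khandle = false;
    if ( $khandle )
        return $khandle;

    // Fail with a clear message instead of undefined-index notices and an
    // empty principal/password being handed to kadm5.
    if ( !is_array($kerberos_admin)
        || !isset($kerberos_admin['principal']) || $kerberos_admin['principal'] === ''
        || !isset($kerberos_admin['password']) )
        throw new Exception("Kerberos admin credentials (\$kerberos_admin) are not configured");

    $realm = get_default_kerberos_realm();
    // Pass the realm explicitly so the config file is not parsed a second time.
    $admin_server = get_kerberos_admin_server($realm);
    if ( !$realm || !$admin_server )
        throw new Exception("Kerberos realm ($realm) or admin server ($admin_server) came back bad");

    // The ":port" appended by the SRV lookup is stripped, so kadm5 is
    // presumably always contacted on its default port — a non-default port
    // advertised in DNS is silently ignored here. TODO confirm whether
    // kadm5_init_with_password() accepts host:port.
    $admin_server = preg_replace('/:[0-9]+$/', '', $admin_server);

    $khandle = kadm5_init_with_password($admin_server, $realm, $kerberos_admin['principal'], $kerberos_admin['password']);
    if ( !$khandle )
        throw new Exception("Failed to connect to Kerberos admin server");

    // NOTE(review): the admin principal's password lives in a PHP global for the
    // whole request; keep that principal's kadm5.acl rights limited to what
    // this file actually uses (add, modify, delete, changepw, inquire).
    register_shutdown_function(function() use ($khandle)
    {
        kadm5_destroy($khandle);
    });
    return $khandle;
}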
/**
 * Disable a principal by expiring both the principal and its password now.
 *
 * NOTE(review): this only stops new authentications; tickets already issued
 * to the principal are not revoked and remain valid for their own lifetime.
 *
 * @param string $user principal name
 * @return mixed whatever kadm5_modify_principal() returns
 */
function kadm5_disable_user($user)
{
    $now = time();
    $changes = array(
        KADM5_PRINC_EXPIRE_TIME => $now,
        KADM5_PW_EXPIRATION => $now,
    );
    return kadm5_modify_principal(get_kerberos_connection(), $user, $changes);
}
/**
 * Re-enable a principal by clearing its principal and password expiry
 * (0 = never expires), undoing kadm5_disable_user().
 *
 * @param string $user principal name
 * @return mixed whatever kadm5_modify_principal() returns
 */
function kadm5_enable_user($user)
{
    $changes = array(
        KADM5_PRINC_EXPIRE_TIME => 0,
        KADM5_PW_EXPIRATION => 0,
    );
    return kadm5_modify_principal(get_kerberos_connection(), $user, $changes);
}
/**
 * Report whether a principal is currently usable: neither the principal nor
 * its password has expired. A value of 0 in either field means "never".
 *
 * @param string $user principal name
 * @return bool false when the principal cannot be looked up (the kadm5 warning
 *              is suppressed, so the caller cannot tell "unknown" from
 *              "expired"), otherwise whether both expiries are unset or in the future
 */
function kadm5_is_user_unexpired($user)
{
    $princ = @kadm5_get_principal(get_kerberos_connection(), $user);
    if ( !is_array($princ) )
        return false;   // lookup failed: fail closed
    $now = time();
    foreach ( array(KADM5_PRINC_EXPIRE_TIME, KADM5_PW_EXPIRATION) as $field )
    {
        $expires = $princ[$field];
        // Anything other than 0 must still lie in the future.
        if ( $expires != 0 && $expires <= $now )
            return false;
    }
    return true;
}
/**
 * Remove a principal from the KDC database.
 *
 * @param string $user principal name
 * @return mixed whatever kadm5_delete_principal() returns
 */
function kadm5_delete_user($user)
{
    return kadm5_delete_principal(get_kerberos_connection(), $user);
}
/**
 * Create a principal with the given initial password.
 *
 * The '@' silences the extension's warning on failure, so a caller only ever
 * sees the bare return value and not why creation was refused.
 *
 * @param string $user principal name
 * @param string $pass initial password
 * @return mixed whatever kadm5_create_principal() returns
 */
function kadm5_create_user($user, $pass)
{
    $kh = get_kerberos_connection();
    $result = @kadm5_create_principal($kh, $user, $pass);
    return $result;
}
/**
 * Set a principal's password through the admin connection.
 *
 * @param string $princ principal name
 * @param string $pw    new password
 * @return mixed whatever kadm5_chpass_principal() returns
 */
function kadm5_reset_password($princ, $pw)
{
    $handle = get_kerberos_connection();
    return kadm5_chpass_principal($handle, $princ, $pw);
}