SSO-in-a-Box: comparison packages/ssoinabox-webui/root/usr/local/share/ssoinabox/htdocs/includes/kadm5.php

equal deleted inserted replaced

--1:000000000000
+:3906ca745819
+<?php
+if ( !extension_loaded('kadm5') )
+	die('kadm5 extension is not loaded');
+function get_default_kerberos_realm()
+{
+	$fp = @fopen('/etc/krb5.conf', 'r');
+	if ( !$fp )
+		return false;
+	$found_libdefaults = true;
+	$found_realm = false;
+	while ( !feof($fp) )
+	{
+		$line = trim(fgets($fp, 1024));
+		if ( $found_libdefaults )
+		{
+			if ( !strstr($line, '=') )
+				continue;
+			list($key, $value) = explode('=', $line);
+			if ( trim($key) === 'default_realm' )
+			{
+				$found_realm = trim($value);
+				break;
+			}
+		}
+		else if ( $line === '[libdefaults]' )
+		{
+			$found_libdefaults = true;
+		}
+	}
+	fclose($fp);
+	return $found_realm;
+}
+function get_kerberos_admin_server($realm = false)
+{
+	if ( !$realm )
+		$realm = get_default_kerberos_realm();
+	$dns_result = dns_get_record("_kerberos-adm._tcp.$realm", DNS_SRV);
+	if ( isset($dns_result[0]['target']) )
+		return "{$dns_result[0]['target']}:{$dns_result[0]['port']}";
+	// try using the config
+	$fp = @fopen('/etc/krb5.conf', 'r');
+	if ( !$fp )
+		return false;
+	$found_realms = false;
+	$found_realm = false;
+	$found_admin_server = false;
+	while ( !feof($fp) )
+	{
+		$line = trim(fgets($fp, 1024));
+		if ( $found_realm )
+		{
+			if ( !strstr($line, '=') )
+				continue;
+			list($key, $value) = explode('=', $line);
+			if ( trim($key) === 'admin_server' )
+			{
+				$found_admin_server = trim($value);
+				break;
+			}
+		}
+		else if ( $found_realms && trim($line) == "$realm = {" )
+		{
+			$found_realm = true;
+		}
+		else if ( $line === '[realms]' )
+		{
+			$found_realms = true;
+		}
+	}
+	fclose($fp);
+	return $found_admin_server;
+}
+function get_kerberos_connection()
+{
+	global $kerberos_admin;
+	static $khandle = false;
+	if ( $khandle )
+		return $khandle;
+	$realm = get_default_kerberos_realm();
+	$admin_server = get_kerberos_admin_server();
+	if ( !$realm || !$admin_server )
+		throw new Exception("Kerberos realm ($realm) or admin server ($admin_server) came back bad");
+	$admin_server = preg_replace('/:[0-9]+$/', '', $admin_server);
+	$khandle = kadm5_init_with_password($admin_server, $realm, $kerberos_admin['principal'], $kerberos_admin['password']);
+	if ( !$khandle )
+		throw new Exception("Failed to connect to Kerberos admin server");
+	register_shutdown_function(function() use ($khandle)
+		{
+			kadm5_destroy($khandle);
+		});
+	return $khandle;
+}
+function kadm5_disable_user($user)
+{
+	$kh = get_kerberos_connection();
+	return kadm5_modify_principal($kh, $user, array(
+			KADM5_PRINC_EXPIRE_TIME => time()
+			, KADM5_PW_EXPIRATION => time()
+		));
+}
+function kadm5_enable_user($user)
+{
+	$kh = get_kerberos_connection();
+	return kadm5_modify_principal($kh, $user, array(
+			KADM5_PRINC_EXPIRE_TIME => 0
+			, KADM5_PW_EXPIRATION => 0
+		));
+}
+function kadm5_is_user_unexpired($user)
+{
+	$kh = get_kerberos_connection();
+	$princ = @kadm5_get_principal($kh, $user);
+	if ( !is_array($princ) )
+		return false;
+	$pr_good = $princ[KADM5_PRINC_EXPIRE_TIME] > time() || $princ[KADM5_PRINC_EXPIRE_TIME] == 0;
+	$pw_good = $princ[KADM5_PW_EXPIRATION] > time() || $princ[KADM5_PW_EXPIRATION] == 0;
+	return $pr_good && $pw_good;
+}
+function kadm5_delete_user($user)
+{
+	$kh = get_kerberos_connection();
+	return kadm5_delete_principal($kh, $user);
+}
+function kadm5_create_user($user, $pass)
+{
+	$kh = get_kerberos_connection();
+	return @kadm5_create_principal($kh, $user, $pass);
+}
+function kadm5_reset_password($princ, $pw)
+{
+	$kh = get_kerberos_connection();
+	return kadm5_chpass_principal($kh, $princ, $pw);
+}