packages/ssoinabox-webui/root/usr/local/share/ssoinabox/htdocs/includes/kadm5.php
Added OpenSSH public key support in LDAP

<?php

// Every helper in this file calls kadm5_* functions, so refuse to load without the extension.
extension_loaded('kadm5') or die('kadm5 extension is not loaded');

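/**
 * Read the default Kerberos realm from a krb5.conf-style file.
 *
 * Only a "default_realm = X" line inside the [libdefaults] section is
 * honoured. The original code started with the section flag already set,
 * so a default_realm key in any other section was accepted; scanning now
 * begins only after "[libdefaults]" and stops at the next section header.
 *
 * @param string $path Config file to parse (defaults to the system krb5.conf).
 * @return string|false The realm name, or false if the file cannot be opened
 *                      or no default_realm is found in [libdefaults].
 */
function get_default_kerberos_realm($path = '/etc/krb5.conf')
{
	$fp = @fopen($path, 'r');
	if ( !$fp )
		return false;

	$in_libdefaults = false;
	$realm = false;
	while ( ($raw = fgets($fp, 1024)) !== false )
	{
		$line = trim($raw);
		if ( $line === '' )
			continue;

		// Section header: enter [libdefaults], or stop once we leave it.
		if ( $line[0] === '[' )
		{
			if ( $in_libdefaults )
				break;
			$in_libdefaults = ( $line === '[libdefaults]' );
			continue;
		}

		if ( !$in_libdefaults || !strstr($line, '=') )
			continue;

		// Limit to two parts so a value containing '=' is not truncated.
		list($key, $value) = explode('=', $line, 2);
		if ( trim($key) === 'default_realm' )
		{
			$realm = trim($value);
			break;
		}
	}
	fclose($fp);
	return $realm;
}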

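/**
 * Locate the kadmin server for a realm.
 *
 * Order of preference: a _kerberos-adm._tcp SRV record (lowest 'pri' value
 * first, as dns_get_record() does not sort), then the admin_server key of
 * the realm's own block in the [realms] section of the config file. The
 * config scan stops at the closing brace of the realm's block, so a
 * different realm's admin_server is never returned by mistake.
 *
 * DNS is unauthenticated; the caller relies on the subsequent kadm5
 * authentication to detect a wrong server.
 *
 * @param string|false $realm Realm name; defaults to get_default_kerberos_realm().
 * @param string       $path  Config file used as the fallback source.
 * @return string|false "host:port" from DNS, the raw admin_server value from
 *                      the config (which may or may not carry a port), or
 *                      false if neither source yields an answer.
 */
function get_kerberos_admin_server($realm = false, $path = '/etc/krb5.conf')
{
	if ( !$realm )
		$realm = get_default_kerberos_realm();
	// Without a realm neither lookup can succeed.
	if ( !$realm )
		return false;

	$dns_result = dns_get_record("_kerberos-adm._tcp.$realm", DNS_SRV);
	if ( is_array($dns_result) && count($dns_result) > 0 )
	{
		// RFC 2782: the record with the lowest priority is tried first.
		usort($dns_result, function($a, $b)
			{
				$pa = isset($a['pri']) ? $a['pri'] : 0;
				$pb = isset($b['pri']) ? $b['pri'] : 0;
				return $pa - $pb;
			});
		if ( isset($dns_result[0]['target'], $dns_result[0]['port']) )
			return "{$dns_result[0]['target']}:{$dns_result[0]['port']}";
	}

	// try using the config
	$fp = @fopen($path, 'r');
	if ( !$fp )
		return false;

	// Matches "REALM = {" with any amount of surrounding whitespace.
	$realm_open = '/^' . preg_quote($realm, '/') . '\s*=\s*\{$/';

	$in_realms = false;
	$in_realm = false;
	$admin_server = false;
	while ( ($raw = fgets($fp, 1024)) !== false )
	{
		$line = trim($raw);
		if ( $line === '' )
			continue;

		if ( $in_realm )
		{
			// End of this realm's block: do not read on into the next realm.
			if ( $line === '}' )
				break;
			if ( !strstr($line, '=') )
				continue;
			// Limit to two parts so a value containing '=' is not truncated.
			list($key, $value) = explode('=', $line, 2);
			if ( trim($key) === 'admin_server' )
			{
				$admin_server = trim($value);
				break;
			}
		}
		else if ( $in_realms && preg_match($realm_open, $line) )
		{
			$in_realm = true;
		}
		else if ( $line[0] === '[' )
		{
			// Leaving [realms] without finding the block means no answer.
			if ( $in_realms )
				break;
			$in_realms = ( $line === '[realms]' );
		}
	}
	fclose($fp);

	return $admin_server;
}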

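/**
 * Return a process-wide kadm5 handle, connecting on first use.
 *
 * Credentials come from the global $kerberos_admin array (keys 'principal'
 * and 'password'). The handle is cached in a static and released by a
 * shutdown function.
 *
 * @return mixed The handle returned by kadm5_init_with_password().
 * @throws Exception if the admin credentials are not configured, the realm
 *                   or admin server cannot be determined, or the connection
 *                   fails. Messages never include the password.
 */
function get_kerberos_connection()
{
	global $kerberos_admin;
	static $khandle = false;
	if ( $khandle )
		return $khandle;

	// Fail with a clear message instead of passing null credentials to the extension.
	if ( !is_array($kerberos_admin) || !isset($kerberos_admin['principal'], $kerberos_admin['password']) )
		throw new Exception("Kerberos admin credentials (\$kerberos_admin) are not configured");

	$realm = get_default_kerberos_realm();
	$admin_server = get_kerberos_admin_server($realm);
	if ( !$realm || !$admin_server )
		throw new Exception("Kerberos realm ($realm) or admin server ($admin_server) came back bad");

	// Strip the ":port" suffix that the SRV lookup appends; presumably the
	// extension wants a bare host name. Note a non-default admin port from
	// DNS is therefore not honoured — TODO confirm against the extension.
	$admin_server = preg_replace('/:[0-9]+$/', '', $admin_server);

	$khandle = kadm5_init_with_password($admin_server, $realm, $kerberos_admin['principal'], $kerberos_admin['password']);

	if ( !$khandle )
		throw new Exception("Failed to connect to Kerberos admin server");

	// Release the handle when the request ends.
	register_shutdown_function(function() use ($khandle)
		{
			kadm5_destroy($khandle);
		});

	return $khandle;
}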

/**
 * Disable a principal by expiring both the principal and its password now.
 *
 * @param string $user Principal name.
 * @return mixed Whatever kadm5_modify_principal() returns.
 */
function kadm5_disable_user($user)
{
	$kh = get_kerberos_connection();

	$changes = array(
		KADM5_PRINC_EXPIRE_TIME => time(),
		KADM5_PW_EXPIRATION => time(),
	);

	return kadm5_modify_principal($kh, $user, $changes);
}

/**
 * Re-enable a principal by clearing both expiration times (0 = never expires).
 *
 * @param string $user Principal name.
 * @return mixed Whatever kadm5_modify_principal() returns.
 */
function kadm5_enable_user($user)
{
	$kh = get_kerberos_connection();

	$changes = array(
		KADM5_PRINC_EXPIRE_TIME => 0,
		KADM5_PW_EXPIRATION => 0,
	);

	return kadm5_modify_principal($kh, $user, $changes);
}

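/**
 * Check whether a principal exists and neither the principal nor its
 * password has expired.
 *
 * An expiration value of 0 means "never expires" (the value
 * kadm5_enable_user() writes). A principal that cannot be fetched is
 * reported as expired, so lookups fail closed. A missing expiration field
 * is treated as 0, which preserves the previous behaviour without emitting
 * notices.
 *
 * @param string $user Principal name.
 * @return bool
 */
function kadm5_is_user_unexpired($user)
{
	$kh = get_kerberos_connection();

	$princ = @kadm5_get_principal($kh, $user);
	if ( !is_array($princ) )
		return false;

	// Read the clock once so both checks use the same instant.
	$now = time();

	$pr_good = _kadm5_expiry_ok($princ, KADM5_PRINC_EXPIRE_TIME, $now);
	$pw_good = _kadm5_expiry_ok($princ, KADM5_PW_EXPIRATION, $now);

	return $pr_good && $pw_good;
}

/**
 * True if the given expiration field is unset/0 or still in the future.
 *
 * @param array  $princ Principal attributes from kadm5_get_principal().
 * @param mixed  $field Array key of the expiration field.
 * @param int    $now   Current Unix time.
 * @return bool
 */
function _kadm5_expiry_ok($princ, $field, $now)
{
	$expire = isset($princ[$field]) ? $princ[$field] : 0;
	return $expire == 0 || $expire > $now;
}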

/**
 * Delete a principal from the KDC database.
 *
 * @param string $user Principal name.
 * @return mixed Whatever kadm5_delete_principal() returns.
 */
function kadm5_delete_user($user)
{
	return kadm5_delete_principal(get_kerberos_connection(), $user);
}

/**
 * Create a principal with the given initial password.
 *
 * Errors from the extension are suppressed with '@', so the caller only
 * sees the return value and not the reason for a failure.
 *
 * @param string $user Principal name.
 * @param string $pass Initial password.
 * @return mixed Whatever kadm5_create_principal() returns.
 */
function kadm5_create_user($user, $pass)
{
	$handle = get_kerberos_connection();
	$result = @kadm5_create_principal($handle, $user, $pass);
	return $result;
}

/**
 * Set a new password for a principal.
 *
 * @param string $princ Principal name.
 * @param string $pw    New password.
 * @return mixed Whatever kadm5_chpass_principal() returns.
 */
function kadm5_reset_password($princ, $pw)
{
	$handle = get_kerberos_connection();
	$result = kadm5_chpass_principal($handle, $princ, $pw);
	return $result;
}