packages/ssoinabox-webui/root/usr/local/share/ssoinabox/htdocs/includes/kadm5.php
author Dan Fuhry <dan@fuhry.us>
Fri, 11 Jan 2013 05:41:41 -0500
changeset 4 2212b2ded8bf
parent 0 3906ca745819
permissions -rw-r--r--
Added OpenSSH public key support in LDAP
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
0
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     1
<?php
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     2
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     3
if ( !extension_loaded('kadm5') )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     4
	die('kadm5 extension is not loaded');
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     5
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     6
function get_default_kerberos_realm()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     7
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     8
	$fp = @fopen('/etc/krb5.conf', 'r');
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
     9
	if ( !$fp )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    10
		return false;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    11
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    12
	$found_libdefaults = true;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    13
	$found_realm = false;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    14
	while ( !feof($fp) )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    15
	{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    16
		$line = trim(fgets($fp, 1024));
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    17
		if ( $found_libdefaults )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    18
		{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    19
			if ( !strstr($line, '=') )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    20
				continue;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    21
			list($key, $value) = explode('=', $line);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    22
			if ( trim($key) === 'default_realm' )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    23
			{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    24
				$found_realm = trim($value);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    25
				break;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    26
			}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    27
		}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    28
		else if ( $line === '[libdefaults]' )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    29
		{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    30
			$found_libdefaults = true;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    31
		}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    32
	}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    33
	fclose($fp);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    34
	return $found_realm;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    35
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    36
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    37
function get_kerberos_admin_server($realm = false)
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    38
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    39
	if ( !$realm )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    40
		$realm = get_default_kerberos_realm();
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    41
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    42
	$dns_result = dns_get_record("_kerberos-adm._tcp.$realm", DNS_SRV);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    43
	if ( isset($dns_result[0]['target']) )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    44
		return "{$dns_result[0]['target']}:{$dns_result[0]['port']}";
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    45
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    46
	// try using the config
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    47
	$fp = @fopen('/etc/krb5.conf', 'r');
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    48
	if ( !$fp )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    49
		return false;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    50
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    51
	$found_realms = false;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    52
	$found_realm = false;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    53
	$found_admin_server = false;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    54
	while ( !feof($fp) )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    55
	{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    56
		$line = trim(fgets($fp, 1024));
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    57
		if ( $found_realm )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    58
		{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    59
			if ( !strstr($line, '=') )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    60
				continue;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    61
			list($key, $value) = explode('=', $line);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    62
			if ( trim($key) === 'admin_server' )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    63
			{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    64
				$found_admin_server = trim($value);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    65
				break;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    66
			}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    67
		}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    68
		else if ( $found_realms && trim($line) == "$realm = {" )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    69
		{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    70
			$found_realm = true;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    71
		}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    72
		else if ( $line === '[realms]' )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    73
		{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    74
			$found_realms = true;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    75
		}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    76
	}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    77
	fclose($fp);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    78
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    79
	return $found_admin_server;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    80
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    81
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    82
function get_kerberos_connection()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    83
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    84
	global $kerberos_admin;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    85
	static $khandle = false;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    86
	if ( $khandle )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    87
		return $khandle;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    88
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    89
	$realm = get_default_kerberos_realm();
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    90
	$admin_server = get_kerberos_admin_server();
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    91
	if ( !$realm || !$admin_server )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    92
		throw new Exception("Kerberos realm ($realm) or admin server ($admin_server) came back bad");
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    93
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    94
	$admin_server = preg_replace('/:[0-9]+$/', '', $admin_server);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    95
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    96
	$khandle = kadm5_init_with_password($admin_server, $realm, $kerberos_admin['principal'], $kerberos_admin['password']);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    97
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    98
	if ( !$khandle )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
    99
		throw new Exception("Failed to connect to Kerberos admin server");
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   100
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   101
	register_shutdown_function(function() use ($khandle)
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   102
		{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   103
			kadm5_destroy($khandle);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   104
		});
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   105
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   106
	return $khandle;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   107
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   108
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   109
function kadm5_disable_user($user)
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   110
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   111
	$kh = get_kerberos_connection();
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   112
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   113
	return kadm5_modify_principal($kh, $user, array(
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   114
			KADM5_PRINC_EXPIRE_TIME => time()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   115
			, KADM5_PW_EXPIRATION => time()
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   116
		));
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   117
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   118
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   119
function kadm5_enable_user($user)
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   120
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   121
	$kh = get_kerberos_connection();
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   122
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   123
	return kadm5_modify_principal($kh, $user, array(
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   124
			KADM5_PRINC_EXPIRE_TIME => 0
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   125
			, KADM5_PW_EXPIRATION => 0
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   126
		));
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   127
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   128
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   129
function kadm5_is_user_unexpired($user)
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   130
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   131
	$kh = get_kerberos_connection();
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   132
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   133
	$princ = @kadm5_get_principal($kh, $user);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   134
	if ( !is_array($princ) )
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   135
		return false;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   136
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   137
	$pr_good = $princ[KADM5_PRINC_EXPIRE_TIME] > time() || $princ[KADM5_PRINC_EXPIRE_TIME] == 0;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   138
	$pw_good = $princ[KADM5_PW_EXPIRATION] > time() || $princ[KADM5_PW_EXPIRATION] == 0;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   139
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   140
	return $pr_good && $pw_good;
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   141
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   142
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   143
function kadm5_delete_user($user)
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   144
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   145
	$kh = get_kerberos_connection();
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   146
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   147
	return kadm5_delete_principal($kh, $user);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   148
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   149
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   150
function kadm5_create_user($user, $pass)
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   151
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   152
	$kh = get_kerberos_connection();
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   153
	
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   154
	return @kadm5_create_principal($kh, $user, $pass);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   155
}
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   156
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   157
function kadm5_reset_password($princ, $pw)
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   158
{
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   159
	$kh = get_kerberos_connection();
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   160
	return kadm5_chpass_principal($kh, $princ, $pw);
3906ca745819 First commit!
Dan Fuhry <dan@fuhry.us>
parents:
diff changeset
   161
}