Parametrize GSSAPI CName
Aleksander Machniak
6 years ago
197 | 197 | * |
198 | 198 | * @var string |
199 | 199 | */ |
200 | var $_servicePrincipal = null; | |
200 | var $_gssapiPrincipal = null; | |
201 | ||
202 | /** | |
203 | * Kerberos service cname to use for GSSAPI authentication. | |
204 | * | |
205 | * @var string | |
206 | */ | |
207 | var $_gssapiCN = null; | |
201 | 208 | |
202 | 209 | /** |
203 | 210 | * Constructor. |
223 | 230 | * @param mixed $handler A callback handler for the debug output. |
224 | 231 | * @param string $principal Kerberos service principal to use |
225 | 232 | * with GSSAPI authentication. |
233 | * @param string $cname Kerberos service cname to use | |
234 | * with GSSAPI authentication. | |
226 | 235 | */ |
227 | 236 | function __construct($user = null, $pass = null, $host = 'localhost', |
228 | 237 | $port = 2000, $logintype = '', $euser = '', |
229 | 238 | $debug = false, $bypassAuth = false, $useTLS = true, |
230 | $options = null, $handler = null, $principal = null | |
239 | $options = null, $handler = null, $principal = null, $cname = null | |
231 | 240 | ) { |
232 | 241 | $this->_pear = new PEAR(); |
233 | 242 | $this->_state = NET_SIEVE_STATE_DISCONNECTED; |
241 | 250 | $this->_bypassAuth = $bypassAuth; |
242 | 251 | $this->_useTLS = $useTLS; |
243 | 252 | $this->_options = (array) $options; |
244 | $this->_servicePrincipal = $principal; | |
253 | $this->_gssapiPrincipal = $principal; | |
254 | $this->_gssapiCN = $cname; | |
245 | 255 | |
246 | 256 | $this->setDebug($debug, $handler); |
247 | 257 | |
295 | 305 | */ |
296 | 306 | function setServicePrincipal($principal) |
297 | 307 | { |
298 | $this->_servicePrincipal = $principal; | |
308 | $this->_gssapiPrincipal = $principal; | |
309 | } | |
310 | ||
311 | /** | |
312 | * Sets the Kerberos service CName for use with GSSAPI | |
313 | * authentication. | |
314 | * | |
315 | * @param string $cname The Kerberos service principal | |
316 | * | |
317 | * @return void | |
318 | */ | |
319 | function setServiceCN($cname) | |
320 | { | |
321 | $this->_gssapiCN = $cname; | |
299 | 322 | } |
300 | 323 | |
301 | 324 | /** |
711 | 734 | /** |
712 | 735 | * Authenticates the user using the GSSAPI method. |
713 | 736 | * |
714 | * @note the PHP krb5 extension is required and the service principal must have been set. | |
737 | * @note the PHP krb5 extension is required and the service principal and cname | |
738 | * must have been set. | |
715 | 739 | * @see setServicePrincipal() |
716 | 740 | * |
717 | 741 | * @return void |
722 | 746 | return $this->_pear->raiseError('The krb5 extension is required for GSSAPI authentication', 2); |
723 | 747 | } |
724 | 748 | |
725 | if (!$this->_servicePrincipal) { | |
749 | if (!$this->_gssapiPrincipal) { | |
726 | 750 | return $this->_pear->raiseError('No Kerberos service principal set', 2); |
727 | 751 | } |
728 | 752 | |
729 | putenv('KRB5CCNAME=' . $_SERVER['KRB5CCNAME']); | |
753 | if (!$this->_gssapiCN) { | |
754 | return $this->_pear->raiseError('No Kerberos service CName set', 2); | |
755 | } | |
756 | ||
757 | putenv('KRB5CCNAME=' . $this->_gssapiCN); | |
730 | 758 | |
731 | 759 | try { |
732 | 760 | $ccache = new KRB5CCache(); |
733 | $ccahe->open($_SERVER['KRB5CCNAME']); | |
761 | $ccahe->open($this->_gssapiCN); | |
734 | 762 | |
735 | 763 | $gssapicontext = new GSSAPIContext(); |
736 | 764 | $gssapicontext->acquireCredentials($ccache); |
737 | 765 | |
738 | 766 | $token = ''; |
739 | $success = $gssapicontext->initSecContext($this->_servicePrincipal, null, null, null, $token); | |
767 | $success = $gssapicontext->initSecContext($this->_gssapiPrincipal, null, null, null, $token); | |
740 | 768 | $token = base64_encode($token); |
741 | 769 | } |
742 | 770 | catch (Exception $e) { |
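Review bot: The new line `$ccahe->open($this->_gssapiCN);` in the GSSAPI authentication hunk still calls `open()` on the misspelled `$ccahe` instead of the `$ccache` created one line above, so the credential cache is never opened; it should read `$ccache->open($this->_gssapiCN);`. On PHP 7 and later a method call on an undefined (null) variable raises an `Error`, which the `catch (Exception $e)` that follows does not catch; the catch body and the rest of the method are outside the visible lines, so confirm how that failure surfaces. Separately, `$_gssapiCN` is documented as a "service cname", and the `setServiceCN()` docblock describes `$cname` as "The Kerberos service principal", yet the value is used as the `KRB5CCNAME` credential cache name. I would reword both docblocks along the lines of `@param string $cname Kerberos credential cache name (KRB5CCNAME)`. A comment at the `putenv()` call should note that it changes the environment of the whole PHP process and that the value now comes from the caller, so it must come from trusted configuration.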