Parametrize GSSAPI CName
Aleksander Machniak
6 years ago
| 197 | 197 | * |
| 198 | 198 | * @var string |
| 199 | 199 | */ |
| 200 | var $_servicePrincipal = null; | |
| 200 | var $_gssapiPrincipal = null; | |
| 201 | ||
| 202 | /** | |
| 203 | * Kerberos service cname to use for GSSAPI authentication. | |
| 204 | * | |
| 205 | * @var string | |
| 206 | */ | |
| 207 | var $_gssapiCN = null; | |
| 201 | 208 | |
| 202 | 209 | /** |
| 203 | 210 | * Constructor. |
| 223 | 230 | * @param mixed $handler A callback handler for the debug output. |
| 224 | 231 | * @param string $principal Kerberos service principal to use |
| 225 | 232 | * with GSSAPI authentication. |
| 233 | * @param string $cname Kerberos service cname to use | |
| 234 | * with GSSAPI authentication. | |
| 226 | 235 | */ |
| 227 | 236 | function __construct($user = null, $pass = null, $host = 'localhost', |
| 228 | 237 | $port = 2000, $logintype = '', $euser = '', |
| 229 | 238 | $debug = false, $bypassAuth = false, $useTLS = true, |
| 230 | $options = null, $handler = null, $principal = null | |
| 239 | $options = null, $handler = null, $principal = null, $cname = null | |
| 231 | 240 | ) { |
| 232 | 241 | $this->_pear = new PEAR(); |
| 233 | 242 | $this->_state = NET_SIEVE_STATE_DISCONNECTED; |
| 241 | 250 | $this->_bypassAuth = $bypassAuth; |
| 242 | 251 | $this->_useTLS = $useTLS; |
| 243 | 252 | $this->_options = (array) $options; |
| 244 | $this->_servicePrincipal = $principal; | |
| 253 | $this->_gssapiPrincipal = $principal; | |
| 254 | $this->_gssapiCN = $cname; | |
| 245 | 255 | |
| 246 | 256 | $this->setDebug($debug, $handler); |
| 247 | 257 | |
| 295 | 305 | */ |
| 296 | 306 | function setServicePrincipal($principal) |
| 297 | 307 | { |
| 298 | $this->_servicePrincipal = $principal; | |
| 308 | $this->_gssapiPrincipal = $principal; | |
| 309 | } | |
| 310 | ||
| 311 | /** | |
| 312 | * Sets the Kerberos service CName for use with GSSAPI | |
| 313 | * authentication. | |
| 314 | * | |
| 315 | * @param string $cname The Kerberos service principal | |
| 316 | * | |
| 317 | * @return void | |
| 318 | */ | |
| 319 | function setServiceCN($cname) | |
| 320 | { | |
| 321 | $this->_gssapiCN = $cname; | |
| 299 | 322 | } |
| 300 | 323 | |
| 301 | 324 | /** |
| 711 | 734 | /** |
| 712 | 735 | * Authenticates the user using the GSSAPI method. |
| 713 | 736 | * |
| 714 | * @note the PHP krb5 extension is required and the service principal must have been set. | |
| 737 | * @note the PHP krb5 extension is required and the service principal and cname | |
| 738 | * must have been set. | |
| 715 | 739 | * @see setServicePrincipal() |
| 716 | 740 | * |
| 717 | 741 | * @return void |
| 722 | 746 | return $this->_pear->raiseError('The krb5 extension is required for GSSAPI authentication', 2); |
| 723 | 747 | } |
| 724 | 748 | |
| 725 | if (!$this->_servicePrincipal) { | |
| 749 | if (!$this->_gssapiPrincipal) { | |
| 726 | 750 | return $this->_pear->raiseError('No Kerberos service principal set', 2); |
| 727 | 751 | } |
| 728 | 752 | |
| 729 | putenv('KRB5CCNAME=' . $_SERVER['KRB5CCNAME']); | |
| 753 | if (!$this->_gssapiCN) { | |
| 754 | return $this->_pear->raiseError('No Kerberos service CName set', 2); | |
| 755 | } | |
| 756 | ||
| 757 | putenv('KRB5CCNAME=' . $this->_gssapiCN); | |
| 730 | 758 | |
| 731 | 759 | try { |
| 732 | 760 | $ccache = new KRB5CCache(); |
| 733 | $ccahe->open($_SERVER['KRB5CCNAME']); | |
| 761 | $ccahe->open($this->_gssapiCN); | |
| 734 | 762 | |
| 735 | 763 | $gssapicontext = new GSSAPIContext(); |
| 736 | 764 | $gssapicontext->acquireCredentials($ccache); |
| 737 | 765 | |
| 738 | 766 | $token = ''; |
| 739 | $success = $gssapicontext->initSecContext($this->_servicePrincipal, null, null, null, $token); | |
| 767 | $success = $gssapicontext->initSecContext($this->_gssapiPrincipal, null, null, null, $token); | |
| 740 | 768 | $token = base64_encode($token); |
| 741 | 769 | } |
| 742 | 770 | catch (Exception $e) { |