#1 - John Fanjoy 2012-10-26 17:16 - (Reply)
It seems like this package would be exactly what I am looking for, but so far I've had no luck installing it. First I tried "pecl install krb5" but the package is not available in pecl. There is a page on the site, but no versions are listed. I also tried downloading and installing from source and ran into the following error:
[13:00:10 root@katana:krb5.pecl]# phpize
Configuring for:
PHP Api Version: 20090626
Zend Module Api No: 20090626
Zend Extension Api No: 220090626
[13:00:34 root@katana:krb5.pecl]# ./configure --with-krb5kadm
......
checking whether KADM is exported... yes
checking for MIT kerberos/GSSAPI libraries in /usr/ /usr/local... not found
checking for Heimdal kerberos/GSSAPI libraries... not found
dir:
configure: error: No kerberos libraries (MIT/Heimdal) found
My system is authing using LDAP / kerberos with SASL and php is compiled with SASL support:
[13:01:02 root@katana:krb5.pecl]# php -i | grep -i sasl
SASL Support => Enabled
I went through the configure script generated by phpize, and I found the line where it looks for the gssapi libraries, and it looks like it looks in either /usr/lib or /usr/lib64. My libgssapi_krb5.so module actually lives in /usr/lib/x86_64-linux-gnu (Ubuntu Default). I created a symlink to satisfy the script but still get the same error.
[13:13:55 root@katana:krb5.pecl]# ln -sv /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 /usr/local/lib/libgssapi_krb5.so
`/usr/local/lib/libgssapi_krb5.so' -> `/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2'
Any help would be greatly appreciated.
#2 - Moritz Bechler 2012-12-14 16:07 - (Reply)
I'm sorry ... I somehow missed your comment. Yes, there is still no PECL packaging. I just committed a patch which should fix the library location problem. If you create symlinks you will need both libgssapi_krb5 and libkrb5.
Moritz
#3 - Denix 2013-01-21 13:29 - (Reply)
Hi Moritz,
Happy new year. Any news on the PECL packaging?
Denis
#4 - Moritz Bechler 2013-01-21 13:51 - (Reply)
Thanks.
I'm really sorry, but unfortunately not yet. I'm really busy right now and this probably won't change till March. No promises, but I'll try to look into it then.
#5 - Rodney McDuff 2013-02-08 05:55 - (Reply)
Hi Moritz,
I've been using php_krb5 quite successfully so far. Thank you very much.
However I'm having some trouble trying to get the kerberos policies working. Using either the standard kerberos policy 'user' within kadmin or using the example code from ex4.php where you can create policies within the PHP code.
I can create principals as I please but independent of the password complexity. It's almost like I'm using the 'default' policy.
I was hoping that you might create a more detailed example of ex3.php and ex4.php so I can get kerberos policies working.
#6 - Moritz Bechler 2013-02-08 10:13 - (Reply)
The following code works for me:
$conn = new KADM5(...);
$newpol = new KADM5Policy('testing');
$newpol->setMinPasswordLength(10);
$newpol->setMinPasswordClasses(3);
$conn->createPolicy($newpol);
$princ = new KADM5Principal('testuser');
$conn->createPrincipal($princ , 'testpass');
// any one of these should work
$princ->setPolicy($conn->getPolicy('testing'));
$princ->setPolicy($newpol);
$princ->setPolicy('testing');
$princ->save();
(do not forget to remove the principal and policy afterwards)
Does the policy get created (kadmin -q listpols)? Or does the problem seem to be that you cannot assign policies to users (getprinc testuser on the kadmin console lists the policy in place)?
#7 - Rodney McDuff 2013-02-11 01:28 - (Reply)
Hi Moritz,
This worked as expected. The policy is created. (PS: changed the policy a bit.
setMinPasswordLength(8)
setMinPasswordClasses(2))
kadmin: getpol testing
Policy: testing
Maximum password life: 0
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 1
Maximum password failures before lockout: 0
Password failure count reset interval: 0
Password lockout duration: 0
In this example of mine the password was "1" which should not be allowed by the policy.
I would expect that one of the various methods would at least provide a boolean if the password, etc. fits in the policy.
Maybe something like:
$bool = $conn->createPrincipal($princ , 'testpass');
#8 - Moritz Bechler 2013-02-11 18:39 - (Reply)
So, the principal does not get created and no exception is thrown? Or does the policy not seem to be in place when the principal is first created?
As far as the kadm API is concerned, there is no special function to check whether a password matches the policy, but the create_principal and chpass_principal calls should fail when mismatching passwords are provided.
As far as I can see, both cases should trigger an exception.
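Since the kadm API has no call that tests a password against a policy, an application can pre-check the two attributes set in this thread (minimum length and minimum character classes) before calling createPrincipal, while the KDC's own check stays authoritative. The following is an added example, not code from this thread or from the extension; the function name policyViolations is hypothetical, and the five character classes (lower case, upper case, digits, punctuation, everything else) are assumed to follow MIT kadmin's documented rule.

```php
<?php
// Added example: a client-side pre-check, not part of the krb5 extension.
// Assumption: classes are counted byte-wise as lower case, upper case,
// digits, punctuation and "everything else", as MIT kadmin documents.

/**
 * Return the list of policy violations for $password (empty list = passes).
 * $minLength and $minClasses correspond to "Minimum password length" and
 * "Minimum number of password character classes" in the getpol output.
 */
function policyViolations(string $password, int $minLength, int $minClasses): array
{
    $violations = [];
    $n = strlen($password);
    if ($n < $minLength) {
        $violations[] = sprintf('too short: %d < %d bytes', $n, $minLength);
    }

    // Record each class at most once; the policy counts distinct classes.
    $seen = [];
    for ($i = 0; $i < $n; $i++) {
        $ch = $password[$i];
        if (ctype_lower($ch)) {
            $seen['lower'] = true;
        } elseif (ctype_upper($ch)) {
            $seen['upper'] = true;
        } elseif (ctype_digit($ch)) {
            $seen['digit'] = true;
        } elseif (ctype_punct($ch)) {
            $seen['punct'] = true;
        } else {
            $seen['other'] = true; // whitespace, control and non-ASCII bytes
        }
    }
    if (count($seen) < $minClasses) {
        $violations[] = sprintf('only %d character class(es), need %d', count($seen), $minClasses);
    }
    return $violations;
}

// Constructed sample passwords, checked against the thread's policy values
// (minimum length 8, minimum classes 2).
foreach (['1', 'testpass', 'Testpass1', 'correct horse'] as $candidate) {
    $v = policyViolations($candidate, 8, 2);
    printf("%-16s %s\n", "'$candidate'", $v ? 'REJECT: ' . implode('; ', $v) : 'ok');
}
```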