It seems like this package would be exactly what I am looking for, but so far I've had no luck installing it. First I tried "pecl install krb5" but the package is not available in pecl. There is a page on the site, but no versions are listed. I also tried downloading and installing from source. and ran into the following error:
[13:00:10 root@katana:krb5.pecl]# phpize
PHP Api Version: 20090626
Zend Module Api No: 20090626
Zend Extension Api No: 220090626
[13:00:34 root@katana:krb5.pecl]# ./configure --with-krb5kadm
checking whether KADM is exported... yes
checking for MIT kerberos/GSSAPI libraries in /usr/ /usr/local... not found
checking for Heimdal kerberos/GSSAPI libraries... not found
configure: error: No kerberos libraries (MIT/Heimdal) found
My system is authing using LDAP / kerberos with SASL and php is compiled with SASL support
[13:01:02 root@katana:krb5.pecl]# php -i | grep -i sasl
SASL Support => Enabled
I went through the configure script generated by phpize, and I found the line where it looks for the gssapi libraries, and it looks like it looks in either /usr/lib and /usr/lib64. My libgssapi_krb5.so module actually lives in /usr/lib/x86_64-linux-gnu (Ubuntu Default). I created a symlink to satisfy the script but still get the same error.
[13:13:55 root@katana:krb5.pecl]# ln -sv /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 /usr/local/lib/libgssapi_krb5.so
`/usr/local/lib/libgssapi_krb5.so' -> `/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2'
Any help would be greatly appreciated.
I'm sorry ... I somehow missed your comment. Yes, there is still no PECL packaging. I just committed a patch which should fix the library location problem. If you create symlinks you will need both libgssapi_krb5 and libkrb5.
happy new year any news in the PECL packaging?
I'm really sorry, but unfortunately not yet. I'm really busy right now and this probably won't change till march. No promises, but I'll try to look into it then.
I've been using php_krb5 quite successfully so far. Thank you very much.
However I'm having some trouble trying to get the kerberos policies working. Using either the standard kerberos policy 'user' within kadmin or using the example code from ex4.php where you can create policies within the PHP code.
I can create principals as I please but independent of the password complexity. Its all most like I using the 'default' policy.
I was hoping that you might create a more detailed example of ex3.php and ex4.php so I can get kerberos policies working.
The following code works for me:
$conn = KADM5(...);
$newpol = new KADM5Policy('testing');
$princ = new KADM5Principal('testuser');
$conn->createPrincipal($princ , 'testpass');
// either of this should work
(do not forget to remove the principal and policy afterwards)
Does the policy get created (kadmin -q listpols)? Or does the problem seem to be that you cannot assign policies to users (getprinc testuser on the kadmin console lists the policy in place)?
This worked expected. The policy is created. (PS changed the policy a bit.
kadmin: getpol testing
Maximum password life: 0
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 1
Maximum password failures before lockout: 0
Password failure count reset interval: 0
Password lockout duration: 0
In this example of mine the password was "1" which should not be allowed by the policy.
I would expect that one of the various methods would atleast provide a boolean if the password, etc fits in the policy.
maybe some thing like:
$bool = $conn->createPrincipal($princ , 'testpass');
So, the principal does not get created and no exception is thrown? Or does the policy not seem to be in place when the principal is first created?
As far as the kadm API is concerned, there is no special function to check whether a password matches the policy, but the create_principal and chpass_principal calls should fail when mismatching passwords are provided.
As far as I can see, both cases should trigger an exception.