Implemented better SASL/GSSAPI authentication.

Implemented a 'sasl' auth_type for better control over authentication
flow specific to SASL.

Implemented 'sasl_dn_regex' and 'sasl_dn_replacement' config variables
for mapping from a SASL authentication ID to a bind DN, a necessary step
when using GSSAPI/Kerberos where there is no explicit bind DN provided.

Fixed setting of Kerberos credentials cache location in environment
variable. The location is derived from either an already set
environment variable or the SERVER variable set by the Apache
mod_auth_kerb module.
See http://modauthkerb.sourceforge.net/configure.html
This commit is contained in:
Dan Duvall
2010-07-09 18:01:47 -07:00
committed by Deon George
parent 7980d1c131
commit b3874bf958
3 changed files with 43 additions and 9 deletions


@@ -605,14 +605,6 @@ class ldap extends DS {
static $CACHE = array();
switch (strtolower($this->getValue('sasl','mech'))) {
case 'gssapi':
if (isset($_ENV['REDIRECT_KRB5CCNAME']))
putenv(sprintf('KRB5CCNAME={%s}',$_ENV['REDIRECT_KRB5CCNAME']));
break;
}
if (! $this->getValue('server','sasl') || ! function_exists('ldap_start_tls'))
return false;
@@ -621,9 +613,11 @@ class ldap extends DS {
$CACHE['login_pass'] = is_null($this->getPassword($method)) ? $this->getPassword('user') : $this->getPassword($method);
}
$mech = strtolower($this->getValue('sasl','mech'));
# Do we need to rewrite authz_id?
if (! isset($CACHE['authz_id']))
if (! trim($this->getValue('sasl','authz_id'))) {
if (! trim($this->getValue('sasl','authz_id')) && $mech != 'gssapi') {
if (DEBUG_ENABLED)
debug_log('Rewriting bind DN [%s] -> authz_id with regex [%s] and replacement [%s].',9,0,__FILE__,__LINE__,__METHOD__,