diff --git a/config/config.php.example b/config/config.php.example
index 425a192..daf9497 100644
--- a/config/config.php.example
+++ b/config/config.php.example
@@ -314,6 +314,7 @@ $servers->setValue('server','name','My LDAP Server');
 login will be required to use phpLDAPadmin for this server.
 5. 'sasl': login will be taken from the webserver's kerberos authentication.
 Currently only GSSAPI has been tested (using mod_auth_kerb).
+ 6. 'sasl_external': login will be taken from SASL external mechanism.
 Choose wisely to protect your authentication information appropriately for your situation. If you choose 'cookie', your cookie contents will be
@@ -355,6 +356,9 @@ $servers->setValue('server','name','My LDAP Server');
 NOTE: auth_type must be simple auth compatible (ie not sasl) */
 # $servers->setValue('sasl','mech','PLAIN');
+/* SASL EXTERNAL support... really a different auth_type */
+# $servers->setValue('login','auth_type','sasl_external');
+
 /* SASL authentication realm name */
 // $servers->setValue('sasl','realm','');
 # $servers->setValue('sasl','realm','EXAMPLE.COM');
diff --git a/lib/HTMLTree.php b/lib/HTMLTree.php
index e4068d7..e96a254 100644
--- a/lib/HTMLTree.php
+++ b/lib/HTMLTree.php
@@ -136,6 +136,7 @@ class HTMLTree extends Tree {
 case 'config':
 case 'proxy':
 case 'sasl':
+ case 'sasl_external':
 break;
 default:
@@ -334,7 +335,7 @@ class HTMLTree extends Tree {
 $server = $this->getServer();
 $href = sprintf('cmd.php?cmd=logout&server_id=%s',$server->getIndex());
- if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl')))
+ if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl','sasl_external')))
 return '';
 else
 return sprintf('%s
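Review bot: The new item 6 in the auth_type list does not say where the login comes from, so an administrator cannot tell from this comment what must already be in place for 'sasl_external' to work: with SASL EXTERNAL the LDAP server derives the identity from the already-established transport (typically a TLS client certificate or ldapi peer credentials) and phpLDAPadmin itself collects no username or password. I would extend the added line to `6. 'sasl_external': login is derived by the LDAP server via the SASL EXTERNAL mechanism (e.g. a TLS client certificate or ldapi peer credentials); no username or password is prompted for, and the 'sasl' 'mech' setting is not consulted.` The remark about 'mech' follows from the lib/ds_ldap.php hunk in this commit, where the EXTERNAL branch returns before the mechanism check is reached. The comment added in the second hunk of this file would benefit from the same sentence.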
%s
',
diff --git a/lib/ds.php b/lib/ds.php
index 4b27227..31700d3 100644
--- a/lib/ds.php
+++ b/lib/ds.php
@@ -139,6 +139,7 @@ abstract class DS {
 case 'proxy':
 case 'session':
 case 'sasl':
+ case 'sasl_external':
 return $this->getValue('login','auth_type');
 default:
@@ -194,6 +195,8 @@ abstract class DS {
 else
 return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['name']);
+ case 'sasl_external':
+ return 'external';
 default:
 die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
 }
@@ -215,6 +218,7 @@ abstract class DS {
 return true;
 case 'config':
+ case 'sasl_external':
 return true;
 case 'proxy':
@@ -274,6 +278,8 @@ abstract class DS {
 else
 return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['pass']);
+ case 'sasl_external':
+ return '';
 default:
 die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
 }
@@ -400,6 +406,7 @@ abstract class DS {
 set_cookie($method.'-PASS','',time()-3600,'/');
 case 'config':
+ case 'sasl_external':
 return true;
 case 'http':
diff --git a/lib/ds_ldap.php b/lib/ds_ldap.php
index 76d3467..0c83170 100644
--- a/lib/ds_ldap.php
+++ b/lib/ds_ldap.php
@@ -590,6 +590,8 @@ class ldap extends DS {
 * $servers->setValue('login','auth_type','sasl');
 * OR
 * $servers->setValue('sasl','mech','PLAIN');
+ * OR
+ * $servers->setValue('login','auth_type','sasl_external');
 *
 *
 * @return boolean
@@ -598,7 +600,7 @@ class ldap extends DS {
 if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
- if (! in_array($this->getValue('login','auth_type'), array('sasl'))) {
+ if (! in_array($this->getValue('login','auth_type'), array('sasl','sasl_external'))) {
 // check if SASL mech uses login from other auth_types
 if (! in_array(strtolower($this->getValue('sasl', 'mech')), array('plain')))
 return false;
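Review bot: `return 'external';` in the new 'sasl_external' case of the -194 hunk hands back a fixed placeholder rather than the identity the bind actually ran as, and nothing in the hunk marks it as such, so any caller that displays the login name or compares it against a directory entry presumably gets a constant that matches no entry. I would add a comment above the case, `# Placeholder: with SASL EXTERNAL the server picks the authorization identity from the transport (TLS client certificate / peer credentials); query it after the bind (e.g. ldap_exop_whoami(), where the LDAP extension provides it) if the real identity is ever needed`. The same remark applies to the `''` returned for the password in the -274 hunk of this file, which is correct for EXTERNAL but deserves a one-line note saying no credential is sent. The enclosing methods start and end outside these hunks.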
@@ -630,6 +632,13 @@ class ldap extends DS {
 if ($method == 'anon')
 return false;
+ # EXTERNAL mech is really a different authType
+ if ($this->getAuthType() == 'sasl_external') {
+ return @ldap_sasl_bind($resource,NULL,NULL,
+ 'EXTERNAL',NULL,NULL,
+ $this->getValue('sasl','props'));
+ }
+
 # At the moment, we have only implemented GSSAPI and PLAIN
 if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi','plain'))) {
 system_message(array(
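Review bot: The `@ldap_sasl_bind(...)` in the new EXTERNAL branch discards the reason for a failed bind, so when the server has no client certificate or peer credentials to map, or does not offer the EXTERNAL mechanism, the caller only gets `false` and the log carries nothing, although this method already routes diagnostics through debug_log() and system_message(). I would keep the result, record `ldap_error($resource)` on failure and only then return, as below; `===` on the auth_type string would also avoid a loose comparison. The enclosing method, including its `$resource` and `$method` parameters, starts before the hunk and continues after it.
```php
		# EXTERNAL mech is really a different authType
		if ($this->getAuthType() === 'sasl_external') {
			$bound = @ldap_sasl_bind($resource,NULL,NULL,
				'EXTERNAL',NULL,NULL,
				$this->getValue('sasl','props'));

			if (! $bound && DEBUG_ENABLED)
				debug_log('EXTERNAL bind failed (%s)',17,0,__FILE__,__LINE__,__METHOD__,ldap_error($resource));

			return $bound;
		}
		// … unchanged: GSSAPI/PLAIN mechanism check and handling …
```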