Added SASL EXTERNAL authentication support

New auth_type 'sasl_external'.  Login is hard coded as 'external'

config/config.php.example

@@ -314,6 +314,7 @@ $servers->setValue('server','name','My LDAP Server');
       login will be required to use phpLDAPadmin for this server.
    5. 'sasl': login will be taken from the webserver's kerberos authentication.
       Currently only GSSAPI has been tested (using mod_auth_kerb).
+   6. 'sasl_external': login will be taken from SASL external mechanism.
 
    Choose wisely to protect your authentication information appropriately for
    your situation. If you choose 'cookie', your cookie contents will be
@@ -355,6 +356,9 @@ $servers->setValue('server','name','My LDAP Server');
    NOTE: auth_type must be simple auth compatible (ie not sasl) */
 #  $servers->setValue('sasl','mech','PLAIN');
 
+/* SASL EXTERNAL support... really a different auth_type */
+#  $servers->setValue('login','auth_type','sasl_external');
+
 /* SASL authentication realm name */
 // $servers->setValue('sasl','realm','');
 #  $servers->setValue('sasl','realm','EXAMPLE.COM');

lib/HTMLTree.php

@@ -136,6 +136,7 @@ class HTMLTree extends Tree {
 				case 'config':
 				case 'proxy':
 				case 'sasl':
+				case 'sasl_external':
 					break;
 
 				default:
@@ -334,7 +335,7 @@ class HTMLTree extends Tree {
 		$server = $this->getServer();
 		$href = sprintf('cmd.php?cmd=logout&server_id=%s',$server->getIndex());
 
-		if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl')))
+		if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl','sasl_external')))
 			return '';
 		else
 			return sprintf('<a href="%s" title="%s"><img src="%s/%s" alt="%s" /><br />%s</a>',

lib/ds.php

@@ -139,6 +139,7 @@ abstract class DS {
 			case 'proxy':
 			case 'session':
 			case 'sasl':
+			case 'sasl_external':
 				return $this->getValue('login','auth_type');
 
 			default:
@@ -194,6 +195,8 @@ abstract class DS {
 				else
 					return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['name']);
 
+			case 'sasl_external':
+				return 'external';
 			default:
 				die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
 		}
@@ -215,6 +218,7 @@ abstract class DS {
 				return true;
 
 			case 'config':
+			case 'sasl_external':
 				return true;
 
 			case 'proxy':
@@ -274,6 +278,8 @@ abstract class DS {
 				else
 					return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['pass']);
 
+			case 'sasl_external':
+				return '';
 			default:
 				die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
 		}
@@ -400,6 +406,7 @@ abstract class DS {
 				set_cookie($method.'-PASS','',time()-3600,'/');
 
 			case 'config':
+			case 'sasl_external':
 				return true;
 
 			case 'http':

lib/ds_ldap.php

@@ -590,6 +590,8 @@ class ldap extends DS {
 	 *	$servers->setValue('login','auth_type','sasl');
 	 * OR
 	 *      $servers->setValue('sasl','mech','PLAIN');
+	 * OR
+	 *	$servers->setValue('login','auth_type','sasl_external');
 	 * </code>
 	 *
 	 * @return boolean
@@ -598,7 +600,7 @@ class ldap extends DS {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
-		if (! in_array($this->getValue('login','auth_type'), array('sasl'))) {
+		if (! in_array($this->getValue('login','auth_type'), array('sasl','sasl_external'))) {
 			// check if SASL mech uses login from other auth_types
 			if (! in_array(strtolower($this->getValue('sasl', 'mech')), array('plain')))
 				return false;
@@ -630,6 +632,13 @@ class ldap extends DS {
 		if ($method == 'anon')
 			return false;
 
+		# EXTERNAL mech is really a different authType
+		if ($this->getAuthType() == 'sasl_external') {
+			return @ldap_sasl_bind($resource,NULL,NULL,
+					       'EXTERNAL',NULL,NULL,
+					       $this->getValue('sasl','props'));
+		}
+
 		# At the moment, we have only implemented GSSAPI and PLAIN
 		if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi','plain'))) {
 			system_message(array(