Newsgroups: php.internals
From: Michael B Allen <mba2000@ioplex.com>
To: "Back Ports"
Cc: internals@lists.php.net
Date: Sat, 24 Mar 2007 03:31:58 -0400
Message-ID: <20070324033158.27ff4fcb.mba2000@ioplex.com>
In-Reply-To: <3e1c67bc0703232232x7eece58foc05c0bb1319192b1@mail.gmail.com>
References: <3e1c67bc0703220002x12faf6c6oa6f5796603f31561@mail.gmail.com> <20070322153530.01de5971.mba2000@ioplex.com> <3e1c67bc0703232232x7eece58foc05c0bb1319192b1@mail.gmail.com>
Subject: Re: [PHP-DEV] Bug # 33500 | imap auth fails when server advertises gssapi

On Sat, 24 Mar 2007 10:32:41 +0500 "Back Ports" wrote:

> ldap_sasl_auth() doesn't support gssapi either, though my earlier post
> to this list ended up on a web site somewhere with a note saying
> 'theoretically it's possible'.

Not true. The ldap_sasl_bind function does in fact support GSSAPI binds with at least the Kerberos mech. We have an example script that does it. This is what our code looks like:

    $px = plexcel_new(NULL, array('putenv_krb5ccname' => TRUE));
    if ($px == NULL)
        die("\n" . plexcel_status(NULL) . "\n");
    if (plexcel_authenticate($px, session_id()) == FALSE)
        die("\n" . plexcel_status($px) . "\n");

    $ldap = ldap_connect($ldap_server);   // $ldap_server and $cn are set earlier in the script
    if ($ldap) {
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // AD returns referrals; don't chase them
        // No DN or password: the bind uses the Kerberos credentials in KRB5CCNAME
        if (ldap_sasl_bind($ldap)) {
            // WARNING: escape special chars in filter like acctmgr.php
            // (ldap_escape() needs PHP >= 5.6; before that, escape by hand)
            $filter = '(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . ')';
            $srch = ldap_search($ldap, 'DC=example,DC=com', $filter);
            if ($srch) {
                $info = ldap_get_entries($ldap, $srch);
                for ($i = 0; $i < $info["count"]; $i++) {
                    // attribute names come back lower-cased from ldap_get_entries
                    if (isset($info[$i]['distinguishedname'])) {
                        $resp = 'Success: ' . $info[$i]['distinguishedname'][0];
                        break;
                    }
                }
            } else {
                $err = "LDAP Error: " . ldap_error($ldap) . "\n";
            }
        } else {
            $err = "LDAP Error: " . ldap_error($ldap) . "\n";
        }
        ldap_close($ldap);
    } else {
        $err = "Error: ldap_connect\n";
    }

The first 5 lines are specific to our product, but if you used mod_auth_kerb instead with the option:

    KrbSaveCredentials on

the ldap_sasl_bind should work with the above code (never tried it, but I would be surprised if it didn't work).

One thing that I have noticed that does not appear to work is using KRB5_KTNAME to specify a keytab file from which to get credentials (although it may have been the curl extension that I was trying).

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/