Newsgroups: php.internals
Date: Sat, 24 Mar 2007 14:13:17 +0500
To: "Michael B Allen"
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Bug # 33500 | imap auth fails when server advertises gssapi
From: backports@gmail.com ("Back Ports")

On 3/24/07, Michael B Allen wrote:
> On Sat, 24 Mar 2007 10:32:41 +0500
> "Back Ports" wrote:
>
> > ldap_sasl_auth() doesn't support gssapi either, though my earlier post
> > to this list ended up on a web site somewhere with a note saying
> > 'theoretically it's possible'.
>
> Not true. The ldap_sasl_bind function does in fact support GSSAPI binds
> with at least the Kerberos mech. We have an example script that does
> it. This is what our code looks like:
>
>     $px = plexcel_new(NULL, array('putenv_krb5ccname' => TRUE));
>     if ($px == NULL)
>         die(plexcel_status(NULL));
>     if (plexcel_authenticate($px, session_id()) == FALSE)
>         die(plexcel_status($px));
>
>     $ldap = ldap_connect($ldap_server);
>     if ($ldap) {
>         ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
>         ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
>         if (ldap_sasl_bind($ldap)) {
>             // WARNING: escape special chars in filter like acctmgr.php
>             $srch = ldap_search($ldap, 'DC=example,DC=com', "(cn=$cn)");
>             if ($srch) {
>                 $info = ldap_get_entries($ldap, $srch);
>                 for ($i = 0; $i < $info["count"]; $i++) {
>                     if (isset($info[$i]['distinguishedname'])) {
>                         $resp = 'Success: ' . $info[$i]['distinguishedname'][0];
>                         break;
>                     }
>                 }
>             } else {
>                 $err = "LDAP Error: " . ldap_error($ldap) . "\n";
>             }
>         } else {
>             $err = "LDAP Error: " . ldap_error($ldap) . "\n";
>         }
>
>         ldap_close($ldap);
>     } else {
>         $err = "Error: ldap_connect\n";
>     }
>
> The first 5 lines are specific to our product but if you used
> mod_auth_kerb instead with the option:
>
>     KrbSaveCredentials on
>
> the ldap_sasl_bind should work with the above code (never tried it but
> I would be surprised if it didn't work).
>
> One thing that I have noticed that does not appear to work is using
> KRB5_KTNAME to specify a keytab file from which to get credentials
> (although it may have been the curl extension that I was trying).

Appreciate your detailed example. Let me try the SASL bit. I also read how
the mail bit can work in a comment on php.net -- will confirm both of these
findings.

Again, thanks.
Mustafa.
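
Added example (not part of the original messages, and not the poster's product code): the WARNING comment in the quoted script says to escape special characters before $cn goes into the search filter. One way to do that in PHP follows; the function names and sample inputs are made up for illustration, and ldap_escape() is only available in PHP 5.6 or later with the ldap extension loaded.

```php
<?php
// Added example: escape a value for use inside an LDAP search filter
// (RFC 4515) so user input cannot change the filter's structure.
// escape_filter_value() and build_cn_filter() are hypothetical helper names.

function escape_filter_value(string $value): string
{
    // Prefer the built-in when the ldap extension provides it (PHP >= 5.6).
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Fallback: strtr() with an array never rescans its own output, so the
    // backslashes it inserts are not escaped a second time.
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

function build_cn_filter(string $cn): string
{
    // An empty value would produce "(cn=)", which is not a useful lookup.
    if ($cn === '') {
        throw new InvalidArgumentException('cn must not be empty');
    }
    return '(cn=' . escape_filter_value($cn) . ')';
}

// Constructed sample inputs: one ordinary name, then values that contain
// filter metacharacters (wildcard, parentheses, backslash).
$samples = ['jsmith', '*', 'x)(objectClass=*', 'a\\b'];

foreach ($samples as $cn) {
    printf(
        "%-18s interpolated: %-24s escaped: %s\n",
        $cn,
        "(cn=$cn)",            // what the quoted script would send
        build_cn_filter($cn)   // what should be sent instead
    );
}
```

With this in place, the search call in the quoted script would pass build_cn_filter($cn) as its third argument instead of "(cn=$cn)".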