Bug # 33500 | imap auth fails when server advertises gssapi

18 years ago by Back Ports — view source — reply

unread

Hi all,

Is there any progress on the following bug report:

http://bugs.php.net/bug.php?id=33500&thanks=6

It was reported quite a while ago -- I also saw a relevant post on the
mit kerberos mailing list where discussed patches fixed the issue,
however, they appear impossible to track down.

http://mailman.mit.edu/pipermail/kerberos/2006-April/009629.html

Regards,
Mustafa.

Mustafa A. Hashmi
backports@gmail.com

18 years ago by Michael B Allen — view source — reply

unread

On Thu, 22 Mar 2007 12:02:50 +0500
"Back Ports" backports@gmail.com wrote:

Hi all,

Is there any progress on the following bug report:

http://bugs.php.net/bug.php?id=33500&thanks=6

It was reported quite a while ago -- I also saw a relevant post on the
mit kerberos mailing list where discussed patches fixed the issue,
however, they appear impossible to track down.

http://mailman.mit.edu/pipermail/kerberos/2006-April/009629.html

I'm not a php dev and I don't know the status of this bug but I have a
possible solution for you anyway.

If you're on an Active Directory network (very possible if your IMAP
server is offering GSSAPI) then you could use our product to get the
necessary credential so that the IMAP extension's GSSAPI auth works.

With our Plexcel PHP extension (see sig) you can acquire Kerberos
credentials in three ways - 1 Single Sign-On (the delegated credential
from the web client); 2 use the HTTP service account cred; or 3 explicit
logon with username and password.

So you could use any one of those three credentials (with the
putenv_krb5ccname option) to get a Kerberos cred and then IMAP's GSSAPI
auth should work.

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

18 years ago by Back Ports — view source — reply

unread

Mike,

Thanks for your reply.

On Thu, 22 Mar 2007 12:02:50 +0500
"Back Ports" backports@gmail.com wrote:

Hi all,

Is there any progress on the following bug report:

http://bugs.php.net/bug.php?id=33500&thanks=6

It was reported quite a while ago -- I also saw a relevant post on the
mit kerberos mailing list where discussed patches fixed the issue,
however, they appear impossible to track down.

http://mailman.mit.edu/pipermail/kerberos/2006-April/009629.html

I'm not a php dev and I don't know the status of this bug but I have a
possible solution for you anyway.

If you're on an Active Directory network (very possible if your IMAP
server is offering GSSAPI) then you could use our product to get the
necessary credential so that the IMAP extension's GSSAPI auth works.

We're on MIT kerberos, openldap & dovecot is the imap server. Our
gssapi bit works well for all clients, etc. -- it's only the php imap
call which chokes.

With our Plexcel PHP extension (see sig) you can acquire Kerberos
credentials in three ways - 1 Single Sign-On (the delegated credential
from the web client); 2 use the HTTP service account cred; or 3 explicit
logon with username and password.

The problem is that php doesn't go ahead and try plain auth if gssapi
doesn't work out -- I don't think supplying krb5 credentials would
work -- however, I will go ahead and give that a shot. We're using
stanford's webauth and a user ticket can easily be made available when
trying gssapi.

ldap_sasl_auth() doesn't support gssapi either, though my earlier post
to this list ended up on a web site somewhere with a note saying
'theoretically it's possible'.

Appreciate your help.

mustafa.

18 years ago by Michael B Allen — view source — reply

unread

On Sat, 24 Mar 2007 10:32:41 +0500
"Back Ports" backports@gmail.com wrote:

ldap_sasl_auth() doesn't support gssapi either, though my earlier post
to this list ended up on a web site somewhere with a note saying
'theoretically it's possible'.

Not true. The ldap_sasl_bind function does in-fact support GSSAPI binds
with at least the Kerberos mech. We have an example script that does
it. This is what our code looks like:

$px = plexcel_new(NULL, array('putenv_krb5ccname' => TRUE));
if ($px == NULL)
die('<pre>' . plexcel_status(NULL) . '</pre>');
if (plexcel_authenticate($px, session_id()) == FALSE)
die('<pre>' . plexcel_status($px) . '</pre>');

$ldap = ldap_connect($ldap_server);
if ($ldap) {
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if (ldap_sasl_bind($ldap)) {
// WARNING: escape special chars in filter like acctmgr.php
$srch = ldap_search($ldap, 'DC=example,DC=com', "(cn=$cn)");
if ($srch) {
$info = ldap_get_entries($ldap, $srch);
for ($i = 0; $i < $info["count"]; $i++) {
if (isset($info[$i]['distinguishedname'])) {
$resp = 'Success: ' . $info[$i]['distinguishedname'][0];
break;
}
}
} else {
$err = "LDAP Error: " . ldap_error($ldap) . "\n";
}
} else {
$err = "LDAP Error: " . ldap_error($ldap) . "\n";
}

  ldap_close($ldap);

} else {
$err = "Error: ldap_connect\n";
}

The first 5 lines are specific to our product but if you used
mod_auth_kerb instead with the option:

KrbSaveCredentials on

the ldap_sasl_bind should work with the above code (never tried it but
I would be surprised if it didn't work).

One thing that I have noticed that does not appear to work is using
KRB5_KTNAME to specify a keytab file from which to get credentials
(although it may have been the curl extension that I was trying).

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

18 years ago by Back Ports — view source — reply

unread

On Sat, 24 Mar 2007 10:32:41 +0500
"Back Ports" backports@gmail.com wrote:

ldap_sasl_auth() doesn't support gssapi either, though my earlier post
to this list ended up on a web site somewhere with a note saying
'theoretically it's possible'.

Not true. The ldap_sasl_bind function does in-fact support GSSAPI binds
with at least the Kerberos mech. We have an example script that does
it. This is what our code looks like:

$px = plexcel_new(NULL, array('putenv_krb5ccname' => TRUE));
if ($px == NULL)
die('<pre>' . plexcel_status(NULL) . '</pre>');
if (plexcel_authenticate($px, session_id()) == FALSE)
die('<pre>' . plexcel_status($px) . '</pre>');

$ldap = ldap_connect($ldap_server);
if ($ldap) {
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if (ldap_sasl_bind($ldap)) {
// WARNING: escape special chars in filter like acctmgr.php
$srch = ldap_search($ldap, 'DC=example,DC=com', "(cn=$cn)");
if ($srch) {
$info = ldap_get_entries($ldap, $srch);
for ($i = 0; $i < $info["count"]; $i++) {
if (isset($info[$i]['distinguishedname'])) {
$resp = 'Success: ' . $info[$i]['distinguishedname'][0];
break;
}
}
} else {
$err = "LDAP Error: " . ldap_error($ldap) . "\n";
}
} else {
$err = "LDAP Error: " . ldap_error($ldap) . "\n";
}
  ldap_close($ldap);
} else {
$err = "Error: ldap_connect\n";
}

The first 5 lines are specific to our product but if you used
mod_auth_kerb instead with the option:

KrbSaveCredentials on

the ldap_sasl_bind should work with the above code (never tried it but
I would be surprised if it didn't work).

One thing that I have noticed that does not appear to work is using
KRB5_KTNAME to specify a keytab file from which to get credentials
(although it may have been the curl extension that I was trying).

Appreciate your detailed example. Let me try the SASL bit. I also read
how the mail bit can work in a comment on php.net -- will confirm both
of these findings.

Again, thanks.

Mustafa.

Bug # 33500 | imap auth fails when server advertises gssapi

Regards, Mustafa.

Regards,
Mustafa.