Comments on: phpLDAPadmin and Kerberos http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/ A sourceful of secrets Tue, 08 Jun 2010 22:31:18 +0000 hourly 1 http://wordpress.com/ By: Ryan Lane http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-105 Ryan Lane Tue, 08 Jun 2010 22:31:18 +0000 http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-105 Note that your distro may not compile ldap-sasl support into PHP, but may distribute a package that adds this support. You can tell by running ldd on the correct module, and ensuring it links to SASL libraries. For instance, on Red Hat Enterprise Linux, the php-ldap package provides this support: <pre> [root@example ~]# rpm -ql php-ldap /etc/php.d/ldap.ini /usr/lib64/php/modules/ldap.so [root@example ~]# ldd /usr/lib64/php/modules/ldap.so libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002b09b2017000) libldap-2.3.so.0 => /usr/lib64/libldap-2.3.so.0 (0x00002b09b2230000) liblber-2.3.so.0 => /usr/lib64/liblber-2.3.so.0 (0x00002b09b246a000) libc.so.6 => /lib64/libc.so.6 (0x00002b09b2679000) libdl.so.2 => /lib64/libdl.so.2 (0x00002b09b29d0000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b09b2bd4000) libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b09b2dea000) libssl.so.6 => /lib64/libssl.so.6 (0x00002b09b3022000) libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b09b326e000) /lib64/ld-linux-x86-64.so.2 (0x0000003530c00000) libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b09b35c0000) libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b09b37ee000) libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b09b3a83000) libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b09b3c86000) libz.so.1 => /usr/lib64/libz.so.1 (0x00002b09b3eab000) libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b09b40bf000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b09b42c8000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b09b44ca000) libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b09b46e3000) </pre> Note above "libsasl2.so.2". Note that your distro may not compile ldap-sasl support into PHP, but may distribute a package that adds this support. You can tell by running ldd on the correct module, and ensuring it links to SASL libraries. For instance, on Red Hat Enterprise Linux, the php-ldap package provides this support:

[root@example ~]# rpm -ql php-ldap
/etc/php.d/ldap.ini
/usr/lib64/php/modules/ldap.so
[root@example ~]# ldd /usr/lib64/php/modules/ldap.so
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002b09b2017000)
        libldap-2.3.so.0 => /usr/lib64/libldap-2.3.so.0 (0x00002b09b2230000)
        liblber-2.3.so.0 => /usr/lib64/liblber-2.3.so.0 (0x00002b09b246a000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b09b2679000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002b09b29d0000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b09b2bd4000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b09b2dea000)
        libssl.so.6 => /lib64/libssl.so.6 (0x00002b09b3022000)
        libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b09b326e000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003530c00000)
        libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b09b35c0000)
        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b09b37ee000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b09b3a83000)
        libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b09b3c86000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002b09b3eab000)
        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b09b40bf000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b09b42c8000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b09b44ca000)
        libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b09b46e3000)

Note above “libsasl2.so.2″.

]]> By: mazsi http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-33 mazsi Sat, 05 Jan 2008 08:55:51 +0000 http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-33 as of phpldapadmin v1.1.0.3: if you set login_dn or login_pass to empty string, and anything other than anonymous bind is being used (as it is in our case) LDAPserver::connect() will refuse to login (it will always return false). so instead of $ldapservers->SetValue($i,'login','dn',''); $ldapservers->SetValue($i,'login','pass',''); use for example this: $ldapservers->SetValue($i,'login','dn','cn=noone'); $ldapservers->SetValue($i,'login','pass','passwd'); (you can set any value here, since you are using GSSAPI they will not be used.) as of phpldapadmin v1.1.0.3: if you set login_dn or login_pass to empty string, and anything other than anonymous bind is being used (as it is in our case) LDAPserver::connect() will refuse to login (it will always return false).

so instead of

$ldapservers->SetValue($i,’login’,'dn’,”);
$ldapservers->SetValue($i,’login’,'pass’,”);

use for example this:

$ldapservers->SetValue($i,’login’,'dn’,'cn=noone’);
$ldapservers->SetValue($i,’login’,'pass’,'passwd’);

(you can set any value here, since you are using GSSAPI they will not be used.)

]]> By: aeb http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-32 aeb Mon, 01 Oct 2007 13:44:23 +0000 http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-32 Hi Ezra, No this will not allow you to create/change Kerberos passwords. This setup just uses Kerberos to authenticate users accessing phpladpadmin. Hope this helps. Hi Ezra, No this will not allow you to create/change Kerberos passwords. This setup just uses Kerberos to authenticate users accessing phpladpadmin. Hope this helps.

]]> By: Ezra Taylor http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-31 Ezra Taylor Sat, 29 Sep 2007 20:39:32 +0000 http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-31 Hello: Will this feature allow me to create/change users Kerberos passwords in phpldapadmin? Hello:
Will this feature allow me to create/change users Kerberos passwords in phpldapadmin?

]]> By: jag http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-30 jag Wed, 08 Aug 2007 11:21:15 +0000 http://left.subtree.org/2007/06/26/phpldapadmin-and-kerberos/#comment-30 It almost works, except for the last change. Putting the "putenv(KRB5..." line at the top, or anywhere else, in the common.php file did not work, in the phpldapadmin log I could see that GSSAPI still assumed to find the ticket in "/tmp/krb5cc_80" and not in /tmp/krb5cc_apache_XXXXXX where mod_auth_kerb saved it. What does work for me is a changed mod_auth_kerb.c source where you can replace the line: ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); with: ccname = apr_psprintf(r->pool, "FILE:/tmp/krb5cc_80") ; mod_auth_kerb should offer this as a configurable option I think. It almost works, except for the last change. Putting the “putenv(KRB5…” line at the top, or anywhere else, in the common.php file did not work, in the phpldapadmin log I could see that GSSAPI still assumed to find the ticket in “/tmp/krb5cc_80″ and not in /tmp/krb5cc_apache_XXXXXX where mod_auth_kerb saved it.
What does work for me is a changed mod_auth_kerb.c source where you can replace the line:

ccname = apr_psprintf(r->pool, “FILE:%s/krb5cc_apache_XXXXXX”, P_tmpdir);

with:

ccname = apr_psprintf(r->pool, “FILE:/tmp/krb5cc_80″) ;

mod_auth_kerb should offer this as a configurable option I think.

]]>