On Sat, 24 Mar 2007 10:32:41 +0500 "Back Ports" <[EMAIL PROTECTED]> wrote:
> ldap_sasl_auth() doesn't support gssapi either, though my earlier post
> to this list ended up on a web site somewhere with a note saying
> 'theoretically it's possible'.

Not true. The ldap_sasl_bind function does in fact support GSSAPI binds
with at least the Kerberos mech. We have an example script that does
it. This is what our code looks like:

    $px = plexcel_new(NULL, array('putenv_krb5ccname' => TRUE));
    if ($px == NULL)
        die('<pre>' . plexcel_status(NULL) . '</pre>');
    if (plexcel_authenticate($px, session_id()) == FALSE)
        die('<pre>' . plexcel_status($px) . '</pre>');

    $ldap = ldap_connect($ldap_server);
    if ($ldap) {
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

        if (ldap_sasl_bind($ldap)) {
            // WARNING: escape special chars in filter like acctmgr.php
            $srch = ldap_search($ldap, 'DC=example,DC=com', "(cn=$cn)");
            if ($srch) {
                $info = ldap_get_entries($ldap, $srch);
                for ($i = 0; $i < $info["count"]; $i++) {
                    if (isset($info[$i]['distinguishedname'])) {
                        $resp = 'Success: ' . $info[$i]['distinguishedname'][0];
                        break;
                    }
                }
            } else {
                $err = "LDAP Error: " . ldap_error($ldap) . "\n";
            }
        } else {
            $err = "LDAP Error: " . ldap_error($ldap) . "\n";
        }

        ldap_close($ldap);
    } else {
        $err = "Error: ldap_connect\n";
    }

The first 5 lines are specific to our product but if you used
mod_auth_kerb instead with the option:

    KrbSaveCredentials on

the ldap_sasl_bind should work with the above code (never tried it but
I would be surprised if it didn't work).

One thing that I have noticed that does not appear to work is using
KRB5_KTNAME to specify a keytab file from which to get credentials
(although it may have been the curl extension that I was trying).

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

-- 
PHP Internals - PHP Runtime Development Mailing List
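
The escaping step that the WARNING comment in the posted code calls for, as an added example that is not part of the original message or of the poster's product. The helper names escape_filter_value() and build_cn_filter() are hypothetical, the sample inputs are constructed, and the scalar type declarations assume PHP 7 or later.

```php
<?php
// Added example: RFC 4515 escaping for a value placed inside an LDAP
// search filter, so user input cannot change the filter's structure.
// escape_filter_value() and build_cn_filter() are hypothetical names.

function escape_filter_value(string $value): string
{
    // PHP >= 5.6 ships ldap_escape(); prefer it when the extension is loaded.
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }

    // Fallback: hex-escape the characters RFC 4515 reserves in filter values.
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c = $value[$i];
        if ($c === '\\' || $c === '*' || $c === '(' || $c === ')' || $c === "\0") {
            $out .= sprintf('\\%02x', ord($c));
        } else {
            $out .= $c;
        }
    }
    return $out;
}

function build_cn_filter(string $cn): string
{
    // The escaped value stays a single assertion value inside (cn=...).
    return '(cn=' . escape_filter_value($cn) . ')';
}

// Constructed sample inputs: an ordinary name, a value carrying filter
// metacharacters, and a value containing a backslash.
$samples = array('Alice Smith', 'a*)(objectClass=*', 'back\\slash');
foreach ($samples as $cn) {
    printf("%-20s => %s\n", $cn, build_cn_filter($cn));
}

// In the posted script the search call would then read:
//   $srch = ldap_search($ldap, 'DC=example,DC=com', build_cn_filter($cn));
```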