1 <?php
2 /*
3 This code is part of GOsa (https://gosa.gonicus.de)
4 Copyright (C) 2007 Cajus Pollmeier
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 */
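/*!
 * \brief Password method that keeps the user's secret in an MIT Kerberos KDC.
 *
 * The value written to userPassword is only a reference to the principal
 * ("{kerberos}uid@REALM" or "{sasl}uid@REALM", see generate_hash()); the
 * key itself is managed on the KDC through the GOsa support daemon
 * (gosaSupportDaemon, krb5_* calls).
 *
 * NOTE(review): set_password(), save() and load_principal() are still stubs
 * in this file -- the KDC/LDAP writes are commented out or unreachable, and
 * is_account is never set to TRUE anywhere in this class.
 */
class passwordMethodMIT extends passwordMethod
{
    /* Principal settings edited in the configure() dialog. Lifetimes are
       seconds; the *Start/*End values are strings of the form
       YYYYMMDDHHMMZ (12 digits + 'Z'), produced by save_object(). */
    public $krb5MaxLife   = "";
    public $krb5MaxRenew  = "";
    public $krb5ValidStart  = "";
    public $krb5ValidEnd    = "";
    public $krb5PasswordEnd = "";

    /* TRUE means "attribute not set" -- the matching date is then neither
       validated by check() nor written by save(). */
    public $krb5ValidStart_clear  = TRUE;
    public $krb5ValidEnd_clear    = TRUE;
    public $krb5PasswordEnd_clear = TRUE;

    /* FALSE once the dialog has been saved or aborted. */
    public $display = TRUE;

    /* Bit index => KDC flag name; krb5KDCFlags is the OR of 2^index. */
    public $flag_list = array(
        "0" =>"initial" ,
        "1" =>"forwardable" ,
        "2" =>"proxiable" ,
        "3" =>"renewable" ,
        "4" =>"postdate" ,
        "5" =>"server" ,
        "6" =>"client" ,
        "7" =>"invalid" ,
        "8" =>"require-preauth" ,
        "9" =>"change-pw" ,
        "10"=>"require-hwauth" ,
        "11"=>"ok-as-delegate" ,
        "12"=>"user-to-user" ,
        "13"=>"immutable");

    /* Default flag mask (bits 0,1,3,4,5,6 of flag_list). */
    public $krb5KDCFlags = 123;

    public $dn = "new";
    public $parent_dn = "new";
    public $attributes = array("krb5MaxLife","krb5MaxRenew","krb5KDCFlags",
        "krb5ValidStart","krb5ValidEnd","krb5PasswordEnd");
    public $attrs = array();
    public $is_account = FALSE;

    /* cn => server record (macAddress, description, dn, principals, goKrbRealm, cn) */
    public $server_list = array();
    /* Lookup tables PRINCIPAL_SERVER, PRINCIPAL_REALM, SERVER_REALM, REALM_SERVER */
    public $map = array();

    public $goKrbRealm = "";
    public $principal = "";


    /*! \brief Initialise defaults, collect all Kerberos servers and -- for an
     *         existing object -- detect the principal referenced by its
     *         userPassword attribute.
     *
     * \param config  GOsa configuration object; if it is not an object only
     *                the defaults are set.
     * \param dn      DN of the user being edited, or "new".
     */
    public function __construct(&$config,$dn = "new")
    {
        $this->config    = $config;
        $this->parent_dn = $dn;

        $this->is_account   = FALSE;
        $this->krb5MaxLife  = 86400;
        $this->krb5MaxRenew = 604800;

        /* Fixed: the original default for krb5PasswordEnd carried a stray ';'
           inside the literal ("0000Z;") and therefore never passed chk_times(). */
        $today = date("Ymd",time())."0000Z";
        $this->krb5ValidStart  = $today;
        $this->krb5ValidEnd    = $today;
        $this->krb5PasswordEnd = $today;

        if(!is_object($config)){
            return;
        }

        /* Keep the principal cache until we try to configure a principal.
           (A stray debug echo here was removed -- it wrote into the response.) */
        if($dn != "new" && $dn != ""){
            session::un_set("MIT_CACHE");
        }

        /* Get a list of all kerberos servers */
        $ldap = $this->config->get_ldap_link();
        $ldap->cd($this->config->current['BASE']);
        $ldap->search("(&(objectClass=goServer)(objectClass=goKrbServer))",
            array("goKrbRealm","cn","description","macAddress"));
        $this->server_list = array();
        while($entry = $ldap->fetch()){
            /* A server without MAC address cannot be reached through the
               support daemon; without cn it cannot be keyed. */
            if(!isset($entry['macAddress'][0]) || !isset($entry['cn'][0])) continue;
            if(!isset($entry['description'][0])) $entry['description'][0] = "";
            $realm = isset($entry['goKrbRealm'][0]) ? $entry['goKrbRealm'][0] : "";
            $cn    = $entry['cn'][0];

            $principals = $this->load_principals_for_server($entry['macAddress'][0]);

            /* Create Realm/Server/Principal mapping. */
            foreach($principals as $principal){
                $this->map["PRINCIPAL_SERVER"][$principal] = $cn;
                $this->map["PRINCIPAL_REALM"] [$principal] = $realm;
            }
            $this->map["SERVER_REALM"][$cn]    = $realm;
            $this->map["REALM_SERVER"][$realm] = $cn;

            /* Create Server list */
            $this->server_list[$cn] = array(
                "macAddress"  => $entry['macAddress'][0],
                "description" => $entry['description'][0],
                "dn"          => $entry['dn'],
                "principals"  => $principals,
                "goKrbRealm"  => $realm,
                "cn"          => $cn);
        }

        /* Load object data from ldap && initialise this class */
        if($dn != "new" && $dn != ""){
            $ldap = $this->config->get_ldap_link();
            $ldap->cd($dn);
            $ldap->cat($dn);
            $this->attrs = $ldap->fetch();
            if(isset($this->attrs['userPassword'][0])){

                $p_name = preg_replace("/^\{".preg_quote($this->get_hash_name(),"/")."\}/","",
                    $this->attrs['userPassword'][0]);

                /* Try to detect the server our principal is configured on.
                   isset() avoids a notice when no server provides this principal. */
                if(isset($this->map['PRINCIPAL_SERVER'][$p_name])){
                    $server           = $this->map['PRINCIPAL_SERVER'][$p_name];
                    $this->goKrbRealm = $this->map['SERVER_REALM'][$server];
                    $this->principal  = $p_name;

                    /* Fixed: a 'break' outside any loop followed here, which is a
                       fatal error in PHP. load_principal() is still a stub, so
                       $info is currently always an empty array. */
                    $info = $this->load_principal($this->server_list[$server]['macAddress'],$p_name);
                }
            }
        }
    }


    /*! \brief Fetch the details of one principal from a KDC server.
     *
     * Stub: the daemon call below is intentionally unreachable until the
     * krb5_get_principal() result is actually consumed (see __construct()).
     *
     * \param server  macAddress of the server
     * \param name    principal name
     * \return array  always empty at present
     */
    public function load_principal($server,$name)
    {
        return(array());
        $o = new gosaSupportDaemon();
        $tmp = array();
        $tmp = $o->krb5_get_principal($server,$name);
        if($o->is_error()){
            msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);
        }
        return($tmp);
    }


    /*! \brief Get the list of all configured principals for a given server.
     *
     * Results are cached in the session under MIT_CACHE. A failed daemon
     * call is NOT cached, so a later request can retry instead of carrying
     * the failure around until the cache is cleared.
     *
     * \param server  macAddress of the server
     * \return array  principal names (empty on error)
     */
    public function load_principals_for_server($server)
    {
        if(!session::is_set("MIT_CACHE")){
            session::set("MIT_CACHE",array());
        }
        $cache = session::get("MIT_CACHE");
        if(!isset($cache[$server])){
            $o = new gosaSupportDaemon();
            $tmp = $o->krb5_list_principals($server);
            /* This runs from the constructor, which is no place for dialogs;
               report nothing but keep the failure out of the cache. */
            if($o->is_error() || !is_array($tmp)){
                return(array());
            }
            $cache[$server] = $tmp;
            session::set("MIT_CACHE",$cache);
        }
        return($cache[$server]);
    }


    /*! \brief Check if this password method is usable.
     *
     * This is the case if at least one SI server provides Kerberos support
     * (i.e. reported at least one principal).
     */
    public function is_available()
    {
        foreach($this->server_list as $server => $data){
            if(!empty($data['principals'])){
                return(TRUE);
            }
        }
        return(FALSE);
    }


    /*! \brief Build the userPassword value for this method.
     *
     * No hash is computed: the returned string is a reference to the
     * principal, "{kerberos}uid@REALM" or "{sasl}uid@REALM" depending on
     * the KRBSASL setting (see get_hash_name()). $pwd is unused.
     */
    public function generate_hash($pwd)
    {
        /* $this->attrs is empty for a new object -- avoid an undefined-index notice. */
        $uid = isset($this->attrs['uid'][0]) ? $this->attrs['uid'][0] : "";
        return "{".$this->get_hash_name()."}".$uid."@".$this->goKrbRealm;
    }


    /*! \brief Delete the principal from its KDC when the user is removed.
     *
     * Does nothing for an object that has no principal/realm. A realm for
     * which no server is known is reported instead of silently skipped.
     */
    public function remove_from_parent()
    {
        if(empty($this->principal) || !$this->goKrbRealm){
            return;
        }
        if(!isset($this->map['REALM_SERVER'][$this->goKrbRealm]) ||
           !isset($this->server_list[$this->map['REALM_SERVER'][$this->goKrbRealm]]['macAddress'])){
            msg_dialog::display(_("Service infrastructure"),
                sprintf(_("No Kerberos server is known for realm '%s', principal '%s' was not removed."),
                    $this->goKrbRealm, $this->principal), ERROR_DIALOG);
            return;
        }
        $server = $this->map['REALM_SERVER'][$this->goKrbRealm];
        $o = new gosaSupportDaemon();
        if(!$o->krb5_del_principal($this->server_list[$server]['macAddress'],$this->principal)){
            msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);
        }
    }


    /*! \brief Set the principal's password on the KDC.
     *
     * Stub: the krb5_set_principal() call is still commented out; the
     * password is therefore NOT changed anywhere yet.
     */
    public function set_password($password)
    {
        if(!empty($this->principal) && $this->goKrbRealm &&
           isset($this->map['REALM_SERVER'][$this->goKrbRealm])){
            $server = $this->map['REALM_SERVER'][$this->goKrbRealm];
            $o = new gosaSupportDaemon();

            echo "Not implemented yet";
            $attrs = array("password" => $password);

#           if(!$o->krb5_set_principal($this->server_list[$server]['macAddress'],$this->principal,$attrs)){
#               msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);
#           }
        }
    }


    /*! \brief Name of the userPassword prefix: "sasl" when KRBSASL is
     *         "true" in the current config section, "kerberos" otherwise.
     */
    public function get_hash_name()
    {
        if (isset($this->config->current['KRBSASL']) &&
            preg_match('/^true$/i', $this->config->current['KRBSASL'])){
            return "sasl";
        }
        return "kerberos";
    }


    public function is_configurable()
    {
        return TRUE;
    }


    /*! \brief Render (and handle) the principal settings dialog.
     *
     * \return string  rendered template, or "" once the dialog was saved
     *                 without errors or aborted.
     */
    public function configure()
    {
        $this->save_object();

        /* Abort heimdal options */
        if (isset($_POST['pw_abort']) || $this->display == FALSE){
            $this->display = FALSE;
            return("");
        }

        /* Save heimdal options -- only close the dialog when check() is happy */
        if (isset($_POST['pw_save'])){
            $msgs = $this->check();
            if(count($msgs)){
                foreach($msgs as $msg){
                    msg_dialog::display(_("Heimdal"),$msg,WARNING_DIALOG);
                }
            }else{
                $this->display = FALSE;
                return "";
            }
        }

        /* Select-box contents for the date fields */
        $years = array();
        $start = date("Y")-1;
        for($i = $start; $i < ($start +20) ; $i++){
            $years[$i] = $i;
        }
        $month = array();
        for($i = 1; $i <= 12 ; $i++){
            $month[str_pad($i,2,"0",STR_PAD_LEFT)] = $i;
        }
        $days = array();
        for($i = 1; $i <= 31 ; $i++){
            $days[str_pad($i,2,"0",STR_PAD_LEFT)] = $i;
        }
        $hours = array();
        for($i = 0; $i <= 23 ; $i++){
            $hours[str_pad($i,2,"0",STR_PAD_LEFT)] = $i;
        }
        $minutes = array();
        for($i = 0; $i <= 59 ; $i++){
            $minutes[str_pad($i,2,"0",STR_PAD_LEFT)] = $i;
        }

        $smarty = get_smarty();
        $smarty->assign("years",$years);
        $smarty->assign("month",$month);
        $smarty->assign("days",$days);
        $smarty->assign("hours",$hours);
        $smarty->assign("minutes",$minutes);

        /* Split YYYYMMDDHHMMZ into the select-box parts */
        $date_values = array("krb5ValidStart","krb5ValidEnd","krb5PasswordEnd");
        foreach($date_values as $date_val){
            $clear = $date_val."_clear";
            $smarty->assign($date_val."_clear",$this->$clear);
            $smarty->assign($date_val."_y",substr($this->$date_val,0,4));
            $smarty->assign($date_val."_m",substr($this->$date_val,4,2));
            $smarty->assign($date_val."_d",substr($this->$date_val,6,2));
            $smarty->assign($date_val."_h",substr($this->$date_val,8,2));
            $smarty->assign($date_val."_i",substr($this->$date_val,10,2));
        }

        foreach($this->attributes as $attr){
            $smarty->assign($attr ,$this->$attr);
        }
        foreach($this->flag_list as $key => $name){
            $smarty->assign("krb5KDCFlags_".$key, (bool)($this->krb5KDCFlags & pow(2,$key)));
        }

        return($smarty->fetch(get_template_path("pwd_heimdal.tpl")));
    }


    /*! \brief Take over the posted dialog values.
     *
     * Date parts coming from the form are reduced to digits before they are
     * stored and re-rendered; anything else is untrusted POST data and would
     * be rejected by check() anyway.
     */
    public function save_object()
    {
        if(!isset($_POST['pwd_heimdal_posted'])){
            return;
        }

        $date_values = array("krb5ValidStart","krb5ValidEnd","krb5PasswordEnd");
        foreach($date_values as $date_value){
            $clear = $date_value."_clear";
            if(isset($_POST[$date_value."_clear"])){
                $this->$clear = TRUE;
                continue;
            }
            $this->$clear = FALSE;
            $str = "";
            foreach(array("y","m","d","h","i") as $part){
                $key = $date_value."_".$part;
                if(isset($_POST[$key]) && is_string($_POST[$key])){
                    $str .= preg_replace("/[^0-9]/","",$_POST[$key]);
                }
            }
            $this->$date_value = $str."Z";
        }

        foreach($this->attributes as $attr){
            if(isset($_POST[$attr])){
                $this->$attr = get_post($attr);
            }
        }

        /* Rebuild the flag mask from the checkboxes; start from the integer 0
           (the original started from "" and produced "" when nothing was set). */
        $mask = 0;
        foreach($this->flag_list as $key => $name){
            if(isset($_POST["krb5KDCFlags_".$key])){
                $mask |= pow(2,$key);
            }
        }
        $this->krb5KDCFlags = $mask;
    }


    /*! \brief Validate the dialog values.
     *
     * \return array  list of error messages, empty when everything is fine.
     */
    public function check()
    {
        $message = array();

        /* Lifetimes are seconds; only non-negative integers make sense.
           is_numeric() would also accept "1e3", "-5" or "1.5". */
        $lifetimes = array("krb5MaxLife" => _("Max life"), "krb5MaxRenew" => _("Max renew"));
        foreach($lifetimes as $attr => $label){
            if(!empty($this->$attr) && !preg_match("/^[0-9]+$/",$this->$attr)){
                $message[] = msgPool::invalid($label,$this->$attr,"/[0-9]/");
            }
        }

        $dates = array("krb5ValidStart"  => _("Valid start"),
                       "krb5ValidEnd"    => _("Valid end"),
                       "krb5PasswordEnd" => _("Valid password"));
        foreach($dates as $attr => $label){
            $clear = $attr."_clear";
            if(!$this->$clear && !$this->chk_times($this->$attr)){
                $message[] = msgPool::invalid($label,$this->$attr,"/[0-9]/");
            }
        }
        return($message);
    }


    /*! \brief Check a timestamp as produced by save_object(): exactly
     *         YYYYMMDDHHMMZ, and a date/time that actually exists.
     *
     * The select boxes cannot produce month 13 or minute 75, but a crafted
     * POST can, so the calendar fields are verified as well.
     */
    public function chk_times($str)
    {
        if(!preg_match("/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})Z$/",$str,$m)){
            return(false);
        }
        return(checkdate((int)$m[2],(int)$m[3],(int)$m[1]) && (int)$m[4] < 24 && (int)$m[5] < 60);
    }


    /*! \brief Write the krb5Principal/krb5KDCEntry object below the user.
     *
     * Stub: the data set is assembled but the LDAP add/modify at the end is
     * still commented out, so nothing is written yet.
     *
     * \param dn  DN of the user object
     */
    public function save($dn)
    {
        $realm = "";
        if(isset($this->config->data['SERVERS']['KERBEROS']['REALM'])){
            $realm = $this->config->data['SERVERS']['KERBEROS']['REALM'];
        }
        /* NOTE(review): generate_hash() uses $this->goKrbRealm while this path
           uses the global KERBEROS/REALM setting -- confirm which is intended. */

        $ldap = $this->config->get_ldap_link();
        $ldap->cd($dn);
        $ldap->cat($dn,array('uid'));
        $attrs = $ldap->fetch();
        if(!isset($attrs['uid'][0])){
            return;
        }

        $uid  = $attrs['uid'][0];
        $name = $uid."@".strtoupper($realm);
        /* NOTE(review): $name goes into an RDN unescaped; a uid containing
           ',', '+', '"', '\\' etc. would need DN escaping before the add. */
        $dn   = "krb5PrincipalName=".$name.",".$dn;

        $data = array();
        $data['objectClass']       = array("top","account","krb5Principal","krb5KDCEntry");
        $data['krb5PrincipalName'] = $name;
        $data['uid']               = $uid;
        /* NOTE(review): a random key version number is unusual -- KDCs normally
           start at 1 and increment on each key change; rand() is not a CSPRNG,
           which only matters if kvno were ever secret. Confirm intent. */
        $data['krb5KeyVersionNumber'] = rand(100000,99999999);

        /* For an existing entry every attribute is reset first so that
           cleared values are removed by the modify. */
        if($this->is_account){
            foreach($this->attributes as $attr){
                $data[$attr] = array();
            }
        }

        /* Append Flags */
        $data['krb5KDCFlags'] = $this->krb5KDCFlags;
        if(!empty($this->krb5MaxLife)){
            $data['krb5MaxLife'] = $this->krb5MaxLife;
        }
        if(!empty($this->krb5MaxRenew)){
            $data['krb5MaxRenew'] = $this->krb5MaxRenew;
        }
        if(!$this->krb5ValidStart_clear){
            $data['krb5ValidStart'] = $this->krb5ValidStart;
        }
        if(!$this->krb5ValidEnd_clear){
            $data['krb5ValidEnd'] = $this->krb5ValidEnd;
        }
        if(!$this->krb5PasswordEnd_clear){
            $data['krb5PasswordEnd'] = $this->krb5PasswordEnd;
        }

        echo "Save missing";

#       /* Add / Updated data */
#       $ldap->cd($dn);
#       if(!$this->is_account){
#           $ldap->add($data);
#       }else{
#           $ldap->modify($data);
#       }
#       if (!$ldap->success()){
#           msg_dialog::display(_("LDAP error"), msgPool::ldaperror($ldap->get_error(), $dn, 0, get_class()));
#       }
    }
}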
465 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
466 ?>