
Updated password method.
[gosa.git] / gosa-plugins / heimdal / admin / systems / services / kerberos / class_password-methods-MIT.inc
index 4ce94463406b675ba9b9b551fa2fbfe6e673e1c3..fbfd17c91ebc41b62c4ae7fa4991dfe6149d027c 100644 (file)
 class passwordMethodMIT extends passwordMethod
 {
 
-  var $dn          = "new";     // DN of the current object
-  var $parent_dn   = "new";     // parents DN
-  var $is_account  = FALSE;     // This is TRUE if this object already has a krb extension
-  var $server_list = array();   // A list with all configured servers
-  var $map         = array();   // Mapping array, maps SERVER-REALM, REALM-SERVER ...
+  var $dn             = "new";   // DN of the current object
+  var $parent_dn      = "new";   // parents DN
+  var $is_account     = FALSE;   // This is TRUE if this object already has a krb extension
+  var $server_list    = array(); // A list with all configured servers
+  var $map            = array(); // Mapping array, maps SERVER-REALM, REALM-SERVER ...
 
-  var $goKrbRealm  = "";        // The realm name this principal belongs to
-  var $principal   = "";        // The principals name (e.g. user@MY-DOMAIN.SYS)
-  var $is_new      = TRUE;      // Is TRUE if principal is new 
+  var $goKrbRealm     = "";      // The realm name this principal belongs to
+  var $principal      = "";      // The principals name (e.g. user@MY-DOMAIN.SYS)
+  var $is_new         = TRUE;    // Is TRUE if principal is new 
+
+  var $si_error       = FALSE;   // TRUE is daemon communication failed
+  var $si_error_msg   = "";      // The last error message if above attribute is TRUE.
 
   var $values = array(
       "PRINC_EXPIRE_TIME",      // Expiry date of this principal
@@ -39,19 +42,33 @@ class passwordMethodMIT extends passwordMethod
       "MAX_RENEWABLE_LIFE",     // Max ticket lifetime when renewed
       "POLICY");                // The policy used by this principal
 
+  var $PRINC_EXPIRE_TIME        = 0;
+  var $PW_EXPIRATION            = 0;
+  var $PRINC_EXPIRE_TIME_clear  = TRUE;
+  var $PW_EXPIRATION_clear      = TRUE;
+  var $MAX_LIFE                 = 36000;
+  var $MAX_RENEWABLE_LIFE       = 604800;
+  var $MASK                     = 0;
+
   var $flags = array(
-      "DISALLOW_POSTDATED"  ,   // Pohibit postdated tickets
-      "DISALLOW_FORWARDABLE",   // Prohibit forwardable tickets
-      "DISALLOW_RENEWABLE"  ,   // Prohibit renewable tickets
-      "DISALLOW_PROXIABLE"  ,   // Disallow proxiable tickets
-      "DISALLOW_DUP_SKEY"   ,   // Disallow user to user authentification
-      "REQUIRES_PRE_AUTH"   ,   // Preauthentication required
-      "REQUIRES_HW_AUTH"    ,   // Hardware preauthentication
-      "DISALLOW_SVR"        ,   // Prohibit issuance of service tickets
-      "DISALLOW_TGT_BASED"  ,   // Disallow Ticket-Granting Service
-      "DISALLOW_ALL_TIX"    ,   // Forbid ticket issuance
-      "REQUIRES_PWCHANGE"   ,   // Force a password change
-      "PWCHANGE_SERVICE"    );  // Password change service 
+      "DISALLOW_POSTDATED"    =>0x00000001 ,  // Pohibit postdated tickets
+      "DISALLOW_FORWARDABLE"  =>0x00000002 ,  // Prohibit forwardable tickets
+      "DISALLOW_TGT_BASED"    =>0x00000004 ,  // Disallow Ticket-Granting Service
+      "DISALLOW_RENEWABLE"    =>0x00000008 ,  // Prohibit renewable tickets
+      "DISALLOW_PROXIABLE"    =>0x00000010 ,  // Disallow proxiable tickets
+      "DISALLOW_DUP_SKEY"     =>0x00000020 ,  // Disallow user to user authentification
+      "DISALLOW_ALL_TIX"      =>0x00000040 ,  // Forbid ticket issuance
+      "REQUIRES_PRE_AUTH"     =>0x00000080 ,  // Preauthentication required
+      "REQUIRES_HW_AUTH"      =>0x00000100 ,  // Hardware preauthentication
+      "REQUIRES_PWCHANGE"     =>0x00000200 ,  // Force a password change
+      "UNKNOWN_0x00000400"    =>0x00000400 ,  // ? 
+      "UNKNOWN_0x00000800"    =>0x00000800 ,  // ?
+      "DISALLOW_SVR"          =>0x00001000 ,  // Prohibit issuance of service tickets
+      "PWCHANGE_SERVICE"      =>0x00002000 ,  // Password change service
+      "SUPPORT_DESMD5"        =>0x00004000 ,  // ?
+      "NEW_PRINC"             =>0x00008000 ); // ?
+  
+  var $used_flags = 128;        // Flags, see below
 
   var $readonly = array(
       "FAIL_AUTH_COUNT",        // The number of failed logins 
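Review bot: `var $used_flags = 128;` hard-codes the default bitmask as a decimal literal, and its comment says "see below" although the `$flags` table sits above it. 128 equals `0x00000080`, the `REQUIRES_PRE_AUTH` entry in that table, so I would write `var $used_flags = 0x00000080; // Default: only REQUIRES_PRE_AUTH set, bit values in $flags above`. The new defaults `MAX_LIFE = 36000` and `MAX_RENEWABLE_LIFE = 604800` would also benefit from a comment stating the unit, presumably seconds.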
@@ -61,31 +78,6 @@ class passwordMethodMIT extends passwordMethod
       "LAST_SUCCESS",           // Last successful login 
       "MOD_DATE");              // Last modification time
 
-
-  var $POLICY                   = "";
-  var $POLICIES                 = array(); // Policies provided by the corrently selected realm/server
-
-  var $PRINC_EXPIRE_TIME        = 0;
-  var $PW_EXPIRATION            = 0;
-  var $PRINC_EXPIRE_TIME_clear  = TRUE;
-  var $PW_EXPIRATION_clear      = TRUE;
-  var $MAX_LIFE                 = 0;
-  var $MAX_RENEWABLE_LIFE       = 0;
-  var $MASK                     = "";
-
-  var $DISALLOW_POSTDATED       = FALSE;
-  var $DISALLOW_FORWARDABLE     = FALSE;
-  var $DISALLOW_RENEWABLE       = FALSE;
-  var $DISALLOW_PROXIABLE       = FALSE;
-  var $DISALLOW_DUP_SKEY        = FALSE;
-  var $REQUIRES_PRE_AUTH        = FALSE;
-  var $REQUIRES_HW_AUTH         = FALSE;
-  var $DISALLOW_SVR             = FALSE;
-  var $DISALLOW_TGT_BASED       = FALSE;
-  var $DISALLOW_ALL_TIX         = FALSE;
-  var $REQUIRES_PWCHANGE        = FALSE;
-  var $PWCHANGE_SERVICE         = FALSE;
-
   var $FAIL_AUTH_COUNT          = 0;
   var $KVNO                     = "";
   var $LAST_FAILED              = 0;
@@ -93,7 +85,11 @@ class passwordMethodMIT extends passwordMethod
   var $LAST_SUCCESS             = 0;
   var $MOD_DATE                 = 0;
 
-  function __construct(&$config,$dn = "new")  
+  var $POLICY                   = "";
+  var $POLICIES                 = array(); // Policies provided by the corrently selected realm/server
+
+
+  public function __construct(&$config,$dn = "new")  
   {
     $this->config= $config;
     $this->parent_dn = $dn;
@@ -105,10 +101,15 @@ class passwordMethodMIT extends passwordMethod
       return;
     }  
 
-    /* Keep cache until we try to configure a principal 
+    /* Keep the cached valued and skip loading principals 
+        from si until this method gets configured.
      */
+    $skip_si_access = TRUE;
     if($dn != "new" && $dn != ""){
       session::un_set("MIT_CACHE");
+      session::un_set("MIT_PRINCIPAL_CACHE");
+      session::un_set("MIT_POLICY_CACHE");
+      $skip_si_access = FALSE;
     }
 
     /* Get a list of all kerberos servers, defined in ldap
@@ -122,7 +123,11 @@ class passwordMethodMIT extends passwordMethod
       if(!isset($attrs['macAddress'][0])) continue;
       if(!isset($attrs['description'][0])) $attrs['description'][0] ="";
 
-      $principals = $this->load_principals_for_server($attrs['macAddress'][0]);
+      if($skip_si_access){
+        $principals = array();
+      }else{
+        $principals = $this->load_principals_for_server($attrs['macAddress'][0]);
+      }
 
       /* Create Realm/Server/Principal mapping.
        */
@@ -133,6 +138,12 @@ class passwordMethodMIT extends passwordMethod
       $this->map["SERVER_REALM"][$attrs['cn'][0]] = $attrs['goKrbRealm'][0];
       $this->map["REALM_SERVER"][$attrs['goKrbRealm'][0]] = $attrs['cn'][0];
 
+      /* Set first realm as selected.  
+       */
+      if($this->goKrbRealm == ""){
+        $this->goKrbRealm = $attrs['goKrbRealm'][0];
+      }
+
       /* Create Server list
        */
       $this->server_list[$attrs['cn'][0]] = array("macAddress" => $attrs['macAddress'][0],
@@ -143,21 +154,30 @@ class passwordMethodMIT extends passwordMethod
           "cn"         => $attrs['cn'][0]);
     }
 
-    /* Load object data from ldap && initialize this class  
+    /*  If this methods is initialized with a valid object dn then 
+         load the object data from ldap and the SI daemon && initialize this class.
      */
     $this->is_new = TRUE;
-    if($dn != "new" && $dn != ""){
+    if(!$skip_si_access){
       $ldap = $this->config->get_ldap_link();
       $ldap->cd($dn);
       $ldap->cat($dn);
       $this->attrs = $ldap->fetch();
-      if(isset($this->attrs['userPassword'])){
 
+      /* Set initial pwd hash which take effect if no password method was set yet.  
+         Will be overwritten by the following lines, if the user has already a valid principal.
+       */
+      $this->principal = $this->attrs['uid'][0]."@".$this->goKrbRealm;
+
+      if(isset($this->attrs['userPassword']) && preg_match("/^\{".$this->get_hash_name()."\}/",$this->attrs['userPassword'][0])){
+
+        /* Extract principal name out of userPassword attribute 
+         */
         $p_name = preg_replace("/^\{".$this->get_hash_name()."\}/","",$this->attrs['userPassword'][0]);
 
         /* Try to detect server our principal is configured on
          */
-        if($this->map['PRINCIPAL_SERVER'][$p_name]){
+        if(isset($this->map['PRINCIPAL_SERVER'][$p_name])){
           $server= $this->map['PRINCIPAL_SERVER'][$p_name];
           $this->goKrbRealm = $this->map['SERVER_REALM'][$server];
           $this->principal  = $p_name;
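Review bot: The new default `$this->principal = $this->attrs['uid'][0]."@".$this->goKrbRealm;` reads `uid` without an `isset` check, although `save()` further down guards the same attribute with `isset($attrs['uid'][0])`. If the entry has no `uid`, or no Kerberos server was found and `goKrbRealm` is still empty, the principal becomes a malformed name such as `@REALM` or `user@` that later calls could hand to the daemon. I would make the assignment conditional on `isset($this->attrs['uid'][0]) && $this->goKrbRealm != ""`. The result of `get_hash_name()` is also interpolated into both patterns without `preg_quote()`, which is safe only while the hash name contains no pattern characters. The constructor starts and ends outside this hunk.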
@@ -176,7 +196,8 @@ class passwordMethodMIT extends passwordMethod
   }
 
 
-  /*! \brief  Load this plugin with the values of the given principal
+  /*! \brief  Load a specific principal from the si daemon 
+               and initialize this plugin with it.
     @param  String  The macAddress of the kerberos server.
     @param  String  The name of the principal to load.
    */
@@ -185,25 +206,24 @@ class passwordMethodMIT extends passwordMethod
     $o = new gosaSupportDaemon();
     $tmp = array();
     $tmp = $o->krb5_get_principal($server,$name);
+  
     if($o->is_error()){
+      $this->si_error     = TRUE;
+      $this->si_error_msg = sprintf(_("While loading principal for '%s', from server '%s'."),$name,$server).":&nbsp;<br>".$o->get_error(); 
       msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);      
     }else{
 
       /* Load flags 
        */
       if(isset($tmp['ATTRIBUTES'])){
-        foreach($this->flags as $flag){
-          if(in_array($flag,$tmp['ATTRIBUTES'])){
-            $this->$flag = TRUE;
-          }
-        } 
+        $this->used_flags = $tmp['ATTRIBUTES'];
       }
 
       /* Load readonly attributes 
        */
       foreach($this->readonly as $attr){
         if(isset($tmp[$attr])){
-          $this->$flag = $tmp[$attr];
+          $this->$attr = $tmp[$attr];
         }
       } 
 
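Review bot: `si_error_msg` is assembled here as an HTML fragment (`:&nbsp;<br>`) with `$name`, `$server` and `$o->get_error()` concatenated in unescaped, and `configure()` later assigns it to the template. Because the string already carries markup the template presumably prints it raw, so any markup contained in the principal name or in the daemon's error text would reach the administrator's browser unescaped. I would escape the dynamic parts before concatenating, e.g. `htmlspecialchars($o->get_error(), ENT_QUOTES)` and the same around the `sprintf()` result. The identical construction appears in `load_principals_for_server()` and `load_policies_for_server()` further down. The method's signature lies outside this hunk.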
@@ -211,16 +231,27 @@ class passwordMethodMIT extends passwordMethod
        */
       foreach($this->values as $attr){
         if(isset($tmp[$attr])){
-          $this->$flag = $tmp[$attr];
+          $this->$attr = $tmp[$attr];
         }
       } 
+
+      /* Update time checkboxes 
+       */
+      $date_values = array("PW_EXPIRATION","PRINC_EXPIRE_TIME");
+      foreach($date_values as $value){
+        if(!empty($this->$value)){
+          $clear = $value."_clear";
+          $this->$clear = FALSE;
+        }
+      }
     }
   }
 
 
-  /*! \brief get list of all configured principals
-    for a given server. 
-    The results will cached.  
+  /*! \brief  Get the list of all configured principals for a given server.
+      @param  String The servers mac address.
+      @return Array A list with all principals
+      The results will cached.  
    */
   public function load_principals_for_server($server)
   {
@@ -231,7 +262,14 @@ class passwordMethodMIT extends passwordMethod
     if(!isset($cache[$server])){
       $o = new gosaSupportDaemon();
       $tmp = $o->krb5_list_principals($server);
-      $cache[$server] = $tmp;
+      if($o->is_error()){
+        $this->si_error     = TRUE;
+        $this->si_error_msg = sprintf(_("While loading principals from server '%s'."),$server).":&nbsp;<br>".$o->get_error(); 
+        msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);
+        return(array());
+      }else{
+        $cache[$server] = $tmp;
+      }
       session::set("MIT_PRINCIPAL_CACHE",$cache);
     }
     return($cache[$server]);
@@ -248,15 +286,22 @@ class passwordMethodMIT extends passwordMethod
       session::set("MIT_POLICY_CACHE",array());
     }
     $cache = session::get("MIT_POLICY_CACHE");
-    if(1 | !isset($cache[$server])){
+    if(!isset($cache[$server])){
       $o = new gosaSupportDaemon();
       $tmp = $o->krb5_list_policies($server);
-      $cache[$server] = array();
-      $cache[$server]["_none_"] = _("none"); 
-      foreach($tmp as $policy){
-        $cache[$server][$policy] = $policy;
+      if($o->is_error()){
+        $this->si_error     = TRUE;
+        $this->si_error_msg = sprintf(_("While loading policies from server '%s'."),$server).":&nbsp;<br>".$o->get_error(); 
+        msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);
+        return(array());
+      }else{
+        $cache[$server] = array();
+        $cache[$server]["_none_"] = _("none"); 
+        foreach($tmp as $policy){
+          $cache[$server][$policy] = $policy;
+        }
+        ksort($cache[$server]);
       }
-      ksort($cache[$server]);
       session::set("MIT_POLICY_CACHE",$cache);
     }
     return($cache[$server]);
@@ -267,7 +312,7 @@ class passwordMethodMIT extends passwordMethod
     This is the case if there is a si server running and at least one server configured.
     kerberos support. 
    */ 
-  function is_available()
+  public function is_available()
   {
     $o = new gosaSupportDaemon(FALSE);
     if(count($this->server_list) && $o->connect()){
@@ -277,7 +322,11 @@ class passwordMethodMIT extends passwordMethod
   }
 
 
-  function generate_hash($pwd)
+  /*! \brief Create the password hash. In this case: {kerberos/sasl}name@RELAM 
+      @param  String  The password -in this case unusued.             
+      @return String  The generated hash
+   */
+  public function generate_hash($pwd = "")
   {
     $mode= "kerberos";
     if (isset($this->config->current['KRBSASL']) && preg_match('/^true$/i', $this->config->current['KRBSASL'])){
@@ -287,35 +336,41 @@ class passwordMethodMIT extends passwordMethod
   }
 
 
-  function remove_from_parent()
+  /*! \brief  Removes this principal.
+   */
+  public function remove_from_parent()
   {
     if(!empty($this->principal) && $this->goKrbRealm){
       $server = $this->map['REALM_SERVER'][$this->goKrbRealm];
       $o = new gosaSupportDaemon();
       if(!$o->krb5_del_principal($this->server_list[$server]['macAddress'],$this->principal)){
+        $this->si_error     = TRUE;
+        $this->si_error_msg = $o->get_error();
         msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);      
       }
     }
   }
 
 
-  function set_password($password)
+  /*! \brief  Set a new password for this principal 
+      @param  String The new password.
+   */
+  public function set_password($password)
   {
     if(!empty($this->principal) && $this->goKrbRealm){
       $server = $this->map['REALM_SERVER'][$this->goKrbRealm];
       $o = new gosaSupportDaemon();
-
-      echo "Not implemented yet";
-      $attrs = array("password" => $password);
-
-#      if(!$o->krb5_set_principal($this->server_list[$server]['macAddress'],$this->principal,$attrs)){
-#        msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);      
-#      }
+      if(!$o->krb5_set_password($this->server_list[$server]['macAddress'],$this->principal,$password)){
+        msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);      
+      }
     }
   }
 
 
-  function get_hash_name()
+  /*! \brief  Return the hash name of this mehtod,  e.g. to identify methods.
+      @return String  The hash used by this method.
+    */
+  public function get_hash_name()
   {
     $mode= "kerberos";
     if (isset($this->config->current['KRBSASL']) && preg_match('/^true$/i', $this->config->current['KRBSASL'])){
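Review bot: A failed `krb5_set_password()` call in `set_password()` only raises a dialog; unlike `remove_from_parent()` just above it, it does not record `si_error`, and the method also returns silently when `principal` or `goKrbRealm` is empty. A caller therefore cannot tell a changed password from one that stayed as it was. I would add `$this->si_error = TRUE; $this->si_error_msg = $o->get_error();` to the failure branch and return `FALSE` there and `TRUE` on success, provided the parent class's contract for `set_password()` allows a return value, which is not visible here.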
@@ -325,13 +380,28 @@ class passwordMethodMIT extends passwordMethod
   }
 
 
-  function is_configurable()
+  /*! \brief  Returns TRUE if this method is configurable else FALSE
+      @retrun Boolena TRUE if configurable, else FALSE.
+   */
+  public function is_configurable()
   {
     return TRUE;
   }
 
 
-  function configure()
+  /*! \brief  Additional info displayed in the users password method drop down.
+      @retunr String  Additional password method info.
+   */
+  public function get_description()
+  {
+    return(_("Daemon based"));
+  }
+
+
+  /*! \brief  Display a HTML based configuration dialog for this plugin
+      @return String  HTML.
+   */
+  public function configure()
   {
     $this->save_object();
 
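Review bot: The new doc blocks use `@retrun` on `is_configurable()` and `@retunr` on `get_description()`, so a documentation generator will not recognise them as return tags. They should read `@return Boolean TRUE if configurable, else FALSE.` and `@return String  Additional password method info.`. `configure()` continues outside this hunk.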
@@ -377,18 +447,17 @@ class passwordMethodMIT extends passwordMethod
       }
     }
 
-
     $smarty = get_smarty();
+    $smarty->assign("si_error",$this->si_error);
+    $smarty->assign("si_error_msg",$this->si_error_msg);
     $smarty->assign("years",$years);
     $smarty->assign("month",$month);
     $smarty->assign("days",$days);
     $smarty->assign("hours",$hours);
     $smarty->assign("minutes",$minutes);
-
     $smarty->assign("server_list",$this->server_list);
     $smarty->assign("POLICY"  ,$this->POLICY);
     $smarty->assign("goKrbRealm" , $this->goKrbRealm);
-
     $server_name = $this->map['REALM_SERVER'][$this->goKrbRealm];
     $server_mac  = $this->server_list[$server_name]['macAddress'];
     $this->POLICIES = $this->load_policies_for_server($server_mac);
@@ -400,36 +469,54 @@ class passwordMethodMIT extends passwordMethod
     foreach($this->readonly as $attr){
       $smarty->assign($attr ,$this->$attr);
     }
-    foreach($this->flags as $attr){
-      $smarty->assign($attr,$this->$attr);
+    foreach($this->flags as $attr => $hex){
+      $smarty->assign($attr, ($this->used_flags & $hex ));
     }
 
     $date_values = array("PRINC_EXPIRE_TIME","PW_EXPIRATION");
     foreach($date_values as $date_val){
       $clear = $date_val."_clear";
       $smarty->assign($date_val."_clear",$this->$clear);
-      $smarty->assign($date_val."_y",substr($this->$date_val,0,4));
-      $smarty->assign($date_val."_m",substr($this->$date_val,4,2));
-      $smarty->assign($date_val."_d",substr($this->$date_val,6,2));
-      $smarty->assign($date_val."_h",substr($this->$date_val,8,2));
-      $smarty->assign($date_val."_i",substr($this->$date_val,10,2));
+      $smarty->assign($date_val."_y",date("Y",$this->$date_val));
+      $smarty->assign($date_val."_m",date("m",$this->$date_val));
+      $smarty->assign($date_val."_d",date("d",$this->$date_val));
+      $smarty->assign($date_val."_h",date("h",$this->$date_val));
+      $smarty->assign($date_val."_i",date("i",$this->$date_val));
     }
 
-
-    return($smarty->fetch(get_template_path("pwd_kerberos_mit.tpl")));
+    return($smarty->fetch(get_template_path("pwd_kerberos_mit.tpl",TRUE,dirname(__FILE__))));
   }
 
 
-  function save_object()
+  /*! \brief  Saves all relevant HTML posts for this plugin
+   */
+  public function save_object()
   {
+    /* If the communication with the si server failed, 
+        you are able to retry to connect to the server.
+       Here we hanlde those requests.
+     */
+    if(isset($_POST['retry_si'])){
+      $this->si_error= FALSE;
+      $this->si_error_msg= "";
+      session::un_set("MIT_PRINCIPAL_CACHE");
+      session::un_set("MIT_POLICY_CACHE");
+      $this->__construct($this->config,$this->parent_dn);
+    }
+
+    /* Only handle posts for this plugin, it its content was posted
+     */
     if(isset($_POST['pwd_heimdal_posted'])){
 
       if(isset($_POST['goKrbRealm'])){
         $this->goKrbRealm = get_post("goKrbRealm");
       }
 
-      foreach($this->flags as $attr){
-        $this->$attr = isset($_POST[$attr]);
+      $this->used_flags = 0;
+      foreach($this->flags as $attr => $hex){
+        if(isset($_POST[$attr])){
+          $this->used_flags |= $hex; 
+        }
       }
 
       foreach(array("MAX_LIFE","MAX_RENEWABLE_LIFE","POLICY") as $attr){
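Review bot: The date fields passed to the template in `configure()` are formatted with `date()`, which uses the server's local time zone, and the hour with `"h"`, which is the 12-hour format, while `save_object()` in the next hunk rebuilds the timestamp with `gmmktime()`. An expiry time can therefore shift by the zone offset, and afternoon hours by twelve, each time the dialog is saved unchanged. Using `gmdate()` for all five fields and `"H"` for the hour keeps the round trip stable, e.g. `$smarty->assign($date_val."_h",gmdate("H",$this->$date_val));`. Separately, `save_object()` now resets `used_flags` to 0 and rebuilds it from the posted checkboxes, so any bit the template does not offer (possibly the `UNKNOWN_*` or `NEW_PRINC` entries) is cleared on save, which is worth confirming as intended. `configure()` starts and `save_object()` ends outside this hunk.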
@@ -445,43 +532,45 @@ class passwordMethodMIT extends passwordMethod
           $this->$clear = TRUE;
         }else{
           $this->$clear = FALSE;
-          $str = "";
-          foreach(array("y","m","d","h","i") as $val){
-            if(isset($_POST[$date_value."_".$val])){
-              $str .= $_POST[$date_value."_".$val]; 
-            }
-          }
-          $this->$date_value = $str."Z";
+          $this->$date_value = gmmktime(  
+              $_POST[$date_value."_h"],
+              $_POST[$date_value."_i"],
+              0,
+              $_POST[$date_value."_m"],
+              $_POST[$date_value."_d"],
+              $_POST[$date_value."_y"]);
         }
       }
     }
   }
 
-  function check()
+
+  /*! \brief  Checks the values specified in the configuration dialog. 
+      @return Array Containing all error messages.
+   */
+  public function check()
   {
     $message = array();
-    echo "Checks missing";
-    return($message);
-  }
-
 
-  function chk_times($str)
-  {
-    if(preg_match("/^([0-9]){12,12}[a-z]$/i",$str)){
-      return(true);
+    if(!preg_match("/^[0-9]*$/",$this->MAX_LIFE)){
+      $message[] = msgPool::invalid(_("Ticket max life"),$this->MAX_LIFE,"/[0-9]/");
+    }
+    if(!preg_match("/^[0-9]*$/",$this->MAX_RENEWABLE_LIFE)){
+      $message[] = msgPool::invalid(_("Ticket max renew"),$this->MAX_RENEWABLE_LIFE,"/[0-9]/");
     }
-    return(false);
+    return($message);
   }
 
 
-  function save($dn)
+  /*! \brief Saves changes back to the SI daemon.
+   */
+  public function save($dn)
   {
-    $realm = $this->config->data['SERVERS']['KERBEROS']['REALM'];
-
     $ldap = $this->config->get_ldap_link();
     $ldap->cd($dn);
     $ldap->cat($dn,array('uid'));
     $attrs = $ldap->fetch();
+
     if(isset($attrs['uid'][0])){
 
       /* Get servers mac */
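Review bot: The `gmmktime()` call in `save_object()` takes the `$_POST` date fields as they arrive, without an `isset` test or integer cast, and with `chk_times()` removed `check()` no longer looks at the date values at all. A missing or non-numeric field produces notices and an unintended timestamp, and an out-of-range day or month is silently normalised into a different expiry date. I would cast each part and accept the date only when `checkdate()` passes, as sketched below, with `check()` reporting the rejected input. If an empty value is not meant to be valid for `MAX_LIFE` and `MAX_RENEWABLE_LIFE`, the pattern `/^[0-9]*$/` in `check()` should use `+` instead of `*`. `save_object()` starts and `save()` ends outside this hunk.

```php
          $this->$clear = FALSE;
          // Cast every posted date part so missing or non-numeric fields become 0
          $parts = array();
          foreach(array("h","i","m","d","y") as $part){
            $key = $date_value."_".$part;
            $parts[$part] = isset($_POST[$key]) ? intval($_POST[$key]) : 0;
          }
          // Keep the previous value unless the posted calendar date is valid
          if(checkdate($parts["m"],$parts["d"],$parts["y"])){
            $this->$date_value = gmmktime($parts["h"],$parts["i"],0,$parts["m"],$parts["d"],$parts["y"]);
          }
```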
@@ -495,14 +584,8 @@ class passwordMethodMIT extends passwordMethod
       /* Collect flags */
       $flags = array();
       $entry = array();
-      foreach($this->flags as $flag){
-        if($this->$flag){
-          $flags[] = $flag;
-        }
-      }
-      if(count($flags)){
-        $entry['ATTRIBUTES'] = $flags;
-      }
+
+      $entry['ATTRIBUTES'] = $this->used_flags;
 
       /* Append other values */
       foreach($this->values as $attr){
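Review bot: `$entry['ATTRIBUTES'] = $this->used_flags;` sends back whatever `used_flags` holds, and the load path earlier in this commit copies `$tmp['ATTRIBUTES']` into it without checking that the daemon returned an integer. A cast at this point, `$entry['ATTRIBUTES'] = intval($this->used_flags);`, keeps the bitmask well-typed for the daemon call, and the same cast where the value is loaded would protect the `&` tests in `configure()`. The context line `$flags = array();` is now unused and can be dropped. `save()` starts and ends outside this hunk.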
@@ -515,14 +598,31 @@ class passwordMethodMIT extends passwordMethod
         $entry['POLICY'] = $policy;
       }
 
+      /* Set date values 
+       */
+     $date_values = array("PW_EXPIRATION","PRINC_EXPIRE_TIME");
+      foreach($date_values as $value){
+        $clear = $value."_clear";
+        if($this->$clear){
+          $entry[$value] = 0;
+        }
+      }    
+
+
       /* Save principal changes */
       $o = new gosaSupportDaemon();
+      if(in_array($principal,$this->server_list[$server_name]['principals'])){
+        $this->is_new = FALSE;
+      }
+
       if($this->is_new){
         $o->krb5_add_principal($server_mac,$principal,$entry);
       }else{
         $o->krb5_set_principal($server_mac,$principal,$entry);
       }
       if($o->is_error()){
+        $this->si_error     = TRUE;
+        $this->si_error_msg = $o->get_error();
         msg_dialog::display(_("Service infrastructure"),msgPool::siError($o->get_error()),ERROR_DIALOG);      
       }
     }
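Review bot: The new `in_array($principal, ...)` test decides between `krb5_add_principal()` and `krb5_set_principal()` from the cached principal list, but that list is `array()` whenever the constructor skipped SI access or `load_principals_for_server()` bailed out on a daemon error. In those cases an existing principal may still be treated as new, unless `is_new` was cleared elsewhere in code not shown here. Consider stopping before the daemon call when the list could not be loaded, e.g. `if($this->si_error){ return; }`, and passing `TRUE` as the third argument to `in_array()` for a strict comparison. `save()` begins outside this hunk.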