KADM5
Introduction
This package allows you to access Kerberos V administration servers. You can create, modify, and delete Kerberos V principals and policies.
More information about Kerberos can be found at https://web.mit.edu/kerberos/www/.
Documentation for Kerberos and KADM5 can be found at https://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin_toc.html.
Resource Types
This extension defines a KADM5 handle returned by kadm5_init_with_password().
Predefined Constants
The constants below are defined by this extension, and will only be available when the extension has either been compiled into PHP or dynamically loaded at runtime.
Constants for Attribute Flags
The functions kadm5_create_principal() and kadm5_modify_principal() let you specify special attributes using a bitfield. The symbols are defined below:
constant |
---|
KRB5_KDB_DISALLOW_POSTDATED |
KRB5_KDB_DISALLOW_FORWARDABLE |
KRB5_KDB_DISALLOW_TGT_BASED |
KRB5_KDB_DISALLOW_RENEWABLE |
KRB5_KDB_DISALLOW_PROXIABLE |
KRB5_KDB_DISALLOW_DUP_SKEY |
KRB5_KDB_DISALLOW_ALL_TIX |
KRB5_KDB_REQUIRES_PRE_AUTH |
KRB5_KDB_REQUIRES_HW_AUTH |
KRB5_KDB_REQUIRES_PWCHANGE |
KRB5_KDB_DISALLOW_SVR |
KRB5_KDB_PWCHANGE_SERVER |
KRB5_KDB_SUPPORT_DESMD5 |
KRB5_KDB_NEW_PRINC |
Constants for Options
The functions kadm5_create_principal(), kadm5_modify_principal(), and kadm5_get_principal() let you specify or return a principal's options as an associative array. The keys for the associative array are defined as string constants below:
constant | type | description |
---|---|---|
KADM5_PRINCIPAL | long | The expire time of the principal as a Kerberos timestamp. |
KADM5_PRINC_EXPIRE_TIME | long | The expire time of the principal as a Kerberos timestamp. |
KADM5_LAST_PW_CHANGE | long | The time this principal's password was last changed. |
KADM5_PW_EXPIRATION | long | The expire time of the principal's current password, as a Kerberos timestamp. |
KADM5_MAX_LIFE | long | The maximum lifetime of any Kerberos ticket issued to this principal. |
KADM5_MAX_RLIFE | long | The maximum renewable lifetime of any Kerberos ticket issued to or for this principal. |
KADM5_MOD_NAME | string | The name of the Kerberos principal that most recently modified this principal. |
KADM5_MOD_TIME | long | The time this principal was last modified, as a Kerberos timestamp. |
KADM5_KVNO | long | The version of the principal's current key. |
KADM5_POLICY | string | The name of the policy controlling this principal. |
KADM5_CLEARPOLICY | long | Standard procedure is to assign the 'default' policy to new principals. KADM5_CLEARPOLICY suppresses this behaviour. |
KADM5_LAST_SUCCESS | long | The KDC time of the last successful AS_REQ. |
KADM5_LAST_FAILED | long | The KDC time of the last failed AS_REQ. |
KADM5_FAIL_AUTH_COUNT | long | The number of consecutive failed AS_REQs. |
KADM5_RANDKEY | long | Generates a random password for the principal. The parameter password will be ignored. |
KADM5_ATTRIBUTES | long | A bitfield of attributes for use by the KDC. |
Examples
This simple example shows how to connect, query, print resulting principals and disconnect from a KADM5 database.
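Example #1 KADM5 extension overview example
<?php
// Connect to admin server "afs-1" in realm GONICUS.LOCAL as admin/admin.
// The literal password is a placeholder; do not hard-code real credentials.
$handle = kadm5_init_with_password("afs-1", "GONICUS.LOCAL", "admin/admin", "password");
if ($handle === false) {
    die("Could not connect to the KADM5 server\n");
}

// List every principal; escape values before writing them into HTML.
print "<h1>get_principals</h1>\n";
$principals = kadm5_get_principals($handle);
foreach ($principals as $principal) {
    print htmlspecialchars($principal) . "<br>\n";
}

// List every policy.
print "<h1>get_policies</h1>\n";
$policies = kadm5_get_policies($handle);
foreach ($policies as $policy) {
    print htmlspecialchars($policy) . "<br>\n";
}

// Show all options of a single principal.
print "<h1>get_principal burbach@GONICUS.LOCAL</h1>\n";
$options = kadm5_get_principal($handle, "burbach@GONICUS.LOCAL");
foreach ($options as $key => $value) {
    print htmlspecialchars("$key: $value") . "<br>\n";
}

// Set the principal's expire time to 0.
$options = array(KADM5_PRINC_EXPIRE_TIME => 0);
kadm5_modify_principal($handle, "burbach@GONICUS.LOCAL", $options);

// Close the connection and release the handle.
kadm5_destroy($handle);
?>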
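The attribute bitfield and the options array described above can be combined into a review of which principals lack KRB5_KDB_REQUIRES_PRE_AUTH, a flag administrators normally want set on password-based principals. This is an added example, not code from the extension's documentation; the function names and the KADM5_ADMIN_PASSWORD environment variable are hypothetical, and the server, realm and admin principal are reused from Example #1.

```php
<?php
// Added example; needs the kadm5 extension and the PHP CLI. Assumption: the admin
// password comes from the env var KADM5_ADMIN_PASSWORD (hypothetical name).
const ATTRIBUTE_FLAG_NAMES = [   // attribute-flag constants listed on this page
    'KRB5_KDB_DISALLOW_POSTDATED', 'KRB5_KDB_DISALLOW_FORWARDABLE',
    'KRB5_KDB_DISALLOW_TGT_BASED', 'KRB5_KDB_DISALLOW_RENEWABLE',
    'KRB5_KDB_DISALLOW_PROXIABLE', 'KRB5_KDB_DISALLOW_DUP_SKEY',
    'KRB5_KDB_DISALLOW_ALL_TIX', 'KRB5_KDB_REQUIRES_PRE_AUTH',
    'KRB5_KDB_REQUIRES_HW_AUTH', 'KRB5_KDB_REQUIRES_PWCHANGE',
    'KRB5_KDB_DISALLOW_SVR', 'KRB5_KDB_PWCHANGE_SERVER',
    'KRB5_KDB_SUPPORT_DESMD5', 'KRB5_KDB_NEW_PRINC',
];
// Decode a KADM5_ATTRIBUTES bitfield into the names of the flags that are set.
function decode_attributes(int $bits): array
{
    $set = [];
    foreach (ATTRIBUTE_FLAG_NAMES as $name) {
        if (defined($name) && ($bits & constant($name)) !== 0) {
            $set[] = $name;
        }
    }
    return $set;
}

// Map each principal that lacks KRB5_KDB_REQUIRES_PRE_AUTH to its set flags.
function principals_without_preauth($handle): array
{
    $findings = [];
    foreach (kadm5_get_principals($handle) as $name) {
        $entry = kadm5_get_principal($handle, $name);
        $bits = (int) ($entry[KADM5_ATTRIBUTES] ?? 0);
        if (($bits & KRB5_KDB_REQUIRES_PRE_AUTH) === 0) {
            $findings[$name] = decode_attributes($bits);
        }
    }
    return $findings;
}

$password = getenv('KADM5_ADMIN_PASSWORD');
$handle = $password === false ? false
    : kadm5_init_with_password("afs-1", "GONICUS.LOCAL", "admin/admin", $password);
if ($handle === false) {
    fwrite(STDERR, "missing password or kadm5_init_with_password() failed\n");
    exit(1);
}
foreach (principals_without_preauth($handle) as $name => $flags) {
    printf("%s: no pre-auth; flags set: %s\n", $name, implode(', ', $flags) ?: 'none');
}
kadm5_destroy($handle);
```

To set the flag on a reported principal, pass an options array with KADM5_ATTRIBUTES set to the existing bitfield OR-ed with KRB5_KDB_REQUIRES_PRE_AUTH to kadm5_modify_principal().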
Contact Information
If you have comments, bugfixes, enhancements or want to help in developing this you can send me a mail at holger.burbach@gonicus.de. The project homepage can be found at https://oss.gonicus.de/project/?group_id=7.
Table of Contents
- kadm5_chpass_principal — Changes the principal's password
- kadm5_create_principal — Creates a Kerberos principal with the given parameters
- kadm5_delete_principal — Deletes a Kerberos principal
- kadm5_destroy — Closes the connection to the admin server and releases all related resources
- kadm5_flush — Flush all changes to the Kerberos database, leaving the connection to the Kerberos admin server open
- kadm5_get_policies — Gets all policies from the Kerberos database
- kadm5_get_principal — Gets the principal's entries from the Kerberos database
- kadm5_get_principals — Gets all principals from the Kerberos database
- kadm5_init_with_password — Opens a connection to the KADM5 library and initializes any necessary state information
- kadm5_modify_principal — Modifies a Kerberos principal with the given parameters