LX. KADM5

Introduction

This package allows you to access Kerberos V administration servers. You can create, modify, and delete Kerberos V principals and policies.

More information about Kerberos can be found at http://web.mit.edu/kerberos/www/.

Documentation for Kerberos and KADM5 can be found at http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin_toc.html.

Predefined Constants

The constants below are defined by this extension, and will only be available when the extension has either been compiled into PHP or dynamically loaded at runtime.

Constants for Attribute Flags

The functions kadm5_create_principal() and kadm5_modify_principal() allow special attributes to be specified using a bitfield. The symbols are defined below:

Table 1. Attributes for use by the KDC

constant
KRB5_KDB_DISALLOW_POSTDATED
KRB5_KDB_DISALLOW_FORWARDABLE
KRB5_KDB_DISALLOW_TGT_BASED
KRB5_KDB_DISALLOW_RENEWABLE
KRB5_KDB_DISALLOW_PROXIABLE
KRB5_KDB_DISALLOW_DUP_SKEY
KRB5_KDB_DISALLOW_ALL_TIX
KRB5_KDB_REQUIRES_PRE_AUTH
KRB5_KDB_REQUIRES_HW_AUTH
KRB5_KDB_REQUIRES_PWCHANGE
KRB5_KDB_DISALLOW_SVR
KRB5_KDB_PWCHANGE_SERVER
KRB5_KDB_SUPPORT_DESMD5
KRB5_KDB_NEW_PRINC

Constants for Options

The functions kadm5_create_principal(), kadm5_modify_principal(), and kadm5_get_principal() take or return a principal's options as an associative array. The keys for the associative array are defined as string constants below:

Table 2. Options for creating/modifying/retrieving principals

constant | funcdef | description
KADM5_PRINCIPAL | long | The expire time of the principal as a Kerberos timestamp.
KADM5_PRINC_EXPIRE_TIME | long | The expire time of the principal as a Kerberos timestamp.
KADM5_LAST_PW_CHANGE | long | The time this principal's password was last changed.
KADM5_PW_EXPIRATION | long | The expire time of the principal's current password, as a Kerberos timestamp.
KADM5_MAX_LIFE | long | The maximum lifetime of any Kerberos ticket issued to this principal.
KADM5_MAX_RLIFE | long | The maximum renewable lifetime of any Kerberos ticket issued to or for this principal.
KADM5_MOD_NAME | string | The name of the Kerberos principal that most recently modified this principal.
KADM5_MOD_TIME | long | The time this principal was last modified, as a Kerberos timestamp.
KADM5_KVNO | long | The version of the principal's current key.
KADM5_POLICY | string | The name of the policy controlling this principal.
KADM5_CLEARPOLICY | long | Standard procedure is to assign the 'default' policy to new principals. KADM5_CLEARPOLICY suppresses this behaviour.
KADM5_LAST_SUCCESS | long | The KDC time of the last successful AS_REQ.
KADM5_LAST_FAILED | long | The KDC time of the last failed AS_REQ.
KADM5_FAIL_AUTH_COUNT | long | The number of consecutive failed AS_REQs.
KADM5_RANDKEY | long | Generates a random password for the principal. The parameter password will be ignored.
KADM5_ATTRIBUTES | long | A bitfield of attributes for use by the KDC.

Examples

This simple example shows how to connect, query, print resulting principals and disconnect from a KADM5 database.

Example 1. KADM5 extension overview example

<?php

  // Connect to admin server "afs-1" in realm GONICUS.LOCAL as admin/admin.
  $handle = kadm5_init_with_password("afs-1", "GONICUS.LOCAL", "admin/admin", "password");

  // List all principals in the Kerberos database.
  print "<h1>get_principals</h1>\n";
  $principals = kadm5_get_principals($handle);
  for ($i = 0; $i < count($principals); $i++)
      print "$principals[$i]<br>\n";

  // List all policies in the Kerberos database.
  print "<h1>get_policies</h1>\n";
  $policies = kadm5_get_policies($handle);
  for ($i = 0; $i < count($policies); $i++)
      print "$policies[$i]<br>\n";

  // Fetch one principal's options as an associative array and print each entry.
  print "<h1>get_principal burbach@GONICUS.LOCAL</h1>\n";
  $options = kadm5_get_principal($handle, "burbach@GONICUS.LOCAL");
  $keys = array_keys($options);
  for ($i = 0; $i < count($keys); $i++) {
    $value = $options[$keys[$i]];
    print "$keys[$i]: $value<br>\n";
  }

  // Set the principal's expire time to 0.
  $options = array(KADM5_PRINC_EXPIRE_TIME => 0);
  kadm5_modify_principal($handle, "burbach@GONICUS.LOCAL", $options);

  // Close the connection and release all related resources.
  kadm5_destroy($handle);
?>
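
A further example, added here and not part of the original manual page: it reads each principal's KADM5_ATTRIBUTES bitfield and options array and reports principals that do not require pre-authentication, have no password expiry, or have no policy. The host, realm, admin principal, the KADM5_PASSWORD environment variable and the helper function names are assumptions; the kadm5 extension must be loaded and an admin server reachable.

```php
<?php
// Added example (not from the manual). Host, realm and admin principal are
// placeholders; the password comes from an assumed environment variable.

// Names of the set flags in a KADM5_ATTRIBUTES bitfield (subset of Table 1).
function decode_attributes(int $bits): array
{
    $names = ['KRB5_KDB_DISALLOW_FORWARDABLE', 'KRB5_KDB_DISALLOW_RENEWABLE',
              'KRB5_KDB_DISALLOW_PROXIABLE', 'KRB5_KDB_DISALLOW_ALL_TIX',
              'KRB5_KDB_REQUIRES_PRE_AUTH', 'KRB5_KDB_REQUIRES_HW_AUTH',
              'KRB5_KDB_REQUIRES_PWCHANGE', 'KRB5_KDB_DISALLOW_SVR'];
    return array_values(array_filter($names, function ($n) use ($bits) {
        return defined($n) && ($bits & constant($n)) !== 0;
    }));
}

// Findings for one options array as returned by kadm5_get_principal().
function audit_options(array $options): array
{
    $findings = [];
    $bits = (int) ($options[KADM5_ATTRIBUTES] ?? 0);
    if (($bits & KRB5_KDB_REQUIRES_PRE_AUTH) === 0) {
        $findings[] = 'pre-authentication not required';
    }
    // Assumption: an expiration timestamp of 0 means "never expires".
    if ((int) ($options[KADM5_PW_EXPIRATION] ?? 0) === 0) {
        $findings[] = 'password has no expiry';
    }
    if (empty($options[KADM5_POLICY])) {
        $findings[] = 'no policy assigned';
    }
    return $findings;
}

$password = getenv('KADM5_PASSWORD');
$handle = $password === false ? false
    : kadm5_init_with_password('kdc.example.test', 'EXAMPLE.TEST', 'admin/admin', $password);
if ($handle === false) {
    exit("cannot connect to admin server\n");
}
foreach (kadm5_get_principals($handle) as $name) {
    $options = kadm5_get_principal($handle, $name);
    if (!is_array($options) || !($findings = audit_options($options))) {
        continue;   // lookup failed or nothing to report
    }
    $flags = decode_attributes((int) ($options[KADM5_ATTRIBUTES] ?? 0));
    printf("%s: %s [%s]\n", $name, implode('; ', $findings), implode(',', $flags));
}
kadm5_destroy($handle);
?>
```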

Contact Information

If you have comments, bugfixes, enhancements or want to help in developing this you can send me a mail at holger.burbach@gonicus.de. The project homepage can be found at http://oss.gonicus.de/project/?group_id=7.

Table of Contents
kadm5_chpass_principal -- Changes the principal's password
kadm5_create_principal -- Creates a Kerberos principal with the given parameters
kadm5_delete_principal -- Deletes a Kerberos principal
kadm5_destroy -- Closes the connection to the admin server and releases all related resources
kadm5_flush -- Flush all changes to the Kerberos database, leaving the connection to the Kerberos admin server open
kadm5_get_policies -- Gets all policies from the Kerberos database
kadm5_get_principal -- Gets the principal's entries from the Kerberos database
kadm5_get_principals -- Gets all principals from the Kerberos database
kadm5_init_with_password -- Opens a connection to the KADM5 library and initializes any necessary state information
kadm5_modify_principal -- Modifies a Kerberos principal with the given parameters

Generated: 2007-01-26 18:00:14