Kerberos Authentication in PHP Kerberos Authentication in PHP php php

Kerberos Authentication in PHP


php apache2 single-sign-on kerberos

I'm not sure if this will help, but it looks like Apache will send PHP the username information with the modauthkerb package if you use the KrbSaveCredentials parameter. You should get two global variables in php:

 $_SERVER['REMOTE_USER'] $_SERVER['KRB5CCNAME']

http://archives.postgresql.org/pgsql-admin/2004-08/msg00144.php looks like they have got this working.

That way if you can see what the user is, it really isn't a requirement that php actually does the authentication.

php apache2 single-sign-on kerberos

mod_auth_kerb will handle for you actual authentication. After that, it will set REMOTE_USER and KRB5CCNAME environmental variables. Note that there are few caveats:

  • mod_auth_kerb can do translation between Kerberos principal and local user name if Krb5AuthToLocal option is enabled.
  • If Krb5AuthToLocal is enabled, when authentication succeeds, mod_auth_kerb will call Kerberos library to perform translation from an authenticated name to a local name as Kerberos principal is not always the same as actual user in the operating system (you can map principals to usernames).
  • When MIT Kerberos is in use, this mapping is performed with the help of auth_to_local rules in /etc/krb5.conf, see krb5.conf manual page for details.
  • mod_auth_kerb has a bug that resulting local name should not have longer name than the principal itself. This is usually true for principals from a default realm since they presented without realm part, i.e. 'user' instead of 'user@REALM'. However, if you have several trusted realms, users from non-default realms will be shown as 'user@ANOTHER.REALM' and then mod_auth_kerb will freak out. This bug should be fixed in Fedora 18+ and RHEL6.5, not sure about Debian since mod_auth_kerb upstream is a bit dead.
  • Therefore, your REMOTE_USER variable will contain either Kerberos principal or local user name, depending on how mod_auth_kerb was configured. If your application relies on the fact that REMOTE_USER value must be a real existing system user, you would need to make sure Krb5AuthToLocal option is enabled and such users are visible in the system (through winbind or sssd).

For your case I'd recommend to look at excellent how to by Tom McLaughlin: http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last