Kerberos Authentication in PHP

BlaM picture BlaM · Dec 23, 2008 · Viewed 25.8k times · Source

Let's just assume that I don't know much about Kerberos - just the basics.

I have...

  • Debian Linux 2.6 Webserver
    • Apache 2.2
      • mod_auth_kerb/5.3
      • PHP/5.2
  • a (working) Kerberos Realm
  • Windows Client

How do I use this information in a PHP script so that I don't need to log in to the website if the visitor has a kerberos ticket like that? I don't want Apache to handle the authentication. I need to find out which user is accessing the site via PHP.

Is that possible? If so: How?

What I have found out so far: I have to "enable" the domain in Firefox.

However that's about it...

Answer

Cetra picture Cetra · Dec 24, 2008

I'm not sure if this will help, but it looks like Apache will send PHP the username information with the modauthkerb package if you use the KrbSaveCredentials parameter. You should get two global variables in php:

 $_SERVER['REMOTE_USER']
 $_SERVER['KRB5CCNAME']

http://archives.postgresql.org/pgsql-admin/2004-08/msg00144.php looks like they have got this working.

That way if you can see what the user is, it really isn't a requirement that php actually does the authentication.