Lists: | pgsql-adminpgsql-php |
---|
From: | Mark Gibson <gibsonm(at)cromwell(dot)co(dot)uk> |
---|---|
To: | pgsql-admin(at)postgresql(dot)org, pgsql-php(at)postgresql(dot)org |
Subject: | Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in harmony! How? |
Date: | 2004-08-17 14:40:02 |
Message-ID: | 44fffac5903f1d3c69d160878754ce2f41221776@cromwell.co.uk |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-admin pgsql-php |
Hi,
I've been trying to Kerberize our Apache and PostgreSQL servers for
our company's web applications.
Goal: To connect from a PHP web app to a PostgreSQL database
using the users credentials, so all authorization is managed via
privileges within the database.
Our IT dept has recently installed Windows 2003 Server to provide
authentication & directories via Kerberos and LDAP.
I've managed to configure Apache (2.0.49) to authenticate users using
mod_auth_kerb (5.0-rc6), and also PostgreSQL (7.4.3) to use Kerberos.
(Linux hosts use MIT KerberosV5 1.3.3 client libs, KDC is Windows 2003)
mod_auth_kerb is configured with:
KrbSaveCredentials on
So in PHP (4.3.8) we end up with the variables:
$_SERVER['REMOTE_USER'] (eg: 'gibsonm(at)OUR-REALM(dot)CO(dot)UK')
$_SERVER['KRB5CCNAME'] (eg: 'FILE:/tmp/krb5cc_apache_tVFJCd')
Even HTTP Negotiate works with Firefox/Linux (but not IE/XP yet!) :)
But this is where I get stuck.
How do I use the supplied credentials file to connect to PostgreSQL?
In the PostgreSQL docs it says:
(http://www.postgresql.org/docs/7.4/interactive/auth-methods.html#KERBEROS-AUTH)
> If you use mod_auth_kerb from http://modauthkerb.sf.net and mod_perl
> on your Apache web server, you can use AuthType
> KerberosV5SaveCredentials with a mod_perl script. This gives secure
> database access over the web, no extra passwords required.
I'm assuming this is out of date, or has changed with mod_auth_kerb 5.0,
and that the KrbSaveCredentials directive does this job instead.
Is there any examples of this mod_perl script?
Can the alleged mod_perl method be adapted to PHP?
Has anyone got this to work?
What are the alternatives to my goal stated above?
Cheers
--
Mark Gibson <gibsonm |AT| cromwell |DOT| co |DOT| uk>
Web Developer & Database Admin
Cromwell Tools Ltd.
Leicester, England.
From: | Mark Gibson <gibsonm(at)cromwell(dot)co(dot)uk> |
---|---|
To: | Mark Gibson <gibsonm(at)cromwell(dot)co(dot)uk> |
Cc: | pgsql-admin(at)postgresql(dot)org, pgsql-php(at)postgresql(dot)org |
Subject: | Re: [PHP] Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in |
Date: | 2004-08-17 15:53:16 |
Message-ID: | 39d52b969d6add5a94afc6c25d53f4d34122289d@cromwell.co.uk |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-admin pgsql-php |
Mark Gibson wrote:
> Hi,
> I've been trying to Kerberize our Apache and PostgreSQL servers for
> our company's web applications.
>
> Goal: To connect from a PHP web app to a PostgreSQL database
> using the users credentials, so all authorization is managed via
> privileges within the database.
>
> Our IT dept has recently installed Windows 2003 Server to provide
> authentication & directories via Kerberos and LDAP.
>
> I've managed to configure Apache (2.0.49) to authenticate users using
> mod_auth_kerb (5.0-rc6), and also PostgreSQL (7.4.3) to use Kerberos.
> (Linux hosts use MIT KerberosV5 1.3.3 client libs, KDC is Windows 2003)
>
> mod_auth_kerb is configured with:
>
> KrbSaveCredentials on
>
> So in PHP (4.3.8) we end up with the variables:
>
> $_SERVER['REMOTE_USER'] (eg: 'gibsonm(at)OUR-REALM(dot)CO(dot)UK')
> $_SERVER['KRB5CCNAME'] (eg: 'FILE:/tmp/krb5cc_apache_tVFJCd')
>
> Even HTTP Negotiate works with Firefox/Linux (but not IE/XP yet!) :)
>
> But this is where I get stuck.
> How do I use the supplied credentials file to connect to PostgreSQL?
>
> In the PostgreSQL docs it says:
> (http://www.postgresql.org/docs/7.4/interactive/auth-methods.html#KERBEROS-AUTH)
>
>
> > If you use mod_auth_kerb from http://modauthkerb.sf.net and mod_perl
> > on your Apache web server, you can use AuthType
> > KerberosV5SaveCredentials with a mod_perl script. This gives secure
> > database access over the web, no extra passwords required.
>
> I'm assuming this is out of date, or has changed with mod_auth_kerb 5.0,
> and that the KrbSaveCredentials directive does this job instead.
I'VE DONE IT! THE HOLY GRAIL OF WEB/DB APPS! :)
All it takes it this line your PHP script:
putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");
Then pg_connect works :)
--
Mark Gibson <gibsonm |AT| cromwell |DOT| co |DOT| uk>
Web Developer & Database Admin
Cromwell Tools Ltd.
Leicester, England.
From: | Mark Gibson <gibsonm(at)cromwell(dot)co(dot)uk> |
---|---|
To: | |
Cc: | pgsql-admin(at)postgresql(dot)org, pgsql-php(at)postgresql(dot)org |
Subject: | Re: [PHP] Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in |
Date: | 2004-08-17 16:02:32 |
Message-ID: | d1a43308784f72b0a2bd817275efbc6541222ac6@cromwell.co.uk |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-admin pgsql-php |
Mark Gibson wrote:
> Mark Gibson wrote:
>
>> Hi,
>> I've been trying to Kerberize our Apache and PostgreSQL servers for
>> our company's web applications.
[snip]
>
> I'VE DONE IT! THE HOLY GRAIL OF WEB/DB APPS! :)
>
> All it takes it this line your PHP script:
>
> putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");
>
> Then pg_connect works :)
Or, not, as the case may be.
Well, sometimes it connects and sometimes it doesn't,
PostgreSQL logs the following error:
Kerberos recvauth returned error 103
Any ideas???
--
Mark Gibson <gibsonm |AT| cromwell |DOT| co |DOT| uk>
Web Developer & Database Admin
Cromwell Tools Ltd.
Leicester, England.
From: | "Miguel A(dot) Arévalo" <marevalo(at)marevalo(dot)net> |
---|---|
To: | pgsql-php(at)postgresql(dot)org |
Subject: | Re: Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in |
Date: | 2004-08-17 21:50:10 |
Message-ID: | cftui0$2662$1@news.hub.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-admin pgsql-php |
AFAIK, redirecting credentials is not supported in mod_auth_krb.
I remember listening something that makes it impossible due to way
Linux/UNIX works, but don't take this as something more than a rumor.
Regards.
Mark Gibson wrote:
> Mark Gibson wrote:
>
>> Mark Gibson wrote:
>>
>>> Hi,
>>> I've been trying to Kerberize our Apache and PostgreSQL servers for
>>> our company's web applications.
>
> [snip]
>
>>
>> I'VE DONE IT! THE HOLY GRAIL OF WEB/DB APPS! :)
>>
>> All it takes it this line your PHP script:
>>
>> putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");
>>
>> Then pg_connect works :)
>
>
> Or, not, as the case may be.
> Well, sometimes it connects and sometimes it doesn't,
> PostgreSQL logs the following error:
>
> Kerberos recvauth returned error 103
>
> Any ideas???
>