On Tue, 11 Nov 2003 12:47:52 -0600 Bruno Wolff III <bruno@xxxxxxxx> wrote: > If you trust the host the php/web server runs on you may be able to use > trust authentication. If you don't trust all of the users on that host > then you can use ident authentication, though if the db server and php/web > server aren't the same host using identd may slow things down too much. The web application, which will make the connection to the database, is normally running under the user apache, so I don't think I could use the ident method? I have found this interesting info: "The goal of the Negotiateauth project is to create an plugin for the Mozilla browser supporting the HTTP Negotiate authentication method. Main motivation is to add support for the Kerberos mechanism and use Kerberos tickets for user's authentication instead of their password. This way the user's Kerberos password will no longer be transfered to the web server. More information on the use of Negotiate method in Mozilla and Apache can be found at http://meta.cesnet.cz/software/heimdal/negotiate.en.html." So maybe I could authenticate every user at the client machines with kerberos, and pass the kerberos ticket with this method to apache, who will pass it to php, which does use it to connect to postgresql. Would now be interesting to know if I can authenticate to a Kerberos server with a smartcard. -- Retrovirology Laboratory Luxembourg Centre Hospitalier de Luxembourg 4, rue E. Barblé L-1210 Luxembourg phone: +352-44116105 fax: +352-44116113 web: http://www.retrovirology.lu e-mail: struck.d@xxxxxxxxxxxxxxxx