Re: Certificate, login & php question ? krb / sso

[Jean-Gerard Pailloncy <jg@xxxxxxxx>]

Le 11 sept. 06 à 05:57, Michael Fuhr a écrit :

On Sun, Sep 10, 2006 at 09:39:59PM -0600, Michael Fuhr wrote:

On Mon, Sep 11, 2006 at 02:32:26AM +0200, Jean-Gerard Pailloncy wrote:

1) Is it possible to use the SSL authentification done by apache with  

PostgreSQL ?

I'm not aware of a way for Apache to proxy PostgreSQL's SSL

negotiation with the PHP script back to the HTTP client.

If such a capability existed then it could arguably be considered

a flaw in SSL because it would allow a server to impersonate one

of its clients to another server or to hijack a client's secure

connection with another server.  Secure protocols are designed to

prevent such attacks.

The point is to USE AGAIN the authentification done by Apache with PostgreSQL not DO AGAIN the authentification.

Googling around, I found:

mod_auth_krb with "AuthType KerberosV5SaveCredentials"

The auth is done by mod_auth_krb and mod_perl is able to use the same ticket for PostgreSQL. It is in the doc of PG.

I found a page that presents phpkrb5 that may do the same things for mod_php

http://www.stacken.kth.se/lists/heimdal-discuss/2003-04/msg00026.html

The project is hosted on http://savannah.nongnu.org/projects/phpkrb5/

but is not really up to date (3 years old, and only for php4)

In fact, things may look simple after reading http://archives.postgresql.org/pgsql-php/2004-08/msg00031.php

I'VE DONE IT! THE HOLY GRAIL OF WEB/DB APPS! :)

All it takes it this line your PHP script:

putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");

Then pg_connect works :)

but it is not reliable (http://archives.postgresql.org/pgsql-php/2004-08/msg00033.php).

Sorry for the noise, but my question seems to me less and less PostgreSQL centric.

On heavy solution may be a SSO with kerberos. Many new questions then...

If someone has already done that, I would be glad to have some good URL.

Pailloncy Jean-Gerard

Attachment: smime.p7s
Description: S/MIME cryptographic signature