PHP's ldap_sasl_bind tries to authenticate with KRB5CCNAME other than the one provided by mod_auth_kerb

Hi.

I am using Apache-2.2.2 with mod_auth_kerb-5.3, php-5.2.1,
openldap-2.3.27, cyrus-sasl-2.1.21 and heimdal-0.7.2 on a
Linux-from-scratch based system.

The problem I'm presenting is probably a PHP issue or an Apache issue,
or a mod_auth_kerb issue. I could not understand which one causes the
problem.

I am trying to connect using SASL and GSSAPI to the LDAP server from a
PHP script that runs on the Apache server.

The script (in short) does the following:
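 // Point this process at the credential cache provided by mod_auth_kerb
 putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
 echo getenv("KRB5CCNAME");
 // List the tickets in that cache
 system("klist");
 // "or" binds looser than "=", so $ldapconn holds the link, not a boolean
 $ldapconn = ldap_connect("ldap://example.org") or die(...);
 ldap_sasl_bind($ldapconn, NULL, NULL, "GSSAPI") or die(...);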

When I run the script manually from a shell that has a proper
KRB5CCNAME environment variable, both the system("klist") and the
ldap_sasl_bind(...) work as they should.

When I run `restart Apache' and then enter the PHP page for the
first time, both work as well. The KRB5CCNAME written is
/tmp/krb5ccname_apache_<something>.

After that, each time I enter the page I get some other KRB5CCNAME
(other than the one I got before), the system("klist") command works
as it should, but ldap_sasl_bind returns "Local error". In this case I
also get an error written to /var/log/auth. This error says that the
file /tmp/krb5ccname_apache_<something> could not be found (this is
the same <something> that was written by PHP after I restarted
Apache). This means that the authentication process tries to use the
previous file-name.

I added a debug print to PHP's ldap_sasl_bind function that prints
`getenv("KRB5CCNAME")' to Apache's error-log. The KRB5CCNAME written
to the error-log is the same as the one PHP outputs, not the one
written to the auth log.

Why isn't the KRB5CCNAME variable passed on?
Which of the three (PHP, Apache, mod_auth_kerb) keeps the first KRB5CCNAME?
How do I cause the new KRB5CCNAME to be used for authentication?
Any ideas?

Thanks,
            Gil Ran.

P.S.
I am not on the list, please cc me.
