My platform is basically Debian sarge + Heimdal GSSAPI, but I have exactly the same problem. I have a way to solve the issue, but it is not valid for any kind of production site. Just add this to your PHP code:

    copy(substr($_SERVER['KRB5CCNAME'],5),"/tmp/krb5cc_0");

and you'll get a real bind (you see the ldap ticket with klist). I think that I must use the uid 0 for the credential cache because my apache master process is owned by root. If it did start with a different user, you probably need to change the '_0'.

If you don't expect heavy usage and don't care about run conditions, you might use it as is. I might recommend some basic existence checks to avoid collisions and possible impersonation (in my case, different users have different permissions on the ldap tree), but I believe it will not scale in any sensible manner.

I'm afraid that this is due to the fact that mod-php (and php-ldap) is loaded during initialization, and it looks like the credential cache value is either frozen or not taken from the environment. I've tried to use putenv and apache_setenv, as well as manually fixing $_ENV, with no success, but I'm unsure if any of them has the same effect as exporting a shell variable, which is what is actually expected.

--
View this message in context: http://www.nabble.com/PHP%27s-ldap_sasl_bind-tries-to-authenticate-with-KRB5CCNAME-other-than-the-one-provided-by-mod_auth_kerb-tf3681101.html#a10323750
Sent from the PHP - General mailing list archive at Nabble.com.

--
PHP General Mailing List (http://www.php.net/)
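One way to add the existence checks the message mentions, as an added example that is not part of the original post: the copy to the shared cache is done under an exclusive lock, created with O_EXCL and mode 0600, and removed again after the bind, so two requests cannot bind with each other's ticket. The function name, the ".lock" file and the $ds connection in the usage comment are assumptions; binds are serialized to one at a time, so this does not remove the scaling limit.

```php
<?php
// Added example (not from the original message). Assumed names:
// with_shared_ccache(), the "<cache>.lock" file, and $ds in the usage comment.
function with_shared_ccache(callable $bind, string $shared = '/tmp/krb5cc_0')
{
    $env = $_SERVER['KRB5CCNAME'] ?? '';
    if (strncmp($env, 'FILE:', 5) !== 0) {
        throw new RuntimeException('KRB5CCNAME is not a FILE: cache');
    }
    $src = substr($env, 5);
    // Accept only a regular file (no symlink) as the per-request cache.
    if (is_link($src) || !is_file($src)) {
        throw new RuntimeException('per-request cache is not a regular file');
    }
    // Mode 'c' creates the lock file without truncating it.
    $lock = fopen($shared . '.lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX)) {
        throw new RuntimeException('cannot lock shared cache');
    }
    try {
        // We hold the lock, so anything left here is stale (crashed request).
        @unlink($shared);
        $old = umask(0077);           // new file gets mode 0600
        $dst = fopen($shared, 'x');   // O_EXCL: fails on an existing file or symlink
        umask($old);
        $ticket = file_get_contents($src);
        if ($dst === false || $ticket === false) {
            throw new RuntimeException('cannot create shared cache');
        }
        fwrite($dst, $ticket);
        fclose($dst);
        // The bind runs while this request's ticket is the only one in place.
        return $bind();
    } finally {
        // Never leave a user's ticket behind for the next request.
        @unlink($shared);
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}

// Usage, with $ds an already opened ldap_connect() handle (assumed):
// $ok = with_shared_ccache(function () use ($ds) {
//     return ldap_sasl_bind($ds, null, null, 'GSSAPI');
// });
```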