Re: PHP's ldap_sasl_bind tries to authenticate with KRB5CCNAME other than the one provided by mod_auth_kerb


 



My platform is basically debian sarge + heimdal gssapi, but I have exactly
the same problem.

I have a way to solve the issue, but it is not valid for any kind of
production site. Just add this to your PHP code:

copy(substr($_SERVER['KRB5CCNAME'],5),"/tmp/krb5cc_0");

and you'll get a real bind (you can see the LDAP ticket with klist). I think
that I must use the uid 0 for the credential cache because my Apache master
process is owned by root. If it were started as a different user, you would
probably need to change the '_0'.

If you don't expect heavy usage and don't care about run conditions, you
might use it as is. I might recommend some basic existence checks to avoid
collisions and possible impersonation (in my case, different users have
different permissions on the LDAP tree), but I believe it will not scale in
any sensible manner.

I'm afraid that this is due to the fact that mod-php (and php-ldap) is
loaded during initialization, and it looks like the credential cache value is
either frozen or not taken from the environment.

I've tried to use putenv and apache_setenv, as well as manually fixing $_ENV,
with no success, but I'm unsure if any of them has the same effect as
exporting a shell variable, which is what is actually expected.




-- 
View this message in context: http://www.nabble.com/PHP%27s-ldap_sasl_bind-tries-to-authenticate-with-KRB5CCNAME-other-than-the-one-provided-by-mod_auth_kerb-tf3681101.html#a10323750
Sent from the PHP - General mailing list archive at Nabble.com.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
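
Added example (not part of the original message, and not code from PHP or mod_auth_kerb): one way to apply the "basic checks" mentioned above is to serialise the cache copy and the bind under an exclusive lock, so two requests cannot bind with each other's ticket. The function name, the lock path and the use of a FILE: cache are assumptions; the destination defaults to the /tmp/krb5cc_0 path from the message.

```php
<?php
// Added example. with_user_ccache() and $lockPath are hypothetical names.
// $bind is any callable that performs the LDAP bind, for instance:
//   function () use ($ds) { return ldap_sasl_bind($ds, null, null, 'GSSAPI'); }
function with_user_ccache(callable $bind,
                          string $dst = '/tmp/krb5cc_0',
                          string $lockPath = '/var/lock/php-krb5cc.lock')
{
    $ccname = $_SERVER['KRB5CCNAME'] ?? '';
    if (strncmp($ccname, 'FILE:', 5) !== 0) {
        throw new RuntimeException('KRB5CCNAME is not a FILE: cache');
    }
    $src = substr($ccname, 5);
    // The per-user cache written by mod_auth_kerb must be a plain file.
    if (is_link($src) || !is_file($src)) {
        throw new RuntimeException('credential cache is not a regular file');
    }

    // One request at a time owns the shared default cache.
    $lock = fopen($lockPath, 'c');
    if ($lock === false || !flock($lock, LOCK_EX)) {
        throw new RuntimeException('cannot take credential cache lock');
    }
    $oldMask = umask(0077);              // new cache file is created owner-only
    try {
        // Refuse to write through a symlink planted in /tmp. This narrows,
        // but does not remove, the window for a local user to interfere.
        if (is_link($dst)) {
            throw new RuntimeException('destination is a symlink');
        }
        if (!copy($src, $dst) || !chmod($dst, 0600)) {
            throw new RuntimeException('cannot install credential cache');
        }
        return $bind();                  // bind while the lock is still held
    } finally {
        umask($oldMask);
        // Remove this user's ticket before the next request takes the lock.
        if (is_file($dst) && !is_link($dst)) {
            unlink($dst);
        }
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}
```

The lock is advisory, so it only protects requests that go through this helper, and every bind on the server is serialised behind it.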

