client authentication towards postgresql in php?

From: Daniel Struck <struck(dot)d(at)retrovirology(dot)lu>
To: pgsql-php(at)postgresql(dot)org
Subject: client authentication towards postgresql in php?
Date: 2003-11-09 15:52:28
Message-ID: 20031109165228.45503144.struck.d@retrovirology.lu
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-php

Hello,

I am searching for a secure way to handle client authentication in php towards postgresql.

Let me explain what I like to setup:

Client will connect to the application via Apache.
The authentication of the clients will be done over ssl and the certificates of the clients will be stored on smartcards.
(I have written a small documentation how to setup this at www.opensc.org).
Next I will read in the PHP application environment variables of apache to know if the user was correctly authenticated by apache.

In postgresql I would like to create for every client a user.
Purpose: automatically log every action like update/delete of users by rules without requiring scripts in php.

The problem I have is to authenticate the client to postgresql.
Of course I could save the passwords for the clients in a text file accessible by the php application, but I don't like the idea of this file lying around on the hard drive.

I thought about using Kerberos in this setup, sort of:

1.apache authenticates the client (two way ssl with smartcards)
2. client receives a ticket from kerberos
3. which php could forward to postgresql.

Is this possible?

Maybe someone knows another secure way of authenticating users to postgresql in a web application?

Best regards,
Daniel Struck

--
Retrovirology Laboratory Luxembourg
Centre Hospitalier de Luxembourg
4, rue E. Barblé
L-1210 Luxembourg

phone: +352-44116105
fax: +352-44116113
web: http://www.retrovirology.lu
e-mail: struck(dot)d(at)retrovirology(dot)lu

Responses

Browse pgsql-php by date

  From Date Subject
Next Message Muhyiddin A.M Hayat 2003-11-10 05:50:15 View image in bytea field from php
Previous Message Daniel Struck 2003-11-09 15:37:16 Re: Reducing duplicated business rules