Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in harmony! How?

From: Mark Gibson <gibsonm(at)cromwell(dot)co(dot)uk>
To: pgsql-admin(at)postgresql(dot)org, pgsql-php(at)postgresql(dot)org
Subject: Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in harmony! How?
Date: 2004-08-17 14:40:02
Message-ID: 44fffac5903f1d3c69d160878754ce2f41221776@cromwell.co.uk
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin pgsql-php

Hi,
I've been trying to Kerberize our Apache and PostgreSQL servers for
our company's web applications.

Goal: To connect from a PHP web app to a PostgreSQL database
using the users credentials, so all authorization is managed via
privileges within the database.

Our IT dept has recently installed Windows 2003 Server to provide
authentication & directories via Kerberos and LDAP.

I've managed to configure Apache (2.0.49) to authenticate users using
mod_auth_kerb (5.0-rc6), and also PostgreSQL (7.4.3) to use Kerberos.
(Linux hosts use MIT KerberosV5 1.3.3 client libs, KDC is Windows 2003)

mod_auth_kerb is configured with:

KrbSaveCredentials on

So in PHP (4.3.8) we end up with the variables:

$_SERVER['REMOTE_USER'] (eg: 'gibsonm(at)OUR-REALM(dot)CO(dot)UK')
$_SERVER['KRB5CCNAME'] (eg: 'FILE:/tmp/krb5cc_apache_tVFJCd')

Even HTTP Negotiate works with Firefox/Linux (but not IE/XP yet!) :)

But this is where I get stuck.
How do I use the supplied credentials file to connect to PostgreSQL?

In the PostgreSQL docs it says:
(http://www.postgresql.org/docs/7.4/interactive/auth-methods.html#KERBEROS-AUTH)

> If you use mod_auth_kerb from http://modauthkerb.sf.net and mod_perl
> on your Apache web server, you can use AuthType
> KerberosV5SaveCredentials with a mod_perl script. This gives secure
> database access over the web, no extra passwords required.

I'm assuming this is out of date, or has changed with mod_auth_kerb 5.0,
and that the KrbSaveCredentials directive does this job instead.

Is there any examples of this mod_perl script?
Can the alleged mod_perl method be adapted to PHP?
Has anyone got this to work?
What are the alternatives to my goal stated above?

Cheers
--
Mark Gibson <gibsonm |AT| cromwell |DOT| co |DOT| uk>
Web Developer & Database Admin
Cromwell Tools Ltd.
Leicester, England.

Responses

Browse pgsql-admin by date

  From Date Subject
Next Message Chris Gamache 2004-08-17 14:48:28 What's the best way to use a Solid State HDD?
Previous Message Kris Deugau 2004-08-17 14:23:39 Re: 7.4.3 and PAM authentication failures

Browse pgsql-php by date

  From Date Subject
Next Message Mark Gibson 2004-08-17 15:53:16 Re: [PHP] Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in
Previous Message Christopher Kings-Lynne 2004-08-17 01:20:27 Re: How to create a new Table in prostgresql from a Webinterface