On Tue, 11 Nov 2003 12:47:52 -0600
Bruno Wolff III <bruno@wolff.to> wrote:
> If you trust the host the php/web server runs on you may be able to use
> trust authentication. If you don't trust all of the users on that host
> then you can use ident authentication, though if the db server and php/web
> server aren't the same host using identd may slow things down too much.
The web application, which will make the connection to the database, is normally running under the user apache, so I
don'tthink I could use the ident method?
I have found this interesting info:
"The goal of the Negotiateauth project is to create an plugin for the Mozilla browser supporting the HTTP Negotiate
authenticationmethod. Main motivation is to add support for the Kerberos mechanism and use Kerberos tickets for user's
authenticationinstead of their password. This way the user's Kerberos password will no longer be transfered to the web
server.More information on the use of Negotiate method in Mozilla and Apache can be found at
http://meta.cesnet.cz/software/heimdal/negotiate.en.html."
So maybe I could authenticate every user at the client machines with kerberos, and pass the kerberos ticket with this
methodto apache, who will pass it to php, which does use it to connect to postgresql.
Would now be interesting to know if I can authenticate to a Kerberos server with a smartcard.
--
Retrovirology Laboratory Luxembourg
Centre Hospitalier de Luxembourg
4, rue E. Barblé
L-1210 Luxembourg
phone: +352-44116105
fax: +352-44116113
web: http://www.retrovirology.lu
e-mail: struck.d@retrovirology.lu
