Re: [PHP] Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in - Mailing list pgsql-admin

From Mark Gibson
Subject Re: [PHP] Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in
Date
Msg-id 39d52b969d6add5a94afc6c25d53f4d34122289d@cromwell.co.uk
In response to Kerberos, Apache2, mod_auth_kerb, PHP, and PostgreSQL in harmony! How?  (Mark Gibson <gibsonm@cromwell.co.uk>)
List pgsql-admin
Mark Gibson wrote:
> Hi,
>    I've been trying to Kerberize our Apache and PostgreSQL servers for
> our company's web applications.
>
> Goal: To connect from a PHP web app to a PostgreSQL database
> using the user's credentials, so all authorization is managed via
> privileges within the database.
>
> Our IT dept has recently installed Windows 2003 Server to provide
> authentication & directories via Kerberos and LDAP.
>
> I've managed to configure Apache (2.0.49) to authenticate users using
> mod_auth_kerb (5.0-rc6), and also PostgreSQL (7.4.3) to use Kerberos.
> (Linux hosts use MIT KerberosV5 1.3.3 client libs, KDC is Windows 2003)
>
> mod_auth_kerb is configured with:
>
> KrbSaveCredentials on
>
> So in PHP (4.3.8) we end up with the variables:
>
> $_SERVER['REMOTE_USER']    (eg: 'gibsonm@OUR-REALM.CO.UK')
> $_SERVER['KRB5CCNAME']     (eg: 'FILE:/tmp/krb5cc_apache_tVFJCd')
>
> Even HTTP Negotiate works with Firefox/Linux (but not IE/XP yet!) :)
>
> But this is where I get stuck.
> How do I use the supplied credentials file to connect to PostgreSQL?
>
> In the PostgreSQL docs it says:
> (http://www.postgresql.org/docs/7.4/interactive/auth-methods.html#KERBEROS-AUTH)
>
>
>  > If you use mod_auth_kerb from http://modauthkerb.sf.net and mod_perl
>  > on your Apache web server, you can use AuthType
>  > KerberosV5SaveCredentials with a mod_perl script. This gives secure
>  > database access over the web, no extra passwords required.
>
> I'm assuming this is out of date, or has changed with mod_auth_kerb 5.0,
> and that the KrbSaveCredentials directive does this job instead.

I'VE DONE IT! THE HOLY GRAIL OF WEB/DB APPS! :)

All it takes is this line in your PHP script:

  putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");

Then pg_connect works :)

--
Mark Gibson <gibsonm |AT| cromwell |DOT| co |DOT| uk>
Web Developer & Database Admin
Cromwell Tools Ltd.
Leicester, England.
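
The one-liner above, expanded into an added example (not part of the original post) that checks the saved credential cache before exporting it and then connects without a password. It is written for current PHP with the posix extension; the host and database names and the mapping from principal to database user are assumptions.

```php
<?php
// Added example. Host and database names are placeholders, and the
// principal-to-role mapping (strip "@REALM") is an assumption.

function ccache_path_from_env(array $server): string
{
    $cc = $server['KRB5CCNAME'] ?? '';
    // mod_auth_kerb with KrbSaveCredentials exports a FILE: cache.
    if (strncmp($cc, 'FILE:', 5) !== 0) {
        throw new RuntimeException('no FILE: credential cache in request');
    }
    $path = substr($cc, 5);
    // Refuse symlinks and anything that is not a regular file.
    if (is_link($path) || !is_file($path)) {
        throw new RuntimeException('credential cache is not a regular file');
    }
    // The cache holds the user's delegated ticket: it must belong to the
    // web server's own uid and be closed to group and others.
    if (fileowner($path) !== posix_geteuid() || (fileperms($path) & 0077) !== 0) {
        throw new RuntimeException('credential cache has unsafe owner or mode');
    }
    return $path;
}

function role_from_principal(string $principal): string
{
    // 'gibsonm@OUR-REALM.CO.UK' -> 'gibsonm'; reject anything that could
    // alter the connection string.
    $user = strstr($principal, '@', true);
    if ($user === false || !preg_match('/^[A-Za-z0-9._-]+$/', $user)) {
        throw new RuntimeException('unexpected principal format');
    }
    return $user;
}

function connect_as_remote_user(array $server)
{
    $path = ccache_path_from_env($server);
    $user = role_from_principal($server['REMOTE_USER'] ?? '');
    // The Kerberos library used by libpq reads KRB5CCNAME from the process
    // environment, which $_SERVER values are not part of until putenv().
    putenv('KRB5CCNAME=FILE:' . $path);
    // No password: authentication comes from the ticket in the cache.
    return pg_connect("host=db.example.internal dbname=appdb user=$user");
}

$db = connect_as_remote_user($_SERVER);
```

PHP restores the environment at the end of each request, so the exported cache name does not carry over to the next user served by the same Apache child.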
