Automagic Kerberos/LDAP integration on Apache

Edward Murrell edward at dlconsulting.com
Tue Mar 27 17:08:55 EDT 2007


Hi all,

This might be somewhat off topic, so if the admins nuke it I won't be
offended, but I'm not quite sure where else to post it, and people who
use Kerberos might be interested.

I'm in the process of writing an automagical
Authorization/Authentication module for PHP to work with Kerberos and
LDAP, and I'm curious to know if it would be worth putting it up on
sourceforge, and if anyone else would use it.

The module requires http://sourceforge.net/projects/modauthkerb , and
uses this to get a string describing the connecting user. From this, it
guesses the DNS domain, queries that domain for SRV
records for LDAP servers, and talks to those LDAP servers for user
information. Because this is all automagic, no configuration is
required. Currently it only supports the RFC 2307 LDAP schema, although
patches for anything that supports the LDAP protocol would be awesome.

So from the current setup it does something like this:

edward at EXAMPLE.COM
=> DNS example.com
=> LDAP branch: dc=example,dc=com
=> LDAP servers: Query SRV _ldaps._tcp.dlconsulting.com &
_ldap._tcp.dlconsulting.com

It will attempt to connect to each of the ldap servers in turn, until it
finds something that knows about the user specified in the initial
Kerberos principal. You can then query the module for information about
the user, the groups it's in, information about those groups, and
information about other users.

Effort has gone into avoiding more round trips than necessary, and in
the future I'll look into doing local caching.

The current version runs. It's not pretty, but it's a complete rewrite
from my original ugly as hell prototype into a nice happy PHP5 object.

Would anyone else find this useful? I've got authorization from my boss
to share this under the GPL if anyone would care.

Regards
Edward Murrell
edward at dlconsulting.com
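The principal-to-LDAP mapping described in the post, as an added Python example (not the author's PHP module): it lowercases the realm to get a DNS domain, derives the base DN, orders the `_ldaps._tcp`/`_ldap._tcp` SRV answers by RFC 2782 priority and weight, and walks the servers in turn until one knows the user. The SRV data and host names are constructed stand-ins for a real DNS lookup.

```python
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def split_principal(principal):
    """'edward@EXAMPLE.COM' -> ('edward', 'example.com'); the realm is taken as the DNS domain."""
    m = re.fullmatch(r"([^@/]+)(?:/[^@]+)?@([A-Za-z0-9.-]+)", principal)
    if not m:
        raise ValueError(f"not a user@REALM principal: {principal!r}")
    return m.group(1), m.group(2).lower()

def base_dn(domain):
    """'example.com' -> 'dc=example,dc=com'"""
    return ",".join("dc=" + label for label in domain.split("."))

def srv_names(domain):
    """Try LDAPS before plain LDAP, in the order the post lists them."""
    return [("ldaps", "_ldaps._tcp." + domain), ("ldap", "_ldap._tcp." + domain)]

def order_srv(records):
    """RFC 2782 order: lowest priority first, then higher weight (deterministic, not weighted-random)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

def ldap_urls(principal, resolve):
    """Return (base DN, ordered LDAP URLs); resolve(name) returns the SRV records for a name."""
    _, domain = split_principal(principal)
    urls = []
    for scheme, name in srv_names(domain):
        for r in order_srv(resolve(name)):
            urls.append(f"{scheme}://{r.target.rstrip('.')}:{r.port}")
    return base_dn(domain), urls

def find_user(principal, resolve, knows_user):
    """Walk the servers in turn; return the first URL whose directory knows the user, else None."""
    user, _ = split_principal(principal)
    dn, urls = ldap_urls(principal, resolve)
    for url in urls:
        if knows_user(url, dn, user):
            return url
    return None

# Constructed sample SRV answers (hypothetical hosts) standing in for a real DNS query.
SAMPLE_SRV = {
    "_ldaps._tcp.example.com": [SrvRecord(10, 50, 636, "ldap2.example.com."),
                                SrvRecord(10, 100, 636, "ldap1.example.com."),
                                SrvRecord(20, 0, 636, "backup.example.com.")],
    "_ldap._tcp.example.com": [SrvRecord(0, 0, 389, "ldap1.example.com.")],
}

def sample_resolve(name):
    return SAMPLE_SRV.get(name, [])
```

`ldap_urls("edward@EXAMPLE.COM", sample_resolve)` yields the base DN `dc=example,dc=com` and the LDAPS hosts first, ordered by priority and weight, before the plain LDAP fallback.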


