Kerberos for authentication, php for authorization
slushpupie at gmail.com
Thu Jun 7 10:24:12 EDT 2007
On 6/7/07, Steve Webb <webbsta at gmail.com> wrote:
> *Q. Can Kerberos be used to authenticate users and a php script then given
> access to a users username in order to authorize privilidges??*
>
> >From my reading I believe that using the mod_auth_kerb module for Apache in
> Negotiation mode may be the best bet for my needs but am hoping to confirm
> whether or not a php script on the same apache server can gain access to the
> users username in order to ascertain roles from a database, where I am quite
> happy to duplicate usernames if need be.
mod_auth_kerb works great in the right conditions. You must be using
IE or a newer Firefox. Linux works great (not sure about other Unix
systems). On Windows the two browsers can only acquire credentials
from the LSA which means the workstation needs to be joined to a
domain, I believe.
>From the server side, when Apache authenticates a user, it sets the
environment variable REMOTE_USER to the full principal name, so PHP
can get it from $_SERVER['REMOTE_USER'].
More information about the Kerberos
mailing list