Kerberos for authentication, php for authorization

Michael B Allen mba2000 at ioplex.com
Thu Jun 7 11:53:43 EDT 2007 

On Thu, 7 Jun 2007 23:16:26 +1000
"Steve Webb" <webbsta at gmail.com> wrote:

> Hello,
> 
> I have been requested to build a web app for my medium sized organization
> that currently have Kerberos 5 running on the network.  The webapp will
> require non-technical users to be able to log on remotely through a web
> browser (IE only is fine but there must not be any other client programs
> involved) and then be given different privilidges within the app depending
> on their role.
> 
> Being a newbie to kerberos I have done some reading about possible
> implementation techniques for Kerberos in web apps but have one question I
> am hoping some of the gurus out there may be able to help with:
> *Q. Can Kerberos be used to authenticate users and a php script then given
> access to a users username in order to authorize privilidges??*
> 
> >From my reading I believe that using the mod_auth_kerb module for Apache in
> Negotiation mode may be the best bet for my needs but am hoping to confirm
> whether or not a php script on the same apache server can gain access to the
> users username in order to ascertain roles from a database, where I am quite
> happy to duplicate usernames if need be.
> 
> If this scenario is not possible, can anyone offer suggestions as to a
> viable method to implement such a web application.

Hi Steve,

If you're using AD and your web server is Linux, there's a product that
is specifically designed for this sort of thing. It's called Plexcel:

  http://www.ioplex.com/plexcel.html

Plexcel will authenticate clients using Kerberos 5 / SPENGO / Single
Sign-On (SSO) but users can also authenticate using explicit credentials
(e.g. if they're not logged into the domain). You have access to all
of the user's information within the script and you can check to see
if they're in different Windows groups. You can set passwords, create accounts,
whatever.

You can find detailed API documentation here:

  http://www.ioplex.com/api/plexcel_new.html

Also, it's free for up to 25 users.

If you have any more questions feel free to contact our support email
directly.

Or you could use mod_auth_kerb to do the authentication and then use the
PHP ldap API to check group membership but you'll find a few limitations
in this solution.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

More information about the Kerberos mailing list