Kerberos and/or other authentication systems - One time logon for all PHP scripts

Question

I'm managing a set of web apps, almost exclusively written in PHP, and would like to find an authentication platform to build a role-based authorization system on top of. Also, I'd like the authentication system to be extensible to use for, for example, system services (SSH, etc.)

Here are some of the main characteristics I'm looking for, in order of importance:

1. Easy PHP implementation (storing/reading easily roles, etc.).
2. Redundant, if possible. If an auth system goes down everyone is not locked out.
3. Has clients for Windows and Mac.
4. Easy web-based administration (adding/removing users/roles, changing passwords). If not, I can build an administration system without too much effort.
5. One-time log on.

I'd also like, when an auth token is issued, to store the user's IP address and use that to authorize the user for some non web-based applications. For that reason, I'd like a desktop client to issue the token and revoke tokens when, for example, the user becomes idle at their workstation. I'm thinking Kerberos might be a solution, but what are other options?

Answer 1

What you're looking for is (essentially) a Lightweight Directory Access Protocol (LDAP) server/client setup. PHP has a built in library, it's easily redundant, has clients for windows/mac/linux, front ends are available (though I can't recommend any good ones at the moment) and it'll provide authentication to any set of applications you want.

While there are some additional pieces you'll need to put in place to achieve exactly what you want, LDAP sounds like the framework you should start with.

Answer 2

If I were doing this, which I actually have at several points in the past, I would use a combination of Kerberos and LDAP. Kerberos handles authentication and provides users with tokens. LDAP provides authorization; information about group membership, user contact information, etc.

Kerberos is very, very well-tested and widely deployed. To protect a web application with Kerberos, use Apache's mod_krb5 or a solution like Stanford WebAuth. The user authenticates once to Kerberos and then their browser will use the ticket via SPNEGO to automagically log them in to the web application. If you have a Windows Active Directory Domain, then your users already have Kerberos tickets you can use from their computer login session!

Kerberos is also supported in many other network server programs, such as OpenSSH, various IPSEC VPN tools, email (both SMTP and IMAP), XMPP (Jabber) chat, etc etc.

A Kerberos infrastructure can be as redundant as you like, and organized however you like. Realms can have many servers providing authentication, and can trust eachother in arbitrary ways.

It's not just a solution, it's the solution for single signon.