Kerberos Authentification in PHP

Question

Let's just assume that I don't know much about Kerberos - just the basics.

I have...

• Debian Linux 2.6 Webserver
  • Apache 2.2
    • mod_auth_kerb/5.3
    • PHP/5.2
• a (working) Kerberos Realm
• Windows Client
  • Firefox 3
  • an logged in identity "[email protected]" in MIT Network Identity Manager

How do I use this information in a PHP script so that I don't need to log in to the website if the visitor has a kerberos ticket like that? I don't want Apache to handle the authentication. I need to find out which user is accessing the site via PHP.

Is that possible? If so: How?

What I have found out so far: I have to "enable" the domain in Firefox.

However that's about it...

Answer 1

I'm not sure if this will help, but it looks like Apache will send PHP the username information with the modauthkerb package if you use the KrbSaveCredentials parameter. You should get two global variables in php:

 $_SERVER['REMOTE_USER']
 $_SERVER['KRB5CCNAME']

http://archives.postgresql.org/pgsql-admin/2004-08/msg00144.php looks like they have got this working.

That way if you can see what the user is, it really isn't a requirement that php actually does the authentication.