Kerberos Authentication in PHP


Solution 1

I'm not sure if this will help, but it looks like Apache will send PHP the username information with the mod_auth_kerb package if you use the KrbSaveCredentials parameter. You should get two global variables in PHP:

 $_SERVER['REMOTE_USER']
 $_SERVER['KRB5CCNAME']

http://archives.postgresql.org/pgsql-admin/2004-08/msg00144.php looks like they have got this working.

That way, if you can see who the user is, it really isn't a requirement that PHP actually does the authentication.

Solution 2

mod_auth_kerb will handle the actual authentication for you. After that, it will set the REMOTE_USER and KRB5CCNAME environment variables. Note that there are a few caveats:

  • mod_auth_kerb can do translation between a Kerberos principal and a local user name if the Krb5AuthToLocal option is enabled.
  • If Krb5AuthToLocal is enabled, when authentication succeeds, mod_auth_kerb will call the Kerberos library to perform translation from the authenticated name to a local name, as a Kerberos principal is not always the same as the actual user in the operating system (you can map principals to usernames).
  • When MIT Kerberos is in use, this mapping is performed with the help of auth_to_local rules in /etc/krb5.conf; see the krb5.conf manual page for details.
  • mod_auth_kerb has a bug whereby the resulting local name must not be longer than the principal itself. This is usually true for principals from the default realm, since they are presented without the realm part, i.e. 'user' instead of 'user@REALM'. However, if you have several trusted realms, users from non-default realms will be shown as 'user@REALM' and then mod_auth_kerb will freak out. This bug should be fixed in Fedora 18+ and RHEL 6.5; not sure about Debian, since mod_auth_kerb upstream is a bit dead.
  • Therefore, your REMOTE_USER variable will contain either the Kerberos principal or the local user name, depending on how mod_auth_kerb was configured. If your application relies on the REMOTE_USER value being a real, existing system user, you would need to make sure the Krb5AuthToLocal option is enabled and such users are visible in the system (through winbind or sssd).

For your case I'd recommend looking at the excellent how-to by Tom McLaughlin: http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/
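Both answers agree on where the identity ends up once mod_auth_kerb has done the work: Apache exposes it as $_SERVER['REMOTE_USER'] and, with KrbSaveCredentials, the delegated credential cache as $_SERVER['KRB5CCNAME']; Solution 2 adds that REMOTE_USER is either a bare local name or a full principal, depending on configuration. The PHP below is an added example, not code from either answer or from the mod_auth_kerb project, showing how an application would consume those two variables defensively: it only accepts an identity the Apache auth module itself established (a client-sent "Remote-User:" header would show up as HTTP_REMOTE_USER, never as REMOTE_USER), parses both shapes of REMOTE_USER, checks the realm against an allow-list, and hands the saved ccache to backend clients. The Apache directive names in the comment are taken from mod_auth_kerb's documentation; the realm names, keytab path, the /app location, the AUTH_TYPE value of "Negotiate" (what mod_auth_kerb reports for SPNEGO; verify on your build) and the FILE: ccache prefix are assumptions about a typical install, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the original answers): read the identity that
// mod_auth_kerb established and normalise it before the application trusts it.
//
// Assumed Apache <Location> protecting the script (directive names per the
// mod_auth_kerb documentation; realm, keytab path and location are assumptions):
//
//   <Location /app>
//       AuthType Kerberos
//       AuthName "Kerberos Login"
//       KrbMethodNegotiate On
//       KrbMethodK5Passwd Off
//       KrbAuthRealms EXAMPLE.COM
//       Krb5Keytab /etc/apache2/http.keytab
//       KrbSaveCredentials On
//       Require valid-user
//   </Location>

declare(strict_types=1);

const DEFAULT_REALM  = 'EXAMPLE.COM';                        // assumption: the server's default realm
const TRUSTED_REALMS = ['EXAMPLE.COM', 'CORP.EXAMPLE.COM'];  // assumption: realms allowed to log in

/**
 * Split REMOTE_USER into [user, realm]. mod_auth_kerb hands over either a bare
 * name ("alice": default realm, or already mapped to a local account) or a full
 * principal ("alice@CORP.EXAMPLE.COM"), so both shapes must be handled.
 */
function parsePrincipal(string $remoteUser): array
{
    // Accept only plain user[/instance][@REALM]; anything else (escaped '@',
    // control characters, empty parts) is rejected rather than guessed at.
    if (!preg_match('/\A([A-Za-z0-9._\/-]+)(?:@([A-Za-z0-9.-]+))?\z/', $remoteUser, $m)) {
        throw new InvalidArgumentException("REMOTE_USER has unexpected form: $remoteUser");
    }
    $user  = $m[1];
    $realm = (isset($m[2]) && $m[2] !== '') ? strtoupper($m[2]) : DEFAULT_REALM;
    return [$user, $realm];
}

/**
 * Return the authenticated identity as [user, realm, ccache|null], or null when
 * the request did not come through Kerberos authentication in Apache.
 */
function kerberosIdentity(array $server): ?array
{
    // Only variables set by Apache's auth module are trustworthy. A forged
    // "Remote-User:" request header would appear as HTTP_REMOTE_USER instead.
    // AUTH_TYPE === 'Negotiate' is what mod_auth_kerb reports for SPNEGO
    // (assumption; it would read 'Basic' if KrbMethodK5Passwd were allowed).
    if (empty($server['REMOTE_USER']) || ($server['AUTH_TYPE'] ?? '') !== 'Negotiate') {
        return null;
    }
    [$user, $realm] = parsePrincipal($server['REMOTE_USER']);
    if (!in_array($realm, TRUSTED_REALMS, true)) {
        return null;                                 // ticket from a realm we do not accept
    }

    // KRB5CCNAME is only present with KrbSaveCredentials On. It names the
    // delegated credential cache (typically FILE:/tmp/krb5cc_apache_XXXXXX) that
    // a backend client (LDAP, PostgreSQL, ...) can use via putenv().
    $ccache = $server['KRB5CCNAME'] ?? null;
    if ($ccache !== null && !preg_match('#\AFILE:/#', $ccache)) {
        $ccache = null;                              // unexpected cache type; do not use it
    }
    return [$user, $realm, $ccache];
}

// Usage inside the protected location
$id = kerberosIdentity($_SERVER);
if ($id === null) {
    http_response_code(401);
    exit('Kerberos authentication required');
}
[$user, $realm, $ccache] = $id;
if ($ccache !== null) {
    putenv("KRB5CCNAME=$ccache");   // lets e.g. ldap_sasl_bind() or pg_connect() use the delegated ticket
}
echo 'Logged in as ', htmlspecialchars("$user@$realm", ENT_QUOTES, 'UTF-8');
```

The realm allow-list matters because of the multi-realm caveat in Solution 2: with cross-realm trust, a principal from any trusted realm can obtain a service ticket for the web server, so "REMOTE_USER is set" alone is not an authorization decision. Note also that the AUTH_TYPE check makes the script fail closed if someone later deploys it under a location that is not protected by mod_auth_kerb.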


Nishan

Professional Web Developer since 2001, amateur developer since 198x. Eating and breathing JavaScript and PHP in my day-to-day life, but have seen a lot in my 30+ years of code-juggling. Adobe Certified Expert - Adobe Analytics Developer

Updated on July 27, 2020

Comments

  • Nishan, almost 4 years ago

    Let's just assume that I don't know much about Kerberos - just the basics.

    I have...

    • Debian Linux 2.6 Webserver
      • Apache 2.2
        • mod_auth_kerb/5.3
        • PHP/5.2
    • a (working) Kerberos Realm
    • Windows Client

    How do I use this information in a PHP script so that I don't need to log in to the website if the visitor has a kerberos ticket like that? I don't want Apache to handle the authentication. I need to find out which user is accessing the site via PHP.

    Is that possible? If so: How?

    What I have found out so far: I have to "enable" the domain in Firefox.

    However that's about it...

  • IndexOutOfDevelopersException, over 5 years ago
    Is there any documentation about using Kerberos in PHP with examples?
  • smartmeta, about 5 years ago
    The link to the blog does no longer exist. (returns 404 now)
  • abbra, about 5 years ago
    Looks like Tom stopped maintaining that blog and it was recycled. You can use the archived copy: web.archive.org/web/20100923214709/http://blogs.freebsdish.org/…