Re: Certificate, login & php question ? krb / sso

Поиск
Список
Период
Сортировка
От Jean-Gerard Pailloncy
Тема Re: Certificate, login & php question ? krb / sso
Дата
Msg-id 9BFE269E-6068-43AB-8E62-6D5C7A75F301@rilk.com
обсуждение исходный текст
Ответ на Re: Certificate, login & php question ?  (Michael Fuhr <mike@fuhr.org>)
Ответы Re: Certificate, login & php question ? krb / sso
Список pgsql-general
Дерево обсуждения
Le 11 sept. 06 à 05:57, Michael Fuhr a écrit :
On Sun, Sep 10, 2006 at 09:39:59PM -0600, Michael Fuhr wrote:
On Mon, Sep 11, 2006 at 02:32:26AM +0200, Jean-Gerard Pailloncy wrote:
1) Is it possible to use the SSL authentification done by apache with  
PostgreSQL ?

I'm not aware of a way for Apache to proxy PostgreSQL's SSL
negotiation with the PHP script back to the HTTP client.

If such a capability existed then it could arguably be considered
a flaw in SSL because it would allow a server to impersonate one
of its clients to another server or to hijack a client's secure
connection with another server.  Secure protocols are designed to
prevent such attacks.
The point is to USE AGAIN the authentification done by Apache with PostgreSQL not DO AGAIN the authentification.

Googling around, I found:
mod_auth_krb with "AuthType KerberosV5SaveCredentials"
The auth is done by mod_auth_krb and mod_perl is able to use the same ticket for PostgreSQL. It is in the doc of PG.

I found a page that presents phpkrb5 that may do the same things for mod_php
but is not really up to date (3 years old, and only for php4)

In fact, things may look simple after reading http://archives.postgresql.org/pgsql-php/2004-08/msg00031.php
I'VE DONE IT! THE HOLY GRAIL OF WEB/DB APPS! :)
All it takes it this line your PHP script:
putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");
Then pg_connect works :)

Sorry for the noise, but my question seems to me less and less PostgreSQL centric.
On heavy solution may be a SSO with kerberos. Many new questions then...

If someone has already done that, I would be glad to have some good URL.
Pailloncy Jean-Gerard



Вложения

В списке pgsql-general по дате отправления:

Чтобы сделать работу с сайтом удобнее, мы используем cookie и аналитический сервис «Яндекс.Метрика». Продолжая пользоваться сайтом, вы соглашаетесь с их использованием.