[27893] in Kerberos


Re: Kerberos for authentication, php for authorization

daemon@ATHENA.MIT.EDU (slushpupie@gmail.com)
Thu Jun 7 10:24:33 2007

Message-ID: <ace41e70706070724w624ee341u8b80e631b993d21c@mail.gmail.com>
Date: Thu, 7 Jun 2007 09:24:12 -0500
From: " " <slushpupie@gmail.com>
To: kerberos@mit.edu
In-Reply-To: <1fa1db430706070616q2eed5537w45f6e5227ce0b6a0@mail.gmail.com>

On 6/7/07, Steve Webb <webbsta@gmail.com> wrote:
> *Q. Can Kerberos be used to authenticate users and a php script then given
> access to a user's username in order to authorize privileges??*
>
> From my reading I believe that using the mod_auth_kerb module for Apache in
> Negotiation mode may be the best bet for my needs but am hoping to confirm
> whether or not a php script on the same apache server can gain access to the
> user's username in order to ascertain roles from a database, where I am quite
> happy to duplicate usernames if need be.

mod_auth_kerb works great in the right conditions.  You must be using
IE or a newer Firefox. Linux works great (not sure about other Unix
systems).  On Windows the two browsers can only acquire credentials
from the LSA which means the workstation needs to be joined to a
domain, I believe.

From the server side, when Apache authenticates a user, it sets the
environment variable REMOTE_USER to the full principal name, so PHP
can get it from $_SERVER['REMOTE_USER'].
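
Added example, not part of the original post: one way a PHP script could turn the principal in REMOTE_USER into a role lookup, accepting only principals from the expected realm and using a parameterized query. The realm EXAMPLE.COM, the user_roles table, the helper function names and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example: map the Kerberos principal in REMOTE_USER to database roles.
// EXPECTED_REALM, user_roles and its rows are constructed, not from the post.
const EXPECTED_REALM = 'EXAMPLE.COM';

/** Split "name@REALM"; return the local name, or null if it is not acceptable. */
function principal_to_username(?string $remoteUser, string $realm): ?string
{
    if ($remoteUser === null || $remoteUser === '') {
        return null; // Apache did not authenticate this request
    }
    $at = strrpos($remoteUser, '@');
    if ($at === false) {
        return null; // not a full principal name
    }
    $name = substr($remoteUser, 0, $at);
    // Realm names are case-sensitive; refuse principals from any other realm
    // so that a same-named user in a trusted realm does not inherit roles.
    if (substr($remoteUser, $at + 1) !== $realm) {
        return null;
    }
    // Accept only simple one-component names (no "host/..." or "/admin").
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name) === 1 ? $name : null;
}

/** Look up roles with a prepared statement; the principal is never concatenated. */
function roles_for(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT role FROM user_roles WHERE username = ? ORDER BY role');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory database standing in for the real role store.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_roles (username TEXT, role TEXT)');
$db->exec("INSERT INTO user_roles VALUES ('alice', 'editor'), ('alice', 'viewer')");

$user = principal_to_username($_SERVER['REMOTE_USER'] ?? null, EXPECTED_REALM);
if ($user === null) {
    http_response_code(403); // fail closed when no usable principal is present
    exit("Forbidden\n");
}
echo htmlspecialchars($user), ': ', htmlspecialchars(implode(', ', roles_for($db, $user))), "\n";
```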