Thanks Simo,

I've got this working now using PHP's shell_exec and a bash script that invokes 
curl directly (as opposed to using libcurl in PHP).  This allows me to clear 
the environment (unset GSS_USE_PROXY).

Here is the final solution for reference:

PHP script now looks like:

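<?php
// Build the JSON-RPC body for user_show and send it to the IPA server.
function user_show($username) {
    $body = "{\"method\":\"user_show/1\",\"params\":[[" . json_encode($username) . "],{\"version\": \"2.228\"}],\"id\":0}";
    $json = web_request($body);
    return $json;
}
// Hand the body to request.sh as one shell-escaped argument and decode the reply.
function web_request($body) {
    $body = escapeshellarg($body);
    $command = "/opt/scripts/request.sh $body";
    $result = shell_exec($command);
    $json = json_decode($result, true);
    // Output that is not valid JSON (for example a curl error) is reported verbatim.
    if(is_null($json)) {
        throw new Exception("Request Error: " . $result);
    }
    // The IPA API reports failures in the "error" member of the response.
    if(!is_null($json['error'])) {
        $msg = $json['error']['message'];
        throw new Exception("Request Error: " . $msg);
    }
    return $json;
}
?>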

Shell script request.sh:

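#!/bin/sh
# Usage: request.sh '<JSON-RPC body>'
body=$1
tmpfile=$(mktemp)
# Remove GSSPROXY: drop GSS_USE_PROXY from the environment seen by kinit and curl
unset GSS_USE_PROXY
# Use a private, per-request credential cache
export KRB5CCNAME="FILE:$tmpfile"
# Get a ticket for the service principal from its keytab
kinit myservice/ipaserver.example.com -k -t /etc/myservice.keytab
/usr/bin/curl -s -H "referer:https://ipaserver.example.com/ipa" \
    -H "Content-Type:application/json" -H "Accept:application/json" \
    --negotiate -u : --cacert /etc/ipa/ca.crt -d "$body" -X POST \
    https://ipaserver.example.com/ipa/json
rm "$tmpfile"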
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WFH2RWOGCUPIS3GGD7JCH6KDT5HC7WAZ/
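
A variant of request.sh with failure handling, as an added example that is not part of the original post: the ticket cache is removed even when kinit or curl fails, and a kinit failure is reported in the JSON shape that web_request() already checks. The function name ipa_request, the KINIT/CURL/PRINCIPAL/KEYTAB/IPA_URL overrides and the error message text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Every variable below can be
# overridden from the environment (hypothetical names, for illustration).
KINIT=${KINIT:-/usr/bin/kinit}
CURL=${CURL:-/usr/bin/curl}
PRINCIPAL=${PRINCIPAL:-myservice/ipaserver.example.com}
KEYTAB=${KEYTAB:-/etc/myservice.keytab}
IPA_URL=${IPA_URL:-https://ipaserver.example.com/ipa}

# ipa_request BODY: POST BODY to the IPA JSON endpoint with a fresh ticket.
ipa_request() {
    # Subshell: the trap and the environment changes never leak to the caller.
    (
        ccache=$(mktemp) || exit 1
        # Remove the ticket cache on every exit path, including signals.
        trap 'rm -f "$ccache"' EXIT
        trap 'exit 1' HUP INT TERM
        # kinit and curl must not see GSS_USE_PROXY.
        unset GSS_USE_PROXY
        KRB5CCNAME="FILE:$ccache"; export KRB5CCNAME
        if ! "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL" >/dev/null 2>&1; then
            # Same shape the PHP side reads: $json['error']['message'].
            printf '%s\n' '{"error":{"message":"kinit failed"},"result":null}'
            exit 1
        fi
        "$CURL" -s -H "referer:$IPA_URL" \
            -H "Content-Type:application/json" -H "Accept:application/json" \
            --negotiate -u : --cacert /etc/ipa/ca.crt \
            -d "$1" -X POST "$IPA_URL/json"
    )
}

# Act as request.sh only when invoked under that name.
case ${0##*/} in request.sh) ipa_request "$1" ;; esac
```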
