Thanks Simo,

I've got this working now using PHP's shell_exec and a bash script that invokes 
curl directly (as opposed to using libcurl in PHP).  This allows me to clear 
the environment (unset GSS_USE_PROXY).

Here is the final solution for reference:

PHP script now looks like:

function user_show($username) {
    $body = "{\"method\":\"user_show/1\",\"params\":[[" . 
json_encode($username) . "],{\"version\": \"2.228\"}],\"id\":0}";
    $json = web_request($body);
    return $json;   
function web_request($body) {
    $body = escapeshellarg($body);
    $command = "/opt/scripts/ $body";
    $result = shell_exec($command);
    $json = json_decode($result, true);
    if(is_null($json)) {
        throw new Exception("Request Error: " . $result);
    if(!is_null($json['error'])) {
        $msg = $json['error']['message'];
        throw new Exception("Request Error: " . $msg);
    return $json;

Shell script

export -n GSS_USE_PROXY
export KRB5CCNAME=FILE:/$tmpfile
kinit myservice/ -k -t /etc/myservice.keytab
/usr/bin/curl -s -H referer: -H 
"Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u : 
--cacert /etc/ipa/ca.crt -d "$body" -X POST
rm "$tmpfile"
FreeIPA-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:

Reply via email to