On Wed, Nov 19, 2008 at 11:45 AM, S2 <[EMAIL PROTECTED]> wrote:
> Michael B Allen wrote:
>> If you have PHP see the link in my sig about Plexcel. It certainly
>> could do what you describe.
>
> The back end services are a mix of Java, .NET, php and rails apps (on
> windows and on linux servers), so the proxy should be language
> independent and not require a module on the application server side.
> I am not sure I understood from the pdf how Plexcel works.
> All application servers can already speak SPNEGO, so that should be used
> to forward the Kerberos credentials over HTTP (I did read SPNEGO on that
> page, but I am not sure how it is used).
> So what we would like to do is (fixed font required):
>
>      O
>     \|/              +-------------+            +-------------------+
>      |   ------->    | Magic proxy |  ------>   | Protected Service |
>     / \    HTTP      +-------------+   SPNEGO   +-------------------+
>    User                    ^
>   from the                 |
>   Internet                 |
>                            v
>                         +-----+
>                         | KDC |
>                         +-----+
>
> Do you think Plexcel could be the "Magic Proxy" Box?
Actually yes, I think Plexcel would work quite well for this. Basically you would just write a PHP script that presented a logon form and then used plexcel_logon [1] to associate the TGT with the user's session ID. You'll need to use the putenv_krb5ccname option with plexcel_new [2] so that the TGT is saved in a ccache file in the plexcel/tmp directory. Once you have their TGT in a ccache file, you can use an SPNEGO capable HTTP client like the cURL extension. In the plexcel/examples directory, there's actually an example script that uses the delegated TGT to query another SPNEGO protected page using cURL (note that unlike Plexcel, using cURL to do SPNEGO requires a valid local /etc/krb5.conf). Then you just need to look at the hostname (or whatever you're using to address second tier requests), build a cURL request with the original request input, send it to the corresponding service and redirect the output of cURL back to the client. Plexcel would also allow you to add nice access control at the proxy level.

Note that you'll be invoking a PHP script with each request. Even though Plexcel is fast and SPNEGO with the second tier is the elephant in the room, a raw pure C proxy like Squid would give you better throughput (albeit with less flexibility). In practice I think your level of awareness wrt protocol details like pipelining, chunked responses, etc will be important to real world performance of the solution. But at the very least, building your "Magic Proxy" with Plexcel would be an easy way to determine if it is possible and how it can be done in an optimal way. Then you can worry more about performance.

Your "Magic Proxy" idea is actually very interesting. One nice thing about it is that I suspect the script itself should be no more than a few hundred lines of code in one file. If it really works, send it my way and maybe I'll tweak it up and support it like the Plexcel plugins for Joomla! and MediaWiki (note these plugins are good examples of how to use Plexcel correctly).

[1] http://www.ioplex.com/api/plexcel_logon.html
[2] http://www.ioplex.com/api/plexcel_new.html

>> PS: The '.invalid' address in your email actually stops gmail from
>> sending directly to you. You might want to try a valid TLD.
>
> That email account is not valid anyway.

I know but I'm saying gmail actually pops up a dialog that complains the address is invalid. I have to actually remove the bogus address before I can send. If you used @ndom.mail.invalid.net you might improve your chances of getting responses.

Also we're drifting off topic with this thread. Contact me directly with your real address if you have any further questions.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
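The forwarding step sketched in the reply above (look at the hostname, replay the request through cURL with SPNEGO against the user's ccache, hand the output back to the browser), as an added PHP example that is not from this thread, from Plexcel or from its examples directory. It assumes the Plexcel logon step has already stored the ccache path in a session key named krb5ccname, and the backend map and hostnames are constructed.

```php
<?php
// Added example of the forwarding half of the "Magic Proxy"; not Plexcel's own code. Assumes
// plexcel_new()/plexcel_logon() already saved the user's delegated TGT to a ccache file whose path
// sits in $_SESSION['krb5ccname'] (assumed key), cURL built with GSSAPI, and a valid /etc/krb5.conf.
session_start();
// Allow-list of backends keyed by public hostname (constructed values); anything else is refused.
$backends = ['hr.example.com'  => 'http://hr-app.internal.example.com',
             'crm.example.com' => 'http://crm.internal.example.com:8080'];
// Hop-by-hop headers belong to one connection and must not be relayed in either direction.
$hopByHop = ['connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
             'te', 'trailer', 'transfer-encoding', 'upgrade', 'host', 'content-length'];
function forward_request(array $backends, array $hopByHop, string $ccache): void
{
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    if (!isset($backends[$host]) || $ccache === '') { http_response_code(403); return; }
    $reqHeaders = [];                                   // replay client headers minus hop-by-hop
    foreach ($_SERVER as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) !== 0) continue;
        $name = str_replace('_', '-', substr($key, 5));
        if (!in_array(strtolower($name), $hopByHop, true)) $reqHeaders[] = "$name: $value";
    }
    $respHeaders = [];                                  // keep only the final response's headers
    $collect = function ($ch, $line) use (&$respHeaders) {
        if (strncmp($line, 'HTTP/', 5) === 0) $respHeaders = [];   // new status line after the 401 challenge
        elseif (strpos($line, ':') !== false) $respHeaders[] = trim($line);
        return strlen($line);
    };
    putenv("KRB5CCNAME=FILE:$ccache");                  // GSSAPI takes the TGT from this ccache
    $opts = [
        CURLOPT_CUSTOMREQUEST  => $_SERVER['REQUEST_METHOD'],
        CURLOPT_HTTPHEADER     => $reqHeaders,
        CURLOPT_HTTPAUTH       => CURLAUTH_GSSNEGOTIATE,
        CURLOPT_USERPWD        => ':',                  // libcurl only attempts Negotiate with a user set
        CURLOPT_HEADERFUNCTION => $collect,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                // hand redirects back to the browser untouched
    ];
    $body = file_get_contents('php://input');
    if ($body !== '') $opts[CURLOPT_POSTFIELDS] = $body;
    $ch = curl_init($backends[$host] . $_SERVER['REQUEST_URI']);
    curl_setopt_array($ch, $opts);
    if (($respBody = curl_exec($ch)) === false) { http_response_code(502); return; }
    http_response_code(curl_getinfo($ch, CURLINFO_HTTP_CODE));
    foreach ($respHeaders as $line) {                   // cURL de-chunked the body: drop Transfer-Encoding etc.
        $name = strstr($line, ':', true);
        if (!in_array(strtolower($name), $hopByHop, true)) header($line, false);
    }
    echo $respBody;
}
forward_request($backends, $hopByHop, $_SESSION['krb5ccname'] ?? '');
```

Dropping the hop-by-hop headers on the way back is what keeps a chunked upstream response from breaking the client, since cURL has already decoded it; the allow-list keeps the script from being usable as an open proxy to arbitrary hosts.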
