For Apache: http://modauthkerb.sourceforge.net/
Should do everything you want already.

Also, since group information is not stored on a Kerberos server, I
assume you're going to be looking up LDAP information. I have some code
that simplifies this somewhat, if you are using RFC 2307 (posix/NIS)
compliant LDAP schemas. Other people have already written (and to be
fair, support much better) PHP libraries for handling Active Directory
LDAP lookups.

Cheers,
Edward Murrell

On Mon, 2009-07-27 at 15:07 -0700, Bryan Boone wrote:
> Hi everyone, I have a noob question for ya.
>
> I need to develop a website for a company that uses Kerberos login; the
> web server resides on a different server than the Kerberos server.
> Unfortunately I cannot use the built-in PHP functions for Kerberos, so
> I need to write my own C Kerberos client as a PHP extension. Also, to
> eliminate possible man-in-the-middle attacks, I need to have the keytab
> file manually uploaded to the web server.
>
> So this web page will simply authenticate the user's username and
> password and then pull that user's group name from the Kerberos server
> (while having the keytab on the web server). There is no need to
> kerberize any application here. Also I will not be needing to cache
> tickets or pass any tickets here. I will use PHP sessions for the
> website. I just need the authentication side of Kerberos once per user
> login on the website.
>
> I read the O'Reilly Kerberos book and still have some questions.
>
> My question is, what methods are best for accomplishing my task? Can
> this be accomplished with the pam_krb5 API, the SASL for GSSAPI, or do
> I need to stick with native GSSAPI? Which one would be easier for a
> noob?
>
> thanks
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
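
Added example, not part of the original thread and not Edward's code: a sketch of the RFC 2307 group lookup the reply refers to, mapping an authenticated Kerberos principal to a posixGroup search filter with RFC 4515 escaping. It assumes the web server hands the application a principal of the form user@REALM; the function names, the realm EXAMPLE.COM and the group entries are constructed for illustration.

```python
# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it can only ever be a literal inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def uid_from_principal(principal, realm):
    """Map 'user@REALM' to an RFC 2307 uid; reject other realms and instances."""
    name, sep, princ_realm = principal.rpartition("@")
    if not sep or princ_realm != realm:
        raise ValueError("principal is not in the expected realm")
    if not name or "/" in name:
        raise ValueError("only plain user principals are mapped to a uid")
    return name


def posix_group_filter(uid, gid_number):
    """Filter for the user's primary group (gidNumber) plus every
    supplementary group that lists the uid in memberUid."""
    return "(&(objectClass=posixGroup)(|(memberUid=%s)(gidNumber=%d)))" % (
        escape_filter_value(uid), int(gid_number))


def groups_for(uid, gid_number, entries):
    """Apply the same RFC 2307 rule to posixGroup entries already fetched."""
    return sorted(e["cn"] for e in entries
                  if uid in e.get("memberUid", []) or e["gidNumber"] == gid_number)


# Constructed sample posixGroup entries (cn, gidNumber, memberUid per RFC 2307).
SAMPLE_GROUPS = [
    {"cn": "staff", "gidNumber": 1000, "memberUid": []},
    {"cn": "webadmin", "gidNumber": 2001, "memberUid": ["alice", "bob"]},
    {"cn": "finance", "gidNumber": 2002, "memberUid": ["carol"]},
]

if __name__ == "__main__":
    uid = uid_from_principal("alice@EXAMPLE.COM", "EXAMPLE.COM")
    print(posix_group_filter(uid, 1000))
    print(groups_for(uid, 1000, SAMPLE_GROUPS))
```

The gidNumber passed in comes from the user's own posixAccount entry, which is fetched first with an equally escaped `(uid=...)` filter.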
