I'm trying to get IMAP4, krb4, and php4 working happily together.
I've got the krb4 aware c-client working with php 4.0.x as a DSO and
static server module with apache 1.3.x + mod_ssl.
Here's the problem.
c-client knows to use kerberosIV authentication if the KRBTKFILE
environment variable is set. I'm setting it by prepending this
(using auto_prepend_file) to the front of every php page:

    $krbtkfile = "/ticket/kerb." . getenv("REMOTE_USER");

This works fine with PHP compiled as a CGI, because it gets a fresh copy
of the environment every time it's invoked.
If we use the server module version, it can't keep the ticket files
straight. It reports that the ticket file is set to /ticket/kerb.USERNAME
(which is what it's supposed to do), but in practice that's not what it's
using. Say we have three users, Tom, Dick and Harry. They authenticate
in that order.
Tom's ticket file contains a kerberos ticket-granting-ticket (TGT),
credentials for his imap server, credentials for Dick's imap server, and
credentials for Harry's imap server.
Dick's ticket contains a TGT, his imap credentials, Harry's imap
credentials, and Tom's credentials.
Harry's ticket contains a TGT.
It only gets messier as more people log into the server.
/something/ is caching the value of KRBTKFILE and applying it
inappropriately. I'm not sure if it's c-client, or PHP. I was wondering
if there was anything I could do on the PHP side of things that could further
ensure that the right ticket (the right instance of the krbtkfile
variable?) gets used for the right user? Store it in a session? We don't
currently use kerberos 5, but I'm concerned that it will behave similarly
and play mix and match with the krb5 ticket files.
We had the same issue with PHP 3.0.x, but switched to the CGI version to
get around it. We migrate to the apache server module version to try and
get some extra speed out of our mail application, and to take some load
off of the server.
Does anyone have any suggestions?
UM Webmaster Team
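
An added example, not part of the original post and not c-client, Kerberos or PHP code: it models one way the mix-up described above can arise, under the unconfirmed assumption that some layer reads KRBTKFILE once and reuses the result for the life of a persistent server process. The function names and the sample users are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* POSIX setenv(), declared explicitly so the block also builds under strict -std=c99. */
int setenv(const char *name, const char *value, int overwrite);

/* Hypothetical library lookup (not c-client or Kerberos code): reads
   KRBTKFILE on first use and keeps the answer for the life of the process. */
static char cached_path[256];

const char *ticket_path_cached(void) {
    if (cached_path[0] == '\0') {
        const char *env = getenv("KRBTKFILE");
        snprintf(cached_path, sizeof cached_path, "%s", env ? env : "");
    }
    return cached_path;
}

/* Same lookup without the cache: consults the environment on every call. */
const char *ticket_path_fresh(void) {
    const char *env = getenv("KRBTKFILE");
    return env ? env : "";
}

/* One request handled inside a long-lived worker: set KRBTKFILE per user as
   the post describes, then report whether the lookup returns that user's file. */
int request_gets_own_ticket(const char *user, const char *(*lookup)(void)) {
    char want[256];
    snprintf(want, sizeof want, "/ticket/kerb.%s", user);
    setenv("KRBTKFILE", want, 1);
    return strcmp(lookup(), want) == 0;
}

int main(void) {
    const char *users[] = { "tom", "dick", "harry" };   /* constructed sample users */
    for (int i = 0; i < 3; i++) {
        /* Cached lookup runs first, so the first request fills the cache. */
        int cached = request_gets_own_ticket(users[i], ticket_path_cached);
        int fresh = request_gets_own_ticket(users[i], ticket_path_fresh);
        printf("%-5s cached lookup: %s, fresh lookup: %s\n", users[i],
               cached ? "own file" : "WRONG file", fresh ? "own file" : "WRONG file");
    }
    return 0;
}
```

A CGI process starts with an empty cache on every request, which is why the same lookup behaves correctly there.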