Hi Adam

On 22/06/11 05:41, Adam Allred wrote:
> That last sentence...that's the kicker. Apache wakes up, services your
> first request after getting credentials (in this case, getting the
> basic tree layout), and then intentionally deletes the credentials
> cache that provides the ability to perform an ldap_sasl_bind. Any
> subsequent attempts will, of course, fail miserably. That's why
> phpldapadmin fails to work. It doesn't have the necessary credentials
> to do GSSAPI authentication.

That's not true. I have exactly that setup, which I used to fix PLA. My environment is using mod_auth_kerb, openldap 2.3, Kerberos 5 and apache 2.2. You must have "KrbSaveCredentials On" for PHP to get access to the TGT. The cache file is deleted after each request (after PHP has used it).

> The real kicker here is that as far as the GSSAPI is concerned, this
> operation is correct. We don't want a credentials cache to lay around,
> and we don't want phpldapadmin to cache a username and password in
> "plain text" (even if in memory).

With GSSAPI authentication, PLA doesn't store/use a username/password - however that information is available to PHP via the PHP_AUTH_* variables. Unless of course you use Negotiate instead of Basic authentication (with the supported browser), then PHP only gets the principal used to login.

...deon
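
A way to check both points from the reply above on a given server, as an added example that is not part of the original message and not phpLDAPadmin code: the script reports whether a per-request credentials cache reached PHP, whether the Basic password is visible in `PHP_AUTH_PW`, and whether a GSSAPI bind succeeds. Assumptions: `LDAP_URI` is a placeholder, the function names are hypothetical, mod_auth_kerb exports the cache name to the request as `KRB5CCNAME`, and PHP's ldap extension was built with SASL support.

```php
<?php
// Added diagnostic, not phpLDAPadmin code. Place it under the same
// mod_auth_kerb-protected location as the application and request it twice.
// Assumptions: LDAP_URI is a placeholder; PHP's ldap extension has SASL support.
const LDAP_URI = 'ldap://ldap.example.com';

// Summarise what the authentication layer handed to PHP for this request.
function request_credentials(array $server): array
{
    $ccache = $server['KRB5CCNAME'] ?? null;   // expected when KrbSaveCredentials is On
    $path = $ccache === null ? null : preg_replace('/^FILE:/', '', $ccache);
    return [
        'principal'        => $server['REMOTE_USER'] ?? null,
        'ccache'           => $ccache,
        'ccache_readable'  => $path !== null && is_readable($path),
        // Per the reply above: visible with Basic, not with Negotiate.
        'password_visible' => isset($server['PHP_AUTH_PW']),
    ];
}

// Attempt a GSSAPI bind using the per-request credentials cache.
function gssapi_bind(string $uri, string $ccache): array
{
    putenv('KRB5CCNAME=' . $ccache);           // the GSSAPI library reads this
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return [false, 'invalid LDAP URI'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);  // SASL needs LDAPv3
    $ok = @ldap_sasl_bind($ds, null, null, 'GSSAPI');
    return [$ok, $ok ? 'bound' : ldap_error($ds)];
}

header('Content-Type: text/plain');
$info = request_credentials($_SERVER);
foreach ($info as $key => $value) {
    echo $key, ': ', var_export($value, true), "\n";
}
if ($info['ccache_readable']) {
    [$ok, $detail] = gssapi_bind(LDAP_URI, $info['ccache']);
    echo 'gssapi_bind: ', $ok ? 'ok' : 'failed', ' (', $detail, ")\n";
} else {
    echo "gssapi_bind: skipped, no readable credentials cache\n";
}
```

A readable cache and a successful bind on the second request as well as the first match the behaviour described in the reply; `password_visible: true` shows the Basic password is reachable by any PHP code in that location.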