Hi Adam

On 22/06/11 05:41, Adam Allred wrote:
> That last sentence...that's the kicker. Apache wakes up, services your
> first request after getting credentials (in this case, getting the
> basic tree layout), and then intentionally deletes the credentials
> cache that provides the ability to perform an ldap_sasl_bind. Any
> subsequent attempts will, of course, fail miserably. That's why
> phpldapadmin fails to work. It doesn't have the necessary credentials
> to do GSSAPI authentication.

That's not true. I have exactly that setup, which I used to fix PLA.

My environment is using mod_auth_kerb, OpenLDAP 2.3, Kerberos 5 and
apache 2.2. You must have "KrbSaveCredentials On" for PHP to get access
to the TGT. The cache file is deleted after each request (after PHP has
used it).

> The real kicker here is that as far as the GSSAPI is concerned, this
> operation is correct. We don't want a credentials cache to lay around,
> and we don't want phpldapadmin to cache a username and password in
> "plain text" (even if in memory).

With GSSAPI authentication, PLA doesn't store/use a username/password -
however that information is available to PHP via the PHP_AUTH_*
variables. Unless of course you use Negotiate instead of Basic
authentication (with the supported browser), then PHP only gets the
principal used to log in.

...deon
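
The per-request flow described in the message above, as an added example (not part of the original post and not phpLDAPadmin's own code). It assumes mod_php behind mod_auth_kerb with "KrbSaveCredentials On", which exports the saved cache name as KRB5CCNAME; the function name and the LDAP URI are hypothetical.

```php
<?php
// Added example: bind to LDAP with the Kerberos credentials that
// mod_auth_kerb saved for THIS request only.

/**
 * Returns a GSSAPI-bound LDAP handle, or throws with the reason.
 * $server is normally $_SERVER; passed in so the checks are explicit.
 */
function gssapi_bind_for_request($ldapUri, array $server)
{
    // With KrbSaveCredentials On, the cache name arrives as KRB5CCNAME.
    $ccname = isset($server['KRB5CCNAME']) ? $server['KRB5CCNAME'] : '';
    if ($ccname === '') {
        throw new RuntimeException('KRB5CCNAME not set: credentials were not saved for this request');
    }

    // The cache is deleted when the request ends, so never keep its path
    // in a session or reuse it later; check that it exists right now.
    $path = preg_replace('/^FILE:/', '', $ccname);
    if (!is_readable($path)) {
        throw new RuntimeException('Credential cache is not readable by the web server user');
    }

    // The SASL/GSSAPI library locates the ticket through the environment.
    putenv('KRB5CCNAME=' . $ccname);

    $ds = ldap_connect($ldapUri);
    if ($ds === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // SASL needs LDAPv3

    // No DN and no password: identity comes from the Kerberos ticket.
    if (!@ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        throw new RuntimeException('GSSAPI bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Usage inside a request handler (placeholder host name):
// $ds = gssapi_bind_for_request('ldap://ldap.example.org', $_SERVER);
// With Negotiate, REMOTE_USER holds the principal and PHP_AUTH_PW is not set;
// with Basic, the password is visible to PHP in PHP_AUTH_PW.
```

The bind has to be repeated on every request, since each request gets its own cache from Apache.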

_______________________________________________
phpldapadmin-users mailing list
phpldapadmin-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/phpldapadmin-users