Re: Certificate, login & php question ? krb / sso

From: Jean-Gerard Pailloncy <jg(at)rilk(dot)com>
To: Postgres general mailing list <pgsql-general(at)postgresql(dot)org>
Subject: Re: Certificate, login & php question ? krb / sso
Date: 2006-09-11 08:44:18
Message-ID: 9BFE269E-6068-43AB-8E62-6D5C7A75F301@rilk.com
Lists: pgsql-general

On 11 Sep 06 at 05:57, Michael Fuhr wrote:
> On Sun, Sep 10, 2006 at 09:39:59PM -0600, Michael Fuhr wrote:
>> On Mon, Sep 11, 2006 at 02:32:26AM +0200, Jean-Gerard Pailloncy
>> wrote:
>>> 1) Is it possible to use the SSL authentication done by apache
>>> with PostgreSQL ?
>>
>> I'm not aware of a way for Apache to proxy PostgreSQL's SSL
>> negotiation with the PHP script back to the HTTP client.
>
> If such a capability existed then it could arguably be considered
> a flaw in SSL because it would allow a server to impersonate one
> of its clients to another server or to hijack a client's secure
> connection with another server. Secure protocols are designed to
> prevent such attacks.
The point is to USE AGAIN the authentication done by Apache with
PostgreSQL, not DO AGAIN the authentication.

Googling around, I found:
mod_auth_krb with "AuthType KerberosV5SaveCredentials"
The auth is done by mod_auth_krb and mod_perl is able to use the same
ticket for PostgreSQL. It is in the doc of PG.

I found a page that presents phpkrb5 that may do the same things for
mod_php
http://www.stacken.kth.se/lists/heimdal-discuss/2003-04/msg00026.html
The project is hosted on http://savannah.nongnu.org/projects/phpkrb5/
but is not really up to date (3 years old, and only for php4)

In fact, things may look simple after reading
http://archives.postgresql.org/pgsql-php/2004-08/msg00031.php
> I'VE DONE IT! THE HOLY GRAIL OF WEB/DB APPS! :)
> All it takes is this line in your PHP script:
> putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");
> Then pg_connect works :)
but it is not reliable
(http://archives.postgresql.org/pgsql-php/2004-08/msg00033.php).

Sorry for the noise, but my question seems to me less and less
PostgreSQL centric.
One heavy solution may be an SSO with Kerberos. Many new questions then...

If someone has already done that, I would be glad to have some good URL.
Pailloncy Jean-Gerard
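
Added example, not part of the original message or of any project it mentions: the quoted putenv() line copies KRB5CCNAME from the request straight into the process environment, so this sketch checks the credential cache first and clears the variable after connecting. The cache directory, host name and database name are assumptions, and the posix extension is assumed to be loaded.

```php
<?php
// Added example: validate the credential cache exported by the Apache
// Kerberos module before libpq uses it. All constants are assumptions.
const CCACHE_DIR = '/tmp';                             // assumed cache directory
const PG_CONNINFO = 'host=db.example.internal dbname=app';   // constructed values

/**
 * Return the real path of the cache file if KRB5CCNAME names a regular,
 * owner-only file owned by the web server user inside CCACHE_DIR, else null.
 */
function validated_ccache(?string $value): ?string
{
    if ($value === null || strncmp($value, 'FILE:', 5) !== 0) {
        return null;                       // only file-based caches handled here
    }
    $path = substr($value, 5);
    $st = @lstat($path);                   // lstat: do not follow symlinks
    if ($st === false) {
        return null;
    }
    $isRegular = ($st['mode'] & 0170000) === 0100000;  // S_IFREG
    $isPrivate = ($st['mode'] & 0077) === 0;           // no group/other access
    $isMine    = $st['uid'] === posix_geteuid();
    $real      = realpath($path);
    $inDir     = $real !== false && dirname($real) === realpath(CCACHE_DIR);

    return ($isRegular && $isPrivate && $isMine && $inDir) ? $real : null;
}

/**
 * Connect to PostgreSQL with the client's delegated ticket.
 * Returns a connection, or false if the cache fails validation or the
 * connection attempt fails.
 */
function connect_with_client_ticket(array $server)
{
    $path = validated_ccache($server['KRB5CCNAME'] ?? null);
    if ($path === null) {
        return false;
    }
    putenv("KRB5CCNAME=FILE:$path");
    try {
        return pg_connect(PG_CONNINFO);
    } finally {
        putenv('KRB5CCNAME');              // unset so later code does not inherit it
    }
}
```

Call it as connect_with_client_ticket($_SERVER). Use pg_connect rather than pg_pconnect here, because a persistent connection authenticated with one user's ticket would be reused by later requests.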
