How could I forward Kerberos auth to another server (using cURL) with PHP?
I have $_SERVER['KRB5CCNAME'] in my request and I need to delegate this to another server using cURL.
How can this be done?
Code:
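    $ch = curl_init();
    $url = 'http://www.somesite.com/info.php';
    @curl_setopt($ch, CURLOPT_HTTPGET, 1);
    // Ask libcurl to delegate the Kerberos credential to the target server
    @curl_setopt($ch, CURLOPT_GSSAPI_DELEGATION, CURLGSSAPI_DELEGATION_FLAG);
    // Authenticate with SPNEGO/GSS-Negotiate; the empty "user:password" pair
    // tells libcurl to take the identity from the credential cache
    @curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
    @curl_setopt($ch, CURLOPT_USERPWD, ":");
    @curl_setopt($ch, CURLOPT_URL, $url);
    @curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $resultContent = @curl_exec($ch);
    $httpCode = @curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if (@curl_errno($ch))
    {
        // Read the error text before the handle is closed
        $msg = @curl_error($ch);
        curl_close($ch);
        // Plain variables here: this code does not run inside a class, so $this is undefined
        die('Curl error: '.$msg.' content: '.$resultContent.' code: '.$httpCode);
    }
    curl_close($ch);
    die('R: code: '.$httpCode.' content: '. htmlspecialchars($resultContent));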
EDIT:
I just figured out that PHP 5.3 doesn't have CURLOPT_GSSAPI_DELEGATION; it was added in 5.5.0 alpha 3. Working on an issue to see if that's the problem.
As stated in http://curl.haxx.se/libcurl/c/curl_easy_setopt.html for CURLOPT_GSSAPI_DELEGATION:
Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI credential delegation. The delegation is disabled by default since 7.21.7. Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if the OK-AS-DELEGATE flag is set in the service ticket in case this feature is supported by the GSSAPI implementation and the definition of GSS_C_DELEG_POLICY_FLAG was available at compile-time.
The OK-AS-DELEGATE flag should be set in the Kerberos service ticket (realm policy).
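The points raised in the post, put together as an added example that is not part of the original post: it fails early when the PHP build lacks the delegation option, exports the credential cache so the GSSAPI library can find it, and defaults to policy-based delegation so the ticket is forwarded only when the realm marks the service OK-AS-DELEGATE. The helper name `krb_delegating_handle` and its `$unconditional` parameter are hypothetical, and the example assumes the GSSAPI library reads `KRB5CCNAME` from the process environment.

```php
<?php
// Added example; krb_delegating_handle() is a hypothetical helper name.
function krb_delegating_handle($url, $ccname, $unconditional = false)
{
    // PHP before 5.5 has no delegation option at all; fail loudly rather
    // than send a request that can never delegate.
    if (!defined('CURLOPT_GSSAPI_DELEGATION')) {
        throw new RuntimeException('CURLOPT_GSSAPI_DELEGATION is not available');
    }
    // For FILE: caches, confirm PHP can actually read the ticket file.
    if (strpos($ccname, 'FILE:') === 0 && !is_readable(substr($ccname, 5))) {
        throw new RuntimeException('Credential cache is not readable');
    }
    // Assumption: the GSSAPI library looks up KRB5CCNAME in the process
    // environment, which $_SERVER does not populate, so export it here.
    putenv('KRB5CCNAME=' . $ccname);

    // Policy-based delegation forwards the credential only when the service
    // ticket carries OK-AS-DELEGATE; the unconditional flag forwards it to
    // whatever server the URL points at, so it is opt-in.
    $delegation = $unconditional
        ? CURLGSSAPI_DELEGATION_FLAG
        : CURLGSSAPI_DELEGATION_POLICY_FLAG;

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_HTTPAUTH          => CURLAUTH_GSSNEGOTIATE,
        CURLOPT_USERPWD           => ':',  // empty pair: identity comes from the cache
        CURLOPT_GSSAPI_DELEGATION => $delegation,
        CURLOPT_RETURNTRANSFER    => true,
    ));
    return $ch;
}

// Usage with the URL from the question.
if (isset($_SERVER['KRB5CCNAME'])) {
    $ch = krb_delegating_handle('http://www.somesite.com/info.php', $_SERVER['KRB5CCNAME']);
    $body = curl_exec($ch);
    if ($body === false) {
        $out = 'Curl error: ' . curl_error($ch);
    } else {
        $out = 'R: code: ' . curl_getinfo($ch, CURLINFO_HTTP_CODE)
             . ' content: ' . htmlspecialchars($body);
    }
    curl_close($ch);
    echo $out;
}
```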