Kerberos Authentication in PHP

Question

Let's just assume that I don't know much about Kerberos - just the basics.

I have...

• Debian Linux 2.6 Webserver
  • Apache 2.2
    • mod_auth_kerb/5.3
    • PHP/5.2
• a (working) Kerberos Realm
• Windows Client
  • Firefox 3
  • an logged in identity "[email protected]" in MIT Network Identity Manager

How do I use this information in a PHP script so that I don't need to log in to the website if the visitor has a kerberos ticket like that? I don't want Apache to handle the authentication. I need to find out which user is accessing the site via PHP.

Is that possible? If so: How?

What I have found out so far: I have to "enable" the domain in Firefox.

However that's about it...

Answer 1

mod_auth_kerb will handle for you actual authentication. After that, it will set REMOTE_USER and KRB5CCNAME environmental variables. Note that there are few caveats:

• mod_auth_kerb can do translation between Kerberos principal and local user name if Krb5AuthToLocal option is enabled.
• If Krb5AuthToLocal is enabled, when authentication succeeds, mod_auth_kerb will call Kerberos library to perform translation from an authenticated name to a local name as Kerberos principal is not always the same as actual user in the operating system (you can map principals to usernames).
• When MIT Kerberos is in use, this mapping is performed with the help of auth_to_local rules in /etc/krb5.conf, see krb5.conf manual page for details.
• mod_auth_kerb has a bug that resulting local name should not have longer name than the principal itself. This is usually true for principals from a default realm since they presented without realm part, i.e. 'user' instead of 'user@REALM'. However, if you have several trusted realms, users from non-default realms will be shown as '[email protected]' and then mod_auth_kerb will freak out. This bug should be fixed in Fedora 18+ and RHEL6.5, not sure about Debian since mod_auth_kerb upstream is a bit dead.
• Therefore, your REMOTE_USER variable will contain either Kerberos principal or local user name, depending on how mod_auth_kerb was configured. If your application relies on the fact that REMOTE_USER value must be a real existing system user, you would need to make sure Krb5AuthToLocal option is enabled and such users are visible in the system (through winbind or sssd).

For your case I'd recommend to look at excellent how to by Tom McLaughlin: http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/

Answer 2

I'm not sure if this will help, but it looks like Apache will send PHP the username information with the modauthkerb package if you use the KrbSaveCredentials parameter. You should get two global variables in php:

 $_SERVER['REMOTE_USER']
 $_SERVER['KRB5CCNAME']

http://archives.postgresql.org/pgsql-admin/2004-08/msg00144.php looks like they have got this working.

That way if you can see what the user is, it really isn't a requirement that php actually does the authentication.