On Sun, 4 Feb 2007 09:57:50 +0100
dk <[EMAIL PROTECTED]> wrote:

> Hello
>
> I want to build a web based application where a client sends a
> request to server 1,
> on which a php application resides. This application has to send a
> request to
> a gateway. The gateway itself then calls the target application on
> server 3
> which again is protected by kerberos:
>
> Client (fTGT) ---> Server 1 (Apache, mod_auth_kerb) ---> Gateway --->
> Server 3 (Apache, mod_auth_kerb)
>
> Everything should work as a single sign on application.

Hi Donald,

The next version of our product is specifically designed to do what
you want. We provide a PHP module that can do SSO, direct Krb5 logon
w/ user/pass, check group membership, use delegated creds to initiate
with other tiers, advanced LDAP routines, set passwords and more.

For example, to use the delegated credential to initiate with another
SSO web server a minimalistic Plexcel script might look like the
following:

<?php
require_once("plexcel.php");

// Authenticate the incoming request with Plexcel
$px = plexcel_authenticate(TRUE, array("putenv_krb5ccname" => "true"));
if ($px == FALSE)
    die("Plexcel error: <pre>" . $plexcel_status . "</pre>");

// Request the protected page on the next tier and save the response
$ch = curl_init("http://server2.example.com/protected.html");
$fp = fopen("/tmp/out.html", "w");

curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_FAILONERROR, FALSE);
// Use HTTP Negotiate (GSSAPI) authentication for this request
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
curl_setopt($ch, CURLOPT_USERPWD, "[EMAIL PROTECTED]:"); // why?

curl_exec($ch);
curl_close($ch);
fclose($fp);
?>

You can also use the keytab credential to initiate with the second tier
as well.

Let me know if you're interested. I'm going to have a beta ready very
soon.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
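
An added example, not part of the original thread and not Plexcel code: the same first hop done with the mod_auth_kerb setup the question describes on Server 1. It assumes "KrbSaveCredentials on", so that the client's forwarded TGT is exposed to PHP as KRB5CCNAME; the host gateway.example.com, the HTTPS-only rule and the function names are hypothetical.

```php
<?php
// Added example; assumes mod_auth_kerb with "KrbSaveCredentials on".
// Host name and function names are hypothetical.

// Only these hosts may receive a request made with the user's credentials.
const ALLOWED_BACKENDS = ['gateway.example.com'];

// Return the per-request credential cache exported by mod_auth_kerb.
function delegated_ccache(array $server): string
{
    $cc = $server['KRB5CCNAME'] ?? '';
    if (!preg_match('#^FILE:/[A-Za-z0-9._/-]+$#', $cc) || strpos($cc, '..') !== false) {
        throw new RuntimeException('no delegated credential cache for this request');
    }
    return $cc;
}

// Fetch $url as the signed-on user via HTTP Negotiate.
function fetch_as_user(string $url, string $ccache): string
{
    $parts = parse_url($url);
    if (($parts['scheme'] ?? '') !== 'https'
        || !in_array($parts['host'] ?? '', ALLOWED_BACKENDS, true)) {
        throw new InvalidArgumentException('refusing to use delegated credentials for ' . $url);
    }
    putenv('KRB5CCNAME=' . $ccache);       // the GSSAPI library under libcurl reads this
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_GSSNEGOTIATE,
        CURLOPT_USERPWD        => ':',     // empty user: principal comes from the cache
        CURLOPT_FOLLOWLOCATION => false,   // stay on the allow-listed host
        CURLOPT_FAILONERROR    => true,
    ]);
    $body  = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('backend request failed: ' . $error);
    }
    return $body;
}

try {
    echo fetch_as_user('https://gateway.example.com/protected.html', delegated_ccache($_SERVER));
} catch (Exception $e) {
    http_response_code(502);
    error_log($e->getMessage());
}
```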