Re: [PHP-DEV] Supporting External Authentication in the Oracle OCI8 Extension
Michael B Allen wrote:
> On Thu, May 8, 2008 at 2:02 PM, Christopher Jones [EMAIL PROTECTED] wrote:
>> I've had a couple of recent requests for the OCI8 extension to support External Authentication (aka OS authentication). I also recall a discussion or two in the past, and there is at least one bug logged on it.
>>
>> Having external authentication would allow things like Kerberos to be used for OCI8 authentication. This need is clearly growing but I'm not in favor of having it always enabled in every web environment - I feel another php.ini parameter looming :(
>>
>> If anyone wants to throw in some comments or help me re-evaluate the pros and cons, drop me a line.
>>
>> Some Oracle documentation discussing External Authentication is in:
>> http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authentication.htm#CHDEGIFB
>>
>> Chris
>
> Hi Chris,
>
> That's interesting but the scenario that is becoming more common and is the case I'm interested in is using an existing credential to initiate authentication with Oracle.
>
> For example, using our extension a PHP script can acquire a Kerberos credential either through delegation (e.g. during SPNEGO authentication), explicitly with a username and password (i.e. get a TGT) or implicitly from the HTTP service account keytab file. The mod_auth_kerb module for Apache can also save the user's delegated Kerberos credential if present. Then Kerberos-aware clients (e.g. pgsql_connect) look at the KRB5CCNAME environment variable and use that ccache file to acquire credentials for the desired resource.
>
> Does the PHP oci8 extension handle this scenario?
>
> Mike

Without adding external authentication support, there is no support for Kerberos at all.

Thanks for the use case.

Chris

--
Christopher Jones, Oracle
Email: [EMAIL PROTECTED]
Tel: +1 650 506 8630
Blog: http://blogs.oracle.com/opal/
Free PHP Book: http://tinyurl.com/f8jad

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DEV] Supporting External Authentication in the Oracle OCI8 Extension
I've had a couple of recent requests for the OCI8 extension to support External Authentication (aka OS authentication). I also recall a discussion or two in the past, and there is at least one bug logged on it.

Having external authentication would allow things like Kerberos to be used for OCI8 authentication. This need is clearly growing but I'm not in favor of having it always enabled in every web environment - I feel another php.ini parameter looming :(

If anyone wants to throw in some comments or help me re-evaluate the pros and cons, drop me a line.

Some Oracle documentation discussing External Authentication is in:
http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authentication.htm#CHDEGIFB

Chris

--
Christopher Jones, Oracle
Email: [EMAIL PROTECTED]
Tel: +1 650 506 8630
Blog: http://blogs.oracle.com/opal/
Free PHP Book: http://tinyurl.com/f8jad
Re: [PHP-DEV] Supporting External Authentication in the Oracle OCI8 Extension
On Thu, May 8, 2008 at 2:02 PM, Christopher Jones [EMAIL PROTECTED] wrote:
> I've had a couple of recent requests for the OCI8 extension to support External Authentication (aka OS authentication). I also recall a discussion or two in the past, and there is at least one bug logged on it.
>
> Having external authentication would allow things like Kerberos to be used for OCI8 authentication. This need is clearly growing but I'm not in favor of having it always enabled in every web environment - I feel another php.ini parameter looming :(
>
> If anyone wants to throw in some comments or help me re-evaluate the pros and cons, drop me a line.
>
> Some Oracle documentation discussing External Authentication is in:
> http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authentication.htm#CHDEGIFB
>
> Chris

Hi Chris,

That's interesting but the scenario that is becoming more common and is the case I'm interested in is using an existing credential to initiate authentication with Oracle.

For example, using our extension a PHP script can acquire a Kerberos credential either through delegation (e.g. during SPNEGO authentication), explicitly with a username and password (i.e. get a TGT) or implicitly from the HTTP service account keytab file. The mod_auth_kerb module for Apache can also save the user's delegated Kerberos credential if present. Then Kerberos-aware clients (e.g. pgsql_connect) look at the KRB5CCNAME environment variable and use that ccache file to acquire credentials for the desired resource.

Does the PHP oci8 extension handle this scenario?

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
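
The flow described in the message above, where a Kerberos-aware client picks up whatever ccache KRB5CCNAME names, is only as safe as that file's ownership and permissions. The following is an added example, not code from the thread, the OCI8 extension or any Kerberos module: `check_ccache()` is a hypothetical helper, the demo file is constructed, and it assumes a POSIX system with PHP's posix extension.

```php
<?php
// Added example: validate the ccache named by KRB5CCNAME before any
// Kerberos-aware client library in this request is allowed to use it.
// check_ccache() is a hypothetical helper, not part of any PHP extension.
function check_ccache(?string $ccname, int $expectedUid): array
{
    if ($ccname === null || $ccname === '') {
        return [false, 'KRB5CCNAME is not set'];
    }
    // Only FILE: caches can be inspected on disk. A value with no type
    // prefix is treated as FILE: (the MIT Kerberos default).
    if (preg_match('/^([A-Z]+):(.*)$/', $ccname, $m)) {
        if ($m[1] !== 'FILE') {
            return [false, "unsupported ccache type {$m[1]}"];
        }
        $path = $m[2];
    } else {
        $path = $ccname;
    }
    clearstatcache(true, $path);      // never trust PHP's cached stat data
    $st = @lstat($path);              // lstat: do not follow symlinks
    if ($st === false) {
        return [false, 'ccache does not exist'];
    }
    if (($st['mode'] & 0170000) !== 0100000) {
        return [false, 'ccache is not a regular file'];
    }
    if ($st['uid'] !== $expectedUid) {
        return [false, 'ccache is owned by another uid'];
    }
    if (($st['mode'] & 0077) !== 0) {
        return [false, 'ccache is accessible to group or other'];
    }
    return [true, $path];
}

// Constructed demo: a throwaway file stands in for a delegated ccache.
// In a real script the first argument would be getenv('KRB5CCNAME') ?: null.
$uid  = posix_geteuid();              // requires the posix extension
$demo = tempnam(sys_get_temp_dir(), 'krb5cc_');
chmod($demo, 0600);                   // case 1: private, owned by this process
var_dump(check_ccache("FILE:$demo", $uid));
chmod($demo, 0644);                   // case 2: readable by other local users
var_dump(check_ccache("FILE:$demo", $uid));
var_dump(check_ccache('KEYRING:persistent:0', $uid)); // case 3: non-file cache
unlink($demo);
```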