Newsgroups: php.internals
Date: Wed, 21 Dec 2005 03:56:06 -0500
From: mba2000@ioplex.com (Michael B Allen)
To: Wez Furlong
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Maintaining State Across Requests / An SSO Extension
Message-ID: <20051221035606.18815a25.mba2000@ioplex.com>

On Wed, 21 Dec 2005 01:58:41 -0500 Wez Furlong wrote:

> Just curious, why aren't you writing this as an apache module?
>
> Is this of any use; it seems a bit dated, but could save you some effort:
> http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html

Well, for one, mod_auth_gss_krb5 only does authentication. My *real* product is Windows integration libraries for non-Windows environments (i.e. LAMP). So, for example, this SSO module is going to include Windows authorization functionality for integration with AD. Meaning the developer can restrict content based on group membership of groups defined in an AD domain:

    $auth = sso_authenticate();
    if (!sso_is_member($auth, "Authenticated Users")) {
        header("Location: /login.php");
        die("You are not authorized to access this content.");
    }
    // ...
    if (sso_is_member($auth, "FOONET\\Engineers")) {
        echo "Engineers rule!";
    } else if (sso_is_member($auth, "FOONET\\Consultants")) {
        echo "Consultants rule!";
    }

Also, I think there's a lot of polish that can go into failing over to other authentication methods and redirecting to login pages and so on. You just can't do any of this well unless you're at the language level.

Mike