Newsgroups: php.internals
Message-ID: <78c6bd860805081407h57457a17k30154843dd9cf1b3@mail.gmail.com>
Date: Thu, 8 May 2008 17:07:43 -0400
From: ioplex@gmail.com ("Michael B Allen")
To: "Christopher Jones"
Cc: internals@lists.php.net
In-Reply-To: <48234048.4060708@oracle.com>
Subject: Re: [PHP-DEV] Supporting External Authentication in the Oracle OCI8 Extension

On Thu, May 8, 2008 at 2:02 PM, Christopher Jones wrote:
>
> I've had a couple of recent requests for the OCI8 extension to support
> "External Authentication" (aka OS authentication). I also recall a
> discussion or two in the past, and there is at least one bug logged on
> it.
>
> Having external authentication would allow things like Kerberos to be
> used for OCI8 authentication. This need is clearly growing but I'm not
> in favor of having it always enabled in every web environment - I feel
> another php.ini parameter looming :(
>
> If anyone wants to throw in some comments or help me re-evaluate
> the pros and cons, drop me a line.
>
> Some Oracle documentation discussing External Authentication is in:
>
> http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authentication.htm#CHDEGIFB
>
> Chris

Hi Chris,

That's interesting but the scenario that is becoming more common and is the case I'm interested in is using an existing credential to initiate authentication with Oracle.

For example, using our extension a PHP script can acquire a Kerberos credential either through delegation (e.g. during SPNEGO authentication), explicitly with a username and password (i.e. get a TGT) or implicitly from the HTTP service account keytab file. The mod_auth_kerb module for Apache can also save the user's delegated Kerberos credential if present. Then Kerberos-aware clients (e.g. pgsql_connect) look at the KRB5CCNAME environment variable and use that ccache file to acquire credentials for the desired resource.

Does the PHP oci8 extension handle this scenario?

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
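
The ccache file named by KRB5CCNAME holds the user's delegated tickets, so a script can verify the file before handing it to a Kerberos-aware client. The Python check below is an added example, not part of the original message or of any extension discussed in it; the function names and the rule that a bare path means a FILE ccache are assumptions of the example.

```python
import os
import stat
import sys


def parse_ccname(value):
    """Split a KRB5CCNAME value into (type, residual).

    Assumption of this example: a value with no "TYPE:" prefix, or one that
    is an absolute path, names a FILE ccache.
    """
    if not value:
        raise ValueError("KRB5CCNAME is empty or unset")
    if value.startswith("/") or ":" not in value:
        return "FILE", value
    cctype, _, residual = value.partition(":")
    if not cctype or not residual:
        raise ValueError("malformed KRB5CCNAME: %r" % value)
    return cctype, residual


def check_file_ccache(value, expected_uid=None):
    """Return a list of problems found; an empty list means the file passed."""
    cctype, path = parse_ccname(value)
    if cctype != "FILE":
        return ["%s ccache is not a file; nothing checked" % cctype]
    uid = os.geteuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    if not stat.S_ISREG(st.st_mode):
        return ["%s is not a regular file" % path]
    problems = []
    if st.st_uid != uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & 0o077:
        problems.append("mode %04o lets group/other access the tickets"
                        % stat.S_IMODE(st.st_mode))
    return problems


if __name__ == "__main__":
    try:
        found = check_file_ccache(os.environ.get("KRB5CCNAME", ""))
    except ValueError as exc:
        found = [str(exc)]
    for line in found:
        print("KRB5CCNAME:", line, file=sys.stderr)
    sys.exit(1 if found else 0)
```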