Newsgroups: php.internals
Date: Fri, 09 May 2008 04:38:08 -0700
To: Michael B Allen
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] Supporting External Authentication in the Oracle OCI8 Extension
From: christopher.jones@oracle.com (Christopher Jones)

Michael B Allen wrote:
> On Thu, May 8, 2008 at 2:02 PM, Christopher Jones wrote:
>> I've had a couple of recent requests for the OCI8 extension to support
>> "External Authentication" (aka OS authentication). I also recall a
>> discussion or two in the past, and there is at least one bug logged on
>> it.
>>
>> Having external authentication would allow things like Kerberos to be
>> used for OCI8 authentication. This need is clearly growing but I'm not
>> in favor of having it always enabled in every web environment - I feel
>> another php.ini parameter looming :(
>>
>> If anyone wants to throw in some comments or help me re-evaluate
>> the pros and cons, drop me a line.
>>
>> Some Oracle documentation discussing External Authentication is in:
>>
>> http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authentication.htm#CHDEGIFB
>>
>> Chris
>
> Hi Chris,
>
> That's interesting but the scenario that is becoming more common and
> is the case I'm interested in is using an existing credential to
> initiate authentication with Oracle.
>
> For example, using our extension a PHP script can acquire a Kerberos
> credential either through delegation (e.g. during SPNEGO
> authentication), explicitly with a username and password (i.e. get a
> TGT) or implicitly from the HTTP service account keytab file. The
> mod_auth_kerb module for Apache can also save the user's delegated
> Kerberos credential if present. Then Kerberos-aware clients (e.g.
> pgsql_connect) look at the KRB5CCNAME environment variable and use
> that ccache file to acquire credentials for the desired resource.
>
> Does the PHP oci8 extension handle this scenario?
>
> Mike
>

Without adding external authentication support, there is no support for
Kerberos at all. Thanks for the use case.

Chris

--
Christopher Jones, Oracle
Email: christopher.jones@oracle.com
Tel: +1 650 506 8630
Blog: http://blogs.oracle.com/opal/
Free PHP Book: http://tinyurl.com/f8jad