Le 11 sept. 06 à 05:57, Michael Fuhr a écrit :
On Sun, Sep 10, 2006 at 09:39:59PM -0600, Michael Fuhr wrote:
On Mon, Sep 11, 2006 at 02:32:26AM +0200, Jean-Gerard Pailloncy wrote:
1) Is it possible to use the SSL authentification done by apache with
PostgreSQL ?
I'm not aware of a way for Apache to proxy PostgreSQL's SSL
negotiation with the PHP script back to the HTTP client.
If such a capability existed then it could arguably be considered
a flaw in SSL because it would allow a server to impersonate one
of its clients to another server or to hijack a client's secure
connection with another server. Secure protocols are designed to
prevent such attacks.
The point is to USE AGAIN the authentification done by Apache with PostgreSQL not DO AGAIN the authentification.
Googling around, I found:
mod_auth_krb with "AuthType KerberosV5SaveCredentials"
The auth is done by mod_auth_krb and mod_perl is able to use the same ticket for PostgreSQL. It is in the doc of PG.
I found a page that presents phpkrb5 that may do the same things for mod_php
but is not really up to date (3 years old, and only for php4)
I'VE DONE IT! THE HOLY GRAIL OF WEB/DB APPS! :)
All it takes it this line your PHP script:
putenv("KRB5CCNAME={$_SERVER['KRB5CCNAME']}");
Then pg_connect works :)
Sorry for the noise, but my question seems to me less and less PostgreSQL centric.
On heavy solution may be a SSO with kerberos. Many new questions then...
If someone has already done that, I would be glad to have some good URL.
Pailloncy Jean-Gerard