Re: [PHP-DEV] Supporting External Authentication in the Oracle OCI8 Extension :: ASPN Mail Archive

Recent Messages
List Archives
About the List
List Leaders
Subscription Options

View Subscriptions
Help

View by Topic
ActiveState
.NET Framework
Open Source
Perl
PHP
Python
Tcl
Web Services
XML & XSLT

View by Category
Database
General
SOAP
System Administration
Tools
User Interfaces
Web Programming
XML Programming

MyASPN >> Mail Archive >> php-dev

php-dev

Re: [PHP-DEV] Supporting External Authentication in the Oracle OCI8 Extension
by Christopher Jones other posts by this author
May 9 2008 4:50AM messages near this date

Re: [PHP-DEV] Supporting External Authentication in the Oracle OCI8 Extension | #16820 [NoF->Opn]: hangs in multithreded environment (ZTS)

Michael B Allen wrote:
>  On Thu, May 8, 2008 at 2:02 PM, Christopher Jones
>  <christopher.jones@[...].com> wrote:
> >  I've had a couple of recent requests for the OCI8 extension to support
> >  "External Authentication" (aka OS authentication).  I also recall a
> >  discussion or two in the past, and there is at least one bug logged on
> >  it.
> >
> >  Having external authentication would allow things like Kerberos to be
> >  used for OCI8 authentication.  This need is clearly growing but I'm not
> >  in favor of having it always enabled in every web environment - I feel
> >  another php.ini parameter looming :(
> >
> >  If anyone wants to be throw in some comments or help me re-evaluate
> >  the pros and cons, drop me a line.
> >
> >  Some Oracle documentation discussing External Authentication is in:
> >
> > http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authentication.htm#CHDEGI
FB
> >
> >  Chris
>  
>  Hi Chris,
>  
>  That's interesting but the scenario that is becoming more common and
>  is the case I'm interested in is using an existing credential to
>  initiate authentication with Oracle.
>  
>  For example, using our extension a PHP script can acquire a Kerberos
>  credential either through delegation (eg. during SPNEGO
>  authentication), explicitly with a username and password (ie. get a
>  TGT) or implicitly from the HTTP service account keytab file. The
>  mod_auth_kerb module for Apache can also save the user's delegated
>  Kerberos credential if present. Then Kerberos aware clients (e.g.
>  pgsql_connect) look at the KRB5CCNAME environment variable and use
>  that ccache file to acquire credentials for the desired resource.
>  
>  Does the PHP oci8 extension handle this scenario?
>  
>  Mike
>  

Without adding external authentication support, there is no support
for Kerberos at all.

Thanks for the use case.

Chris

-- 
Christopher Jones, Oracle
Email: christopher.jones@[...].com    Tel:  +1 650 506 8630
Blog:  http://blogs.oracle.com/opal/   Free PHP Book: http://tinyurl.com/f8jad

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Thread:

Christopher Jones

Michael B Allen

Christopher Jones