I've had a couple of recent requests for the OCI8 extension to support
"External Authentication" (aka OS authentication). I also recall a
discussion or two in the past, and there is at least one bug logged on
it.

Having external authentication would allow things like Kerberos to be
used for OCI8 authentication. This need is clearly growing but I'm not
in favor of having it always enabled in every web environment - I feel
another php.ini parameter looming :(

If anyone wants to throw in some comments or help me re-evaluate
the pros and cons, drop me a line.

Some Oracle documentation discussing External Authentication is in:
http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authentication.htm#CHDEGIFB

Chris

--
Christopher Jones, Oracle
Email: christopher.jones@oracle.com Tel: +1 650 506 8630
Blog: http://blogs.oracle.com/opal/ Free PHP Book: http://tinyurl.com/f8jad


  • Michael B Allen at May 8, 2008 at 9:07 pm

    On Thu, May 8, 2008 at 2:02 PM, Christopher Jones wrote:

    > I've had a couple of recent requests for the OCI8 extension to support
    > "External Authentication" (aka OS authentication). I also recall a
    > discussion or two in the past, and there is at least one bug logged on
    > it.
    >
    > Having external authentication would allow things like Kerberos to be
    > used for OCI8 authentication. This need is clearly growing but I'm not
    > in favor of having it always enabled in every web environment - I feel
    > another php.ini parameter looming :(
    >
    > If anyone wants to throw in some comments or help me re-evaluate
    > the pros and cons, drop me a line.
    >
    > Some Oracle documentation discussing External Authentication is in:
    >
    > http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authentication.htm#CHDEGIFB
    >
    > Chris

    Hi Chris,

    That's interesting but the scenario that is becoming more common and
    is the case I'm interested in is using an existing credential to
    initiate authentication with Oracle.

    For example, using our extension a PHP script can acquire a Kerberos
    credential either through delegation (e.g. during SPNEGO
    authentication), explicitly with a username and password (i.e. get a
    TGT) or implicitly from the HTTP service account keytab file. The
    mod_auth_kerb module for Apache can also save the user's delegated
    Kerberos credential if present. Then Kerberos-aware clients (e.g.
    pgsql_connect) look at the KRB5CCNAME environment variable and use
    that ccache file to acquire credentials for the desired resource.

    Does the PHP oci8 extension handle this scenario?

    Mike

    --
    Michael B Allen
    PHP Active Directory SPNEGO SSO
    http://www.ioplex.com/
  • Christopher Jones at May 9, 2008 at 11:49 am

    Michael B Allen wrote:

    > On Thu, May 8, 2008 at 2:02 PM, Christopher Jones wrote:
    >
    > > I've had a couple of recent requests for the OCI8 extension to support
    > > "External Authentication" (aka OS authentication). I also recall a
    > > discussion or two in the past, and there is at least one bug logged on
    > > it.
    > >
    > > Having external authentication would allow things like Kerberos to be
    > > used for OCI8 authentication. This need is clearly growing but I'm not
    > > in favor of having it always enabled in every web environment - I feel
    > > another php.ini parameter looming :(
    > >
    > > If anyone wants to throw in some comments or help me re-evaluate
    > > the pros and cons, drop me a line.
    > >
    > > Some Oracle documentation discussing External Authentication is in:
    > >
    > > http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authentication.htm#CHDEGIFB
    > >
    > > Chris
    >
    > Hi Chris,
    >
    > That's interesting but the scenario that is becoming more common and
    > is the case I'm interested in is using an existing credential to
    > initiate authentication with Oracle.
    >
    > For example, using our extension a PHP script can acquire a Kerberos
    > credential either through delegation (e.g. during SPNEGO
    > authentication), explicitly with a username and password (i.e. get a
    > TGT) or implicitly from the HTTP service account keytab file. The
    > mod_auth_kerb module for Apache can also save the user's delegated
    > Kerberos credential if present. Then Kerberos-aware clients (e.g.
    > pgsql_connect) look at the KRB5CCNAME environment variable and use
    > that ccache file to acquire credentials for the desired resource.
    >
    > Does the PHP oci8 extension handle this scenario?
    >
    > Mike

    Without adding external authentication support, there is no support
    for Kerberos at all.

    Thanks for the use case.

    Chris

    --
    Christopher Jones, Oracle
    Email: christopher.jones@oracle.com Tel: +1 650 506 8630
    Blog: http://blogs.oracle.com/opal/ Free PHP Book: http://tinyurl.com/f8jad
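
An added example, not part of the original thread and not code from OCI8 or any poster: a Python check for the credential cache that Kerberos-aware clients pick up through KRB5CCNAME, as described in Michael B Allen's message above. It resolves the variable and audits a file-based cache for ownership and permissions before a web process uses it. The `/tmp/krb5cc_<uid>` fallback, the simplified name parsing, and the finding labels are assumptions of this example.

```python
import os
import stat

def resolve_ccache(environ, uid):
    """Split KRB5CCNAME into (type, residual); a bare path means FILE."""
    # Fallback used when the variable is unset: assumed default for this sketch.
    name = environ.get("KRB5CCNAME") or f"FILE:/tmp/krb5cc_{uid}"
    kind, sep, residual = name.partition(":")
    if not sep or name.startswith("/"):
        return "FILE", name
    return kind.upper(), residual

def audit_file_ccache(path, expected_uid):
    """Return findings for a FILE ccache; an empty list means no issue found."""
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    if st.st_uid != expected_uid:
        findings.append("wrong-owner")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("group-or-other-access")
    return findings

def check_environment(environ, uid):
    """Resolve the cache named by the environment and audit it if file-based."""
    kind, residual = resolve_ccache(environ, uid)
    if kind != "FILE":
        return kind, ["not-file-based"]  # KEYRING:, KCM:, etc. need other checks
    return kind, audit_file_ccache(residual, uid)

if __name__ == "__main__":
    print(check_environment(os.environ, os.geteuid()))
```
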
