Moritz Bechler

I finally managed to get the krb5 extension for PHP ready for some kind of release, since the last time I wrote about it I felt the urge to implement yet another feature: Negotiate authentication using GSSAPI. This enables real kerberos single sign on support for webapplications in PHP and works in Mozilla (tested on Windows and Linux - using MIT kerberos/KfW) and should work on IE, too, but I have not yet had the chance to test using SSPI. Nice to have

I'll post some article on this feature in the next days.

I now have copied the missing headers from the the mit-krb5 distribution, so the source is not needed anymore.


You can get it here -
php_krb5-beta.tar.gz - and maybe some day through PECL.

Here comes - for my and possibly your convenience - a combined patch against ext/openssl for PKCS#12 and CRL support. It also fixes my patch (missing the header file) and Marc Dellings part (missing some TSRM macros).

ext-openssl.patch

Update: Marc Delling's patch has made it into the distribution, updated patch against current -dev.

As a result of a migration to OpenAFS (plus the implementation of a Kerberos infrastructure) I felt the need for a administrative solution for these two services and started working on PHP extensions for both of them. Both will be implemented as PHP5 OOP extensions.

The Kerberos (5 only) extension is nearly finished (just waiting whether further requirements come up while developing the AFS ext) and contains a simple interface for obtaining a TGT (which can later be used by other extensions to obtain service tickets) as well as a KADM5 interface for MIT's krb5. The installation procedure for it is a bit unfortunate at the moment because the kadmin headers have internal depencies and are not installed (so the source distribution is required for installation). I started a small discussion on krb5dev and it seems that fixing this is not that hard and can be expected for some future release. When this happens I think I'm going to propose it for PECL (there is a kadm5 extension, but it is neither maintained nor OO). In the meantime you can fetch the sources from my subversion repository if you like to.

The AFS extension is what I work on at the moment, doing it is more complicated than the krb5 ext - mainly because there is no real documentation - so it will take some time until it is finished. It is going to support kerberos5 afs-logons, creation/modification of PTS entries (users/groups), creation/modification of volumes as well as ACL modification, mount point creation and maybe backup coordination.

I just submitted a patch to php.internals which includes CRL generation support into PHP's ext/openssl. You can also get it here: ext-openssl-crl.patch. Hopefully It will be integrated - I'm working on a CA solution based on PHP and phpSATk which will be used for certificate management in a WPA-EAP/EAP-TLS environment. So hopefully it will be integrated fast (- well I do not have big illusions here )


UPDATE: There was a problem in the extension source - updated

Hello everybody who has found his way to this site

This is the place where I will post what I'm working on at the moment and maybe some other things that might be of interest.
Do not expect this blog to be high traffic, I think it will be more of "a post every week or two".

And of course a happy new year to anybody ...