Kerberos and / or other authentication systems - single sign-on for all PHP scripts

I manage a set of web applications written almost entirely in PHP, and would like to find an authentication platform on which to build a role-based authorization system. In addition, I would like the authentication system to be extensible for use with, for example, system services (SSH, etc.).

Here are some of the main characteristics I'm looking for, in order of importance:

  • Simple PHP implementation (ease of storing / reading, etc.).
  • Redundancy, if possible. If the authorization system goes down, not everyone is locked out.
  • Has clients for Windows and Mac.
  • Simple web administration (add / remove users / roles, change passwords). If not, I can build an administration system without much effort.
  • Single sign-on.

I would also like, when an authentication token is issued, to record the user's IP address and use it to authorize the user for some non-web applications. For this reason, I would like the desktop client to issue tokens and revoke tokens when, for example, the user is idle at his workstation. I think Kerberos might be the solution, but what are the other options?

+4
2 answers

If I were doing this, which I actually have done several times in the past, I would use a combination of Kerberos and LDAP. Kerberos handles authentication and provides tokens to users. LDAP provides authorization: group membership information, user contact information, etc.

Kerberos is very, very well tested and widely used. To protect a web application with Kerberos, use Apache mod_krb5 or a solution such as Stanford WebAuth. The user authenticates once with Kerberos, and then their browser uses the ticket via SPNEGO to automatically log into the web application. If you have a Windows Active Directory domain, your users already have Kerberos tickets from their workstation login session that you can use!

Kerberos is also supported by many other network server programs, such as OpenSSH, various IPsec VPN tools, email (both SMTP and IMAP), XMPP (Jabber), etc.

The Kerberos infrastructure can be as redundant as you like, and organized however you like. Realms can have many authentication servers and can trust each other arbitrarily.

This is not just a solution, it is the solution for single sign-on.

+4

What you are looking for is (essentially) setting up a Lightweight Directory Access Protocol (LDAP) server / client. PHP has a built-in library, it is easily made redundant, it has clients for Windows / Mac / Linux, front ends are available (although I cannot recommend any good ones at the moment), and it will provide authentication for any set of applications you want.

While there are some additional pieces that you will need to implement to achieve exactly what you want, LDAP sounds like the framework you should start with.

+2
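The two answers describe the same shape of system from different ends: the first answer authenticates with Kerberos (the browser presents a ticket via SPNEGO and the Apache auth module exposes the principal to PHP) and authorizes from LDAP group membership; the second authenticates directly with an LDAP bind using PHP's built-in ldap extension. The script below is an added example that wires both paths into one role check; it is not code from the question, either answer, or any of the projects they mention. Everything about the directory is assumed: an LDAP server at ldaps://ldap.example.com with users under ou=people (uid attribute) and posixGroup entries under ou=groups (memberUid), the Kerberos realm EXAMPLE.COM, a read-only service account cn=webapp,ou=services, and an Apache Kerberos/GSSAPI module that sets REMOTE_USER and AUTH_TYPE before PHP runs. The function names are the example's own.

```php
<?php
// Added example: single role check fed by either a Kerberos/SPNEGO login
// (REMOTE_USER set by the Apache auth module) or an LDAP bind with a posted
// username/password. All DNs, hostnames and attribute names are assumptions.
declare(strict_types=1);

const LDAP_URI   = 'ldaps://ldap.example.com';   // assumed; TLS from the start so bind passwords never travel in clear
const BASE_DN    = 'dc=example,dc=com';          // assumed
const USER_BASE  = 'ou=people,' . BASE_DN;
const GROUP_BASE = 'ou=groups,' . BASE_DN;
const SVC_DN     = 'cn=webapp,ou=services,' . BASE_DN;   // assumed read-only service account
const REALM      = 'EXAMPLE.COM';                // assumed Kerberos realm
const NAME_RE    = '/^[a-z0-9._-]{1,64}$/';      // conservative shape for a local login name

/** Open an LDAPv3 connection (returns LDAP\Connection on PHP 8.1+, a resource before that). */
function ldap_open_conn()
{
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        throw new RuntimeException('malformed LDAP URI');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // do not chase referrals to servers we did not pin
    return $ds;
}

/**
 * Path A, SPNEGO: the Apache module has already verified the ticket and set
 * REMOTE_USER to e.g. "alice@EXAMPLE.COM". Trust it only when AUTH_TYPE shows the
 * module actually ran, and pin the realm so a principal from a trusted foreign
 * realm (bob@OTHER.COM) cannot silently map onto the local uid "bob".
 */
function user_from_spnego(array $server): ?string
{
    $principal = (string)($server['REMOTE_USER'] ?? '');
    if ($principal === '' || (string)($server['AUTH_TYPE'] ?? '') === '') {
        return null;
    }
    $parts = explode('@', $principal, 2);
    if (count($parts) !== 2 || $parts[1] !== REALM) {
        return null;   // no realm or wrong realm: refuse rather than guess
    }
    return preg_match(NAME_RE, $parts[0]) === 1 ? $parts[0] : null;
}

/**
 * Path B, LDAP bind: prove the password by binding as the user's DN.
 * An empty password turns ldap_bind into an *anonymous* (unauthenticated) bind,
 * which most servers accept, so a login form that forwards "" to ldap_bind is a
 * password bypass. Reject it before touching the directory.
 */
function user_from_ldap_bind($ds, string $login, string $password): ?string
{
    if ($password === '' || preg_match(NAME_RE, $login) !== 1) {
        return null;
    }
    $dn = 'uid=' . ldap_escape($login, '', LDAP_ESCAPE_DN) . ',' . USER_BASE;
    return @ldap_bind($ds, $dn, $password) ? $login : null;   // warning suppressed; result checked
}

/** Roles = cn of every posixGroup whose memberUid lists the user (search runs as the service account). */
function roles_for($ds, string $uid): array
{
    $svcPassword = getenv('LDAP_SVC_PASSWORD') ?: '';
    if ($svcPassword === '' || !@ldap_bind($ds, SVC_DN, $svcPassword)) {
        throw new RuntimeException('service bind failed: ' . ldap_error($ds));   // never fall back to anonymous
    }
    // Escaping the filter value keeps a crafted uid from becoming "*" or ")(memberUid=*".
    $filter = '(&(objectClass=posixGroup)(memberUid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($ds, GROUP_BASE, $filter, ['cn']);
    if ($res === false) {
        throw new RuntimeException('group search failed: ' . ldap_error($ds));
    }
    $roles = [];
    foreach (ldap_get_entries($ds, $res) as $key => $entry) {
        if ($key !== 'count' && isset($entry['cn'][0])) {
            $roles[] = $entry['cn'][0];
        }
    }
    return $roles;
}

// Glue: prefer the SSO ticket, fall back to a posted username/password.
$ds  = ldap_open_conn();
$uid = user_from_spnego($_SERVER)
    ?? user_from_ldap_bind($ds, (string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
if ($uid === null) {
    http_response_code(401);
    exit('authentication required');
}
$roles = roles_for($ds, $uid);

session_start();
session_regenerate_id(true);           // fresh session id after login, against session fixation
$_SESSION['uid']   = $uid;
$_SESSION['roles'] = $roles;
$_SESSION['ip']    = $_SERVER['REMOTE_ADDR'];   // the IP the question wants recorded; unreliable behind NAT/proxies

if (!in_array('webadmins', $roles, true)) {   // 'webadmins' is an assumed group name
    http_response_code(403);
    exit('forbidden');
}
echo 'hello ', htmlspecialchars($uid, ENT_QUOTES, 'UTF-8');
```

Two details carry most of the security weight. REMOTE_USER is only meaningful when the Kerberos module populated it for this request; checking AUTH_TYPE and the realm suffix keeps the script from treating a header or a foreign-realm principal as a local user. On the bind path, the empty-password check and the two ldap_escape calls (one with LDAP_ESCAPE_DN for the bind DN, one with LDAP_ESCAPE_FILTER for the group search) are what separate a working LDAP login from an anonymous-bind bypass or a filter injection.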

Source: https://habr.com/ru/post/1304949/
