
Support GSSAPI Authentication Mechanism For App User

Open linuxluser opened this issue 5 months ago • 3 comments

Is your feature request related to a problem? Please describe. I have an OpenLDAP server that is configured for SASL authentication only. I use Kerberos as the mechanism, usually. I'd like it if the app user could use their Kerberos credentials (esp. a keytab file) to log in.

Describe the solution you'd like Include the use of the ldap_sasl_bind() from PHP:LDAP along with accompanying env variables to allow specifying: KDC server, realm, principal to authorize as, password to use or local keytab file to use.

Alternatively, perhaps support the common KRB5_* environment variables.

Describe alternatives you've considered I could mix authentication mechanisms on the LDAP server to include both SASL types and plain.

Additional context I believe v1 supports this so maybe it would just be a matter of transferring some of that code over. I don't personally know much about PHP or I would help out.

linuxluser avatar Aug 15 '25 21:08 linuxluser
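The bind flow the request describes, as an added PHP example (not phpLDAPadmin's own code): a GSSAPI SASL bind through ldap_sasl_bind() whose credentials come from the standard MIT Kerberos variables KRB5_CLIENT_KTNAME / KRB5CCNAME. The LDAP_URI and LDAP_SASL_AUTHZID variable names are assumed for illustration.

```php
<?php
// Added example, not phpLDAPadmin code. LDAP_URI and LDAP_SASL_AUTHZID are
// hypothetical names; KRB5_CLIENT_KTNAME and KRB5CCNAME are standard MIT
// Kerberos variables read by the GSSAPI library itself, not by PHP.
declare(strict_types=1);

function gssapiBind(): LDAP\Connection
{
    $uri     = getenv('LDAP_URI') ?: 'ldap://ldap.example.test'; // hypothetical
    $keytab  = getenv('KRB5_CLIENT_KTNAME');            // e.g. FILE:/etc/app/app.keytab
    $authzId = getenv('LDAP_SASL_AUTHZID') ?: null;     // optional "u:name" / "dn:..." to authorize as

    // With a client keytab set, the Kerberos library obtains the principal's
    // ticket on its own; otherwise it uses the credential cache in KRB5CCNAME.
    if ($keytab !== false && !is_readable(preg_replace('/^FILE:/', '', $keytab))) {
        throw new RuntimeException("keytab not readable: $keytab");
    }

    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("bad LDAP URI: $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // GSSAPI needs no DN or password: the identity comes from the Kerberos
    // credentials, and the server maps the principal to an LDAP identity.
    if (!ldap_sasl_bind($ldap, null, null, 'GSSAPI', null, null, $authzId)) {
        throw new RuntimeException('GSSAPI bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

$ldap = gssapiBind();
// Check which identity the server actually bound us as (RFC 4532 Who Am I?).
echo 'Bound as: ' . (ldap_exop_whoami($ldap) ?: '(anonymous)') . PHP_EOL;
```

Run with KRB5_CLIENT_KTNAME pointing at the app's keytab (or after kinit with KRB5CCNAME set) so the server-side principal mapping can be verified from the Who Am I? result.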

If you can provide details on the setup, including a step by step to create a similar environment, with an example of how the authentication should work, then it shouldn't be too hard to implement.

Without access to an environment to test against, this feature request won't go anywhere :(

leenooks avatar Aug 16 '25 01:08 leenooks

Since my request here should be applicable to any Kerberos configuration where an LDAP server accepts GSSAPI login mechanisms, something like FreeIPA might be the closest thing to a quick, reproducible environment for testing purposes.

I found this repo, which sets up a FreeIPA environment for testing: https://github.com/freeipa/ipa-docker-test-runner

I haven't tried this yet but this is sort of where my headspace has been for this.

linuxluser avatar Aug 23 '25 00:08 linuxluser

I've moved on to a different solution for my setup. I'm dropping Kerberos and using LDAP simple auth now. So I'm not going to be putting in the time to get this feature in place.

Feel free to close this if you want. Or leave it open if you think you'll be able to get to it at some point.

linuxluser avatar Oct 24 '25 17:10 linuxluser