使用PHP到MariaDB的GSSAPI-Auth(Windows) [英] GSSAPI-Auth with PHP to MariaDB (Windows)
问题描述
我目前正在在干净的Windows域环境中对数据库服务器进行单点登录.
由于MySQL Enterprise和MSSQL服务器目前无法选择,因此它通过GSSAPI插件归结为MariaDB.
这就是我目前拥有的:
服务器:
MYDOMAIN的Windows 7 x64成员
MariaDB 10.2.14 x64
Apache2 2.4.33 x64 VC11 + mod_authnz_sspi + PHP 5.6.35 + mod_fcgid
MariaDB ODBC驱动程序x64
HeidiSQL(MariaDB安装程序随附的SQL客户端)
FCGID-Config如下所示("A:"不是计算机上的软盘驱动器,而是我实际放置Apache2的位置):
< IfModule!fcgid_module>LoadModule fcgid_module模块/mod_fcgid.soFcgidIOTimeout 64FcgidConnectTimeout 16FcgidMaxRequestsPerProcess 200FcgidMaxProcesses 500FcgidMaxRequestLen 8131072FcgidInitialEnv PHPRC"A:/php"FcgidInitialEnv PHP_FCGI_MAX_REQUESTS 200FcgidWrapper"A:/php/php-cgi.exe" .php</IfModule> 目录配置如下:
<目录"$ {SRVROOT}/htdocs">选项索引FollowSymLinksAllowOverride无AuthName"MYSERVER"AuthType SSPISSPIAuth开启SSPI权威性SSPIOfferBasic开SSPIOfferSSPI开< RequireAll>< RequireAny>需要sspi-group mygroup</RequireAny>< RequireNone>要求用户匿名登录"</RequireNone></RequireAll>SetEnvIf授权(.*)" HTTP_AUTHORIZATION = $ 1< FilesMatch \ .php>AddHandler fcgid脚本.php</FilesMatch>选项+ ExecCGI</目录> 对php.ini没什么幻想,仅以php.ini-development示例(以PHP zip软件包提供)为例,并启用了php_mysql,php_mysqli,php_mbstring和php_ldap扩展.
我当前的MariaDB my.ini如下:
[mysqld]datadir = M:/数据端口= 3306key_buffer_size = 384Mmax_allowed_packet = 512Mtable_open_cache = 512read_buffer_size = 256Mread_rnd_buffer_size = 128Msort_buffer_size = 512Mquery_cache_size = 32Mjoin_buffer_size = 128M默认存储引擎= INNODBinnodb-page-size = 65536innodb_buffer_pool_size = 4Ginnodb_write_io_threads = 8innodb_read_io_threads = 8innodb_thread_concurrency = 16innodb_log_buffer_size = 8Minnodb_log_file_size = 256Minnodb_log_files_in_group = 3innodb_max_dirty_pages_pct = 90innodb_lock_wait_timeout = 120字符集服务器= utf8thread_concurrency = 8thread_cache_size = 8[客户]端口= 3306plugin-dir = M:/lib/plugin[mysqldump]快的max_allowed_packet = 512M[mysql]不自动重新哈希安全更新 客户:
MYDOMAIN的Windows 10 x64成员
Internet Explorer 11
MySQL Workbench 6.0 CE(6.0.7.11215)
设置完所有内容后,我用root帐户将VIA HeidiSQL(或其他任何SQL-Client)连接到MariaDB-Server,并按此处所述创建实际用户 https://mariadb.com/kb/en/library/authentication-plugin-gssapi/:
通过gssapi作为"myuser @ MYDOMAIN"创建用户myuser身份; 现在,在与HeidiSQL连接时,或者在向MySQL Workbench提供auth_gssapi_client.dll之后(并且该进程以myuser身份运行时),我都可以毫无问题地连接到MariaDB服务器.
在现在尝试连接PHP之前,我先看了phpinfo();.使用$ _SERVER变量REMOTE_USER,PHP_AUTH_USER和PHP_AUTH_PW,一切看起来都与预期的一样.这是我的index.php:
<?php//phpinfo();出口;$ m = mysql_connect("localhost",$ _SERVER ["PHP_AUTH_USER"]);$ mi = mysqli_connect("localhost",$ _SERVER ["PHP_AUTH_USER"]);$ c = odbc_connect("MariaDB",$ _SERVER ["PHP_AUTH_USER"],");?> 正如您可能会看到的那样,我使用MariaDB ODBC Connector设置了SystemDSN,并将其称为MariaDB,它指向MariaDB的插件目录.
有了这一点,我至少可以尝试使其完全正常运行,然后再担心这些问题:
警告:mysql_connect():服务器在第3行的A:\ htdocs \ index.php中请求客户端[auth_gssapi_client]未知的身份验证方法警告:mysql_connect():服务器在第3行的A:\ htdocs \ index.php中请求客户端未知的身份验证方法警告:mysqli_connect():服务器在第4行的A:\ htdocs \ index.php中请求客户端[auth_gssapi_client]未知的身份验证方法警告:mysqli_connect():(HY000/2054):服务器在第4行的A:\ htdocs \ index.php中请求客户端未知的身份验证方法 我找不到关于如何将mysql或mysqli的php扩展名(或我也用相同结果pdo_mysql测试)指向MariaDB的auth_gssapi_client.dll插件的任何解决方案.因此,如果有人能指出我的想法,那也将不胜感激.
但是真正的问题,也是我(很可能)会遇到mysql和mysqli,是odbc connect ...的结果...
警告:odbc_connect():SQL错误:[ma-3.0.3] GSSAPI名称不匹配,请求为"myuser @ MYDOMAIN",实际名称为"myserver $ @ MYDOMAIN",SQLConnect中的SQL状态28000:第5行的\ htdocs \ index.php 该进程本身是作为本地系统运行的,不幸的是,GSSAPI只对运行该进程的用户感兴趣,而对经过身份验证的用户不感兴趣.
我正在Internet上搜索并尝试大约一个星期才能使它正常工作,尽管仍然没有任何有效的结果(或在这方面还有什么剩余的想法可以尝试).
因此,如果有人对如何实现这一目标有个好主意.
Greetz TheSkyGuy
警告:odbc_connect():SQL错误:[ma-3.0.3] GSSAPI名称不匹配,请求的"myuser @ MYDOMAIN",实际名称"myserver $ @ MYDOMAIN",SQL第5行的A:\ htdocs \ index.php中SQLConnect中的状态28000
这意味着您的应用程序(apache?)与计算机帐户连接,也许它以NetworkService用户身份运行,或者类似的东西.如果您可以在域用户"myuser"的凭据下运行它,则它将连接.
或者,您可以创建与计算机帐户对应的MariaDB用户帐户,并将其用于连接.
I'm currently working on Single Sign On to a Database-Server in a clean Windows Domain Environment.
And as MySQL Enterprise and MSSQL servers are currently no option, it came down to MariaDB with the GSSAPI plugin.
That's what I currently have:
Server:
Windows 7 x64 member of MYDOMAIN
MariaDB 10.2.14 x64
Apache2 2.4.33 x64 VC11 + mod_authnz_sspi + PHP 5.6.35 + mod_fcgid
MariaDB ODBC Driver x64
HeidiSQL (SQL-Client delivered with the MariaDB installer)
FCGID-Config looks as follows ("A:" is not a floppy drive on my machine, but where I actually put my Apache2):
<IfModule !fcgid_module>
LoadModule fcgid_module modules/mod_fcgid.so
FcgidIOTimeout 64
FcgidConnectTimeout 16
FcgidMaxRequestsPerProcess 200
FcgidMaxProcesses 500
FcgidMaxRequestLen 8131072
FcgidInitialEnv PHPRC "A:/php"
FcgidInitialEnv PHP_FCGI_MAX_REQUESTS 200
FcgidWrapper "A:/php/php-cgi.exe" .php
</IfModule>
Directory-Config looks as follows:
<Directory "${SRVROOT}/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
AuthName "MYSERVER"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOfferSSPI On
<RequireAll>
<RequireAny>
Require sspi-group mygroup
</RequireAny>
<RequireNone>
Require user "ANONYMOUS LOGON"
</RequireNone>
</RequireAll>
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
<FilesMatch \.php>
AddHandler fcgid-script .php
</FilesMatch>
Options +ExecCGI
</Directory>
Nothing fancy done to the php.ini, just took the example php.ini-development (delivered in PHP zip package) and enabled the php_mysql, php_mysqli, php_mbstring and php_ldap extensions.
My current MariaDBs my.ini looks as follows:
[mysqld]
datadir=M:/data
port=3306
key_buffer_size = 384M
max_allowed_packet = 512M
table_open_cache = 512
read_buffer_size = 256M
read_rnd_buffer_size = 128M
sort_buffer_size = 512M
query_cache_size = 32M
join_buffer_size = 128M
default-storage-engine = INNODB
innodb-page-size = 65536
innodb_buffer_pool_size = 4G
innodb_write_io_threads = 8
innodb_read_io_threads = 8
innodb_thread_concurrency = 16
innodb_log_buffer_size = 8M
innodb_log_file_size = 256M
innodb_log_files_in_group = 3
innodb_max_dirty_pages_pct = 90
innodb_lock_wait_timeout = 120
character-set-server=utf8
thread_concurrency = 8
thread_cache_size = 8
[client]
port = 3306
plugin-dir = M:/lib/plugin
[mysqldump]
quick
max_allowed_packet = 512M
[mysql]
no-auto-rehash
safe-updates
Client:
Windows 10 x64 member of MYDOMAIN
Internet Explorer 11
MySQL Workbench 6.0 CE (6.0.7.11215)
After setting everything up I connect VIA HeidiSQL (or well any SQL-Client) to the MariaDB-Server with the root account and create the actual user as described here https://mariadb.com/kb/en/library/authentication-plugin-gssapi/ :
CREATE USER myuser IDENTIFIED VIA gssapi AS 'myuser@MYDOMAIN';
Now while connecting with HeidiSQL or after providing MySQL Workbench with the auth_gssapi_client.dll (and while the process is running as myuser) I have no problem connecting to the MariaDB-Server.
Before now trying to connect with PHP I took a look at phpinfo(); where everything seems as much as expected, with the $_SERVER vars REMOTE_USER, PHP_AUTH_USER and PHP_AUTH_PW. Here's my index.php:
<?php
//phpinfo(); exit;
$m = mysql_connect("localhost", $_SERVER["PHP_AUTH_USER"]);
$mi = mysqli_connect("localhost", $_SERVER["PHP_AUTH_USER"]);
$c = odbc_connect("MariaDB", $_SERVER["PHP_AUTH_USER"], "");
?>
As you may see at some point I set up a SystemDSN with the MariaDB ODBC Connector and called it MariaDB wich is pointed at MariaDBs Plugin dir.
With that I could at least try to get it working at all and after that worry about these:
Warning: mysql_connect(): The server requested authentication method unknown to the client [auth_gssapi_client] in A:\htdocs\index.php on line 3
Warning: mysql_connect(): The server requested authentication method unknown to the client in A:\htdocs\index.php on line 3
Warning: mysqli_connect(): The server requested authentication method unknown to the client [auth_gssapi_client] in A:\htdocs\index.php on line 4
Warning: mysqli_connect(): (HY000/2054): The server requested authentication method unknown to the client in A:\htdocs\index.php on line 4
I could not find any solution on how to point the php extensions for mysql or mysqli (or as I also tested with the same result pdo_mysql) to the auth_gssapi_client.dll plugin from MariaDB. So if anyone could point me there that would also been appreciated.
But the real problem, wich I would also (very likely) run into with the mysql and mysqli, is the result from the odbc connect ...:
Warning: odbc_connect(): SQL error: [ma-3.0.3]GSSAPI name mismatch, requested 'myuser@MYDOMAIN', actual name 'myserver$@MYDOMAIN', SQL state 28000 in SQLConnect in A:\htdocs\index.php on line 5
The process itself is ofc running as local system, sadly GSSAPI only is interested in the user running the process and not in the authenticated user.
I'm searching the internet and trying stuff for about a week now to get that working, though still without any functioning result (or any remaining idea on what to try out next in that regard).
So if anyone has an idea on how to get that working that would been great.
Greetz TheSkyGuy
Warning: odbc_connect(): SQL error: [ma-3.0.3]GSSAPI name mismatch, requested 'myuser@MYDOMAIN', actual name 'myserver$@MYDOMAIN', SQL state 28000 in SQLConnect in A:\htdocs\index.php on line 5
this means that your application (apache?) connects with the machine account, perhaps it runs as NetworkService user, or something like that. If you can run it under domain user "myuser" credentials, then it will connect.
Alternatively, you can create MariaDB user account corresponding to the machine account, and use that for connection.
这篇关于使用PHP到MariaDB的GSSAPI-Auth(Windows)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
