[Freeipa-devel] mod_auth_kerb ticket forwarding

Karl MacMillan kmacmill at redhat.com
Tue Aug 28 19:50:34 UTC 2007


On Mon, 2007-08-27 at 11:22 -0700, Pete Rowley wrote:
> Rob Crittenden wrote:
> > So assuming we have ticket forwarding, how do we want to change the way 
> > things work in order to use it? Currently the XML-RPC server-side code 
> > authenticates with a client cert and a special user. I suppose we can 
> > do away with this and use the user's ticket?
> >
> Absolutely - this was the original intention.

There was some discussion about this on #freeipa - thought I would bring
it to the list.

The concern with this is that we don't currently have the infrastructure
to request forwardable tickets for only some services. That means that
the default will have to be forwardable tickets for everything, which
introduces its own security problems.

It may be more secure to preserve the existing authentication between
the xml-rpc server and ldap. Simo suggested a hybrid approach.

Rob / Simo - what was the final outcome of that discussion?

Karl



