[Freeipa-devel] mod_auth_kerb ticket forwarding

Rob Crittenden rcritten at redhat.com
Tue Aug 28 21:08:03 UTC 2007


Karl MacMillan wrote:
> On Mon, 2007-08-27 at 11:22 -0700, Pete Rowley wrote:
>> Rob Crittenden wrote:
>>> So assuming we have ticket forwarding, how do we want to change the way 
>>> things work in order to use it? Currently the XML-RPC server-side code 
>>> authenticates with a client cert and a special user. I suppose we can 
>>> do away with this and use the user's ticket?
>>>
>> Absolutely - this was the original intention.
> 
> There was some discussion about this on #freeipa - thought I would bring
> it to the list.
> 
> The concern with this is that we don't currently have the infrastructure
> to request forwardable tickets for only some services. That means that
> the default will have to be forwardable tickets for everything, which
> introduces its own security problems.
> 
> It may be more secure to preserve the existing authentication between
> the xml-rpc server and ldap. Simo suggested a hybrid approach.
> 
> Rob / Simo - what was the final outcome of that discussion?
> 
> Karl
> 

We decided to look into it further. We figured it was possible to 
support both, so the user could decide.

I looked into it a bit today and was able to get it working in the simplest 
case where either would be supported. The trouble is that SASL auth 
doesn't work over SSL. I'm not sure we want that. We may simply be 
better off with proxy auth.

rob