[Freeipa-devel] mod_auth_kerb ticket forwarding
Simo Sorce
ssorce at redhat.com
Tue Aug 28 21:53:57 UTC 2007
On Tue, 2007-08-28 at 17:08 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > On Mon, 2007-08-27 at 11:22 -0700, Pete Rowley wrote:
> >> Rob Crittenden wrote:
> >>> So assuming we have ticket forwarding, how do we want to change the way
> >>> things work in order to use it? Currently the XML-RPC server-side code
> >>> authenticates with a client cert and a special user. I suppose we can
> >>> do away with this and use the user's ticket?
> >>>
> >> Absolutely - this was the original intention.
> >
> > There was some discussion about this on #freeipa - thought I would bring
> > it to the list.
> >
> > The concern with this is that we don't currently have the infrastructure
> > to request forwardable tickets for only some services. That means that
> > the default will have to be forwardable tickets for everything, which
> > introduces its own security problems.
> >
> > It may be more secure to preserve the existing authentication between
> > the xml-rpc server and ldap. Simo suggested a hybrid approach.
> >
> > Rob / Simo - what was the final outcome of that discussion?
> >
> > Karl
> >
>
> We decided to look into it further. We figured it was possible to
> support both, so the user could decide.
>
> I looked into it a bit today and was able get it working in the simplest
> case where either would be supported. The trouble is that SASL auth
> doesn't work over SSL. I'm not sure we want that. We may simply be
> better off with proxy auth.
When you do GSSAPI auth you get encryption for free, so SSL is not
required in that case.
Simo.