[Freeipa-devel] mod_auth_kerb ticket forwarding
Simo Sorce
ssorce at redhat.com
Wed Aug 29 12:42:10 UTC 2007
On Wed, 2007-08-29 at 07:59 +1000, Andrew Bartlett wrote:
> On Tue, 2007-08-28 at 17:53 -0400, Simo Sorce wrote:
> > On Tue, 2007-08-28 at 17:08 -0400, Rob Crittenden wrote:
>
> > > I looked into it a bit today and was able to get it working in the simplest
> > > case where either would be supported. The trouble is that SASL auth
> > > doesn't work over SSL. I'm not sure we want that. We may simply be
> > > better off with proxy auth.
> >
> > When you do GSSAPI auth you get encryption for free, so SSL is not
> > required in that case.
>
> This is true for LDAP, just not for HTTP.
Yes, we were talking about the LDAP connection afaik.
HTTPS shouldn't have any problems with GSSAPI and SSL is the standard
for HTTP anyway.
> Having just GSSAPI sealing
> for the xml-rpc -> LDAP connection would seem simpler (and can nicely be
> sniffed, with the right keys exported, with wireshark :-).
I guess wireshark can use an SSL certificate copy to unseal an SSL
encrypted connection?
Simo.