[Freeipa-devel] session authentication URI issues

Stephen Gallagher sgallagh at redhat.com
Thu Dec 22 15:29:35 UTC 2011


On Wed, 2011-12-21 at 14:07 -0500, John Dennis wrote:
> For your holiday reading pleasure :-) Happy holidays to all.
> 

Ok, I want to try to restate the problem so that I'm sure I understand
it.

The way the session management is going to work is that the Apache
server/FreeIPA application is going to kinit and get credentials on our
behalf and store them in a session cache and provide us with a secure
cookie. As long as we have that cookie, we have an access key to the
credential cache and Apache can then use that to perform RPC requests in
our name.

When we connect via the CLI, we already have valid Kerberos credentials,
and we want to simply delegate those instead, so the Apache server
doesn't need to maintain a session.

What if we were to mandate that the FreeIPA server always allows issuing
a TGT with a renewal time of no less than the TGT time? Then it would be
possible to initiate a session by presenting our existing TGT to perform
a renewal request on the Apache server, which could then be cached into
the session. We could then just use the session interface from then on,
even in the CLI/libcurl.

Is this doable?
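To make the proposal above concrete, here is an added Python sketch that is not part of the thread or of FreeIPA's code: it models the "renew lifetime never shorter than ticket lifetime" policy, the check a renewal request has to pass, and a server-side session store that maps an unguessable cookie value to the renewed credentials. The `Tgt` and `SessionStore` names and all timestamps are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Tgt:
    """Minimal stand-in for a ticket-granting ticket (constructed, not a real krb5 structure)."""
    principal: str
    endtime: int       # epoch seconds at which the ticket expires
    renew_till: int    # epoch seconds after which it can no longer be renewed
    renewable: bool = True


def meets_renewal_policy(tgt: Tgt) -> bool:
    """Proposed server policy: the renew window is at least as long as the ticket lifetime,
    so a client holding any valid TGT is always able to ask for a renewal."""
    return tgt.renewable and tgt.renew_till >= tgt.endtime


def can_renew(tgt: Tgt, now: int) -> bool:
    """A renewal request only succeeds while the TGT is still valid and inside its renew window."""
    return tgt.renewable and now < tgt.endtime and now < tgt.renew_till


@dataclass
class SessionStore:
    # session id -> renewed TGT; stands in for the per-session credential cache on the server
    ccache: Dict[str, Tgt] = field(default_factory=dict)

    def start_session(self, presented: Tgt, now: int, lifetime: int) -> Optional[str]:
        """Accept an existing TGT, 'renew' it into the session cache and return the cookie value.
        Returns None when the ticket cannot be renewed, so no session is created for it."""
        if not (meets_renewal_policy(presented) and can_renew(presented, now)):
            return None
        # The renewed ticket never outlives the original renew_till.
        renewed = Tgt(presented.principal, min(now + lifetime, presented.renew_till),
                      presented.renew_till, presented.renewable)
        sid = secrets.token_urlsafe(32)   # unguessable value carried in a Secure/HttpOnly cookie
        self.ccache[sid] = renewed
        return sid

    def lookup(self, sid: str, now: int) -> Optional[str]:
        """Resolve a presented cookie to the principal an RPC request would run as,
        refusing sessions whose cached credentials have already expired."""
        tgt = self.ccache.get(sid)
        if tgt is None or now >= tgt.endtime:
            return None
        return tgt.principal
```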

