[Freeipa-devel] session authentication URI issues
Adam Young
ayoung at redhat.com
Thu Dec 22 22:37:09 UTC 2011
On 12/21/2011 02:07 PM, John Dennis wrote:
> For your holiday reading pleasure :-) Happy holidays to all.
>
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
To answer a couple questions are almost certainly going to come up:
When we first started discussing this a long while back, I looked in to
what I still feel is the right long term solution, but whifch is not
currently an option for release reasons.
The most unified approach would extend mod_auth_krb to perform the
caching of the credentials. A set of files that are Kerberos protected
could have an additional specification that would stick the Credential
in the session.
This requires mod_auth_krb to know about mod_session. Unfortunately,
due the versions of Apache and how we configure it, that does not work
for IPA. Back porting mod_session to the version of Apache shipped with
RHEL 6 is a non trivial undertaking. The IPA server runs with Apache
in pre-fork mode, which means that each request is handled by a
different process. Thus sessions, which depend on shared state, become
a much heavier-weight proposal.
In the future I would like to revisit this issue and attempt to
integrate the change into mod_auth_krb.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111222/8b59fc2a/attachment.htm>
More information about the Freeipa-devel
mailing list