[Freeipa-devel] Use sessions for mod_auth_gssapi ?
Jan Cholasta
jcholast at redhat.com
Tue Mar 31 06:04:23 UTC 2015
On 30.3.2015 at 22:09, Adam Young wrote:
> On 03/30/2015 11:52 AM, Simo Sorce wrote:
>> Since we now merged in a change from mod_auth_kerb to mod_auth_gssapi I
>> was wondering if we want to press further and enable by default the use
>> of native mod_auth_gssapi sessions ?
>>
>> The old mod_auth_kerb didn't have this feature so, in order to have
>> decent performance we introduced split paths where some are always
>> incurring the full negotiate penalty and others instead rely on a
>> session cookie.
>>
>> mod_auth_gssapi can be configured to use a session cookie directly which
>> avoids the negotiate auth performance hit. Integration would require
>> that the FreeIPA code learns how to delete the cookie when someone hits
>> a logout button, but it would be otherwise transparent.
>>
>> It would be especially useful for 3rd party clients that want to use the
>> json/xmlrpc endpoints, as all they have to do is just support sending
>> back cookies and they do not have to learn how to contact multiple
>> endpoints to get credentials and then switch to the session only based
>> ones.
>>
>> Thoughts ?
>>
>> Simo.
>>
> I always wanted this. It would be awesome, very valuable.
Yes please.
>
> Recall that when we looked into it we were on Apache 1.3, and session
> support, mod_session, was not available. Fairly certain the landscape
> has changed since then.
>
--
Jan Cholasta