[Freeipa-devel] Use sessions for mod_auth_gssapi ?

Anthony Messina amessina at messinet.com
Tue Mar 31 16:31:21 UTC 2015


On Monday, March 30, 2015 11:52:07 AM Simo Sorce wrote:
> Since we now merged in a change from mod_auth_kerb to mod_auth_gssapi I
> was wondering if we want to press further and enable by default the use
> of native mod_auth_gssapi sessions ?
> 
> The old mod_auth_kerb didn't have this feature so, in order to have
> decent performance we introduced split paths where some are always
> incurring the full negotiate penalty and others instead rely on a
> session cookie.
> 
> mod_auth_gssapi can be configured to use a session cookie directly which
> avoids the negotiate auth performance hit. Integration would require
> that the FreeIPA code learns how to delete the cookie when someone hits
> a logout button, but it would be otherwise transparent.
> 
> It would be especially useful for 3rd party clients that want to use the
> json/xmlrpc endpoints, as all they have to do is just support sending
> back cookies and they do not have to learn how to contact multiple
> endpoints to get credentials and then switch to the session only based
> ones.
> 
> Thoughts ?
> 
> Simo.

This is a good thing, Simo.  Yes.  -A

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
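
The session setup proposed in the quoted message, as an added example that is not part of the original thread or FreeIPA's shipped configuration: a minimal Apache location using mod_auth_gssapi's native sessions on top of mod_session and mod_session_cookie. The location path, keytab path, cookie name and session key are placeholders chosen for illustration.

```apache
# Requires mod_auth_gssapi, mod_session and mod_session_cookie to be loaded.
# /api, the keytab path and the cookie name are placeholders (assumptions).
<Location "/api">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/path/to/http.keytab

    # After the first successful Negotiate exchange, store the authenticated
    # principal in an encrypted, integrity-protected session so later
    # requests skip the GSSAPI round trip.
    GssapiUseSessions On

    # Without an explicit key the module generates a random one at startup,
    # which invalidates sessions on restart and across replicas. Set a shared
    # key only if sessions must survive those events, and protect this file
    # like the keytab.
    # GssapiSessionKey key:<BASE64_KEY_PLACEHOLDER>

    # mod_session carries the session in a cookie. Scope it to the protected
    # path and keep it off plain HTTP and out of reach of page scripts.
    Session On
    SessionCookieName gssapi_session path=/api;httponly;secure;

    Require valid-user
</Location>
```

A client only has to return the `gssapi_session` cookie on later requests. Logout then amounts to the application sending a `Set-Cookie` for the same name and path with an expiry in the past, which is the integration work the quoted message mentions.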