<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 12/21/2011 02:07 PM, John Dennis wrote:
<blockquote cite="mid:4EF22E8D.3070405@redhat.com" type="cite">For
your holiday reading pleasure :-) Happy holidays to all.
</blockquote>
To answer a couple of questions that are almost certainly going to come up:<br>
<br>
When we first started discussing this a long while back, I looked
into what I still feel is the right long-term solution, but which
is not currently an option for release reasons.<br>
<br>
The most unified approach would extend mod_auth_krb to perform the
caching of the credentials. A set of files that are Kerberos
protected could have an additional specification that would stick
the Credential in the session.<br>
<br>
This requires mod_auth_krb to know about mod_session.
Unfortunately, due to the versions of Apache and how we configure it,
that does not work for IPA. Backporting mod_session to the version
of Apache shipped with RHEL 6 is a non-trivial undertaking. The
IPA server runs with Apache in pre-fork mode, which means that each
request is handled by a different process. Thus sessions, which
depend on shared state, become a much heavier-weight proposal. <br>
<br>
In the future I would like to revisit this issue and attempt to
integrate the change into mod_auth_krb.<br>
</body>
</html>