[Freeipa-devel] plugin limitations and more URL modifications
John Dennis
jdennis at redhat.com
Fri Feb 24 18:32:48 UTC 2012
On 02/24/2012 01:18 PM, John Dennis wrote:
> * Move the existing /ipa/login URL to /ipa/session/login_kerberos. The
> URL change is to be consistent with the above new URL. The URL change
> reflects the fact it is only used to initialize a session when the user
> already has a valid kerberos ticket. As before it obtains the
> credentials established by mod_auth_kerb and stores them in a session.

I may not have been entirely clear; a great question to ask is:

"Why can't session login via either existing TGT or password be shared
on a common /ipa/login URL? Why do we need different URLs?"

Because the former needs to be protected by mod_auth_kerb in Apache and
the latter needs to be unprotected by Apache, thus you need distinct URLs.

--
John Dennis <jdennis at redhat.com>
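
The split described in the message above, sketched as an Apache configuration fragment. This is an added example, not part of the original post and not FreeIPA's own configuration: the realm, the keytab path and the password-login URL are assumed placeholders, and the access-control syntax assumes Apache 2.4.

```apache
# Added illustration. EXAMPLE.COM, the keytab path and the
# /ipa/session/login_password URL are assumed placeholders.

# Session login from an existing TGT: Apache (mod_auth_kerb) must
# authenticate the request via Negotiate before the application sees it,
# and save the resulting credentials so the application can store them
# in the session.
<Location "/ipa/session/login_kerberos">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    # Do not fall back to Basic-auth password prompting on this URL.
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/example.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>

# Session login by password: the client has no ticket yet, so Apache must
# let the request through unauthenticated and the application validates
# the submitted password itself. Because Apache does no authentication
# here, the application is the only gate on this URL.
<Location "/ipa/session/login_password">
    # Credentials travel in the request body, so refuse plain HTTP.
    SSLRequireSSL
    Require all granted
</Location>
```

A single `<Location>` cannot both demand `Require valid-user` through Negotiate and admit clients that hold no ticket, which is why the two login methods end up on separate paths.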