[36389] in Kerberos

Re: Announcing mod_auth_gssapi

daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Aug 15 08:39:23 2014

Message-ID: <1408106342.15168.42.camel@willson.usersys.redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Rick van Rein <rick@openfortress.nl>
Date: Fri, 15 Aug 2014 08:39:02 -0400
In-Reply-To: <5E2F591B-75ED-4398-A74E-DE1652A92EF5@openfortress.nl>
Cc: kerberos@mit.edu

On Fri, 2014-08-15 at 10:04 +0200, Rick van Rein wrote:
> Hello Simo,
> 
> > I have recently released a new module for Apache called mod_auth_gssapi
> > to modernize a little bit on the ancient and substantially unmaintained
> > mod_auth_kerb.
> 
> Splendid, thank you very much!
> 
> Have you considered including advanced facilities like S4U2Proxy
> (and perhaps S4U2Self) with Constrained Delegation?

mod_auth_gssapi does support exporting the evidence ticket to a ccache
so that the web application can use it to perform s4u2proxy requests
using the "delegated" ticket.

>   It could be
> helpful with many things, for instance WebSockets to IMAP / SMTP
> for webmail applications.

Indeed this is one of the primary use cases, we have a patch in
RHEL/Fedora's mod_auth_kerb too to do this.

> Are you, or is anyone else, aware of a similar facility for Nginx?

No, but if the code does not require enormous changes I could consider
restructuring it to build an nginx module too (patches would also be
welcome :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos