using kerberos to authenticate for a web api

Simo Sorce simo at
Tue Nov 5 09:50:14 EST 2013

On Tue, 2013-11-05 at 15:12 +0100, Mark Pröhl wrote:
> Hash: SHA256
> On 05.11.2013 13:48, Simo Sorce wrote:
> > I am not sure about upstream but the version we distribute in
> > Fedora and RHEL has Constrained delegation support (specifically
> > S4U2Proxy).
> Is the S4U support in Fedora mod_auth_kerb configurable? Can it be
> used to delegate to any backend service or can it just be used in ipa
> admin gui for delegation to 389 ldap? For example, it would be nice to
> use S4U in a webmail application to get imap tickets. Would that be
> possible?

What it does is to give you a ccache that you can then use to
gss_init_sec_context() against any service using the evidence ticket as
proof to obtain new tickets. If the KDC allows you, that is.

So as long as the webmail app retains the ccache (passed through an
apache environment variable) and uses it to init its connection, it will


Simo Sorce * Red Hat, Inc * New York

More information about the Kerberos mailing list