using kerberos to authenticate for a web api
Simo Sorce
simo at redhat.com
Tue Nov 5 09:50:14 EST 2013
On Tue, 2013-11-05 at 15:12 +0100, Mark Pröhl wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 05.11.2013 13:48, Simo Sorce wrote:
> > I am not sure about upstream but the version we distribute in
> > Fedora and RHEL has Constrained delegation support (specifically
> > S4U2Proxy).
> Is the S4U support in Fedora mod_auth_kerb configurable? Can it be
> used to delegate to any backend service or can it just be used in ipa
> admin gui for delegation to 389 ldap? For example, it would be nice to
> use S4U in a webmail application to get imap tickets. Would that be
> possible?
What it does is to give you a ccache that you can then use to
gss_init_sec_context() against any service using the evidence ticket as
proof to obtain new tickets. If the KDC allows you, that is.
So as long as the webmail app retains the ccache (passed through an
apache environment variable) and uses it to init its connection, it will
work.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Kerberos
mailing list