Announcing mod_auth_gssapi
Simo Sorce
simo at redhat.com
Fri Aug 15 08:39:02 EDT 2014
On Fri, 2014-08-15 at 10:04 +0200, Rick van Rein wrote:
> Hello Simo,
>
> > I have recently released a new module for Apache called mod_auth_gssapi
> > to modernize a little bit on the ancient and substantially unmaintained
> > mod_auth_kerb.
>
> Splendid, thank you very much!
>
> Have you considered including advanced facilities like S4U2Proxy
> (and perhaps S4U2Self) with Constrained Delegation?

mod_auth_gssapi does support exporting the evidence ticket to a ccache
so that the web application can use it to perform s4u2proxy requests
using the "delegated" ticket.

> It could be
> helpful with many things, for instance WebSockets to IMAP / SMTP
> for webmail applications.

Indeed, this is one of the primary use cases; we have a patch in
RHEL/Fedora's mod_auth_kerb too to do this.

> Are you, or is anyone else, aware of a similar facility for Nginx?

No, but if the code does not require enormous changes I could consider
restructuring it to build an nginx module too (patches would also be
welcome :-)

Simo.
--
Simo Sorce * Red Hat, Inc * New York
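
An added example, not part of the original message and not the author's own configuration: a sketch of the ccache export for s4u2proxy described above. The directive names are the ones documented in the mod_auth_gssapi README and should be checked against the installed version; the location, keytab and ccache paths are constructed placeholders.

```apache
# Constructed example: protect a webmail location with GSSAPI and export
# the delegated credentials so the application can make s4u2proxy requests.
<Location /webmail>
    AuthType GSSAPI
    AuthName "Kerberos Login"
    Require valid-user

    # Acceptor keytab for the HTTP service principal. The same keytab is
    # used as client keytab so the module can obtain the service's own TGT,
    # which is needed to request tickets on behalf of the user.
    GssapiCredStore keytab:/etc/httpd/http.keytab
    GssapiCredStore client_keytab:/etc/httpd/http.keytab
    GssapiCredStore ccache:FILE:/run/httpd/krb5ccache

    # Use the client's service ticket as evidence for constrained delegation.
    GssapiUseS4U2Proxy On

    # One ccache per authenticated principal is written here, and KRB5CCNAME
    # in the request environment points the application at it.
    # Keep this directory owned by the web server user with mode 0700:
    # anything that can read these files can act as the user toward the
    # services the KDC allows.
    GssapiDelegCcacheDir /run/httpd/clientcaches
</Location>
```

The KDC must separately authorize the HTTP service principal to delegate to each backend (for example the IMAP or SMTP service); keeping that list to the backends the application actually uses limits what a compromised web server can reach.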