Dear Sumit:

I heard from Mike Orazi that Dmitry recommended you as an expert in Kerberos issues. I am working on adding authentication/authorization to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented with GNU Microhttpd. The general plan is to use FreeIPA as the auth provider, but for now I have a different question: what protocol should I implement for HTTP transactions?

The client is expected to use Kerberos to obtain a session ticket, and something like that happens on the server as well. Then, the HTTP is authenticated and authorized. So far, I gather that so-called "SPNEGO" protocol is what everyone uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121). There's also a "Kerberos on Windows" thing (4559), which actually defines the key pieces such as "WWW-Authenticate: Negotiate".

The one strange thing though is that curl seems to imply having support for "Negotiate" authentication type separate from SPNEGO. Fedora, while being the main target for FreeIPA, ships curl without SPNEGO. So, I suspect that I may be missing a protocol to implement.

Yours,
-- Pete

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
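Added example (not part of the original message and not iwhd code): a GSS-API initial context token names its mechanism by OID (RFC 2743, section 3.1), so a server can tell whether the token in an `Authorization: Negotiate` header is SPNEGO-wrapped or a bare Kerberos 5 token, which is the distinction the message raises. The function and enum names are hypothetical, and only the first token of an exchange is handled.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

enum neg_mech { NEG_INVALID, NEG_SPNEGO, NEG_KRB5, NEG_OTHER };

/* DER-encoded mechanism OIDs (value bytes only). */
static const unsigned char OID_SPNEGO[] =            /* 1.3.6.1.5.5.2 */
    {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
static const unsigned char OID_KRB5[] =              /* 1.2.840.113554.1.2.2 */
    {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};

/* Decode at most cap bytes of base64; returns bytes written, -1 on a bad character. */
static int b64_prefix(const char *s, unsigned char *out, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *s && *s != '=' && n < cap; s++) {
        const char *p = strchr(tbl, *s);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned)(p - tbl);
        if ((bits += 6) >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return (int)n;
}

/* hdr is the header value, e.g. "Negotiate YII...". Only the token prefix is inspected. */
enum neg_mech classify_negotiate(const char *hdr)
{
    unsigned char t[32];
    size_t i = 1, oidlen;
    int n;
    if (strncasecmp(hdr, "Negotiate ", 10) != 0) return NEG_INVALID;
    n = b64_prefix(hdr + 10, t, sizeof t);
    if (n < 4 || t[0] != 0x60) return NEG_INVALID;   /* no GSS-API framing, e.g. NTLM */
    if (t[1] & 0x80) i += t[1] & 0x7f;               /* skip long-form DER length */
    i++;
    if (i + 2 > (size_t)n || t[i] != 0x06) return NEG_INVALID;
    oidlen = t[i + 1];
    i += 2;
    if (i + oidlen > (size_t)n) return NEG_INVALID;
    if (oidlen == sizeof OID_SPNEGO && !memcmp(t + i, OID_SPNEGO, oidlen)) return NEG_SPNEGO;
    if (oidlen == sizeof OID_KRB5 && !memcmp(t + i, OID_KRB5, oidlen)) return NEG_KRB5;
    return NEG_OTHER;
}
```

A server that accepts both framings would hand either token to its GSS-API acceptor; this check is useful for logging or for rejecting mechanisms it does not intend to support.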