On Tue, Aug 02, 2016 at 05:57:38PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Aug 2016, Rob Crittenden wrote:
> >
> > How/where does the UI get a Kerberos ticket for the user?
> That's indeed a problem -- even with the PKINIT support in KDC that Simo
> is polishing up now, we don't have a way to obtain a ticket on behalf of
> the user because Apache would terminate the SSL negotiation and we
> wouldn't be able to use user's certificate to do PKINIT negotiation to
> obtain a ticket as a user and then continue running on its behalf.
> Neither we would get any Kerberos ticket from the client side.
The current idea is to use S4U2Self and the GssapiImpersonate feature
of mod_auth_gssapi 1.4.0, similar to the approach from
http://www.freeipa.org/page/V4/External_Authentication/NSS_Impersonation
Tibor has done the investigation for FreeIPA and is working on some
polished instructions for the FreeIPA WebUI.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
