Hello,

Good to hear that this is integrated into Fedora and/or FreeIPA.

> gss_init_sec_context() against any service using the evidence ticket as
> proof to obtain new tickets. If the KDC allows you, that is.
> Absolute freedom within the confines of Constrained Delegation.

Clear.

> So as long as the webmail app retains the ccache (passed through an
> apache environment variable) and uses it to init its connection, it will
> work.
>

Aj, that's not what I had in mind when I mentioned S4U2Proxy in relation
to mod_auth_kerb. You are making the ccache available to an environment
wrought with ill-maintained (and regularly ill-written) code. I would
have expected a way to delegate a limited, outward credential, or better
even, an API (like GSSAPI) to talk to by select scripts in a proxy-client
role.

Am I mistaken, or does this approach say "hijack any script on this
vhost (or under this location/directory) and gain access to all the
backend services available to the user?"

Rick van Rein
OpenFortress

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
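The exposure Rick describes is a configuration-scope question: whichever requests mod_auth_kerb saves credentials for are the requests whose scripts inherit KRB5CCNAME and, with S4U2Proxy, the ability to obtain tickets to every backend the KDC permits for that user. The following is an added illustration, not configuration from the thread or from the mod_auth_kerb project. It assumes a vhost named webmail.example.com, the realm EXAMPLE.COM, the keytab path /etc/httpd/conf/http.keytab, a gateway script at /imap-gateway/gateway.cgi, the stock directive KrbSaveCredentials, and a directive named KrbConstrainedDelegation, which is the name I recall from the Fedora S4U2Proxy patch; check it against your build before relying on it.

```apache
# Added illustration, not from the thread. Two alternative files; load one.
# Assumed: vhost webmail.example.com, realm EXAMPLE.COM, keytab path,
# gateway script path, and the directive name KrbConstrainedDelegation
# (Fedora S4U2Proxy patch; verify against your mod_auth_kerb build).

# ---- conf.d/webmail-exposed.conf -------------------------------------
# Credentials are saved for every request under /, so every PHP or CGI
# script on the vhost sees KRB5CCNAME pointing at the user's ccache and
# can run S4U2Proxy against any backend the KDC allows.
<VirtualHost *:443>
    ServerName webmail.example.com
    DocumentRoot /var/www/webmail

    <Location />
        AuthType Kerberos
        AuthName "Webmail"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbConstrainedDelegation On
        KrbSaveCredentials On
        Require valid-user
    </Location>
</VirtualHost>

# ---- conf.d/webmail-narrowed.conf ------------------------------------
# The whole vhost still authenticates with Kerberos, but only the one
# script acting in the proxy-client role receives KRB5CCNAME.
<VirtualHost *:443>
    ServerName webmail.example.com
    DocumentRoot /var/www/webmail

    <Location />
        AuthType Kerberos
        AuthName "Webmail"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbSaveCredentials Off
        Require valid-user
    </Location>

    # Only requests to the gateway script get a saved ccache and the
    # evidence ticket needed for S4U2Proxy.
    <Location /imap-gateway/gateway.cgi>
        KrbConstrainedDelegation On
        KrbSaveCredentials On
    </Location>
</VirtualHost>
```

The narrowed form only reduces the accidental surface; it does not answer Rick's objection. Every script on the vhost still runs as the httpd user, and the ccache files mod_auth_kerb writes are owned by that user, so a compromised script under another Location can still open them from the cache directory once it knows the path. Confining the ccache to a script that actually runs under a different uid (a separate FastCGI pool or suexec'd CGI) is what turns the Location boundary into a real one, and even then the credential handed over is the full S4U2Proxy capability rather than the limited outward credential the message asks for.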