Dne 30.3.2015 v 22:09 Adam Young napsal(a):
On 03/30/2015 11:52 AM, Simo Sorce wrote:
Since we now merged in a change from mod_auth_kerb to mod_auth_gssapi I
was wondering if we want to press further and emable by default the use
of native mod_auth_gssapi sessions ?
The old mod_auth_kerb didn't have this feature so, in order to have
decent performace we introduced split paths where some are always
incurring the full negotiate penalty and other are and instead rely on a
session cookie.
mod_auth_gssapi can be configured to use a session cookie directly which
avoids the negotiate auth performance hit. Integration would require
that the FreeIPA code learns how to delete the cookie when someone hits
a logout button, but it would be otherwise transparent.
It would be especially useful for 3rd party clients that want to use the
json/xmlrpc enpoints, as all they have to do is just support sending
back cookies and they do not have to learn how to contact multiple
endopints to get credentials and then switch to the session only based
ones.
Thoughts ?
Simo.
I always wanted this. It would be awesome, very valuable.
Yes please.
REcall that when we looked into it we were on Apache 1.3, and seesion
support, mod_seesion, was not avaialble. Fairly certain the landscape
has changed since then.
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
