On 03/31/2015 08:04 AM, Jan Cholasta wrote: > Dne 30.3.2015 v 22:09 Adam Young napsal(a): >> On 03/30/2015 11:52 AM, Simo Sorce wrote: >>> Since we now merged in a change from mod_auth_kerb to mod_auth_gssapi I >>> was wondering if we want to press further and emable by default the use >>> of native mod_auth_gssapi sessions ? >>> >>> The old mod_auth_kerb didn't have this feature so, in order to have >>> decent performace we introduced split paths where some are always >>> incurring the full negotiate penalty and other are and instead rely on a >>> session cookie. >>> >>> mod_auth_gssapi can be configured to use a session cookie directly which >>> avoids the negotiate auth performance hit. Integration would require >>> that the FreeIPA code learns how to delete the cookie when someone hits >>> a logout button, but it would be otherwise transparent. >>> >>> It would be especially useful for 3rd party clients that want to use the >>> json/xmlrpc enpoints, as all they have to do is just support sending >>> back cookies and they do not have to learn how to contact multiple >>> endopints to get credentials and then switch to the session only based >>> ones. >>> >>> Thoughts ? >>> >>> Simo. >>> >> I always wanted this. It would be awesome, very valuable. > > Yes please.
We should have a ticket with all the details then... > >> >> REcall that when we looked into it we were on Apache 1.3, and seesion >> support, mod_seesion, was not avaialble. Fairly certain the landscape >> has changed since then. >> > -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code