On 03/31/2015 08:04 AM, Jan Cholasta wrote:
> Dne 30.3.2015 v 22:09 Adam Young napsal(a):
>> On 03/30/2015 11:52 AM, Simo Sorce wrote:
>>> Since we now merged in a change from mod_auth_kerb to mod_auth_gssapi I
>>> was wondering if we want to press further and emable by default the use
>>> of native mod_auth_gssapi sessions ?
>>> The old mod_auth_kerb didn't have this feature so, in order to have
>>> decent performace we introduced split paths where some are always
>>> incurring the full negotiate penalty and other are and instead rely on a
>>> session cookie.
>>> mod_auth_gssapi can be configured to use a session cookie directly which
>>> avoids the negotiate auth performance hit. Integration would require
>>> that the FreeIPA code learns how to delete the cookie when someone hits
>>> a logout button, but it would be otherwise transparent.
>>> It would be especially useful for 3rd party clients that want to use the
>>> json/xmlrpc enpoints, as all they have to do is just support sending
>>> back cookies and they do not have to learn how to contact multiple
>>> endopints to get credentials and then switch to the session only based
>>> ones.
>>> Thoughts ?
>>> Simo.
>> I always wanted this.  It would be awesome, very valuable.
> Yes please.

We should have a ticket with all the details then...

>> REcall that when we looked into it we were on Apache 1.3, and seesion
>> support, mod_seesion, was not avaialble.  Fairly certain the landscape
>> has changed since then.

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to