On Mon, 2015-03-30 at 11:52 -0400, Simo Sorce wrote:
> Since we now merged in a change from mod_auth_kerb to mod_auth_gssapi I
> was wondering if we want to press further and enable by default the use
> of native mod_auth_gssapi sessions?
> 
> The old mod_auth_kerb didn't have this feature so, in order to have
> decent performance, we introduced split paths where some are always
> incurring the full negotiate penalty and others instead rely on a
> session cookie.
> 
> mod_auth_gssapi can be configured to use a session cookie directly, which
> avoids the negotiate auth performance hit. Integration would require
> that the FreeIPA code learns how to delete the cookie when someone hits
> a logout button, but it would be otherwise transparent.
> 
> It would be especially useful for 3rd party clients that want to use the
> json/xmlrpc endpoints, as all they have to do is just support sending
> back cookies and they do not have to learn how to contact multiple
> endpoints to get credentials and then switch to the session-only based
> ones.
> 
> Thoughts?

+1. It is about time. :)

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
