On Mon, 2015-03-30 at 11:52 -0400, Simo Sorce wrote: > Since we now merged in a change from mod_auth_kerb to > mod_auth_gssapi I > was wondering if we want to press further and emable by default the > use > of native mod_auth_gssapi sessions ? > > The old mod_auth_kerb didn't have this feature so, in order to have > decent performace we introduced split paths where some are always > incurring the full negotiate penalty and other are and instead rely > on a > session cookie. > > mod_auth_gssapi can be configured to use a session cookie directly > which > avoids the negotiate auth performance hit. Integration would require > that the FreeIPA code learns how to delete the cookie when someone > hits > a logout button, but it would be otherwise transparent. > > It would be especially useful for 3rd party clients that want to use > the > json/xmlrpc enpoints, as all they have to do is just support sending > back cookies and they do not have to learn how to contact multiple > endopints to get credentials and then switch to the session only > based > ones. > > Thoughts ?
+1. It is about time. :) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code