On Thu, 2016-03-10 at 15:03 +0100, Petr Vobornik wrote:
> Attaching also mod_auth_gssapi patch. If the approach is good, then I'd
> send it as a push request to upstream git repo.
>
> Copr build of mod_auth_gssapi with the patch:
> https://copr.fedorainfracloud.org/coprs/pvoborni/freeipa-4-3/build/167157/
>
> IPA patch attached uses the functionality.
>
> https://fedorahosted.org/freeipa/ticket/5653

I think the mod_auth_gssapi patch needs more work.

For one, you are not storing the generated ccname in the cookie, which means any following request using mod_auth_gssapi sessions will not be able to point to the ccache file.

It is also not clear to me why you are using a timestamp and not just calling something like mkstemp() with a template, and adding an option called GssapiDelegCcacheTemplate instead. The templated part would have to be saved in the session so that following requests can keep using the same ccache file.

There are other minor nitpicks around naming stuff, but those can be handled in the PR.

One thing I am still undecided about is deletion of the files. I'd like to have a better option than "application must delete them". I was thinking about keeping a record of the expiration time (not sure where yet), and then providing a cron job or a systemd timer to clean up all expired stuff.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
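
The following C sketch is an added example, not part of the message above and not mod_auth_gssapi code. It illustrates the suggestion of creating the ccache file with mkstemp() from a template and keeping only the templated part in the session. The function names and the sample template are hypothetical, and it assumes mkstemp() fills the placeholder with alphanumeric characters, as glibc does.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SUFFIX_LEN 6 /* mkstemp() replaces the trailing "XXXXXX" */

/* Hypothetical helper: template must end in "XXXXXX" and fit the buffer. */
static int tmpl_ok(const char *tmpl, size_t pathlen)
{
    size_t len = strlen(tmpl);
    return len >= SUFFIX_LEN && len < pathlen &&
           strcmp(tmpl + len - SUFFIX_LEN, "XXXXXX") == 0;
}

/* Create the ccache file. On success (0), `path` holds the full name and
 * `suffix` the random part, which is the only value the session must keep. */
int ccache_create(const char *tmpl, char *path, size_t pathlen,
                  char suffix[SUFFIX_LEN + 1])
{
    size_t len = strlen(tmpl);
    if (!tmpl_ok(tmpl, pathlen))
        return -1;
    memcpy(path, tmpl, len + 1);
    int fd = mkstemp(path); /* exclusive create, mode 0600, unpredictable name */
    if (fd < 0)
        return -1;
    close(fd);
    memcpy(suffix, path + len - SUFFIX_LEN, SUFFIX_LEN + 1);
    return 0;
}

/* Rebuild the path on a later request. The suffix read from the session is
 * accepted only as six alphanumerics, so it cannot redirect the path. */
int ccache_from_session(const char *tmpl, const char *suffix,
                        char *path, size_t pathlen)
{
    size_t len = strlen(tmpl);
    if (!tmpl_ok(tmpl, pathlen) || strlen(suffix) != SUFFIX_LEN)
        return -1;
    for (size_t i = 0; i < SUFFIX_LEN; i++)
        if (!isalnum((unsigned char)suffix[i]))
            return -1;
    memcpy(path, tmpl, len - SUFFIX_LEN);
    memcpy(path + len - SUFFIX_LEN, suffix, SUFFIX_LEN + 1);
    return 0;
}
```

Unlike a timestamp-derived name, the mkstemp() name cannot be guessed in advance and the file is created exclusively, so a pre-planted file or symlink at the target path makes creation fail instead of being reused.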
