On Thu, 2016-03-10 at 15:03 +0100, Petr Vobornik wrote:
> Attaching also mod_auth_gssapi patch. If the approach is good, then I'd 
> send it as a push request to upstream git repo.
> Copr build of mod_auth_gssapi with the patch: 
> https://copr.fedorainfracloud.org/coprs/pvoborni/freeipa-4-3/build/167157/
> IPA patch attached uses the functionality.
> https://fedorahosted.org/freeipa/ticket/5653

I think the mod_auth_gssapi patch needs more work.

For one you are not storing the generated ccname in the cookie, which
means any following request using mod_auth_gssapi sessions will not be
able to point to the ccache file.

It is also not clear to me why you are using a timestamp and not just
call something like mkstemp() with a template, and add an option called
GssapiDelegCcacheTemplate instead.

The templated part would have to be saved in the session so that
following requests can keep using the same ccache file.

There are other minor niticks around naming stuff, but those can be
handled in the PR.

One thing I am still undecided about is deletion of the files, I'd like
to have a better option than "application must delete them", I was
thinking about keeping a record of the expiration time (not sure where
yet), and then provide a cron job or a systemd timer to clean up all
expired stuff.


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to