On Tue, Aug 02, 2016 at 05:57:38PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Aug 2016, Rob Crittenden wrote:
> >
> > How/where does the UI get a Kerberos ticket for the user?
> That's indeed a problem -- even with the PKINIT support in KDC that Simo
> is polishing up now, we don't have a way to obtain a ticket on behalf of
> the user because Apache would terminate the SSL negotiation and we
> wouldn't be able to use the user's certificate to do PKINIT negotiation to
> obtain a ticket as the user and then continue running on their behalf.
> Nor would we get any Kerberos ticket from the client side.
The current idea is to use S4U2Self and the GssapiImpersonate feature of
mod_auth_gssapi 1.4.0, similar to the approach from
http://www.freeipa.org/page/V4/External_Authentication/NSS_Impersonation

Tibor has done the investigation for FreeIPA and is working on some
polished instructions for the FreeIPA WebUI.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
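The wiring Jan describes, as an added illustration that is not part of this thread and not FreeIPA's or mod_auth_gssapi's own configuration: mod_ssl terminates TLS and verifies the client certificate, sets the Apache request user from the certificate, and mod_auth_gssapi with GssapiImpersonate On then uses S4U2Self against the HTTP service keytab to obtain a ticket for that user and writes it to a per-request ccache that the application behind the Location can use. The paths, the Location, the realm and the choice of SSL_CLIENT_S_DN_CN as the principal source are assumptions for the example; the directive names are those of mod_ssl and mod_auth_gssapi, but whether this exact combination is what Tibor's instructions end up using is not stated on the page.

```apache
# Added example, not FreeIPA's shipped ipa.conf. All paths and names are assumed.
<Location "/ipa/session/login_x509">
    # mod_ssl: require and verify a client certificate. Only the CA that issues
    # user certificates may appear here; any certificate this CA accepts with a
    # matching CN becomes that Kerberos user below, so this file is the trust root
    # for the whole mapping.
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /etc/ipa/ca.crt
    SSLOptions           +StdEnvVars

    # Put the certificate subject CN into the request's user field
    # (assumed mapping: CN must equal the Kerberos principal short name).
    SSLUserName          SSL_CLIENT_S_DN_CN

    # mod_auth_gssapi 1.4.0: do not negotiate with the client; instead use
    # S4U2Self with the HTTP/ service credentials to get a ticket for the
    # user already set by mod_ssl, and drop it into a per-request ccache.
    AuthType             GSSAPI
    AuthName             "Certificate login"
    GssapiAllowedMech    krb5
    GssapiCredStore      keytab:/etc/httpd/conf/ipa.keytab
    GssapiCredStore      client_keytab:/etc/httpd/conf/ipa.keytab
    GssapiImpersonate    On
    GssapiUseS4U2Proxy   On
    GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
    Require              valid-user
</Location>
```

Two caveats a deployer would want to check before copying this. First, S4U2Self by itself only gives the HTTP service a ticket for the user to the HTTP service itself; for the web application to talk to LDAP (or anything else) as that user it needs S4U2Proxy, which is why GssapiUseS4U2Proxy is on, and that additionally requires the KDC to allow HTTP/ to delegate to ldap/ (in FreeIPA this is expressed with service delegation rules and targets, which this example assumes are already in place). Second, once the KDC allows the HTTP service to impersonate users, the certificate-to-user mapping is the entire access-control decision, so the accepted CA set and the CN-to-principal rule above deserve the same scrutiny as a password database.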