On Tue, Aug 02, 2016 at 05:57:38PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Aug 2016, Rob Crittenden wrote:
> > 
> > How/where does the UI get a Kerberos ticket for the user?
> That's indeed a problem -- even with the PKINIT support in KDC that Simo
> is polishing up now, we don't have a way to obtain a ticket on behalf of
> the user because Apache would terminate the SSL negotiation and we
> wouldn't be able to use the user's certificate to do PKINIT negotiation to
> obtain a ticket as a user and then continue running on its behalf.
> Neither would we get any Kerberos ticket from the client side.

The current idea is to use S4U2Self and the GssapiImpersonate feature
of mod_auth_gssapi 1.4.0, similar to the approach from


Tibor has done the investigation for FreeIPA and is working on some
polished instructions for the FreeIPA WebUI.

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
