URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
As I noted in the ticket: "At most you may want to store it in 
/var/lib/ipa/somewhere, but we do not want to break sessions (there are people 
using APIs from non-interactive scripts) just because you needed to restart a 
service/server quickly.
These keys are considered long term keys, and should not be thrown away at each 

Let me also add that:
1. the directory needs to be writable by the apache user as the key is created 
the first time the server is started
2. only the apache user must be able to read this key

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to