Well, looking at it I think it's already well documented at:

https://www.freeipa.org/page/Web_App_Authentication#Kerberos

So maybe it doesn't need any change, although a link to the RFC and being
more explicit about the HTTP/ thing would be better, I guess... but now I
feel that the documentation is OK and I was just dumb :-p

On Mon, Mar 11, 2019 at 11:22 AM Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Mon, 11 Mar 2019, Alex Corcoles via FreeIPA-users wrote:
> >On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy <aboko...@redhat.com>
> >wrote:
> >
> >>
> >> Yes, the naming of Kerberos principals is more or less historical. All
> >> browsers only request service tickets to HTTP/<hostname> principal. If
> >> you expect browsers to utilize GSSAPI, your target Kerberos service
> >> principal must be HTTP/..  according to
> >> https://tools.ietf.org/html/rfc4559 section 4.1.
> >>
> >Ah, thanks Alexander, that is actually very useful, as now I would like to
> >get the negotiation working across a reverse proxy (which I think is not
> >possible in the way I'd like to- I took it to
> >https://github.com/modauthgssapi/mod_auth_gssapi/issues/201 , but I'm not
> >sure that's the best place).
> >
> >BTW, I think this tidbit is not mentioned in the howtos in the wiki. I
> >think the wiki is not publicly editable, right? Could someone make a
> >visible note about that (the link to the RFC is quite interesting)?
> Can you point me to a page where you want it added?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>


-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
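
The HTTP/<hostname> rule quoted in the thread above, as an added example that is not part of the original messages or of FreeIPA: a check that the web server's keytab holds the principal a browser will ask for, given the URL the user actually types. The hostnames, realm, keytab path and `klist -k` listing are constructed, and the check assumes MIT `klist -k` output without `-t`/`-e` and no DNS canonicalization of the hostname by the client.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of MIT `klist -k` output (assumed format, no -t/-e flags).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- ----------------------------------------------------------
   1 HTTP/backend.example.test@EXAMPLE.TEST
   1 host/backend.example.test@EXAMPLE.TEST
   2 HTTP/www.example.test@EXAMPLE.TEST
"""

# A keytab entry line is "<kvno> <principal>"; header lines do not match.
_ENTRY = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def expected_principal(url, realm):
    """Principal a browser requests for this URL: HTTP/<hostname>@REALM.

    The service part is always the literal "HTTP", for https:// URLs too;
    scheme, port and path play no role in the name.
    """
    host = urlsplit(url).hostname  # lower-cased, port stripped
    if not host:
        raise ValueError(f"no hostname in URL: {url!r}")
    return f"HTTP/{host}@{realm}"


def keytab_principals(klist_text):
    """Set of principal names listed in `klist -k` output."""
    found = set()
    for line in klist_text.splitlines():
        m = _ENTRY.match(line)
        if m:
            found.add(m.group(1))
    return found


def check_url(url, realm, klist_text):
    """Return (principal, present): the name needed and whether the keytab has it."""
    principal = expected_principal(url, realm)
    return principal, principal in keytab_principals(klist_text)


if __name__ == "__main__":
    # Second URL: a front-end name (e.g. a reverse proxy) with no keytab entry.
    for url in ("https://www.example.test:8443/app", "https://proxy.example.test/"):
        name, ok = check_url(url, "EXAMPLE.TEST", SAMPLE_KLIST)
        print(f"{url}: needs {name}: {'present' if ok else 'MISSING'}")
```
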
