On 2007-07-03 14:51, Yves Martin wrote:
> On Tue, 2007-07-03 at 13:20 +0100, Joe Orton wrote:
> > On Tue, Jul 03, 2007 at 01:32:55PM +0200, Yves Martin wrote:
> > > My proposal:
> > > 1. DNS lookup of original serverName ("vhost.domain.com")
> > > 2. Reverse DNS each IP address returned by "ne_addr_resolve"
> > > 3. First result is used as SPN in "HTTP/main.domain.com"
> >
> > This seems reasonable to me. Not sure I understand why the SSPI
> > libraries don't do this automatically but if it is done in GSSAPI, but
> > so be it!
>
> That is a good point. I will look at GSSAPI sources to know more about
> its behavior.
>
> By the way, why not compile neon against MIT kerberos GSSAPI library on
> win32 too instead of using SSPI ? I mean "is it possible to do it ?"
Can we be cautious about implementing DNS-based SPN canonicalization? I've been working for the last few weeks on updating my employer's Subversion architecture to use mod_auth_kerb for SSO and it's been quite the chore, in part because of inconsistent reverse DNS. Before proceeding, I hope the ideas in this thread will be considered: http://mailman.mit.edu/pipermail/kerberos/2005-July/008167.html

I'm obviously working on a similar project, but I'm using mod_auth_kerb rather than SSPI. The primary perk for mod_auth_kerb rather than SSPI is support on non-Windows clients and support for non-Windows KDCs. Ironically enough, Apache itself is running on Windows.

Here are the three things of note so far:

1. I've compiled Tortoise against MIT GSSAPI, and yes, it all works great... as long as the client has MIT KFW installed, and makes sure they're using the correct ticket cache. If you're using Active Directory, you need to change the ticket cache to the MSLSA: cache.

2. I've hacked up mod_auth_kerb to support multiple SPNs on the server side, so if you have a machine which tends to canonicalize to different SPNs (mine canonicalizes into at least 7) you can still get everything to work.

3. I've discovered that stock TortoiseSVN 1.4.4 crashes after authenticating to the web server. The version I've built against MIT works fine.

--
Alec Kloss [EMAIL PROTECTED] IM: [EMAIL PROTECTED]
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
The mountain called Monkey had spoken. There was only fire. -Gorillaz
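To make the two sides of this thread concrete, here is an added example (not neon's or mod_auth_kerb's code) of the proposed three-step SPN canonicalization, run against constructed DNS tables in which the reverse records for one vhost disagree, together with a server-side acceptor that takes the whole set of candidate SPNs rather than just the first one. The resolver callables are injectable so it runs offline; `system_resolvers()` shows how the standard socket calls would be plugged in for live use.

```python
"""Added example: DNS-based SPN canonicalization (forward lookup, reverse
lookup of each address, SPN from the canonical name) and server-side
acceptance of every SPN a host may canonicalize to."""
import socket

# Constructed sample records (not real DNS): one vhost with two addresses
# whose PTR records disagree, so it canonicalizes into two different SPNs.
FORWARD = {"vhost.domain.com": ["192.0.2.10", "192.0.2.11"]}
REVERSE = {"192.0.2.10": "main.domain.com", "192.0.2.11": "web2.domain.com"}


def candidate_spns(server_name, forward=FORWARD.get, reverse=REVERSE.get,
                   service="HTTP"):
    """Steps 1-3 of the proposal, kept for every address instead of only the
    first: forward-resolve server_name, reverse each address, and build one
    SPN per distinct canonical host. Addresses without a PTR record are
    skipped so no SPN with an empty host part is produced. Host names are
    lower-cased here purely to de-duplicate consistently."""
    spns = []
    for ip in forward(server_name) or []:
        host = reverse(ip)
        if not host:
            continue
        spn = f"{service}/{host.lower().rstrip('.')}"
        if spn not in spns:
            spns.append(spn)
    return spns


def proposed_spn(server_name, **resolvers):
    """Exactly what the proposal would use: the first result, or None."""
    spns = candidate_spns(server_name, **resolvers)
    return spns[0] if spns else None


def system_resolvers():
    """Live resolvers built on the standard socket module (network needed)."""
    def forward(name):
        return socket.gethostbyname_ex(name)[2]

    def reverse(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except socket.herror:
            return None
    return forward, reverse


class MultiSpnAcceptor:
    """Server side: accept any SPN in the candidate set, which is what lets a
    host that reverse-resolves inconsistently still authenticate clients."""
    def __init__(self, spns):
        self.accepted = {s.lower() for s in spns}

    def accepts(self, presented_spn):
        return presented_spn.lower() in self.accepted
```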
_______________________________________________ neon mailing list [email protected] http://mailman.webdav.org/mailman/listinfo/neon
