On Thu, Nov 12, 2015 at 07:46:25PM +1000, Fraser Tweedale wrote:
> On Thu, Nov 12, 2015 at 08:34:11AM +0100, Jan Pazdziora wrote:
> >
> > I'm a bit confused. Do you try to do the authentication in tomcat
> > or do you try to front-end tomcat with Apache? If you do it in tomcat
> > itself (like the investigation seems to suggest), what is the role
> > of mod_lookup_identity here?
>
> No Apache, no mod_lookup_identity. But a Tomcat Realm
> implementation that does a lookup of principal info via SSSD via
> D-Bus, like what mod_lookup_identity does for Apache.
In general, that is what we tell people not to do. The goal is to use
external authentication and identity operations in the frontend server
(Apache) and applications / frameworks consuming the results. The benefit
of this approach is that you don't have to reimplement things when you,
say, want to support an additional protocol -- hopefully, the platform
will do it for you in the form of Apache modules. The mod_auth_openidc is
a prime example -- ideally, any application that consumes results of
external authentication (which was initially done for example to support
Kerberos) gets OpenID Connect for free, just by reconfiguring the
frontend Apache HTTP Server.

--
Jan Pazdziora | adelton at #ipa*, #brno
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
Pki-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-devel
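As an added example, not code from this thread or from either project, here is the application side of the model described above: a WSGI application behind Apache that consumes the REMOTE_USER set by the authentication module (mod_auth_gssapi, mod_auth_openidc, ...) and the REMOTE_USER_GROUPS variable mod_lookup_identity exports, and never sees which protocol authenticated the client. The variable names are mod_lookup_identity defaults; the ":" group separator is assumed and the sample environs are constructed.

```python
from typing import Callable, Iterable

# Identity variables the Apache frontend exports into the request environment.
# Names follow mod_lookup_identity's defaults; the ":" separator is assumed.
USER_VAR = "REMOTE_USER"
GROUPS_VAR = "REMOTE_USER_GROUPS"
GROUP_SEP = ":"

def identity_from_environ(environ: dict) -> tuple[str, frozenset[str]]:
    """Return (user, groups) as established by the frontend.

    Only server-set variables are consulted, never client HTTP_* headers, so a
    client cannot inject an identity. Empty REMOTE_USER means the frontend did
    not authenticate the request (or is misconfigured): refuse to proceed.
    """
    user = environ.get(USER_VAR, "").strip()
    if not user:
        raise PermissionError("no authenticated user from frontend")
    raw = environ.get(GROUPS_VAR, "")
    groups = frozenset(g for g in raw.split(GROUP_SEP) if g)
    return user, groups

def make_app(required_group: str) -> Callable:
    """WSGI app authorizing on the frontend's group list; the auth protocol
    (Kerberos, OpenID Connect, ...) is purely an Apache configuration matter."""
    def app(environ, start_response) -> Iterable[bytes]:
        try:
            user, groups = identity_from_environ(environ)
        except PermissionError:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"frontend did not authenticate the request\n"]
        if required_group not in groups:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"{user} is not in {required_group}\n".encode()]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"hello {user}\n".encode()]
    return app

# Constructed environs standing in for what mod_wsgi would pass after Apache
# authenticated the client and mod_lookup_identity filled in the groups.
SAMPLE_OK = {"REMOTE_USER": "alice@EXAMPLE.TEST", "REMOTE_USER_GROUPS": "admins:ipausers"}
SAMPLE_NO_GROUP = {"REMOTE_USER": "bob@EXAMPLE.TEST", "REMOTE_USER_GROUPS": "ipausers"}
SAMPLE_UNAUTH = {"HTTP_REMOTE_USER": "alice@EXAMPLE.TEST"}  # header only: ignored

def run(app, environ) -> tuple[str, bytes]:
    """Drive a WSGI app once and return (status, body) for inspection."""
    status_holder = []
    body = b"".join(app(environ, lambda status, headers: status_holder.append(status)))
    return status_holder[0], body
```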
