[Freeipa-devel] Use sessions for mod_auth_gssapi ?

Simo Sorce simo at redhat.com
Mon Mar 30 15:52:07 UTC 2015


Since we now merged in a change from mod_auth_kerb to mod_auth_gssapi I
was wondering if we want to press further and enable by default the use
of native mod_auth_gssapi sessions?

The old mod_auth_kerb didn't have this feature so, in order to have
decent performance, we introduced split paths where some are always
incurring the full negotiate penalty and others instead rely on a
session cookie.

mod_auth_gssapi can be configured to use a session cookie directly which
avoids the negotiate auth performance hit. Integration would require
that the FreeIPA code learns how to delete the cookie when someone hits
a logout button, but it would be otherwise transparent.

It would be especially useful for 3rd party clients that want to use the
json/xmlrpc endpoints, as all they have to do is just support sending
back cookies and they do not have to learn how to contact multiple
endpoints to get credentials and then switch to the session only based
ones.

Thoughts ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
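
What enabling native mod_auth_gssapi sessions looks like in an Apache configuration, as an added example that is not part of the original message and not FreeIPA's shipped configuration. The location, keytab path, cookie name and key value are placeholders chosen for illustration.

```apache
# Requires mod_auth_gssapi plus mod_session and mod_session_cookie.
<Location "/protected">                      # placeholder path
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/path/to/http.keytab   # placeholder keytab
    Require valid-user

    # Full Negotiate runs once; later requests that present the session
    # cookie are authenticated from the cookie instead.
    GssapiUseSessions On
    Session On

    # Scope the cookie to the protected path, keep it away from scripts
    # (httponly) and off plaintext connections (secure). A logout handler
    # must expire a cookie with this same name and path.
    SessionCookieName gssapi_session path=/protected;httponly;secure;

    # Without a fixed key, a random one is generated at startup, so
    # sessions do not survive a restart and cannot be shared by several
    # servers behind a load balancer. Value: base64 of a 32-byte key.
    # GssapiSessionKey key:<BASE64_32_BYTE_KEY_PLACEHOLDER>
</Location>
```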



