[Freeipa-devel] mod_auth_kerb ticket forwarding

Andrew Bartlett abartlet at samba.org
Tue Aug 28 21:59:48 UTC 2007


On Tue, 2007-08-28 at 17:53 -0400, Simo Sorce wrote:
> On Tue, 2007-08-28 at 17:08 -0400, Rob Crittenden wrote:

> > I looked into it a bit today and was able to get it working in the simplest
> > case where either would be supported. The trouble is that SASL auth
> > doesn't work over SSL. I'm not sure we want that. We may simply be
> > better off with proxy auth.
> 
> When you do GSSAPI auth you get encryption for free, so SSL is not
> required in that case.

This is true for LDAP, just not for HTTP.  Having just GSSAPI sealing
for the xml-rpc -> LDAP connection would seem simpler (and can nicely be
sniffed, with the right keys exported, with wireshark :-). 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.