[Freeipa-devel] another snag with kerberos
Rob Crittenden
rcritten at redhat.com
Tue Jul 17 12:23:49 UTC 2007
Andrew Bartlett wrote:
> On Mon, 2007-07-16 at 17:02 -0400, Rob Crittenden wrote:
>> Found another snag in the forwarding kerberos tickets via XML-RPC: the
>> python xmlrpc library only supports Basic Authentication.
>>
>> The really aggravating part is that as far as I can tell you can't
>> include extra headers to be sent in the XMLRPC request, so we can't even
>> include an Authorization header ourselves.
>>
>> And even if we could include our own headers I'm not sure how to
>> hand-craft a Negotiate request.
>
> That's the easy part: base64 encode the blob that GSSAPI gives you.
>
>
Perhaps easy to you, someone who knows GSSAPI.
I looked at koji which uses python-krbv and was able to, I think,
generate a request, but I'm not sure how to test it. The other thing is
that my encoded blob is about 1/3 the size of the blob I see when other
clients make successful requests.
There is still the problem of ticket forwarding too.
Some folks on the mod_auth_kerb mailing list mentioned setting the
ok-as-delegate flag. Unfortunately this doesn't seem to be available in
MIT kerberos.
rob
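
Added example, not part of the original message or of any FreeIPA, koji or python-krbv code: a Python sketch of the "base64 encode the blob" step for a Negotiate header, plus an offline check that decodes such a header and reports which GSS-API mechanism OID the token declares and how large it is. The function names and the sample token are constructed for illustration, and the GSSAPI call that would produce a real token is assumed to happen elsewhere.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value) that open a GSS-API token.
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5 (1.2.840.113554.1.2.2)",
}

def negotiate_header(gss_token: bytes) -> str:
    """Authorization header value for HTTP Negotiate: base64 of the GSSAPI blob."""
    return "Negotiate " + base64.b64encode(gss_token).decode("ascii")

def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, offset of the content)."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def inspect_negotiate(header_value: str) -> dict:
    """Decode a Negotiate header and report the token's mechanism and size."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate header with a token")
    token = base64.b64decode(b64.strip(), validate=True)
    if not token or token[0] != 0x60:     # [APPLICATION 0] wraps an initial token
        raise ValueError("no GSS-API initial-token framing (expected 0x60)")
    declared, pos = _der_length(token, 1)
    if pos + 2 > len(token) or token[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid = token[pos:pos + 2 + token[pos + 1]]
    return {"mechanism": MECH_OIDS.get(oid, "unknown"),
            "token_bytes": len(token),
            "length_ok": declared == len(token) - pos}

# Constructed sample: framing + Kerberos 5 OID + placeholder bytes, not a real ticket.
_body = bytes.fromhex("06092a864886f712010202") + b"\x01\x00" + b"constructed-placeholder"
SAMPLE = b"\x60" + bytes([len(_body)]) + _body

if __name__ == "__main__":
    header = negotiate_header(SAMPLE)
    print("Authorization:", header)
    print(inspect_negotiate(header))
```

Running `inspect_negotiate` on a header captured from a working client and on a hand-built one gives a direct comparison of mechanism and token size.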