[Freeipa-devel] plugin limitations and more URL modifications

Rob Crittenden rcritten at redhat.com
Fri Feb 24 18:44:22 UTC 2012


John Dennis wrote:
> On 02/24/2012 01:18 PM, John Dennis wrote:
>> * Move the existing /ipa/login URL to /ipa/session/login_kerberos. The
>> URL change is to be consistent with the above new URL. The URL change
>> reflects the fact it is only used to initialize a session when the user
> >> already has a valid Kerberos ticket. As before, it obtains the
>> credentials established by mod_auth_kerb and stores them in a session.
>
> I may not have been entirely clear; a great question to ask is:
>
> "Why can't session login via either existing TGT or password be shared
> on a common /ipa/login URL? Why do we need different URLs?"
>
> Because the former needs to be protected by mod_auth_kerb in Apache and
> the latter needs to be unprotected by Apache, thus you need distinct URLs.
>

This scheme sounds sensible to me.

rob
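
The URL split discussed in this message, as an added Apache configuration sketch; it is not from the thread and is not FreeIPA's shipped configuration. The realm, the keytab path and the password-login path are placeholders, and it assumes no enclosing section already imposes authentication on these paths.

```apache
# Added illustration. EXAMPLE.COM, /path/to/http.keytab and
# PASSWORD_LOGIN_PLACEHOLDER are placeholders, not values from the thread.

# Session login with an existing TGT. Apache negotiates Kerberos before the
# request reaches the application, so the handler can trust the identity and
# the credentials that mod_auth_kerb established.
<Location "/ipa/session/login_kerberos">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    # No Basic-auth password fallback on this URL.
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /path/to/http.keytab
    # Save the client's credentials so the application can store them
    # in the session.
    KrbSaveCredentials on
    Require valid-user
</Location>

# Session login with a password. No AuthType or Require here: a client with
# no ticket must be able to reach this URL, so Apache authenticates nothing
# and the application has to validate the submitted password itself.
<Location "/ipa/session/PASSWORD_LOGIN_PLACEHOLDER">
    # Intentionally left without authentication directives.
</Location>

# Why one shared URL does not work: authentication is applied per Location.
# With "Require valid-user" on a shared URL, a client without a ticket gets
# 401 from Apache and the password handler never runs; without it, Apache
# vouches for nothing and the TGT-based handler has no identity to trust.
```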