[katello-devel] Kerberos support design

Jan Pazdziora jpazdziora at redhat.com
Mon Jun 24 09:25:55 UTC 2013


On Thu, Jun 20, 2013 at 10:13:42AM +0200, Marek Hulan wrote:
> Few comments:
> 
> > > Re: fallback to other backends - I think traversing an ordered list of
> > > backends until authentication succeeds would work? Might require
> > > additional logic for web-ui though?
>
> I'll have to find out how to use web form instead of basic auth dialog. Note 
> that user would be asked by dialog and he'd have to hit cancel to continue 
> with other method.

You use a form by presenting the user with a form, and you don't use
Basic Auth by not sending WWW-Authenticate: Basic. In other words, 401
page with

	WWW-Authenticate: Negotiate

while having the login form on that page should do the trick.

> Or you meant we could display index page where user could 
> select which method to use?

In typical deployment, I don't see the admin wanting to support
multitude of mechanisms.

> That would be the ideal case. It's still open question how we can avoid 
> displaying basic auth popup and still use kerberos without ticket. I'll ask 

There is nothing magic about the Basic Auth popup. Just don't
advertize it.

> Simo from FreeIPA how they managed to do this. 

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat




More information about the katello-devel mailing list