mod_auth_gssapi.git/README, branch perms A GSSAPI based replacement for the aging mod_auth_kerb. Add support for GssapiImpersonate. 2016-06-09T14:11:43+00:00 Jan Pazdziora jpazdziora@redhat.com 2016-05-28T06:31:32+00:00 d1710aff7c72263f691f09f20f91922a3ce57cfc This is can be enabled on locations that are authenticated by another module to obtain a ticket for the user, so that the application gets access to krb5 credentials and all named attributes for the client. The service needs to be authorized by the KDC if there is the need to use credentials for further ticket acquisition by setting the ok_to_auth_as_delegate flag on the service principal. This will provide a forwardable ticket that can be used to obtain additional tickets via consrained delegation (also subkect to KDC access control). Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com> Close #92 
This is can be enabled on locations that are authenticated by another module
to obtain a ticket for the user, so that the application gets access to
krb5 credentials and all named attributes for the client.

The service needs to be authorized by the KDC if there is the need to use
credentials for further ticket acquisition by setting the
ok_to_auth_as_delegate flag on the service principal. This will provide a
forwardable ticket that can be used to obtain additional tickets via consrained
delegation (also subkect to KDC access control).

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #92
Additional python modules are needed. 2016-06-06T15:30:55+00:00 Jan Pazdziora jpazdziora@redhat.com 2016-06-06T14:05:47+00:00 d7e3594d7952bf19f70f9fee0a24b5909191e904 Failed imports were found in tracebacks in ./scratchdir/tests.log. Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Close #89 
Failed imports were found in tracebacks in ./scratchdir/tests.log.

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #89
The distribution does not ship ./configure, generate it. 2016-06-06T09:54:00+00:00 Jan Pazdziora jpazdziora@redhat.com 2016-06-06T07:41:48+00:00 401160bc57305929ca4c232f0246ef1159018c1e Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Close #88 
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #88
Clarify make test dependencies. 2016-06-02T14:14:15+00:00 Jan Pazdziora jpazdziora@redhat.com 2016-05-30T07:53:31+00:00 f78990a41e5b4beaec10315ac112dff2f00aedee Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Close #85 
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #85
Implement unique ccache names 2016-05-18T21:46:14+00:00 Robbie Harwood rharwood@redhat.com 2016-05-08T06:31:00+00:00 6a0bc4f5cd46b1ab85dba5bd2de28f568cc947b0 Unique ccache names may be requested using the GssapiDelegCcacheUnique configuration option. This option is off by default. If both unique ccache names and session use are enabled, then a mechanism for removing old ccaches must be supplied. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Also-authored-by: Petr Vobornik <pvoborni@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Unique ccache names may be requested using the GssapiDelegCcacheUnique
configuration option.  This option is off by default.  If both unique
ccache names and session use are enabled, then a mechanism for removing
old ccaches must be supplied.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Also-authored-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Cleanup s4u2proxy in mag_auth_basic 2016-02-18T01:44:36+00:00 Isaac Boukris iboukris@gmail.com 2016-02-16T23:21:25+00:00 5571d79a78a1360f2a56b22c6bf59640cf2c88e8 It doesn't have any effect since we set GSS_C_DELEG_FLAG when we initiate client credentials so we always get delegated TGT regardless of constrained delegation. This commit is not intended to change the current behaviour. See #70 Reviewed-by: Simo Sorce <simo@redhat.com> Closes #70 Closes #72 
It doesn't have any effect since we set GSS_C_DELEG_FLAG
when we initiate client credentials so we always get
delegated TGT regardless of constrained delegation.

This commit is not intended to change the current behaviour.

See #70

Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #70
Closes #72
Add option to not send a Negotiate headers 2016-02-17T23:59:31+00:00 James Groffen james.groffen@dsto.defence.gov.au 2016-01-08T06:31:50+00:00 f9cc36700c95a88ff7d7489167094556ac0e75cc If negotiation was attempted but failed do not send a new Negotiate header. Useful when only one single sign on mechanism is allowed and to avoid misleading login prompts in some browsers. Added a test of the GssapiDontReauth option to the test suite. Also added SPNEGO no auth test. [SS: reworded and fixed commit subject/comment] [SS: fixed whitespace errors and 80 column wrappings] Reviewed-by: Simo Sorce <simo@redhat.com> Close #65 
If negotiation was attempted but failed do not send a new Negotiate header.
Useful when only one single sign on mechanism is allowed and to avoid
misleading login prompts in some browsers.

Added a test of the GssapiDontReauth option to the test suite.
Also added SPNEGO no auth test.

[SS: reworded and fixed commit subject/comment]
[SS: fixed whitespace errors and 80 column wrappings]

Reviewed-by: Simo Sorce <simo@redhat.com>

Close #65
Corrected two typos in the README file. 2016-02-17T22:52:10+00:00 James Groffen groffenj@dsto.defence.gov.au 2016-02-16T23:24:42+00:00 f29a1574c94ad8875626d4d707cc712a6f68ee29 Reviewed-by: Simo Sorce <simo@redhat.com> Close #71 
Reviewed-by: Simo Sorce <simo@redhat.com>

Close #71
Minor formatting changes to the README. 2016-02-03T12:13:45+00:00 James Groffen groffenj@dsto.defence.gov.au 2016-01-15T01:15:24+00:00 3361a7910e5b934d65ca3cb70aa551dddff69179 [Changes to original commit: removed trailing whitespace] Reviewed-by: Simo Sorce <simo@redhat.com> Closes #67 
[Changes to original commit: removed trailing whitespace]

Reviewed-by: Simo Sorce <simo@redhat.com>

Closes #67
Add code to set attribute names in the environment 2015-12-03T18:30:09+00:00 Simo Sorce simo@redhat.com 2015-11-30T22:53:42+00:00 7f11db955b8440668fc806b4203f584bb44f58c1 This code allows to specify which attributes in a name are interesting to the application and set them as named environemnt variables. Optionally the whole set of attributes can be exported in a json formatted structure. Signed-off-by: Simo Sorce <simo@redhat.com> Close #62 Close #63 
This code allows to specify which attributes in a name are interesting
to the application and set them as named environemnt variables.
Optionally the whole set of attributes can be exported in a json
formatted structure.

Signed-off-by: Simo Sorce <simo@redhat.com>

Close #62
Close #63