path: root/README
author: Jan Pazdziora <jpazdziora@redhat.com> 2016-05-28 08:31:32 +0200
committer: Simo Sorce <simo@redhat.com> 2016-06-09 10:11:43 -0400
commit: d1710aff7c72263f691f09f20f91922a3ce57cfc (patch)
tree: 4840aa7bba096593a3470097b44c6f066664d37c /README
parent: 17c292a0b4f7ce7c08780c17c1300721c3256031 (diff)
download: mod_auth_gssapi-d1710aff7c72263f691f09f20f91922a3ce57cfc.tar.gz, mod_auth_gssapi-d1710aff7c72263f691f09f20f91922a3ce57cfc.tar.xz, mod_auth_gssapi-d1710aff7c72263f691f09f20f91922a3ce57cfc.zip
Add support for GssapiImpersonate.
This can be enabled on locations that are authenticated by another module to obtain a ticket for the user, so that the application gets access to krb5 credentials and all named attributes for the client. The service needs to be authorized by the KDC if there is the need to use credentials for further ticket acquisition by setting the ok_to_auth_as_delegate flag on the service principal. This will provide a forwardable ticket that can be used to obtain additional tickets via constrained delegation (also subject to KDC access control).

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #92
Diffstat (limited to 'README')
-rw-r--r--  README  16
1 files changed, 16 insertions, 0 deletions
diff --git a/README b/README
index 1c5d1cd..755015e 100644
--- a/README
+++ b/README
@@ -310,3 +310,19 @@ Auth mechanism. Enable GssapiNegotiateOnce to avoid this situation.
- **Enable with:** GssapiNegotiateOnce On
- **Default:** GssapiNegotiateOnce Off
+### GssapiImpersonate
+
+This option can be used even if AuthType GSSAPI is not used for given
+Location or LocationMatch, to obtain service ticket for a user that was
+already authenticated by different module.
+
+The principal of the user is retrieved from the internal r->user
+identifier which typically holds the username from the authentication
+results.
+
+Make sure the server principal is set to allow to acquire forwardable
+tickets to itself from arbitrary users, for use with constrained
+delegation, for example with the option +ok_to_auth_as_delegate.
+
+- **Enable with:** GssapiImpersonate On
+- **Default:** GssapiImpersonate Off
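Review bot: the third added paragraph ("Make sure the server principal is set to allow to acquire forwardable tickets to itself from arbitrary users ...") is hard to parse and uses "server principal" where the commit message says "service principal"; suggest rewording to something like "Make sure the service principal is permitted to acquire forwardable tickets to itself on behalf of arbitrary users, for example by setting +ok_to_auth_as_delegate on it; using that ticket for constrained delegation is additionally subject to KDC access control." The commit message states that the application gets access to the krb5 credentials and named attributes, but the README hunk never says how they are exposed (where the obtained credentials are stored and which environment variable or request field points at them), nor what happens when r->user is unset or does not carry a fully qualified principal; both belong in this section. Since the option trusts whatever another module placed in r->user and the flag lets the service obtain tickets as any user, one sentence noting that it should be enabled only on Locations whose authenticating module is trusted, with the corresponding KDC-side delegation restrictions in place, would make the risk explicit to administrators.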