| Commit message | Author | Age | Files | Lines |
| |
In some cases (e.g. if you want to convey the ccname over AJP) the
request environment variable name "KRB5CCNAME" is not appropriate.
Add the GssapiDelegCcacheEnvVar option that allows the env var name
to be changed.
Fixes: https://github.com/modauthgssapi/mod_auth_gssapi/issues/123
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #124
Closes #123
| |
With the new 'file:' syntax a session key can be automatically generated
the first time mod_auth_gssapi runs and stored on the filesystem.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Closes #117
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Closes #113
| |
This can be enabled on locations that are authenticated by another module
to obtain a ticket for the user, so that the application gets access to
krb5 credentials and all named attributes for the client.
The service needs to be authorized by the KDC if there is the need to use
credentials for further ticket acquisition by setting the
ok_to_auth_as_delegate flag on the service principal. This will provide a
forwardable ticket that can be used to obtain additional tickets via constrained
delegation (also subject to KDC access control).
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #92
| |
Failed imports were found in tracebacks in ./scratchdir/tests.log.
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #89
| |
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #88
| |
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #85
| |
Unique ccache names may be requested using the GssapiDelegCcacheUnique
configuration option. This option is off by default. If both unique
ccache names and session use are enabled, then a mechanism for removing
old ccaches must be supplied.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Also-authored-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
| |
It doesn't have any effect since we set GSS_C_DELEG_FLAG
when we initiate client credentials so we always get
delegated TGT regardless of constrained delegation.
This commit is not intended to change the current behaviour.
See #70
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #70
Closes #72
| |
If negotiation was attempted but failed do not send a new Negotiate header.
Useful when only one single sign on mechanism is allowed and to avoid
misleading login prompts in some browsers.
Added a test of the GssapiDontReauth option to the test suite.
Also added SPNEGO no auth test.
[SS: reworded and fixed commit subject/comment]
[SS: fixed whitespace errors and 80 column wrappings]
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #65
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #71
| |
[Changes to original commit: removed trailing whitespace]
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #67
| |
This code allows specifying which attributes in a name are interesting
to the application and setting them as named environment variables.
Optionally the whole set of attributes can be exported in a JSON
formatted structure.
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #62
Close #63
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #56
| |
Add symlink to .md so the markdown is picked up.
Updated styling and fixed a couple of typos.
Simo: Changed rename into a symlink. Reworded commit message
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #51
| |
This option allows setting a different list of mechanisms to use
with Basic Auth (Basic Auth must be explicitly enabled) than the
list of mechs that are allowed with Negotiate or Raw GSSAPI Client
authentication.
Signed-off-by: Simo Sorce <simo@redhat.com>
| |
This option allows the admin to list the mechanisms that can be used for
authentication. An empty list allows any locally supported mechanisms.
| |
Controls whether to send the Persistent-Auth header, and sets it only
when necessary/appropriate
Reviewed-by: Simo Sorce <simo@redhat.com>
| |
Fix GssapiDelegCcacheDir examples and add all the required options to
make GssapiUseS4U2Proxy really work.
Thanks to David Kupka for testing that highlighted these issues.
| |
Fixes #8
| |
Support either passing Basic Auth Through to another module,
or handling it directly through gss_acquire_cred_with_password()
Fixes #8