From d1710aff7c72263f691f09f20f91922a3ce57cfc Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Sat, 28 May 2016 08:31:32 +0200 Subject: Add support for GssapiImpersonate. This is can be enabled on locations that are authenticated by another module to obtain a ticket for the user, so that the application gets access to krb5 credentials and all named attributes for the client. The service needs to be authorized by the KDC if there is the need to use credentials for further ticket acquisition by setting the ok_to_auth_as_delegate flag on the service principal. This will provide a forwardable ticket that can be used to obtain additional tickets via consrained delegation (also subkect to KDC access control). Signed-off-by: Jan Pazdziora Signed-off-by: Simo Sorce Close #92 --- src/mod_auth_gssapi.h | 1 + 1 file changed, 1 insertion(+) (limited to 'src/mod_auth_gssapi.h') diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h index 0c77b8b..6ff9fbd 100644 --- a/src/mod_auth_gssapi.h +++ b/src/mod_auth_gssapi.h @@ -71,6 +71,7 @@ struct mag_config { char *deleg_ccache_dir; gss_key_value_set_desc *cred_store; bool deleg_ccache_unique;; + bool s4u2self; #endif struct seal_key *mag_skey; -- cgit