directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex Karasulu" <akaras...@apache.org>
Subject Re: OT kerberos, iwa and proxys
Date Fri, 01 Jun 2007 23:48:44 GMT
What use case is this for or rather what is your aim with a KRB5 proxy?

Alex

On 6/1/07, Marc Boorshtein <mboorshtein@gmail.com> wrote:
>
> Nope.  I know that the process of browser-->iis works, I wanted to put
> a proxy in between. Browser<-->http proxy<-->iis
>
> I know all of the spengo stuff is done in headers so I think its ok
> but I know this list has a lot of kereros knowledge so I wanted to get
> some input on if the proxy would interfere with the authentication
> process.
>
> Thanks
> Marc
>
> On 6/1/07, Alex Karasulu <akarasulu@apache.org> wrote:
> > SPNEGO does this.
> >
> > Alex
> >
> > On 6/1/07, Marc Boorshtein <mboorshtein@gmail.com> wrote:
> > >
> > > Thanks
> > >
> > > What I'm actually doing is trying to proxy the ticket as part of an
> > > http request/response but I thought I had heard that kerberos tickets
> > > could not be proxied unchanged.  It sounds like that's not the case.
> > > Ill read those links.
> > >
> > > Thanks!
> > > Marc
> > >
> > > On 6/1/07, Emmanuel Lecharny <elecharny@apache.org> wrote:
> > > > Marc Boorshtein a écrit :
> > > >
> > > > > All,
> > > >
> > > > Hi Marc,
> > > >
> > > > >
> > > > > I've got an kerberos question when cobined with integrated windows
> > > > > authentication.  Can the process of authenticating the user to an
> iis
> > > > > server be proxied succesfully?
> > > >
> > > > so far, I think you just need to enable SPNEGO on you browser to do
> so
> > > > (
> > >
> >
> http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_SPNEGO_config_web.html
> > > > <
> > >
> >
> http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_SPNEGO_config_web.html
> > > >)
> > > >
> > > > Of couse, this will be helpfull if you are just using a browser...
> > > > Otherwise, your application will have to implement SPNEGO. FYI, we
> have
> > > > written a java codec for this protocol, but it has been sandboxed...
> > > > Just tell us if you want it to be ressucitated.
> > > >
> > > >
> > > > Emmanuel.
> > > >
> > > > >
> > > > > Thanks for any input.
> > > > >
> > > > > Marc
> > > > >
> > > > >
> > > > > On 6/1/07, Alex Karasulu <akarasulu@apache.org> wrote:
> > > > >
> > > > >> On 6/1/07, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> > > > >>
> > > > >> SNIP
> > > > >>
> > > > >> BasicAttributes to a more ldap compliant BasicAttributesImpl...)
> > > > >>
> > > > >>
> > > > >> What about renaming  BasicAttributesImpl to just
> LdapAttributes?  Of
> > > > >> course
> > > > >> not in the 1.0 branch which would break backwards compatibility
> of
> > > > >> partitions but in the 1.5 branch?  Guess really it's the 0.9.6branch
> > > of
> > > > >> shared for 1.5 of ApacheDS.
> > > > >>
> > > > >> Anyway this would be clearer no?
> > > > >>
> > > > >> Alex
> > > > >>
> > > > >
> > > >
> > > >
> > >
> >
>

Mime
View raw message