the connection in order to keep the state between round-trips. With this option
enable incomplete context are store in the connection and retrieved on the next
request for continuation.
-When using this option you may also ant to set the Persistent-Auth header for
-those clients that make use of it.
Example:
GssapiConnectionBound On
- Header set Persistent-Auth "true"
+
+
+### GssapiSignalPersistentAuth
+For clients that make use of Persistent-Auth header, send the header according
+to GssapiConnectionBound setting.
+
+Example:
+ GssapiSignalPersistentAuth On
### GssapiUseSessions
to point to that file.
Example:
- GssapiDelegCcacheDir = /var/run/httpd/clientcaches
+ GssapiDelegCcacheDir /var/run/httpd/clientcaches
A user foo@EXAMPLE.COM delegating its credentials would cause the server to
Example:
GssapiUseS4U2Proxy On
- GssapiDelegCcacheDir = /var/run/httpd/clientcaches
+ GssapiCredStore keytab:/etc/httpd.keytab
+ GssapiCredStore client_keytab:/etc/httpd.keytab
+ GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
+ GssapiDelegCcacheDir /var/run/httpd/clientcaches
+
+NOTE: The client keytab is necessary to allow GSSAPI to initate via keytab
+on its own. If not present an external mechanism needs to kinit with the
+keytab and store a ccache in the configured ccache file.
### GssapiBasicAuth
GssapiCredStore keytab:/etc/httpd/http.keytab
Require valid-user
</Location>
+
+
+### GssapiAllowedMech
+
+List of allowed mechanisms. This is useful to restrict the mechanism that
+can be used when credentials for multiple mechanisms are available.
+By default no mechanism is set, this means all locally available mechanisms
+are allowed. The recognized mechanism names are: krb5, iakerb, ntlmssp
+
+Example:
+ GssapiAllowedMech krb5
+ GssapiAllowedMech ntlmssp