X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=README;h=93a90b86225e7f84f10cbe316d4a20d1980751cd;hp=903d1996e2c41b13ba3f6d7af4caea46458366c2;hb=a0cfc1b357998166773d3da36c1fe98ad0ea7d94;hpb=7407b64481bc49ad552f9ba0ff2efe1f6fb0982e diff --git a/README b/README index 903d199..93a90b8 100644 --- a/README +++ b/README @@ -89,12 +89,17 @@ authentication (like NTLMSSP) it is necessary to bind to the authentication to the connection in order to keep the state between round-trips. With this option enable incomplete context are store in the connection and retrieved on the next request for continuation. -When using this option you may also ant to set the Persistent-Auth header for -those clients that make use of it. Example: GssapiConnectionBound On - Header set Persistent-Auth "true" + + +### GssapiSignalPersistentAuth +For clients that make use of Persistent-Auth header, send the header according +to GssapiConnectionBound setting. + +Example: + GssapiSignalPersistentAuth On ### GssapiUseSessions @@ -152,7 +157,7 @@ principal and the subprocess environment variable KRB5CCNAME will be set to point to that file. Example: - GssapiDelegCcacheDir = /var/run/httpd/clientcaches + GssapiDelegCcacheDir /var/run/httpd/clientcaches A user foo@EXAMPLE.COM delegating its credentials would cause the server to 
@@ -171,14 +176,56 @@ ticket by the application. Example: GssapiUseS4U2Proxy On - GssapiDelegCcacheDir = /var/run/httpd/clientcaches + GssapiCredStore keytab:/etc/httpd.keytab + GssapiCredStore client_keytab:/etc/httpd.keytab + GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache + GssapiDelegCcacheDir /var/run/httpd/clientcaches + +NOTE: The client keytab is necessary to allow GSSAPI to initate via keytab +on its own. If not present an external mechanism needs to kinit with the +keytab and store a ccache in the configured ccache file. ### GssapiBasicAuth Allows the use of Basic Auth in conjunction with Negotiate. -Two modes are supported, direct usage of the received username and password -to try to acquire credentials via GSSAPI, or forwarding to following apache -module. +If the browser fails to use Negotiate is will instead fallback to Basic and +the username and password will be used to try to acquire credentials in the +module via GSSAPI. If credentials are acquire successfully then they are +validated agaist the server's keytab. + +Enable with: GssapiBasicAuth On +Default: GssapiBasicAuth Off + +Example: + + AuthType GSSAPI + AuthName "Login" + GssapiBasicAuth On + GssapiCredStore keytab:/etc/httpd/http.keytab + Require valid-user + + + +### GssapiAllowedMech + +List of allowed mechanisms. This is useful to restrict the mechanism that +can be used when credentials for multiple mechanisms are available. +By default no mechanism is set, this means all locally available mechanisms +are allowed. The recognized mechanism names are: krb5, iakerb, ntlmssp + +Example: + GssapiAllowedMech krb5 + GssapiAllowedMech ntlmssp + + +### GssapiBasicAuthMech + +List of mechanisms against which Basic Auth is attempted. This is useful to +restrict the mechanisms that can be used to attaempt password auth. +By default no mechanism is set, this means all locally available mechanisms +are allowed, unless GssapiAllowedMech is set, in which case those are used. 
+GssapiBasicAuthMech always takes precendence over GssapiAllowedMech. +The recognized mechanism names are: krb5, iakerb, ntlmssp Example: - GssapiBasicAuth Forward + GssapiBasicAuthMech krb5
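Review bot: The new GssapiSignalPersistentAuth section (hunk at -89,+89) does not state the directive's default or what the Persistent-Auth header is set to in each case; the GssapiBasicAuth section further down gives a `Default:` line, so add one here too (`Default: GssapiSignalPersistentAuth Off` if that is what the code does) and say whether the header is sent as `true` when GssapiConnectionBound is On and as `false` (or not at all) when it is Off. The removed sentence was the only place that tied Persistent-Auth to connection-bound contexts, so the GssapiConnectionBound example should keep a one-line pointer to the new directive. Grammar in the added lines: "the Persistent-Auth header" and "the GssapiConnectionBound setting".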
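Review bot: Dropping the `=` from `GssapiDelegCcacheDir` (hunk at -152,+157) makes the example valid Apache directive syntax; the same `GssapiDelegCcacheDir = ...` form appears again in the S4U2Proxy example and is fixed there in the next hunk, so grep the rest of the README for any remaining `Gssapi... = ` lines before merging.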
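Review bot: The GssapiBasicAuth rewrite (hunk at -171,+176) removes the second mode ("forwarding to following apache module") and the `GssapiBasicAuth Forward` example without saying what happens to configurations that still use `Forward`; if the value is no longer accepted, say so in this section, and if it still works, keep it documented. Since the sentence "validated against the server's keytab" is what makes password auth trustworthy, also state what the module does when the keytab cannot be read. The two examples point at different keytabs (`keytab:/etc/httpd.keytab` for S4U2Proxy, `keytab:/etc/httpd/http.keytab` for Basic Auth); use one path so the README reads as a single configuration. The GssapiBasicAuthMech text ("unless GssapiAllowedMech is set, in which case those are used" followed by "always takes precedence over GssapiAllowedMech") is easy to misread; state it as: when GssapiBasicAuthMech is unset, password auth uses the GssapiAllowedMech list (or all local mechanisms if that is unset too); when it is set, only its mechanisms are tried. Typos in the added lines: "initate" (initiate), "is will instead fallback" (it will instead fall back), "are acquire successfully" (acquired), "agaist" (against), "attaempt" (attempt), "precendence" (precedence).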