X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=README;h=b4eca28e52894d1040710eae83932b38f9fe31a4;hp=9d25fb3fd774888c19a38100b256243c172e6f36;hb=5571d79a78a1360f2a56b22c6bf59640cf2c88e8;hpb=d42296e3e7cb8add473c8e028646ce134e17ca44 diff --git a/README b/README index 9d25fb3..b4eca28 100644 --- a/README +++ b/README @@ -119,7 +119,7 @@ to handle cookies so that module needs to be activated and configured. GSSAPI uses a secured (encrypted + MAC-ed) payload to maintain state in the session cookie. The session cookie lifetime depends on the lifetime of the GSSAPI session established at authentication. -NOTE: It is important to correctly set the SessionCookieName option. +**NOTE**: It is important to correctly set the SessionCookieName option. See the [mod_sessions](http://httpd.apache.org/docs/current/mod/mod_session.html) documentation for more information. @@ -182,6 +182,9 @@ This options requires GssapiDelegCcacheDir to be set. The ccache will be populated with the user's provided ticket which is later used as evidence ticket by the application. +**Note:** This flag has no effect when Basic-Auth is used since user's +credentials are delegated anyway when GssapiDelegCcacheDir is set. + #### Example GssapiUseS4U2Proxy On GssapiCredStore keytab:/etc/httpd.keytab @@ -196,9 +199,9 @@ keytab and store a ccache in the configured ccache file. ### GssapiBasicAuth Allows the use of Basic Auth in conjunction with Negotiate. -If the browser fails to use Negotiate is will instead fallback to Basic and +If the browser fails to use Negotiate it will instead fallback to Basic and the username and password will be used to try to acquire credentials in the -module via GSSAPI. If credentials are acquire successfully then they are +module via GSSAPI. If credentials are acquired successfully then they are validated against the server's keytab. - **Enable with:** GssapiBasicAuth On 
@@ -237,3 +240,56 @@ The recognized mechanism names are: krb5, iakerb, ntlmssp #### Example GssapiBasicAuthMech krb5 + + +### GssapiNameAttributes + +Enables the module to source Name Attributes from the client name +(authorization data associated with the established context) and exposes them +as environment variables. + +Value format: ENV_VAR_NAME ATTRIBUTE_NAME + +This option can be specified multiple times, once for each attribute to expose. +The Special value "json" is used to expose all attributes in a json formatted +string via the special environment variable GSS_NAME_ATTRS_JSON +The environment variable GSS_NAME_ATTR_ERROR is set with the Gssapi returned +error string in case the inquire name function fails to retrieve attributes, +and with the string "0 attributes found", if no attributes are set. + +**Note**: These variables are NOT saved in the session data stored in the +cookie so they are available only on the first authenticated request when +GssapiUseSessions is used. + +**Note:** It is recommended but not required to use only capital letters and +underscores for environment variable names. + +#### Example + GssapiNameAttributes json + GssapiNameAttributes RADIUS_NAME urn:ietf:params:gss:radius-attribute_1 + + +### GssapiNegotiateOnce + +When this option is enabled the Negotiate header will not be resent if +Negotiation has already been attempted but failed. + +Normally when a client fails to use Negotiate authentication, a HTTP 401 +response is returned with a WWW-Authenticate: Negotiate header, implying that +the client can retry to use Negotiate with different credentials or a +different mechanism. + +Consider enabling GssapiNegotiateOnce when only one single sign on mechanism +is allowed, or when GssapiBasicAuth is enabled. + +**NOTE:** if the initial Negotiate attempt fails, some browsers will fallback +to other Negotiate mechanisms, prompting the user for login credentials and +reattempting negotiation. 
This situation can mislead users - for example if +krb5 authentication failed and no other mechanisms are allowed, a user could +be prompted for login information even though any login information provided +cannot succeed. When this occurs, some browsers will not fall back to a Basic +Auth mechanism. Enable GssapiNegotiateOnce to avoid this situation. + +- **Enable with:** GssapiNegotiateOnce On +- **Default:** GssapiNegotiateOnce Off +
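Review bot: the note-label style introduced in the first hunk (`**NOTE**:` with the colon outside the bold) does not match the labels the rest of this patch adds: the GssapiUseS4U2Proxy hunk writes `**Note:**`, and the GssapiNameAttributes/GssapiNegotiateOnce hunk uses `**Note**:`, `**Note:**` and `**NOTE:**` in three consecutive paragraphs. Pick one form (the existing `**NOTE:**` in the GssapiNegotiateOnce section is the most common across the file after this patch) and use it for every note this patch touches, so the README renders consistently.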
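Review bot: the added note in the GssapiUseS4U2Proxy hunk is missing an article ("since the user's credentials") and should say what the ccache actually holds in the Basic Auth case, because the paragraph just above it describes the ccache as "populated with the user's provided ticket which is later used as evidence ticket by the application", while the GssapiBasicAuth section says the module uses "the username and password ... to try to acquire credentials" itself. An admin reading only this note could assume the same evidence-ticket flow applies; it does not, since with Basic Auth the module already holds credentials it acquired from the password and stores those when GssapiDelegCcacheDir is set, so there is nothing for S4U2Proxy to do. Suggest: "**Note:** This flag has no effect when Basic Auth is used: the credentials the module acquires from the user's password are stored in the ccache directly whenever GssapiDelegCcacheDir is set, so no S4U2Proxy exchange takes place." While here, the unchanged context line "This options requires GssapiDelegCcacheDir to be set." has a stray "s", and "Basic-Auth" is hyphenated here but written "Basic Auth" in the GssapiBasicAuth section.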
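Review bot: both corrections in the GssapiBasicAuth hunk ("is will" to "it will", "acquire" to "acquired") are right; the same sentence still uses the noun "fallback" as a verb in "it will instead fallback to Basic", which should read "it will instead fall back to Basic" (the GssapiNegotiateOnce section added later in this patch has the same "will fallback to other Negotiate mechanisms"). Since the paragraph is being edited anyway, it is also worth stating that the keytab validation described here ("they are validated against the server's keytab") is what prevents a password that was never accepted by the KDC from being trusted, which makes clear why acquiring credentials alone is not sufficient.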
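Review bot: the session caveat in the new GssapiNameAttributes section understates its impact on applications: "they are available only on the first authenticated request when GssapiUseSessions is used" means an application that authorizes on GSS_NAME_ATTRS_JSON or a variable such as RADIUS_NAME will see it once and then see nothing on every subsequent request served from the session cookie. Say explicitly that applications must not depend on these variables being present on later requests when GssapiUseSessions is on, and describe what GSS_NAME_ATTR_ERROR contains in that case (unset, or "0 attributes found"), since the text currently only defines it for the inquire-name failure path. The same section also lacks the "- **Enable with:**" / "- **Default:**" bullets that GssapiBasicAuth and GssapiNegotiateOnce end with; add them (with the default being no attributes exposed, if that is the behaviour) so the option is documented the same way as its siblings. Smaller fixes in this hunk: "The Special value" to "The special value", a missing full stop after "GSS_NAME_ATTRS_JSON", "Gssapi returned error string" to "GSSAPI error string", "a HTTP 401" to "an HTTP 401", "single sign on" to "single sign-on", and "some browsers will fallback to other Negotiate mechanisms" to "fall back".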