This PR adds unconstrained Kerberos delegation to the API.
The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials.
This PR adds unconstrained Kerberos delegation to the API.
The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials.
r345liu
This PR adds unconstrained Kerberos delegation to the API.
The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials.
Don't know much about Kerobos but the code looks good to me.
Next, install and activate a virtualenv:```shsudo apt install libkrb5-dev python3-devI also needed
libsasl2-devandlibldap2-devwhen I setup my environmentWe're not using python-ldap anymore so libldap2-dev should no longer be necessary.
d78d31eec0into v1 1 year agoReviewers
d78d31eec0.