This PR adds unconstrained Kerberos delegation to the API.
The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials.
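A server-side check that the receiving end of `X-KRB5-CRED` could run before handing the bytes to its Kerberos library, as an added example (not code from this PR). It assumes the header carries a DER-encoded KRB-CRED message (RFC 4120, `[APPLICATION 22]`); the size cap, function names and cache-file prefix are also assumptions, and storing the credential into the cache is left to the Kerberos library.

```python
import base64
import os
import tempfile

MAX_HEADER_CHARS = 64 * 1024   # assumed cap on the header value
KRB_CRED_TAG = 0x76            # [APPLICATION 22] constructed, per RFC 4120
SEQUENCE_TAG = 0x30


class BadCredential(ValueError):
    """The X-KRB5-CRED header was rejected before reaching the Kerberos library."""


def _der_length(buf, pos):
    """Return (content length, content offset) for the DER length at buf[pos]."""
    if pos >= len(buf):
        raise BadCredential("truncated message")
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise BadCredential("unsupported DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_cred_header(value):
    """Strictly decode the header; return the raw KRB-CRED bytes or raise."""
    if len(value) > MAX_HEADER_CHARS:
        raise BadCredential("header too large")
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:             # binascii.Error is a ValueError
        raise BadCredential("not valid base64") from exc
    if len(raw) < 2 or raw[0] != KRB_CRED_TAG:
        raise BadCredential("not a KRB-CRED message")
    length, start = _der_length(raw, 1)
    if length == 0 or start + length != len(raw):
        raise BadCredential("length mismatch or trailing bytes")
    if raw[start] != SEQUENCE_TAG:
        raise BadCredential("KRB-CRED body is not a SEQUENCE")
    return raw


def new_private_ccache(base_dir):
    """Create an empty, owner-only cache file unique to this request."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_api_", dir=base_dir)
    os.close(fd)
    return path
```

The header value is itself a usable credential, so it should be kept out of access logs and error messages.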
Don't know much about Kerberos, but the code looks good to me.
Next, install and activate a virtualenv:
```sh
sudo apt install libkrb5-dev python3-dev
```
I also needed `libsasl2-dev` and `libldap2-dev` when I set up my environment.

We're not using python-ldap anymore so libldap2-dev should no longer be necessary.
d78d31eec0 into v1 1 year ago