On Thu, Nov 12, 2015 at 07:46:25PM +1000, Fraser Tweedale wrote:
On Thu, Nov 12, 2015 at 08:34:11AM +0100, Jan Pazdziora wrote:
>
> I'm a bit confused. Do you try to do the authentication in tomcat
> or do you try to front-end tomcat with Apache? If you do it in tomcat
> itself (like the investigation seems to suggest), what is the role
> of mod_lookup_identity here?
No Apache, no mod_lookup_identity. But a Tomcat Realm
implementation that does a lookup of principal info via SSSD via
D-Bus, like what mod_lookup_identity does for Apache.
In general, that is what we tell people not to do.
The goal is to use external authenticatication and identity operations
in frontend server (Apache) and applications / frameworks consuming the
results. The benefit of this approach is that you don't have to
reimplement things when you say want to support additional protocol
-- hopefully, the platform will do it for you in the form of Apache
modules. The mod_auth_openidc is a prime example -- ideally, any
application that consumes results of external authentication (which
was initially done for example to support Kerberos) gets OpenId Connect
for free, just by reconfiguring the frontend Apache HTTP Server.
--
Jan Pazdziora | adelton at #ipa*, #brno
Senior Principal Software Engineer, Identity Management Engineering, Red Hat