Red Hat Bugzilla – Bug 1257042
RequestHeaderIdentityProvider promotes Kerberos/mod_auth_kerb, GSSAPI/mod_auth_gssapi is preferred
Last modified: 2017-10-18 15:08:54 EDT
Section Number and Name:
Apache Configuration, the example of the configuration
Describe the issue:
# For Kerberos remove "AuthType basic" and insert the following:
# AuthType Kerberos
# KrbMethodNegotiate on
# KrbMethodK5Passwd off
# KrbServiceName Any
# KrbAuthRealms EXAMPLE.COM
# Krb5Keytab /path/to/keytab
# KrbSaveCredentials off
Suggestions for improvement:
The use of AuthType Kerberos implies the use of mod_auth_kerb. In Fedoras and RHEL 7, mod_auth_gssapi is now available, which is a replacement for the no-longer-actively-maintained mod_auth_kerb. The AuthType Kerberos should be replaced by AuthType GSSAPI and the Krb* directives with some equivalent directives of mod_auth_gssapi.
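An added example, not part of the original report or of the OpenShift docs: a small checker that finds directives implying mod_auth_kerb in an Apache configuration and proposes the two replacements this page names (AuthType GSSAPI, and GssapiCredStore keytab:... for the keytab). The function name, the sample configuration and its /protected location are constructed for illustration; other Krb* directives are only flagged, since no one-to-one mapping is given here.

```python
import re

# One Apache directive per line, optionally commented out with "#".
_LINE = re.compile(
    r"^\s*(?P<hash>#\s*)?(?P<name>[A-Za-z][A-Za-z0-9]*)\s+(?P<args>\S.*?)\s*$"
)

def find_mod_auth_kerb(conf_text, include_commented=False):
    """Return (line_no, directive, suggestion_or_None) for every directive
    that implies mod_auth_kerb. Directive names are case-insensitive."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = _LINE.match(line)
        if not m or (m["hash"] and not include_commented):
            continue
        name, args = m["name"].lower(), m["args"]
        if name == "authtype" and args.lower() == "kerberos":
            suggestion = "AuthType GSSAPI"
        elif name == "krb5keytab":
            suggestion = "GssapiCredStore keytab:" + args
        elif name.startswith("krb"):
            suggestion = None  # flagged only; pick the equivalent by hand
        else:
            continue
        findings.append((no, f"{m['name']} {args}", suggestion))
    return findings

# Constructed sample configuration (not taken from a real deployment).
SAMPLE = """\
<Location /protected>
    AuthType Kerberos
    KrbMethodNegotiate on
    Krb5Keytab /etc/httpd.keytab
    # KrbSaveCredentials off
    Require valid-user
</Location>
"""

if __name__ == "__main__":
    for no, directive, suggestion in find_mod_auth_kerb(SAMPLE, True):
        print(f"line {no}: {directive} -> {suggestion or 'review manually'}")
```

Pass include_commented=True to also catch commented-out samples such as the documentation snippet quoted in this report.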
This PR references mod_auth_gssapi: https://github.com/openshift/openshift-docs/pull/903
It will merge sometime before 3.0.2 is released.
I confirm that https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#RequestHeaderIdentityProvider today says:
# For Kerberos
# yum install mod_auth_gssapi
# AuthType GSSAPI
# GssapiCredStore keytab:/etc/httpd.keytab
Why is this bugzilla tracked with ose-2.2.z ? flag and not just marked resolved in CURRENTRELEASE?
The docs team doesn't really use flags for tracking bugs as far as I know. I'm going to close this bug if you say it's fixed. Thanks.