On Thu, Feb 19, 2015 at 12:09 PM, David Woodhouse <dwmw2 at infradead.org> wrote: > On Thu, 2015-02-19 at 10:06 +0100, Nikos Mavrogiannopoulos wrote: >> Note that I've not generalized authentication outside spnego, mainly >> intentionally as I have no way to test it. > I really do want to see that generalised. It's not so hard to test it. > Just have a completely unrelated URL elsewhere which requires > authentication of whatever kind, and when you've authenticated you get > an HTTP redirect to the real ocserv URL. > Not only will that allow us to test other auth methods, it'll also allow > us to test the case of authenticating with GSSAPI to more than one > server -- which might happen in load-balancing scenarios. The latter is orthogonal to the first one. For the latter we need to support alternative keytab. For the first we need to add support for the headers of the other authentication methods. I could do the latter, but I'm really not inclined to spend time for the former. It is not easy to implement and test (for me at least) and I have no use case for it. regards, Nikos